Still Sweet on Suite B: NSA-approved Cryptography for Civilian and Military WLANs

What's the big deal about Aruba having military-grade Suite B cryptography integrated with its wireless LANs?

Well, the truth is, it's a pretty big deal. Why? Because commercial mobile devices – smartphones, tablets and laptops – can be used to securely access networks that handle sensitive but unclassified, confidential and classified information up to the secret level.

And of course, all the productivity benefits of user mobility come with it. Authorized users get secure access to network resources based on who they are – no matter where they are, what devices they use or how they connect.

Selected by the U.S. National Security Agency (NSA) for its strong security and performance characteristics, Suite B is like a recipe. It comprises a very specific set of security protocols and algorithms. Their implementation, as prescribed by the NSA, is exacting and unambiguous.

So the question I've been getting from a lot of people is this: If Suite B is so well defined and its implementation so specific, how can Aruba differentiate its solution from competitors?

The answer is simple: By virtue of the Aruba Mobile Virtual Enterprise (MOVE) architecture and integrated security capabilities, Aruba WLANs are less expensive to deploy and operate. Let me explain:

Many U.S. Department of Defense (DoD) agencies, by policy, require devices that execute cryptographic operations to be either under human control or be physically secured because they consider them to be part of their information assurance infrastructure and highly sensitive.

Cisco performs all 802.11i cryptography in its access points (APs). This means these same DoD agencies must deploy Cisco APs in special enclosures that are expensive to buy and install. None of those APs support Suite B today, which means you can look forward to budgeting for new Cisco AP hardware sometime in the distant future. Aruba, on the other hand, performs cryptography (including Suite B) in the centralized Mobility Controller – not the AP – so Aruba APs do not require enclosures and, consequently, cost less to install and maintain. And all of the Aruba APs that have ever been fielded can support a Suite B environment today.

Similarly, some DoD policies mandate regular inspection of cryptography-enabled, FIPS-compliant devices, for example, every 30 days. Imagine a Cisco WLAN with 500 APs, each of which must be inspected every 30 days – ridiculously expensive. Conversely, Aruba APs do not require regular inspection because cryptography and security run on the Mobility Controller.

Finally, every DoD network is required to undergo a security validation process before going online for production use. This process is called the Department of Defense Information Assurance Certification and Accreditation Process, or DIACAP, and under it every little security detail of every device must be double-checked.

For Cisco and Motorola, every AP configuration and installation should be validated during the DIACAP process in order to ensure compliance. If you have hundreds of APs, this can be a time-consuming and expensive endeavor. Again, unlike other vendors, Aruba's security capabilities, including Suite B, run on the Mobility Controller, so the process to obtain authority to operate (ATO) is simpler and much faster.

So, yes, Aruba's implementation of Suite B is, well, pretty sweet.