From cell phones to Blackberrys to wireless cards in laptops, nearly every federal worker and contractor connects to the Internet wirelessly these days. But there is no federal standard for securing these connections.
That is why the National Institute of Standards and Technology recently issued draft guidance on how to use the Extensible Authentication Protocol (EAP), which is a way to protect both the user and the wireless network.
NIST Special Publication 800-120 is still in draft and focuses mainly on federal wireless networks. Comments were due Jan. 30, and NIST expects the final guidance out this spring.
“By using wireless networks, you open up your network to attackers,” says Katrin Hoeper, a former NIST guest research fellow and now a senior security engineer in Motorola’s Applied Research and Technology Center. “You need to protect the network and the information on it and you also need to protect the users. You don’t want federal users to think they are accessing their federal network, but in fact accessing someone else’s network.”
Hoeper says hackers can more easily get into unprotected or inadequately protected wireless links. NIST is calling for mutual authentication using EAP.
“The network and the user should establish a key to encrypt the wireless link,” she says. “This document shows how federal agencies can use EAP to provide network access authentication to achieve all security objectives.”
She adds that the draft guideline is mainly for network administrators securing wireless networks. There are more than 40 different EAP methods, and NIST wanted to narrow down the choices of which ones to use.
“If an administrator is setting up a network, how do they know what to support?” she asks. “The draft gives some guidelines on what to pick and provides a general set of EAP methods and gives examples.”
In the guidance, NIST says EAP methods have advanced in how they protect wireless networks.
Hoeper says many agencies rely on PIN and password authentication to wireless networks. But the guidance details when agencies should consider EAP instead of password log-on.
“What is done in EAP is first the network establishes a secure tunnel and then exchanges the password in that tunnel for authentication,” she says. “Password-based authentication is used by a lot of older authentication systems and passwords are not very secure.”
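The tunnel-then-password pattern Hoeper describes only protects the user if the client checks who is on the other end of the tunnel before sending the password through it; otherwise a user can end up on "someone else's network," as she warns above. The following wpa_supplicant configuration fragments are an added illustration, not part of the NIST draft or this article: the first shows a weak supplicant profile that skips server certificate validation, the second the hardened form. The SSID, identity, CA path and domain suffix are placeholders.

```conf
# WEAK (illustrative, not from the NIST draft): PEAP with no ca_cert means the
# supplicant accepts any RADIUS server certificate, so the MSCHAPv2 password
# exchange can be tunneled to a rogue access point's server instead of the real one.
network={
    ssid="AGENCY-WIFI"            # placeholder SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"               # placeholder user
    password="CHANGE-ME"          # placeholder credential
    phase2="auth=MSCHAPV2"
    # no ca_cert, no domain_suffix_match: server identity is never verified
}

# HARDENED (illustrative): the client authenticates the network first by pinning
# the CA that issued the authentication server's certificate and requiring the
# server name to match, giving the mutual authentication the guidance calls for.
network={
    ssid="AGENCY-WIFI"            # placeholder SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@agency.example"   # placeholder outer identity
    identity="jdoe"               # placeholder user
    password="CHANGE-ME"          # placeholder credential
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/agency-radius-ca.pem"   # placeholder CA bundle path
    domain_suffix_match="radius.agency.example"     # placeholder server name
}
```

The outer identity keeps the real username out of the unencrypted first EAP round trip, and the two validation lines are what turn the TLS tunnel into an authenticated one rather than merely an encrypted one.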
Hoeper was a guest research fellow at NIST for two years after she finished her PhD at Waterloo University in Ontario, Canada.