Solutions from AirTight Networks can help a civilian agency to quickly assess wireless security and centrally enforce policy throughout the organization's enterprise networks.
Federal civilian agencies are under increased scrutiny of their programs for wireless security. A recent report by the U.S. Government Accountability Office (GAO-11-43) praises efforts by the 24 major agencies on implementing practices for wireless security. But the GAO also cites related inconsistencies, such as insufficient practices for monitoring or conducting security assessments of their wireless networks. Without corrective efforts, the GAO notes that "wireless networks will remain at an increased vulnerability to attack."
In FISMA, Congress assigned the National Institute of Standards and Technology (NIST) to develop technical guidelines for security. The following Special Publications from NIST provide guidelines for securing wireless technologies, according to the GAO report.
|
NIST SP 800-53 Controls for Wireless Security |
AirTight Capabilities |
|
AC-18 |
Wireless access:
- Establish usage restrictions and implementation guidance for wireless access;
- Monitor for unauthorized wireless access;
- Authorize wireless access prior to connection; and
- Enforce requirements for wireless connections.
|
- Wireless access for authorized VLANs and enforcement of "no Wi-Fi" policies on those portions of the wired enterprise that must remain No Wi-Fi
- Support for 802.11n, 802.11g, 802.11b and 802.11a
- Assure proper wireless access and prevent unauthorized wireless behavior (automated, always on, auto-authorization of clients, behavior-based authorization)
|
|
AC-19 |
Access control for mobile devices:
- Establish usage restrictions and implementation guidance for organization-controlled mobile devices;
- Authorize connection of mobile devices meeting organizational usage restrictions and implementation guidance;
- Monitor for unauthorized connections of mobile devices;
- Enforce requirements for the connection of mobile devices;
- Disable information system functionality that provides the capability for automatic execution of code on mobile devices without user direction;
- Apply controls to mobile devices returning from locations deemed to be of significant risk.
|
- Profile policies enforced for home, work and away
- Automatically block unauthorized access behavior without user intervention or harming neighboring networks
|
|
AU-6 |
Audit review, analysis, and reporting:
- Review and analyze information system audit records for indications of inappropriate or unusual activity, and report findings to designated organizational officials;
- Adjust the level of audit review, analysis, and reporting when there are significant changes in risks.
|
- Monitor both the wired and wireless networks for wireless traffic
- Perform wireless policy audits
- Automated reports, compliance reports, forensics analysis, remote packet capture
|
|
CA-7 |
Continuous monitoring:
- Use a configuration management process for the information system and its constituent components;
- Determine the security impact of changes to the information system and environment of operation;
- Provide ongoing security control assessments;
- Report the security state of the information system to appropriate organizational officials.
|
- Always on; discovers vulnerabilities affecting wireless assets 24x7
- Proactive WLAN performance management and troubleshooting
|
|
IA-2 |
Identification and authentication (organizational users):
- Ensure that the information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
|
- No open wireless network usage
- Monitor encryption and authentication configurations of authorized wireless networks
|
|
IA-8 |
Identification and authentication (non-organizational users):
- Ensure that the information system uniquely identifies and authenticates non-organizational users such as civilians, contractors, or guests (or processes acting on behalf of non-organizational users).
|
- Monitor encryption and authentication configurations of authorized guest wireless networks
|
|
PE-18 |
Location of information system components:
- Ensure that the organization positions information system components within the facility to minimize the opportunity for unauthorized access.
|
- Discover all wireless assets on a 24x7 basis without requiring a physical site survey
- Locate unauthorized Wi-Fi devices on your floor map for quick removal
|
|
RA-2 |
Security categorization:
- Categorize information and the information system in accordance with applicable federal authorities;
- Document the security categorization results in the security plan;
- Ensure the security categorization decision is reviewed and approved by authorized parties.
|
- Automatically classifies all wireless activity into authorized, rogue and external
- Accurately identify genuine threats versus false alarms
- Customization of alerts, events and reports
|
|
RA-3 |
Risk assessment:
- Conduct an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;
- Document risk assessment results;
- Review risk assessment results;
- Update the risk assessment whenever there are significant changes to the system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.
|
- Automated, canned and customizable reports, e.g. wireless vulnerabilities, intrusion prevention
- Continuously monitors wireless activity to identify soft spots in wireless security
|
|
RA-5 |
Vulnerability scanning:
- Scan for vulnerabilities in the system and hosted applications, and when new vulnerabilities potentially affecting the system/applications are identified and reported;
- Employ vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards;
- Analyze vulnerability scan reports and results from security control assessments;
- Remediate legitimate vulnerabilities in accordance with an organizational assessment of risk; and
- Share information obtained from the vulnerability scanning process and security control assessments with designated personnel to help eliminate similar vulnerabilities in other systems.
|
- Scan for vulnerabilities affecting both the wired and wireless networks 24x7
- Detect, classify, block and locate rogue access points
- Distributed administration allows regional reports, alerts and management
- Wireless vulnerability reports can be generated automatically or on demand with a single click
- Detailed drill down on detected vulnerabilities
|
|
SC-7 |
Boundary protection:
- Monitor and control communications at the external boundary of the system and at key internal boundaries within the system;
- Connect to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
|
- Location-based policy enforcement for access points and client devices
|
|
SI-4 |
Information systems monitoring:
- Monitor events on the system and detect system attacks;
- Identify unauthorized use of the system;
- Deploy monitoring devices;
- Heighten the level of system monitoring whenever there is an indication of increased risk.
|
- Provides monitoring for WLAN security and performance
|
|
SI-5 |
Security alerts, advisories, and directives:
- Receive system security alerts, advisories, and directives from designated external organizations on an ongoing basis;
- Generate internal security alerts, advisories, and directives as deemed necessary;
- Disseminate security alerts, advisories, and directives to designated personnel; and
- Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance.
|
- Automatic notification of all wireless client vulnerabilities
- Centralized alarms and reporting from thousands of sensors and millions of devices
|
|
PM-5 |
Information system inventory:
- Develop and maintain an inventory of the organization’s information systems.
|
- Detects and documents all wireless devices in the air space
|
The Department of Defense has published DoD Directive 8420.01, which addresses additional security best practices for commercial wireless local area network devices, systems, and technologies. See our DoD Solutions page for more information on how AirTight helps implement these best practices.
AirTight offers the most powerful wireless intrusion prevention system (WIPS) technology to protect both wired and wireless networks from wireless threats. SpectraGuard Enterprise WIPS is used by the most security-conscious defense and civilian agencies in the United States and abroad. AirTight solutions are appropriate for protecting both “no Wi-Fi” and managed Wi-Fi networks.
AirTight offers the only comprehensive overlay security solution to protect both wired and Wi-Fi networks from wireless threats. AirTight integrates easily with most enterprise WLANs. AirTight 802.11n sensors are backward compatible with 802.11a/b/g and offer future-proof security with a system that can be automatically upgraded as new versions of its products are released. AirTight products are FIPS, Common Criteria and CAC compliant.
Links in this microsite will lead you to more information about federal wireless security requirements and solutions from AirTight Networks. Please contact your AirTight Networks federal sales representative for information specific to your agency’s requirements.