http://www.gcn.com/print/25_16/41041-1.html
By Brad Grimes and Jason Miller
GCN Staff
06/19/06 issue

The Agriculture Department's wireless policy, updated in April through a series of departmental notices, comprises everything from architectural requirements to acquisition guidance.

Unlike the Defense Department's most recent wireless memorandum, USDA's policy covers technologies such as Bluetooth and infrared communications, which the department tightly restricts, requiring that Bluetooth and infrared be used only between government-owned devices or within secure government facilities. These technologies also can only be used with strict security measures turned on, including Encryption Mode 3, use of temporary personal identification numbers and more. It's a very detailed policy.

"We have 3,000 county offices where they use wireless devices, and we have to make sure we have a policy that takes care of all our concerns from a security perspective," said Robert Suda, USDA's associate CIO.

For instance, if an employee teleworks and uses a wireless LAN at home, a department representative must inspect the employee's home to ensure the use of Secure Sockets Layer protocol, virtual private networking or the IEEE 802.11i wireless security standard with AES encryption.

Within USDA, the policy requires the use of 802.11i. Approved two years ago, the standard can be a hurdle for agencies that deployed pre-802.11i networks, because the accompanying encryption algorithms often require hardware upgrades.

USDA offices must also deploy 802.11i wireless equipment certified by the National Institute of Standards and Technology to conform to Federal Information Processing Standards 140-2. As in the recent DOD wireless policy, FIPS-140-1 cryptographic modules are not acceptable. Offices that deployed wireless networks before 802.11i came out have a year from April to upgrade, and they're not allowed to connect their noncompliant networks to any other USDA network without a waiver.

Aside from 802.11i requirements, USDA has taken many of the same steps as DOD, requiring wireless intrusion detection devices and firewalls along the wireless network. But unlike DOD, USDA is particularly concerned with access point configuration. The department requires X.509 certificates in all devices to authenticate actual access points. USDA also requires that all APs be registered with the department and maintain logs of unauthorized access attempts for 30 days. In addition, the policy said, "APs will be located on interior walls of buildings."

Agriculture is one of only a handful of agencies with a mature wireless policy.

© 1996-2006 Post-Newsweek Media, Inc.