Wireless technologies enable military, civilian government, and corporate
operations to interconnect Local Area Networks (LANs) quickly and reliably in
environments where wired connections are impractical or cost-prohibitive. This
connection of LANs over the air, without a fixed wired medium, is typically
referred to as wireless interconnectivity. Several specific link technologies
are used for it, including radio frequency, microwave, and free-space optics.
While attractive from an operational perspective, wireless LAN interconnections
have significant drawbacks when it comes to security. As with any open medium,
ensuring the confidentiality and integrity of sensitive data traveling across
these links is of paramount importance. The threats to sensitive information
sent over the airwaves fall into two classes. In a passive attack the
perpetrator only listens, collecting and reading data (or analyzing traffic
patterns) without altering anything, which makes the attack hard to detect. In
an active attack the perpetrator injects, modifies, or replays traffic, and the
integrity of the network is breached. Encryption by itself addresses the passive
case; defeating active attacks also requires integrity protection (an
authentication tag on every frame or packet) and replay protection.
To show how these challenges can be remedied in an operational setting, the
following discussion examines the advantages of wireless LAN interconnection
and the vulnerabilities that come with it, and compares Layer 2 and Layer 3
encryption as alternatives for enhanced security.
The expansion of wireless LAN
interconnections within government and enterprise has come as a result of LAN
flexibility, ease of deployment, and cost savings. As alluded to previously,
outdoor wireless interconnections over radio frequency, microwave, and
free-space optic mediums allow system architects to connect LANs dynamically
without having to physically lay cable or provision a service. In military
environments in particular, wireless LAN interconnections can be established
and dismantled at a moment’s notice in accordance with changing tactical and
strategic battlefield conditions. Examples of this include forward-deployed
tactical units and strategic intra-base virtual campus topologies such as
military clinics and hospitals. A schematic representation of this environment
is shown in Figure 1.
Figure 1: Wireless LAN interconnection in a forward-deployed tactical battlefield environment
While providing quick setup and complete ownership of the backbone wireless LAN
links, the connections offer no inherent security. Wireless LAN interconnections
are vulnerable to interception and must therefore be secured to ensure the
confidentiality and integrity of the data traveling across them. Because of this
vulnerability, the U.S. government has issued regulations to mitigate the threat
of interception that specify encryption as the preferred mechanism for
protecting sensitive data. Within the Department of Defense (DoD), DoD
Instruction 8500.2 and DoD Directive 8100.2 require that Sensitive But
Unclassified (SBU) data carried over wireless systems be encrypted using FIPS
140-2 validated equipment employing the Advanced Encryption Standard (AES)
algorithm.
In theory, encryption across LANs can be done at any of the seven layers
defined by the Open Systems Interconnection (OSI) model for data networking
(Figure 2). The OSI model defines the functions and components that establish a
data connection. The lower in the model encryption is applied, the more
transparent it is to everything above it and the more of the traffic it covers.
At the top of the model (Layer 7), specific applications are addressed; at the
bottom (Layer 1), the physical medium. In practice, data encryption on a link is
done at the frame level (Ethernet, Layer 2) or the packet level (IP, Layer 3).
Figure 2: The seven layers of the OSI model
Layer 2 versus Layer 3: Advantages and vulnerabilities
Encryption can thus be applied to a LAN interconnection at either Layer 2 or
Layer 3. With the proliferation of the Internet, most encryption devices on the
market until quite recently were packet encryptors operating strictly at IP
Layer 3 using the IP Security (IPsec) protocol suite. However, with increased
traffic volumes and the growing use of latency-sensitive applications such as
voice, video, and multimedia, the per-packet cost of IPsec has become a real
limitation: in tunnel mode every packet gains an outer IP header, an ESP header,
an initialization vector, padding, and an integrity check value, which is a
large fraction of a small voice packet, and packets already near the link MTU
are pushed over it and must be fragmented. Given the nature of deployed
battlefield communications, Layer 3 interconnections using IPsec encryption
have proven impractical.
Layer 2, the data link layer, moves frames between directly connected nodes
over the physical medium that Layer 1 provides, and it is the layer at which
high-speed, high-throughput links between telecommunication facilities are
typically built. An encryptor operating at this layer encrypts the entire
payload of every frame, so all higher-level protocols crossing the link, IP as
well as ARP, VLAN-tagged, and non-IP traffic, are covered, and the overhead is a
fixed few bytes per frame regardless of what the frame carries.
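As an added example (not code from the original article), the Python below models the two encapsulations discussed in the preceding two paragraphs on constructed sample traffic: a MACsec-style Layer 2 frame encryptor and an IPsec ESP tunnel-mode Layer 3 encryptor. It shows what a passive listener still sees in each case, the bytes each adds to a 160-byte voice payload, and when the ESP tunnel pushes a full-size packet into IPv4 fragmentation. The cipher is a stand-in (an HMAC-SHA256 keystream with an HMAC tag) so the file runs on the standard library alone; a real encryptor uses a FIPS 140-2 validated AES module. The key, MAC and IP addresses, SPI, and packet numbers are assumptions made up for the example.

```python
"""Layer 2 (frame) versus Layer 3 (IPsec ESP tunnel) encryption of one link.

Added example with constructed traffic. The cipher is a stand-in (HMAC-SHA256
keystream, HMAC tag) so this runs on the standard library; a real encryptor
uses a FIPS 140-2 validated AES module. Key, addresses, SPI and packet numbers
are assumptions made up for the example.
"""
import hashlib
import hmac
import math
import struct

KEY = b"demo-link-key-not-for-real-use"   # assumption: pre-shared link key
SRC_MAC = bytes.fromhex("020000000001")   # assumed addresses
DST_MAC = bytes.fromhex("020000000002")
ETHERTYPE_IP = b"\x08\x00"
ETHERTYPE_MACSEC = b"\x88\xe5"           # IEEE 802.1AE SecTAG EtherType
ICV_LEN = 16                              # integrity check value, as with AES-GCM


def ipv4_header(src, dst, total_len, proto):
    # Checksum left at 0: only the wire layout matters for this comparison.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, src, dst)


def build_frame(payload, src_ip=bytes([10, 1, 1, 10]), dst_ip=bytes([10, 2, 2, 20])):
    """Constructed Ethernet/IPv4/UDP frame, e.g. one RTP voice packet on port 5004."""
    udp = struct.pack("!HHHH", 5004, 5004, 8 + len(payload), 0) + payload
    return DST_MAC + SRC_MAC + ETHERTYPE_IP + ipv4_header(src_ip, dst_ip, 20 + len(udp), 17) + udp


def _xor_keystream(nonce, data):
    """Stand-in stream cipher: a PRF in counter mode. Never reuse (KEY, nonce)."""
    stream = b"".join(hmac.new(KEY, nonce + struct.pack("!I", i), hashlib.sha256).digest()
                      for i in range(math.ceil(len(data) / 32)))
    return bytes(a ^ b for a, b in zip(data, stream))


def _icv(aad, nonce, ct):
    return hmac.new(KEY, aad + nonce + ct, hashlib.sha256).digest()[:ICV_LEN]


def l2_encrypt(frame, pn):
    """MACsec-style: MACs stay clear, a 16-byte SecTAG (with SCI) is inserted,
    everything from the original EtherType onward is encrypted, ICV appended."""
    sectag = ETHERTYPE_MACSEC + b"\x2c\x00" + struct.pack("!I", pn) + SRC_MAC + b"\x00\x01"
    aad = frame[:12] + sectag
    ct = _xor_keystream(sectag, frame[12:])
    return aad + ct + _icv(aad, sectag, ct)


def l2_decrypt(enc):
    aad, ct, icv = enc[:28], enc[28:-ICV_LEN], enc[-ICV_LEN:]
    sectag = aad[12:]
    if not hmac.compare_digest(icv, _icv(aad, sectag, ct)):
        raise ValueError("ICV mismatch: frame modified in transit")
    return aad[:12] + _xor_keystream(sectag, ct)


def l3_encrypt(frame, spi, seq, outer_src=bytes([192, 0, 2, 1]), outer_dst=bytes([192, 0, 2, 2])):
    """IPsec ESP tunnel mode: the Ethernet header is stripped, the inner IP packet
    is padded to a 4-byte boundary, encrypted, and wrapped in an ESP header and a
    new outer IP header; the encryptor's own Ethernet header goes in front."""
    inner = frame[14:]
    pad_len = (-(len(inner) + 2)) % 4
    pt = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, 4])   # next header 4 = IPv4
    esp_hdr = struct.pack("!II", spi, seq)
    iv = struct.pack("!Q", seq)                    # 8-byte IV as in AES-GCM ESP (RFC 4106)
    ct = _xor_keystream(esp_hdr + iv, pt)
    esp = esp_hdr + iv + ct + _icv(esp_hdr, iv, ct)
    return DST_MAC + SRC_MAC + ETHERTYPE_IP + ipv4_header(outer_src, outer_dst, 20 + len(esp), 50) + esp


def l3_decrypt(enc):
    """Returns the inner IP packet; the original MAC header does not survive a Layer 3 hop."""
    esp = enc[34:]
    esp_hdr, iv, ct, icv = esp[:8], esp[8:16], esp[16:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(icv, _icv(esp_hdr, iv, ct)):
        raise ValueError("ICV mismatch: packet modified in transit")
    pt = _xor_keystream(esp_hdr + iv, ct)
    return pt[:-(pt[-2] + 2)]


def cleartext_view(enc, layer):
    """What a passive listener reads without the key."""
    if layer == 2:   # 12 bytes of MAC addresses + 16-byte SecTAG
        return {"dst_mac": enc[:6].hex(), "src_mac": enc[6:12].hex(), "clear_bytes": 28}
    outer = enc[14:34]   # Ethernet + outer IP + SPI/sequence + IV are all in the clear
    return {"outer_src_ip": ".".join(map(str, outer[12:16])),
            "outer_dst_ip": ".".join(map(str, outer[16:20])),
            "spi": struct.unpack("!I", enc[34:38])[0], "clear_bytes": 50}


def overhead(payload_len):
    """Bytes each encryptor adds to one frame carrying payload_len bytes of UDP data."""
    f = build_frame(b"\x00" * payload_len)
    return {"frame": len(f), "l2": len(l2_encrypt(f, 1)) - len(f), "l3": len(l3_encrypt(f, 1, 1)) - len(f)}


def ipv4_fragments(packet_len, mtu=1500):
    """IPv4 fragments needed for a packet of packet_len bytes on a link with this MTU
    (fragment data must be a multiple of 8). Only the Layer 3 path can hit this; a
    Layer 2 frame just grows by 32 bytes, which the link's maximum frame size covers."""
    if packet_len <= mtu:
        return 1
    return math.ceil((packet_len - 20) / ((mtu - 20) // 8 * 8))


if __name__ == "__main__":
    print("G.711 20 ms packet:", overhead(160))            # l2 adds 32 bytes, l3 adds 56
    big = l3_encrypt(build_frame(b"\x00" * 1472), 1, 1)
    print("1472-byte UDP payload needs", ipv4_fragments(len(big) - 14), "fragments after ESP")
```

For a 160-byte voice payload the ESP tunnel adds 56 bytes per packet against 32 for the frame encryptor, and a full-size 1472-byte datagram that fits one Ethernet frame in the clear becomes two IP fragments after ESP. The listener on the Layer 3 link also learns the encryptor gateways' IP addresses and the SPI, which identifies the security association; on the Layer 2 link only MAC addresses and the SecTAG remain readable.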
Enhancing LAN security
LANs are known for their ease of use and quick setup, but the security of an
interconnected LAN is only as good as the weakest link tying the wireless
network together. Protection mechanisms such as strong access control,
intrusion detection and prevention systems, firewalls, malware removal, and
encryption are routinely tested and deployed within LANs. If the links between
those LANs are not themselves secured, however, the data crossing them remains
exposed to interception and compromise no matter how well each LAN is
protected.