WirelessWall
Secure – Versatile -Proven
Ed Smith – CEO
WirelessWall, LLC
ed@wirelesswall.com
2012 HPIC Meeting – Los Alamos NM - September 26, 2012
WirelessWall - A Mature, Proven Solution
• The WirelessWall core technology was originally developed by the U.S. Navy to provide secure mobile shipboard networks; it is a “Secure in Place” solution
• Mature and fielded since 2001 (DoD, DOE, municipal and commercial entities); the design has met the needs of multiple federal and military agencies
• Over $50M invested in development; Board of Directors with prestigious military and civilian advisors
• Multiple NIST certifications and FIPS 140-2 validation
• Premier vendor support: Cisco, Motorola, Aruba, Nortel, etc.
• JSIC/JFCOM multi-year testing 2005-2009; recommended for DoD-wide interoperability and for use by Coalition Forces
Copyright WirelessWall LLC 2012
WirelessWall Layer 2 Advantage
• Once a wireless mesh network infrastructure is in place, it needs to be secured. The WirelessWall platform was built for that demanding environment: to secure in place networks of all kinds.
• WirelessWall was built as a vendor-agnostic platform offering end-to-end security. Layer 2 security is applied simply by installing software on one end device and then on the other; everything in between, the wireless as well as the wired portion of the network, is then secured.
• A common management interface can handle clusters of access points, even in a mobile mesh, for zoned security. The bottom line is that existing communication infrastructure combined with wireless 802.11x, mesh and WiMAX technologies now has a platform offering end-to-end security over shared public/private networks.
WirelessWall - the industry’s first Wireless Firewall
● Like a firewall, it supports policy filters to control what services users can access on a network, and it provides an audit trail.
● Like a VPN, it provides encrypted network access for users via a client.
● Superior to a firewall or a VPN because it operates at Layer 2, with considerable performance and simplicity advantages over IPsec or SSL.
● FIPS 140-2 validated AES encryption, with access control comparable to WPA2-Enterprise, even on legacy WiFi.
● Offers best-of-breed wireless security: strong encryption, authentication and access control, protecting data in transit over WiFi, WiMAX, mesh, 3G, 4G, ZigBee or wired LANs.
● Makes the wired and wireless portions of a network “unsniffable” between the two protected endpoints (the client and the access controller), and improves any network topology by adding blanket end-to-end encryption.
Encryption is the Future
• Killing Data: “In The Future, Encryption Will Become The Cornerstone Of Your Data Security And Privacy Strategy” – Forrester, January 30, 2012
• “Most security professionals today do not understand the motivations behind data theft; they put controls in place that protect the data that is most valuable to them, as opposed to the data that is most valuable to criminals.”
• In the future, you will encrypt data — both in motion and at rest — by default. This data-centric approach to security is a much more effective way to keep up with determined cybercriminals.
• “Ubiquitous encryption is the only hope we have of maintaining some kind of parity with attackers in the new threat landscape.”
Accomplishments – SRNS Team and Canberra Support
• Don Gregory - pioneered the development and implementation of RF networking in Limited and Protected Areas at SRS DOE facilities (started the project in 2003).
• Pervis Rouse – joined the team in 2005 to assist in further development/implementation.
• Scott Rogers – Canberra has provided, and continues to provide, primary technical support to the effort.
• Dennis Hadlock supported the entire effort in his organization and made the implementation possible.
• Tim Martinson has been involved with the effort over a number of years.
Cost/Benefit Analysis
• The actual benefits seen at SRNS include:
  – Dramatically reduced installation costs
  – Providing a solution when wired networks are not an option
  – Overall improved data security
  – Reduced manpower needs
  – Dramatic overall cost savings compared to wired networks
  – The cost of pulling cables can run into the hundreds of dollars per foot
  – Cost of documentation and planning, union labor, and any penetrations into sealed areas
  – Assuming a nominal $100 per foot to pull cable and a small building with 300-400 feet of cable as an example, the cable cost alone totals $30k to $40k
  – WirelessWall would be roughly 20% of the wired cost
Summation
• WirelessWall is approved by DOE and has been in use at SRNS for 6 years
• It is a software “Secure in Place” solution that allows existing equipment to be protected without replacement
• Wireless/Wired “Solid Core Security” can be implemented very quickly and cost-effectively
• The major advantages of WirelessWall are cost and ease of implementation
• Secure encryption is mandatory in today’s threat environment
Background
The Savannah River Site, a 310 square mile site, is located in the southeastern coastal area of the United States in the state of South Carolina. It is bordered to the west by the Savannah River and Georgia, and is close to several major cities, including Augusta and Savannah (GA) and Columbia, Greenville and Charleston (SC). It is in an area residents refer to as the Central Savannah River Area, or CSRA.
Site Facts
• The site was built during the 1950s to refine nuclear materials for deployment in nuclear weapons. It covers 310 square miles (800 km2) and employs more than 10,000 people.
• It is owned by the U.S. Department of Energy (DOE). The management and operating contract is held by Savannah River Nuclear Solutions (SRNS), LLC, now a Fluor partnership with Honeywell and Huntington Ingalls Industries (formerly part of Northrop Grumman), and the Liquid Waste Operations contract is held by Savannah River Remediation, which is a team of companies led by URS Corporation.

Reactor name   Start-up date   Shutdown date
R Reactor      December 1953   June 1964
P Reactor      February 1954   August 1988
K Reactor      October 1954    July 1992
L Reactor      July 1954       June 1988
C Reactor      March 1955      June 1985
Current and Future Missions
• Home to the Savannah River National Laboratory.
• Contains the nation's only operating radiochemical separations facility.
• The tritium facilities are also the United States' only source of tritium, an essential component in nuclear weapons.
• The nation's only mixed oxide fuel (MOX) manufacturing plant is being constructed at SRS. When operational, the MOX facility will convert legacy weapons-grade plutonium into fuel suitable for commercial power reactors. On August 1, 2007, construction officially began on the $4.86 billion MOX facility. The current deadline for the completion of construction is 2014. Following startup testing, the facility would begin operations in 2016 with a disposition rate of up to 3.5 tons of plutonium oxide each year. The mission is supposed to end in 2035, although it could be extended to 2038.
• The major focus is cleanup activities related to work done in the past for the nation's nuclear buildup.
• Currently none of the reactors on site are operating, although two of the reactor buildings are being used to consolidate and store nuclear materials.
• Future plans for the site cover a wide range of options, including hosting research reactors, a reactor park for power generation, and other possible uses.
ALARA: Why Use RF Networking?
 Initial cost avoidance of hard-wired networked system installations.
• Much less expensive than the installation of hard-wired systems. This is particularly true for older existing radiological facilities.
• For D&D (Decommissioning and Demolition) facilities, wireless systems can be removed before building demolition and re-used.
 Reduced man-hours and materials associated with source checks and alarm responses for ARMs and CAMs.
• Source checks on ARMs can be performed remotely; alarms can be acknowledged and the status of the entire network checked remotely prior to leaving the RCO office.
 Reduced worker radiation and contamination exposure.
Following an alarm, RCO can perform the initial investigation without entering an unknown radiation or airborne contamination condition. Routine operational checks and source checks on ARMs can be performed without entering a radiation area. Routine operational checks and the alpha spectrum can be viewed on alpha CAMs before entering the contamination area.
 Improved facility operational control.
For ARMs and CAMs the alarm and operational status of the network can be checked at the operations center or at any access point. The Control Room and the RCO office receive alarms and have full access to the information at the same time, avoiding notification errors.
 Improved alarm and operability communications.
The status and operability of the monitoring equipment can be checked in real time. Changes in radiological conditions on special jobs or operations can be monitored closely.
 Flexibility in the deployment of equipment.
Relocation of portable and fixed monitoring equipment can be completed quickly, reducing exposure to radiation and contamination.
 Operational data is electronically archived, which enhances reconstruction of events and job planning.
Operational data is date/time stamped and electronically saved daily. In the event of an incident the operational data on all of the associated equipment can be reviewed. Previous events/jobs can be critiqued to reduce exposure and time in the area.
Component List
• ASUS VMware complete workstation – Windows Office suite and Canberra/Aquila RadHawk program
• Canberra Alpha Sentry Manager ASM1000, Canberra Alpha Sentry Continuous Air Monitor sampling head, Thermo RMS3
• D-Link 4-port Ethernet switch
• WirelessWall – FIPS 140-2 validated
• Cranite’s FIPS 140-2 compliance certificate
• Proxim ORiNOCO Model AP-4000 access point
• ORiNOCO Classic Gold PC Card
• Aquila RadComm/Code Talker RF interface
RF Systems
CANBERRA AQUILA/WirelessWall
• Applicable for most RME (ARMs, CAMs, ICAMs and PCMs)
• FIPS (Federal Information Processing Standard) 140-2 compliant - for use in all areas (including Limited and Protected Areas)
• Can support multiple access points
• Network is easily expanded (at a later date as equipment is added)
• Fixed or portable application
• First and only DOE facility to install and operate wireless networking of radiation equipment in Limited and Protected Areas, approved by DOE
WIRELESSWALL
• Provides government-validated security software for WLANs
• WirelessWall carries a FIPS 140-2 validation. FIPS is short for Federal Information Processing Standards; the 140 series of cryptographic-module standards is issued by the National Institute of Standards and Technology (NIST). FIPS 140-2 defines four security levels, Level 1 through Level 4, whose requirements become more stringent at each level; the levels are suited to the wide range of environments in which cryptographic modules are used. FIPS 140-1 is the earlier edition of the same standard, superseded by FIPS 140-2 in 2001. A “validated” module holds a certificate on NIST’s Cryptographic Module Validation Program (CMVP) list; a vendor claim of “compliance” without such a certificate is not equivalent, so check the certificate number and the module’s approved mode of operation when evaluating a deployment.
• WirelessWall generally comes with three pieces: the policy server, an access controller for each subnet of the network, and client software for each PC.
RADHAWK CLIENT - Features
• Windows-based application
• RadNet compliant (RadNet is a non-proprietary protocol that utilizes standard Internet protocols)
• Remote monitoring of up to 256 instruments
• User-definable colors, sounds, backgrounds and tab hierarchy
• Timeout alarm
• Multiple password levels
• Data logging
• Spectrum panning
• Windows® 2000 and XP
• Accessible via wired or wireless Ethernet LAN
• Able to accommodate non-RadNet compliant devices via Code Talker hardware
RadNet Packet Types Currently Supported
• Alpha CAM
• Beta CAM
• Gamma Area Monitor
• Gamma Criticality Monitor
• Neutron Area Monitor
• Neutron Criticality Monitor
RF Systems in Service
 RMS3 ARMs, 105-L (Protected Area) Basin
 Alpha CAMs in 105-K (Protected Area)
 ARM and CAM demo system, 735-2B
 F-Canyon TRU Waste Remediation Project CAMs
Pending RF Deployment
 Alpha CAMs and ARMs in H-Canyon (Limited Area) awaiting facility design change; testing is complete and the design change approved.
 HB-Line awaiting facility approval for testing (Limited Area).
 RMS3 risk assessment/installation is in progress at H-Tank Farm.
 F-Tank Farm is awaiting facility approval for risk assessment testing.
K-Area – Nuclear Material Management (photographs)
Appended Technical Equipment Detail
Portable Alpha CAM – Original Design (figure: omni antenna, ASM1000, RF transmitter, CAM head)
New Portable ASM1000/AS1700R Unit – front view, side view and additional views (figure: CAM head, omni antenna, ASM1000, RF transmitter)
Canberra/Aquila Code Talker RF Transmitter (figure: NEMA 4 enclosure with gasket seal; mounting bracket and clips; FIPS encryption RF card; AC power adapter; antenna cable; cable to computer, RMS3 RS232, or CAM RS485). Dimensions: 9.6” x 6.6” x 2.6”
Proxim ORiNOCO AP-4000 Access Point - Repeater
In computer networking, a wireless access point (WAP) is a device that allows wireless devices to connect to a wired network using Wi-Fi, Bluetooth or related standards. The WAP usually connects to a router (via a wired network) and can relay data between the wireless devices (such as computers or printers) and wired devices on the network.
Diagram of Portable RF RMS3
The RMS-3 is an area and criticality radiation monitoring system designed to provide early warning if a hazardous condition develops.
HTF Portable RMS3 ARM (figure: omni antenna, directional antenna, detector, RF transmitter, RMS3)
First portable VAMP cart conversion without RF capability (VAMP - Victoreen Area Monitor Packet)
Old VAMP cart to be converted to RMS3 (figure; dimensions 30”w x 30”h x 9”d and 20”w x 16”h x 9.5”d)
Typical Aquila/WirelessWall RF Network (diagram)
Examples of HTF West Hill RF RadHawk – screen shots
Examples of HTF East Hill RadHawk display (three RMS3 units shown)
WirelessWall Value Propositions
The recognized value propositions of WirelessWall are:
• Eliminates the major cost of secure wireless provisioning. By encrypting at the endpoints, no security is required on the APs and there is no need for exotic vendor-specific AP management schemes.
• Cloaking. Fills security gaps by providing uniformly high (WPA2-Enterprise class) security at Layer 2, removing port and application exposure and securing heterogeneous networks.
• Low overhead. High-end encryption with low processing overhead and low bandwidth cost.
• Multiple-AP encryption. End-to-end pass-through of already-encrypted frames.
• Fast. No intermediate decryption and re-encryption is required at each AP along the path.
• Improves security. Eliminates the man-in-the-middle (MITM) spoofing/sniffing risks and the denial-of-service (DoS) exposure of IPsec and SSL VPNs.
• Works with anything. Protects existing infrastructure investment by enabling strong security on legacy devices that may not support WPA2-Enterprise mode.
• Goes the distance. Provides end-to-end security by extending encryption all the way from the wireless client to the data center instead of terminating it at the access point, which would otherwise leave the distant bridge from data center to AP exposed.
• Mandated. Most powerful true end-to-end solution for Smart Grid FIPS cyber security requirements; meets DoD Directive 8100.2 for wireless use on the DoD Global Information Grid and is FIPS validated.
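The Layer 2 model that the Layer 2 Advantage slide and the value propositions above describe (encrypt at the endpoints, pass already-encrypted frames through any number of APs, no keys on the APs) can be shown in a few lines of Go. This is an added illustrative example, not WirelessWall’s own code or frame format: the Ethernet header (destination, source, EtherType) stays in the clear so a bridge can forward on the destination MAC alone, the payload and original EtherType are sealed with AES-256-GCM, and the clear header is bound as associated data so a relay that rewrites it is detected at the far end. The EtherType value 0x88B5, the demo key and the alarm payload are constructed assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed, generic Layer 2 protection scheme for illustration only; it is
// not WirelessWall's frame format. The 14-byte Ethernet header stays in the
// clear so any access point or switch can forward the frame, while the
// payload is sealed with AES-256-GCM between the two key holders.

type MAC [6]byte

// Frame is a minimal Ethernet II frame.
type Frame struct {
	Dst, Src  MAC
	EtherType uint16
	Payload   []byte
}

// Header returns the clear-text bytes a bridge needs to forward the frame.
func (f Frame) Header() []byte {
	h := make([]byte, 14)
	copy(h[0:6], f.Dst[:])
	copy(h[6:12], f.Src[:])
	binary.BigEndian.PutUint16(h[12:], f.EtherType)
	return h
}

// EtherTypeProtected marks a frame whose payload is encrypted. The value is
// an assumption for this example (IEEE 802 local experimental range).
const EtherTypeProtected = 0x88B5

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect seals the payload and the original EtherType. The on-wire header
// is bound as associated data: a relay may read it but cannot alter it
// without the far end noticing.
func Protect(key []byte, f Frame) (Frame, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Frame{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Frame{}, err
	}
	out := Frame{Dst: f.Dst, Src: f.Src, EtherType: EtherTypeProtected}
	plain := make([]byte, 2+len(f.Payload))
	binary.BigEndian.PutUint16(plain, f.EtherType)
	copy(plain[2:], f.Payload)
	out.Payload = append(nonce, gcm.Seal(nil, nonce, plain, out.Header())...)
	return out, nil
}

// Unprotect reverses Protect and fails if the payload or the clear-text
// header was modified anywhere along the path.
func Unprotect(key []byte, f Frame) (Frame, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Frame{}, err
	}
	ns := gcm.NonceSize()
	if f.EtherType != EtherTypeProtected || len(f.Payload) < ns+2+gcm.Overhead() {
		return Frame{}, errors.New("not a protected frame")
	}
	plain, err := gcm.Open(nil, f.Payload[:ns], f.Payload[ns:], f.Header())
	if err != nil {
		return Frame{}, fmt.Errorf("authentication failed: %w", err)
	}
	return Frame{Dst: f.Dst, Src: f.Src,
		EtherType: binary.BigEndian.Uint16(plain[:2]), Payload: plain[2:]}, nil
}

// Forward models an access point or switch: it chooses the egress port from
// the destination MAC alone and never needs a key.
func Forward(fdb map[MAC]int, f Frame) (int, error) {
	port, ok := fdb[f.Dst]
	if !ok {
		return 0, errors.New("unknown destination: flood")
	}
	return port, nil
}

func main() {
	key := bytes.Repeat([]byte{0x11}, 32) // constructed demo key only
	client, controller := MAC{2, 0, 0, 0, 0, 1}, MAC{2, 0, 0, 0, 0, 2}
	orig := Frame{Dst: controller, Src: client, EtherType: 0x0800,
		Payload: []byte("constructed sample alarm record")}
	prot, _ := Protect(key, orig)
	port, _ := Forward(map[MAC]int{controller: 3}, prot) // AP forwards without the key
	fmt.Println("forwarded on port", port, "payload hidden:", !bytes.Contains(prot.Payload, orig.Payload))
	got, err := Unprotect(key, prot)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(got.Payload, orig.Payload))
	prot.Src[5] ^= 1 // a spoofing relay rewrites the source address
	_, err = Unprotect(key, prot)
	fmt.Println("tampered header rejected:", err != nil)
}
```

The point a practitioner should take from the example is where the protection ends: Forward never touches the key, so APs and mesh hops in the middle add nothing to the attack surface, but Unprotect runs only at the far key holder (the access controller in the three-piece architecture), and traffic beyond that point is in the clear unless protected separately.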