WirelessWall
Secure – Versatile – Proven
Ed Smith – CEO WirelessWall, LLC
ed@wirelesswall.com
2012 HPIC Meeting – Los Alamos NM - September 26, 2012

WirelessWall - A Mature, Proven Solution
• The WirelessWall Core Technology was originally developed by the U.S. Navy to provide secure, mobile shipboard networks; it is a “Secure in Place” solution
• Mature and fielded since 2001 (DoD, DOE, municipal and commercial entities); the design has met the needs of multiple federal and military agencies
• Over $50M investment for development, prestigious BOD Military and Civilian advisors
• Multiple NIST certifications and FIPS 140-2
• Premier vendor support: Cisco, Motorola, Aruba, Nortel, etc.
• JSIC/JFCOM multi-year tested 2005-2009, recommended for interoperability DoD-wide and use by Coalition Forces

Copyright WirelessWall LLC 2012

WirelessWall Layer 2 Advantage
• Wireless mesh network infrastructure, once in place, needs to be secured. It was for this demanding environment that the WirelessWall platform was built: to secure in place all networks of all kinds.
• WirelessWall security was built as a vendor-agnostic platform offering end-to-end security. The platform keeps Layer 2 security simple: software is installed on one device, then the other. Under this solution everything in between, over the wireless as well as the wired portion of a network, is secured.
• A common management interface can handle clusters of access points, even in mobile mesh, for zoned security. The bottom line is that existing communication infrastructure combined with wireless 802.11x, mesh and WiMax technologies now has a platform offering end-to-end security in shared public/private networks.

WirelessWall - the industry’s first Wireless Firewall
● Like a firewall, it supports policy filters to control what services users can access on a network and provide an audit trail.
● Like a VPN, it provides encrypted network access for users via a client
● Superior to a firewall or a VPN because it is Layer-2, with considerable performance and simplicity advantages over IPsec or SSL
● FIPS 140-2 certified strong AES encryption with Control comparable to WPA2-Enterprise, even on legacy WiFi
● Offers best-of-breed wireless security: strong encryption, authentication and access and protects data in-transit for WiFi, WiMax, Mesh, 3G, 4G, Zigbee or LANs
● Makes the wired and wireless portions of a network “unsniffable,” and improves any network topology by adding blanket end-to-end encryption

Encryption is the future
• Killing Data: “In The Future, Encryption Will Become The Cornerstone Of Your Data Security And Privacy Strategy” – Forrester, January 30, 2012
• “Most security professionals today do not understand the motivations behind data theft; they put controls in place that protect the data that is most valuable to them, as opposed to the data that is most valuable to criminals.”
• In the future, you will encrypt data — both in motion and at rest — by default. This data-centric approach to security is a much more effective way to keep up with determined cybercriminals.
• “Ubiquitous encryption is the only hope we have of maintaining some kind of parity with attackers in the new threat landscape.”

Accomplishments – SRNS Team and Canberra Support
• Don Gregory - pioneered the development and implementation of the RF Networking in Limited and Protected Areas at SRS DOE facilities. (Started project in 2003)
• Pervis Rouse – Joined the team in 2005 to assist in further development/implementation.
• Scott Rogers – Canberra has provided and continues to provide primary technical support to the effort.
• Dennis Hadlock supported the entire effort in his organization and made the implementation possible.
• Tim Martinson has been involved with the effort over a number of years.

Cost/Benefit Analysis
• The actual benefits seen at SRNS include:
  – Dramatically reduced installation costs
  – Providing a solution when wired networks are not an option
  – Overall improved data security
  – Reduced manpower needs
  – Dramatic overall cost savings compared to wired networks
  – The cost of pulling cables can run into the hundreds of dollars per foot
  – Cost of the documentation and planning, union labor, any penetrations into sealed areas
  – Assuming a nominal $100 per foot to pull cable and a small building with 300-400 feet of cable as an example, for a total in just cable cost of $30k to $40k
  – WirelessWall would be roughly 20% of the wired costs

Summation
• WirelessWall is approved by DOE and has been in use at SRNS for 6 years
• It is a software “Secure in Place” solution that allows existing equipment to be protected without replacement
• Wireless/Wired “Solid Core Security” can be implemented very quickly and cost-effectively
• The major advantages of WirelessWall are cost and ease of implementation
• Secure encryption is mandatory in today’s threat environment

Background
The Savannah River Site, a 310 square mile site, is located in the southeastern coastal area of the United States in the state of South Carolina. It is bordered to the west by the Savannah River and Georgia, and is close to several major cities, including Augusta and Savannah (GA.), Columbia, Greenville, and Charleston (S.C.). It is in an area residents refer to as the Central Savannah River Area, or CSRA.

Site Facts
• The site was built during the 1950s to refine nuclear materials for deployment in nuclear weapons. It covers 310 square miles (800 km2) and employs more than 10,000 people. It is owned by the U.S. Department of Energy (DOE).
• The management and operating contract is held by Savannah River Nuclear Solutions, LLC (SRNS), now a Fluor partnership with Honeywell and Huntington Ingalls Industries (formerly part of Northrop Grumman), and the Liquid Waste Operations contract is held by Savannah River Remediation, which is a team of companies led by URS Corporation.

Reactor name    Start-up date     Shutdown date
R Reactor       December 1953     June 1964
P Reactor       February 1954     August 1988
K Reactor       October 1954      July 1992
L Reactor       July 1954         June 1988
C Reactor       March 1955        June 1985

Current and Future Missions
• Home to the Savannah River National Laboratory.
• Contains the nation's only operating radiochemical separations facility.
• Tritium facilities are also the United States' only source of tritium, an essential component in nuclear weapons.
• The nation's only mixed oxide fuel (MOX) manufacturing plant is being constructed at SRS. When operational, the MOX facility will convert legacy weapons-grade plutonium into fuel suitable for commercial power reactors. On August 1, 2007, construction officially began on the $4.86 billion MOX facility. The current deadline for the completion of construction is 2014. Following startup testing, the facility would begin operations in 2016 with a disposition rate of up to 3.5 tons of plutonium oxide each year. The mission is supposed to end in 2035, although it could be extended to 2038.
• Major focus is cleanup activities related to work done in the past for the nation's nuclear buildup.
• Currently none of the reactors on-site are operating, although two of the reactor buildings are being used to consolidate and store nuclear materials.
• Future plans for the site cover a wide range of options, including host to research reactors, a reactor park for power generation, and other possible uses.

ALARA: Why Use RF Networking?
Initial cost avoidance of hard-wired networked system installations.
• Much less expensive than the installation of hard-wired systems. This is particularly true for older existing radiological facilities.
• For D&D (Decommissioning and Demolition) Facilities, Wireless Systems can be removed before building demolition and be re-used.
Reduced man-hours and materials associated with source checks and alarm responses for ARMs and CAMs.
• Source Checks on ARMs can be performed remotely; Alarms can be acknowledged and the status of the entire network checked remotely prior to leaving the RCO office.

ALARA: Why Use RF Networking?
Reduced worker radiation and contamination exposure.
• Following an alarm, the RCO can perform an initial investigation without entering an unknown radiation or airborne contamination condition.
• Routine operational checks and source checks on ARMs can be performed without entering a radiation area.
• Routine operational checks and alpha spectrum can be viewed on Alpha CAMs before entering the contamination area.

ALARA: Why Use RF Networking?
Improved Facility operational control.
• For ARMs and CAMs the alarm and operational status of the network can be checked at the operational center or any access point.
• The Control Room and the RCO office can get alarms and have full access to the information at the same time and avoid notification errors.

ALARA: Why Use RF Networking?
Improved alarm and operability communications.
• The status and operability of the monitoring equipment can be checked real-time.
• Changes in radiological condition on special jobs or operations can be monitored closely.

ALARA: Why Use RF Networking?
Flexibility in the deployment of equipment.
• Relocation of portable and fixed monitoring equipment can be completed quickly, reducing exposure to radiation and contamination.
Operational data is electronically archived and will enhance reconstruction of events and job planning.
• Operational data is date/time stamped and electronically saved daily.
• In the event of an incident the operational data on all of the associated equipment can be reviewed.
• Previous events/jobs can be critiqued to reduce exposure and time in the area.

Component List
• ASUS VMWare Complete Workstation – Windows Office Suite and Canberra/Aquila RadHawk Program.
• Canberra Alpha Sentry Manager ASM1000, Canberra Alpha Sentry Continuous Air Monitor Sampling Head, Thermo RMS3
• D-Link 4-Port Ethernet Switch
• Wireless Wall – FIPS 140-2 Validated
• Cranite’s FIPS 140-2 Compliance Certificate
• Proxim ORiNOCO Model AP-4000 Access Point
• ORiNOCO Model Classic Gold, PC Card
• Aquila, RadComm/Code Talker RF Interface

RF Systems
CANBERRA AQUILA/Wireless Wall
• Applicable for most RME (ARMs, CAMs, ICAMs & PCMs)
• FIPS (Federal Information Processing Standard) 140-2 Compliant - for use in all Areas (including Limited and Protected Areas).
• Can support multiple access points
• Network is easily expanded (at a later date as equipment is added)
• Fixed or Portable Application
• First and Only DOE facility to install and operate wireless networking of radiation equipment in Limited and Protected Areas and approved by DOE.

WIRELESSWALL
• Provides government certified security software for WLANs
• WirelessWall carries a FIPS 140-2 rating. FIPS is short for Federal Information Processing Standards; the 140 cryptographic standard was created by the National Institute of Standards and Technology (NIST). The standard has four levels of security - Level 1, Level 2, Level 3, and Level 4 -- that increase in quality as they go up. FIPS 140-1, the first level, only supports DES and 3DES encryption. The various levels are suitable for a wide array of areas in which cryptographic modules could be used.
• WirelessWall generally comes with three pieces: the policy server, an access controller for each subnet of the network, and client software for each PC.

RADHAWK CLIENT - Features
• Windows Based Application
• RadNet Compliant
• RadNet - is a non-proprietary protocol that utilizes standard Internet protocols
• Remote monitoring of up to 256 instruments
• User-definable colors, sounds, backgrounds and tab hierarchy
• Timeout alarm
• Multiple password levels
• Data logging
• Spectrum panning
• Windows® 2000 and XP
• Accessible via wired or wireless Ethernet LAN
• Able to accommodate non-RadNet compliant devices via Code Talker hardware

RadNet Packet Types Currently Supported
• Alpha CAM
• Beta CAM
• Gamma Area Monitor
• Gamma Criticality Monitor
• Neutron Area Monitor
• Neutron Criticality Monitor

RF Systems in Service
• RMS3 ARMs 105-L (Protected Area) Basin Alpha CAMs in 105-K (Protected Area)
• ARM and CAM demo System 735-2B
• F-Canyon TRU Waste Remediation Project CAMs

Pending RF Deployment
• Alpha CAMs and ARMs in H-Canyon awaiting facility design change. (Limited Area) Testing is complete and design change approved.
• HB-Line awaiting facility approval for testing (Limited Area).
• RMS3 Risk Assessment/Installation is in progress at H-Tank Farm.
• F-Tank Farm is awaiting facility approval for Risk Assessment testing.

K-Area – Nuclear Material Management
[Photo slides]

Appended Technical Equipment Detail

Portable Alpha CAM – Original Design
[Photo labels: Omni Antenna, ASM1000, RF Transmitter, CAM Head]

Front View - New Portable ASM1000/AS1700R Unit
[Photo labels: Omni Antenna, CAM Head, RF Transmitter, ASM1000]

Side View
[Photo labels: CAM Head, Omni Antenna, ASM1000, RF Transmitter]

Additional Views

Canberra/Aquila Code Talker RF Transmitter
[Photo labels: Gasket Seal; NEMA 4 Enclosure; Mounting Bracket & Clips; FIPS Encryption RF Card; Dimensions 9.6” x 6.6” x 2.6”; AC Power Adapter; Antenna Cable; Computer, RMS3 RS232, or CAM RS485 Cable]

Proxim Orinoco AP-4000 Access Point - Repeater
In computer networking, a wireless access point (WAP) is a device that allows wireless devices to connect to a wired network using Wi-Fi, Bluetooth or related standards.
The WAP usually connects to a router (via a wired network), and can relay data between the wireless devices (such as computers or printers) and wired devices on the network.

Diagram of Portable RF RMS3
The RMS-3 is an area and criticality radiation monitoring system designed to provide early warning if a hazardous condition develops.

HTF Portable RMS3 ARM
[Photo labels: Omni Antenna, Directional Antenna, Detector, RF Transmitter, RMS3]

First portable VAMP Cart Conversion without RF capability
VAMP - Victoreen Area Monitor Packet

Old VAMP Cart to be converted to RMS3
[Photo labels: 30”w x 30”h x 9”d; 20”w x 16”h x 9.5”d]

TYPICAL AQUILA/WIRELESS WALL RF NETWORK
[Diagram]

Examples of HTF West Hill RF RADHAWK – Screen Shots
[Screen shots]

Examples of HTF East Hill Radhawk Display
[Screen shots; display labels: RMS3]

WirelessWall Value Propositions
The recognized value propositions of WirelessWall are:
• Eliminates major cost of secure wireless provisioning. By encrypting at the end-points, no security is required for APs and there is no need to use exotic vendor-specific schemes for AP management.
• Cloaking. Fills security gaps by providing uniform high (WPA2-Enterprise) security-only across at layer 2, eliminating port and application vulnerabilities and securing heterogeneous networks.
• Low Overhead. High-end encryption requiring low overhead and low bandwidth.
• Multiple AP encryption. End-to-end pass-through of already-encrypted frames.
• Fast. No intermediate encryption required for multiple APs.
• Improves security. Eliminates Man-in-the-Middle (MITM) spoofing/sniffing risks or Denial of Service (DoS) vulnerabilities of IPSec and SSL VPNs.
• Works with anything. It protects existing infrastructure investment by enabling strong security on legacy devices which may not support WPA2-Enterprise mode.
• Goes the distance. It provides end-to-end security by extending encryption all the way from the wireless client to the data center instead of at the access point, which would otherwise leave the distant bridge from data center to AP vulnerable.
• Mandated. Meets the DoD 8100-2 directive for wireless use on the DoD “Grid” and is FIPS certified.

Most powerful true end-to-end solution for Smart Grid addressing FIPS Cyber Security