White Paper 6-04
How AirDefense Ensures Compliance with the DoD Wireless Directive
The purpose of this whitepaper is to summarize the wireless policies defined by DoD Directive 8100.2,
dated April 14, 2004, and to explain how a 24 x 7 monitoring solution ensures that DoD organizations
can comply with the directive.
1. Purpose of the DoD Wireless Directive
The Department of Defense (DoD) Directive Number 8100.2 was issued on April 14, 2004. The Directive
covers the use of commercial wireless devices, services, and technologies in the DoD Global Information
Grid (GIG). The Directive spells out policies for deploying secure wireless networks, and requires
monitoring of those wireless networks for compliance. Additionally, the Directive states that wireless
networks are banned from use in certain areas, and it covers policies for banned and authorized wireless
networks. The Directive is effective immediately.
2. Scope of the Directive
“The Directive applies to all DoD personnel, contractors, and visitors that enter DoD facilities or that
have access to DoD information.”
The DoD Wireless Directive applies to all DoD organizations, including the Office of the Secretary of
Defense, the Military Departments, the Chairman of the Joint Chiefs of Staff, the Combatant Command,
the Office of the Inspector General of the Department of Defense, the Defense Agencies, the DoD Field
Activities, and all other DoD organizations. The Directive refers to these agencies collectively as the DoD
Components.
The Directive applies to all commercial wireless devices, services, and technologies, including voice and
data capabilities. This includes, but is not limited to, commercial wireless networks and Portable
Electronic Devices (PEDs) such as laptop computers with wireless capability, cellular/Personal
Communications System (PCS) devices, audio/video recording devices, scanning devices, remote
sensors, messaging devices, Personal Digital Assistants (PDAs), and any other commercial wireless
devices capable of storing, processing, or transmitting information.
3. Responsibilities
The Assistant Secretary of Defense for Networks and Information Integration, as the DoD Chief
Information Officer, shall monitor and provide oversight and policy development of all DoD wireless
activities.
Directive: “Include intrusion detection methodologies for wireless systems.”
The DoD Wireless Directive requires heads of the DoD Components to submit to the DoD CIO, within
180 days of this Directive, specific implementation timelines for compliance, and ensure that all new
commercial wireless procurements comply with this Directive immediately. The Directive asks DAAs
(Designated Approving Authorities) to:
• Ensure that wireless networks do not introduce wireless vulnerabilities that undermine the assurance
of interconnected systems
• Include intrusion detection methodologies for the wireless systems.
4. Need for the DoD Wireless Directive - Risks of Wireless Networks
Along with the many conveniences and cost saving advantages of wireless LANs, there are also many
inherent risks and vulnerabilities. These exist in the nature of the wireless medium, and in insecure
wireless LAN devices and configurations.
“Wireless LANs are a breeding ground for new attacks because the technology is young and organic
growth creates the potential for a huge payoff for hackers.”
Pete Lindstrom, Spire Security
Wireless Medium – Uncontrolled & Shared
Traditional wired networks use cables to transfer information, which are protected by the buildings that
enclose them. To gain access to a wired network, a hacker must bypass the physical security of the
building or breach the firewall. On the other hand, wireless networks use the air, an uncontrolled medium.
Wireless LAN signals can travel through the walls, ceilings, and windows of the building. This renders
the entire network accessible from another floor of the building, from an adjoining building, from the
parking lot, or from across the street. Radio signals from a single access point can travel up to thousands
of feet outside of the building walls.
Wireless networks use a shared medium, i.e., any wireless device in the network can “see” all the traffic
of all other wireless devices in the network. The risks of using a shared medium are increasing with the
advent of readily available “hacker’s tools.” A variety of specialized tools and tool kits enable hackers to
“sniff” data and applications, and to break both encryption and authentication.
Insecure Wireless LAN Devices
“Through year-end 2004, the employee’s ability to install unmanaged access points will result in more
than 50% of enterprises exposing sensitive information through wireless networks.”
Gartner
Insecure wireless LAN devices, such as access points and user stations, can seriously compromise both
the wireless network and the wired network, making them popular targets for hackers.
Access points can be insecure due to improper user configuration, or insufficient default configurations,
which do not have strong encryption or authentication. They become gateways that hackers use to access
both the wireless and the wired network.
Insecure wireless user stations pose an even bigger risk than insecure access points. These devices, which
often have either no security configuration or are using an insufficient default configuration, easily come
and go in the enterprise. Hackers can convert laptops into “soft” access points (soft APs) by either using a
variety of software programs, such as HostAP, Hotspotter, or Airsnarf, or by simply using a USB
wireless adapter. By inserting a soft AP into a wireless network, a hacker can cause legitimate users in the
network to connect to the hacker’s soft AP, compromise the user laptop, and use it as a bridge to breach
the network backbone.
“The problems with rogue access points will wane — though accidental network associations and
attacks against mobile laptops will increase. This makes it very important to understand the risks of
wireless LAN laptops and other devices that are present in every organization.”
Gartner
Wireless LANs Allow Strangers Easy Access
Accidental association takes place when a wireless laptop running the LAN-friendly Windows® XP or a
mis-configured client automatically associates and connects to a user station in a neighboring network.
This enables intruders to connect to innocent users’ computers, often without their knowledge,
compromise sensitive documents on the user station, and expose it to even further exploitation. This
danger is compounded if the station is connected to a wired network, which is also now accessible.
www.airdefense.net
2
Copyright 2004, AirDefense, Inc
Ad hoc networks are peer-to-peer connections between devices with wireless LAN cards that do not
require an access point or any form of authentication from other user stations. While these ad hoc
networks can be convenient for transferring files between stations or to connect to network printers, since
they lack security, they enable hackers to easily compromise an innocent user’s station or laptop.
“Unmanaged wireless LANs can jeopardize entire enterprise networks, data, and operations.”
Forrester
5. Summary of Policy Requirements
The DoD Wireless Directive covers several areas of policy requirements. These are listed under sections
4.1 through 4.10. Table 1 summarizes key policies under the directive.
Section                  Policy Area
4.1.1, 4.1.2 & 4.1.3     Need for strong encryption (FIPS 140-2 compliant) and authentication policies.
4.1.4                    Mitigation of Denial of Service and other disruptions or attacks.
4.2 & 4.3                Banning wireless devices in designated areas.
4.4                      Removing Wireless Personal Area Networks (WPAN) / Bluetooth devices from
                         designated areas.
4.5                      Active monitoring of unauthorized access of DoD IS (monitoring for unauthorized
                         wireless devices).
4.6, 4.7, 4.8            Mobile code, PED (concurrent) connectivity, and anti-virus guidelines.
4.10                     Establishing a knowledge management process.
Table 1. Summary of DoD Policy Directives
6. Role and Overview of the AirDefense Solution
The goal of the DoD Wireless Directive is to protect its computers and network from vulnerabilities
caused by wireless devices and networks. This is achieved via policies. Every network has to have a well
defined and documented policy. Without proper monitoring and enforcement, policies are no more than a
paperweight. The DoD Directive defines wireless policies. AirDefense can help DoD organizations
monitor and enforce this policy directive.
Define Policy: DoD directive has defined policy very well.
Monitor Policy: Use monitoring tools to ensure compliance.
Enforce Policy: Enforce policy by using proper technologies.
“RF Monitoring has emerged as a legitimate and often times required component of the enterprise
WLAN.”
MetaGroup
With a distributed and cooperative processing architecture of remote smart sensors that work in tandem
with a server appliance, AirDefense passively monitors all wireless LAN activity in real time for the
highest level of security, policy enforcement, and operational support. The architecture provides the
secure foundation for AirDefense to offer a scalable and manageable solution for wireless LANs in a
single office, a campus, or hundreds of locations around the globe. AirDefense provides for 24x7,
real-time monitoring of all 802.11 protocols for any vendor and any device.
While AirDefense proactively notifies IT personnel of alarms for security threats, policy violations, and
performance issues, the system also allows for network administrators to access a single interface for a
complete view of the wireless LAN and management-critical intelligence. The system also allows IT
managers to take proactive actions to enforce policies.
Figure 1. AirDefense Solution uses cooperative architecture that provides scalability and
reliability with centralized management.
7. How AirDefense Ensures Compliance with the Directive
The goal of the DoD Wireless Directive is to protect its computers and network from vulnerabilities
caused by wireless devices and networks.
Wireless network policies form the base of all wireless LAN deployments. AirDefense allows
organizations to manage customized wireless LAN policies based on the desired security and acceptable
uses for each wireless LAN device. AirDefense allows enterprises to customize policies for each device
as part of its centralized policy manager, which defines, monitors, and enforces the device-centric
policies. This section summarizes how AirDefense enables compliance with most of the DoD Wireless
Policy Directives.
4.1.1 Monitoring for Strong Authentication
Per Section 4.1.1, strong authentication, non-repudiation, and personal identification is required for
access to a DoD IS in accordance with published DoD policy and procedures. Identification and
Authentication (I&A) measures shall be implemented at both the device and network level. I&A of
unclassified voice is desirable; voice packets across an Internet protocol [e.g., Voice over Internet
Protocol (VoIP)] shall implement I&A in accordance with published DoD policy and procedures.
AirDefense allows organizations to set authentication and personal identification policy and monitor for
compliance. If any wireless LAN device is found noncompliant, AirDefense generates a notification.
AirDefense has specific detection for VPN or 3-factor authentication solutions, such as AirFortress.
AirDefense has detected situations in which customers configured strong authentication along with
“open” authentication (no authentication), a mistake that totally negates the value of strong
authentication, leaving the network vulnerable. Only automated real-time monitoring ensures that proper
authentication is always in place.
4.1.2 Monitoring for Strong Encryption
Per Section 4.1.2, encryption of unclassified data for
transmission to and from wireless devices is required. At a
minimum, data encryption must be implemented end-to-end
over an assured channel and shall be validated under the
Cryptographic Module Validation Program as meeting
requirements per Federal Information Processing Standards
(FIPS) 140-2.
[Figure: Screenshot of AirDefense DoD Policy Reports that were created specifically to ensure
compliance with DoD Directive 8100.2.]
AirDefense allows organizations to set encryption policies and monitor for compliance. If any wireless
LAN device is found non-compliant, AirDefense generates a notification. AirDefense has specific
detection for FIPS 140-2 compliant solutions such as AirFortress.
4.1.4 Mitigation of Denial of Service and other Disruptions or Attacks
Per section 4.1.4, measures shall be taken to mitigate denial of service attacks. These measures shall
address not only external threats, but potential interference from friendly sources.
AirDefense identifies network reconnaissance activity, suspicious wireless LAN activity, impending
threats, and attacks against the wireless LAN.
Attacks against Wireless LANs: AirDefense uses four intrusion detection technologies with correlation
across sensors to identify attacks. With correlation among its four key detection technologies, AirDefense
dramatically reduces false positives and gives accurate results. As the leader in wireless LAN intrusion
detection, AirDefense alerts IT security personnel to a range of attacks that include:
• Identity MAC spoofing
• Out-of-sequence communication triggered by session hijacking or Man-in-the-Middle attacks
• Multiple forms of De-Authenticate and Disassociate Denial-of-Service attacks
• Multiple forms of Denial-of-Service attacks with excessive MAC addresses
• Dictionary attacks from excessive failed authentication attempts
AirDefense’s four intrusion detection technologies and correlation engines make it the most effective
IDS.
Suspicious Activity & Impending Threats: AirDefense correlates information from all remote sensors
over time to identify suspicious activity, such as:
• A user station on the watch list entering an organization’s air space at any location
• A suspicious station repeatedly attempting to connect with multiple access points
• Anomalous traffic from unusual off-hours activity or large downloads to a station
Reconnaissance Activity: AirDefense recognizes multiple forms of wireless LAN scans including scans
from Netstumbler, Wellenreiter, and Windows XP.
Wireless Health Monitoring: By constantly monitoring all wireless activity, AirDefense provides a
comprehensive solution to monitor the health of the wireless LAN and provide operational support that
maximizes network performance.
• Performance Monitoring, to identify usage characteristics, interference from neighboring wireless
LANs, and channel overlap
• Network Use & Abuse: traffic patterns over time, potential abuse of the network, and access point
utilization
• Alerts to network administrators about unplugged, stolen, or failing access points
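The following Python is an added illustration, not AirDefense code, of the threshold-style detections this section lists: it runs simple per-window counters over a constructed set of 802.11 management-frame records to flag de-authenticate/disassociate floods, an excessive number of distinct MAC addresses, failed-authentication dictionary attacks, and a watch-listed station entering the airspace. The Frame record, the window size, the thresholds and every MAC address are assumptions made for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Added example (not AirDefense code). Frame records, thresholds and MAC
# addresses are constructed for illustration; a real sensor would tune them.

@dataclass(frozen=True)
class Frame:
    t: float       # seconds since capture start
    subtype: str   # "deauth", "disassoc", "auth_fail", "assoc" or "data"
    src: str       # transmitter MAC address
    bssid: str     # BSSID the frame belongs to

WINDOW_SEC = 10.0        # fixed time bucket used for every counter below
DEAUTH_FLOOD = 20        # deauth + disassoc frames per bucket on one BSSID
MAC_FLOOD_SOURCES = 50   # distinct source MACs per bucket on one BSSID
AUTH_FAIL_LIMIT = 10     # failed authentications per bucket from one station
WATCH_LIST = {"00:11:22:33:44:55"}   # constructed watch-list entry

def detect(frames, watch_list=WATCH_LIST):
    """Return (kind, subject, bucket_or_time) alerts for a list of Frames."""
    alerts = []
    seen_watch = set()
    buckets = defaultdict(list)
    for f in sorted(frames, key=lambda fr: fr.t):
        # A watch-listed station is reported the first time it is seen anywhere.
        if f.src in watch_list and f.src not in seen_watch:
            seen_watch.add(f.src)
            alerts.append(("watchlist_station", f.src, f.t))
        buckets[int(f.t // WINDOW_SEC)].append(f)
    for idx, group in sorted(buckets.items()):
        deauth = Counter(f.bssid for f in group if f.subtype in ("deauth", "disassoc"))
        sources = defaultdict(set)
        for f in group:
            sources[f.bssid].add(f.src)
        fails = Counter(f.src for f in group if f.subtype == "auth_fail")
        alerts += [("deauth_flood", b, idx) for b, n in deauth.items() if n >= DEAUTH_FLOOD]
        alerts += [("mac_flood", b, idx) for b, s in sources.items() if len(s) >= MAC_FLOOD_SOURCES]
        alerts += [("auth_dictionary", s, idx) for s, n in fails.items() if n >= AUTH_FAIL_LIMIT]
    return alerts

def sample_frames():
    """Constructed capture: background traffic plus one instance of each attack."""
    ap = "00:0a:0b:0c:0d:0e"
    frames = [Frame(t, "data", "00:aa:bb:cc:dd:01", ap) for t in range(0, 40, 2)]
    # 0-5 s: 25 deauth frames claiming to come from the AP (deauth flood)
    frames += [Frame(0.2 * i, "deauth", ap, ap) for i in range(25)]
    # 10-16 s: association attempts from 60 different MAC addresses (MAC flood)
    frames += [Frame(10 + 0.1 * i, "assoc", f"02:00:00:00:{i // 256:02x}:{i % 256:02x}", ap)
               for i in range(60)]
    # 20-26 s: 12 failed authentications from one station (dictionary attack)
    frames += [Frame(20 + 0.5 * i, "auth_fail", "00:aa:bb:cc:dd:02", ap) for i in range(12)]
    # 31 s: a watch-listed station shows up
    frames.append(Frame(31.0, "assoc", "00:11:22:33:44:55", ap))
    return frames

if __name__ == "__main__":
    for kind, subject, where in detect(sample_frames()):
        print(f"{kind:18} {subject:20} window/time={where}")
```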
4.2 & 4.3 Banning Wireless Devices in Designated Areas
Section 4.2 of the Directive states that wireless devices shall not be allowed into an area where classified
information is discussed or processed. Section 4.3 states that wireless devices used for storing,
processing, and/or transmitting information shall not be operated in areas where classified information is
electronically stored, processed, or transmitted.
“Perform wireless intrusion detection to discover rogue access points, foreign devices connecting to
corporate access points and accidental associations to nearby access points in use by other companies.”
Gartner
The Directive is needed because unauthorized “rogue” wireless LANs represent one of the biggest threats
to an organization’s network security. Rogue wireless LANs create an open entry point (backdoor) to the
enterprise network by bypassing all existing security measures. Identification of these rogue wireless
LANs is paramount for all organizations.
AirDefense provides full rogue detection that goes beyond simple alerts of broadcasting access points.
Detection of All Rogue WLAN Devices & Activity: AirDefense recognizes all wireless LAN devices,
which include access points, wireless LAN user stations, soft APs (where stations function as access
points), and specialty devices (such as wireless bar code scanners for shipping or inventory applications).
AirDefense also identifies rogue behavior from ad hoc, peer-to-peer networking between user stations,
and accidental associations from user stations connecting to neighboring networks.
Detecting a rogue access point is trivial. Figuring out what damage was done by it requires strong
forensics capabilities.
Analysis of Rogue Connections: AirDefense analyzes all connections made by rogue activities to
understand the communication among all wireless LAN devices. By identifying the stations that connect
to rogue wireless LANs, AirDefense enables IT personnel to assess which devices are at risk.
Risk & Damage Assessment: AirDefense tracks all rogue communication and provides forensic
information to identify when the rogue first appeared, how much data was exchanged, and the direction of
traffic (downloads from the enterprise network vs. uploads). With detailed analysis, AirDefense helps IT
personnel assess the risk and damage from the rogue. Packet capture can also be enabled for further
analysis of the rogue devices using a network analyzer such as Ethereal or Sniffer.
4.4 Removing Wireless Personal Area networks (WPAN) / Bluetooth Devices
Section 4.4 requires that DAAs shall ensure that Wireless Personal Area Network (WPAN) capability is
removed or physically disabled from a device unless FIPS PUB 140-2 validated cryptographic modules
are implemented.
Class 1 Bluetooth devices that easily form Wireless Personal Area Networks have a range of 330 feet.
The number of Bluetooth devices is growing rapidly. With Class 1 Bluetooth devices having a range of
330 feet, they can cause security issues that are similar to those of wireless LAN devices. Bluetooth
networks in many enterprises connect back to a wired network at some point. Hackers can use an insecure
networked Bluetooth laptop as an entry point into the entire enterprise network, gaining access to
sensitive information that may not even exist on the Bluetooth network.
AirDefense BlueWatch is a Windows-based software program that scans for the presence of Bluetooth
devices and their key attributes. BlueWatch can enable individual users and enterprises to identify rogue
and insecure Bluetooth devices in their air space, enabling them to take proactive steps to mitigate the
risk of security breaches.
4.5. Active Monitoring of Unauthorized Access of DoD IS
Per Section 4.5, the DoD Components shall actively screen for wireless devices. Active electromagnetic
sensing at the DoD or contractor premises to detect/prevent unauthorized access of DoD ISs shall be
performed to ensure compliance.
AirDefense allows enterprises to customize policies for each device as part of its centralized policy
manager that defines, monitors, and enforces the device-centric policies.
Wireless LAN Devices & Roaming Policies: AirDefense allows IT managers to define policies for
authorized user stations, their configuration, how stations connect to the wireless LAN, and recognized
threats. A network roaming policy for user stations recognizes roaming policy violations when a user
station tries to connect with unapproved access points within the enterprise.
24x7 active monitoring using passive sensors and a strong centralized policy manager ensures that
WLANs are conforming to the security policy.
Channel Policies: AirDefense allows enterprises to establish channel policies for:
• Ad hoc networks between stations, and to specify the channels for authorized ad hoc networks
• Authorized channels for each access point, and to identify all WLAN traffic on unsanctioned channels
• Off-hours traffic monitoring for certain wireless devices and locations
Vendor Policies: Because wireless LANs should be deployed using enterprise-class infrastructure,
AirDefense allows IT managers to define approved hardware vendors for devices using the wireless LAN.
With a list of accepted vendors, AirDefense then recognizes all hardware from unapproved vendors when
they enter the enterprise airspace.
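As an added example (not AirDefense's own code), the following Python expresses the device-centric policies described for Sections 4.1.1, 4.1.2 and 4.5 above as checks over an observed inventory: authorized access points and their sanctioned channels, approved vendor OUIs, open authentication offered beside strong authentication, non-FIPS encryption, ad hoc cells on unapproved channels, station roaming to unapproved access points, and off-hours activity. All BSSIDs, OUIs, the encryption labels and the policy values are constructed for the example.

```python
from dataclasses import dataclass
# Added example, not AirDefense code; every BSSID, OUI and policy value is constructed.

@dataclass(frozen=True)
class AccessPoint:
    bssid: str
    channel: int
    auth: frozenset    # advertised authentication methods, e.g. {"open", "802.1x"}
    encryption: str    # label used here: "none", "wep" or "fips140-2"

@dataclass(frozen=True)
class Association:
    station: str
    bssid: str         # peer AP, or the ad hoc cell's BSSID
    mode: str          # "infrastructure" or "adhoc"
    channel: int
    hour: int          # local hour (0-23) when the link was observed

@dataclass(frozen=True)
class Policy:
    authorized_aps: dict            # bssid -> sanctioned channel
    approved_ouis: frozenset        # first three octets of approved vendors' MACs
    required_encryption: str
    adhoc_channels: frozenset       # channels where ad hoc cells are tolerated
    off_hours: frozenset            # hours in which station activity is flagged

def check_ap(ap, p):
    # Rogue, channel, vendor, authentication and encryption findings for one AP.
    f = []
    if ap.bssid not in p.authorized_aps:
        f.append(("rogue_ap", ap.bssid))
    elif ap.channel != p.authorized_aps[ap.bssid]:
        f.append(("unsanctioned_channel", ap.bssid))
    if ap.bssid.lower()[:8] not in p.approved_ouis:
        f.append(("unapproved_vendor", ap.bssid))
    if "open" in ap.auth:     # open auth offered alongside strong auth still negates it
        f.append(("open_authentication", ap.bssid))
    if ap.encryption != p.required_encryption:
        f.append(("weak_encryption", ap.bssid))
    return f

def check_link(a, p):
    # Ad hoc, roaming and off-hours findings for one observed station link.
    f = []
    if a.mode == "adhoc" and a.channel not in p.adhoc_channels:
        f.append(("adhoc_unapproved_channel", a.station))
    if a.mode != "adhoc" and a.bssid not in p.authorized_aps:   # rogue or neighbour AP
        f.append(("roaming_violation", a.station))
    if a.hour in p.off_hours:
        f.append(("off_hours_activity", a.station))
    return f

def audit(aps, links, p):
    return ([x for ap in aps for x in check_ap(ap, p)]
            + [x for a in links for x in check_link(a, p)])

POLICY = Policy(
    authorized_aps={"00:0a:0b:00:00:01": 1, "00:0a:0b:00:00:02": 6},
    approved_ouis=frozenset({"00:0a:0b"}),
    required_encryption="fips140-2",
    adhoc_channels=frozenset(),     # ad hoc cells banned on every channel
    off_hours=frozenset({22, 23, 0, 1, 2, 3, 4, 5}),
)
OBSERVED_APS = [
    AccessPoint("00:0a:0b:00:00:01", 1, frozenset({"802.1x"}), "fips140-2"),   # compliant
    AccessPoint("00:0a:0b:00:00:02", 11, frozenset({"802.1x", "open"}), "fips140-2"),
    AccessPoint("00:ff:ee:12:34:56", 6, frozenset({"open"}), "wep"),           # rogue
]
OBSERVED_LINKS = [
    Association("00:aa:bb:00:00:01", "00:0a:0b:00:00:01", "infrastructure", 1, 10),
    Association("00:aa:bb:00:00:02", "00:ff:ee:12:34:56", "infrastructure", 6, 10),
    Association("00:aa:bb:00:00:01", "02:aa:bb:cc:dd:ee", "adhoc", 3, 14),
    Association("00:aa:bb:00:00:02", "00:0a:0b:00:00:01", "infrastructure", 1, 23),
]
FINDINGS = audit(OBSERVED_APS, OBSERVED_LINKS, POLICY)
```

Each finding is a (kind, subject) pair, so the same list can feed a notification or the policy reports described in the paper.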
4.10 Wireless Knowledge Management (KM)
Section 4.10 states that a DoD wireless KM process shall be established to increase sharing of DoD
wireless expertise to include information on vulnerability assessments, best practices, and procedures for
wireless device configurations and connections. The KM process shall be utilized by DAAs to help
determine acceptable uses of wireless devices and employ appropriate mitigating actions. The DoD
Components shall use the KM process to coordinate, prioritize, and avoid duplication of vulnerability
assessments of wireless devices.
AirDefense maintains a historical database that powers robust reporting and analysis for historic trends
and forensics, enabling realization of the KM process. Some of the key information for Knowledge
Management provided by AirDefense includes:
• Historical Data for Trends and Forensics reports for specific trends and forensics
• Automated Summary email reports (daily and weekly) for management, security, and network
administrators
• Device-Centric Reports for missing devices, ad hoc networks, probing stations, individual access
point and user station snapshots
• Security & Rogue Detection Reports for vulnerability assessment, rogue summaries, rogue details,
and unauthorized access points
• Policy Reports that accumulate access point policy violations and policy summaries
Summary
As we discussed in this white paper, wireless network risks are real. A $40 access point or an insecure
wireless-ready laptop connected to the secure network can open serious security holes or backdoors,
rendering useless millions of dollars spent on securing the network backbone using firewalls and intrusion
detection systems.
The goal of the DoD Wireless Directive is to take proactive steps to prevent such security holes. That is
best accomplished by defining a policy that protects DoD computers and networks. To benefit from this
policy, DoD organizations should:
• Monitor for the presence of rogue user stations or access points and their activity
• Deploy wireless LAN technologies that comply with the policy (e.g., FIPS 140-2 compliant
encryption)
• Monitor wireless network infrastructure for compliance with the policy
24x7 monitoring using distributed sensors working with a central server is the only practical way to
monitor for compliance. The AirDefense solution is designed for wireless LAN monitoring, to proactively
detect threats and attacks and ensure policy compliance and enforcement.
“AirDefense offers the only enterprise-class solution for 24x7 real-time monitoring.”
Kendra Warren, CIO, DeCA
AirDefense has recently created reports that are specifically
designed to assess compliance of wireless devices and networks with the DoD Directive (see the report
samples on the next page). Dozens of Federal bodies, including a number of DoD organizations, are
already taking advantage of AirDefense to ensure proper security and peace of mind.
AirDefense DoD Compliance Report Samples
[Figure 2. Summary, Operational Support, and Authentication Reports]
[Figure 3. Availability, Vulnerability, and Encryption Reports]
About AirDefense, Inc.
Founded in 2001, AirDefense pioneered the concept of 24x7 monitoring of the airwaves and provides the
most advanced solutions for rogue wireless LAN detection, policy enforcement, intrusion protection and
monitoring the health of wireless networks. Blue chip companies and government agencies rely upon
AirDefense solutions to secure and manage wireless networks around the globe.
For more information or feedback on this white paper, please contact
Email: info@airdefense.net; Phone: 770.663.8115
All trademarks are the property of their respective owners.