The federal government and the Department of Defense (DoD) recognize that standards-based wireless networking has become an essential part of conducting business efficiently. Many commercially available products can provide electronic security comparable to that of wired networks. However, these products must be configured and secured properly to provide the desired degree of protection.
Unlike a wired network, where the active components of the data communications network are physically secured in a telecom room with restricted access, a wireless network requires access points and antennas to be distributed throughout the facility. Protecting these distributed assets therefore calls for additional policy consideration.
What is the purpose of the DoD Instruction 8420.01?
Department of Defense network designers and installers use DoD Instruction 8420.01 for guidance in designing networks with appropriate security measures.
DoD Instruction 8420.01: Commercial Wireless Local-Area Network (WLAN) Devices, Systems, and Technologies
The purpose of this issuance is as follows:
- Establishes policy, assigns responsibilities, and provides procedures for the use of commercial WLAN devices, systems, and technologies per the authority in DoD Directive (DoDD) 5144.02.
- Specifies the minimum set of security measures required on WLAN-enabled portable electronic devices (PED) and workstations that transmit, receive, process, or store unclassified and classified information.
- Clarifies the use of non-DoD WLAN systems.
- Helps establish a wireless network intrusion detection and prevention capability for monitoring WLANs and configuring them for improved event handling.
- Promotes reciprocity by requiring all DoD-owned and -operated unclassified WLANs to support access by authorized DoD users with a DoD-provided WLAN-enabled PED.
- Guides the use of personal devices on a WLAN.
- Directs DoD Components to include support for unclassified WLAN systems in new DoD facilities during the planning stage to accommodate new technologies.
Because of the distributed nature of wireless LANs, the DoD Instruction addresses the physical security of access points throughout a facility. The following paragraphs are excerpts from 8420.01:
3.2. UNCLASSIFIED WLAN SECURITY CERTIFICATION AND VALIDATION
(a)(5) Validated Physical Security
APs used in unclassified WLANs should not be installed in unprotected environments due to an increased risk of tampering or theft. If installed in unprotected environments, APs that store plaintext cryptographic keying information must be protected with added physical security to mitigate risks.
(a) DoD Components may choose products that meet FIPS 140-2 overall level 2, or higher, validation to ensure that the AP provides validated tamper evidence, at a minimum; or
(b) DoD Components may physically secure APs by placing them inside of securely mounted, pick-resistant, lockable enclosures.
3.8. CLASSIFIED WLAN SECURITY CERTIFICATION AND VALIDATION
(b) Physical Security of Classified WLANs
(1) WLAN APs used to transmit or process classified information must be physically secured. Methods must exist to facilitate the detection of tampering. WLAN APs must have controlled physical security, in accordance with Volumes 3 and 4 of DoD Manual 5200.01.
(2) Physical or electronic inventories may be conducted by polling the serial number or MAC address. APs not stored in a communication security approved security container must be physically inventoried.
(3) WLAN APs must be set to the lowest possible transmit power setting that meets the required signal strength of the area serviced by the AP.
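Paragraph (2) above allows electronic inventories to be taken by polling serial numbers or MAC addresses. The reconciliation step, comparing what the controller reports against the authoritative site inventory, is what turns such a poll into a tamper or theft indicator. The following is an added example, not code from DoD Instruction 8420.01 or from any vendor's controller API: it assumes the polled snapshot has already been parsed into simple records, and all locations, serial numbers and MAC addresses in it are constructed for illustration.

```python
"""Reconcile an authoritative WLAN access-point inventory against a polled snapshot.

Added example (not from DoD Instruction 8420.01 or any controller API). The record
format, locations, serial numbers and MAC addresses below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ApRecord:
    location: str  # mounting location recorded during the site survey / AP's location field
    serial: str    # vendor serial number
    mac: str       # management/radio MAC address as polled from the controller


def normalize_mac(mac: str) -> str:
    """Canonicalise vendor MAC spellings (aa:bb:.., AA-BB-.., aabb.ccdd.eeff) to lowercase colon form."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def reconcile(expected, polled):
    """Compare the authoritative inventory with a polled snapshot.

    Returns a dict of findings:
      missing   - inventoried serials that did not answer the poll (theft / power loss / disconnection)
      unknown   - polled serials absent from the inventory (unauthorised or replacement hardware)
      swapped   - serial present but its MAC differs (board or radio replaced)
      relocated - serial present but reported at a different location than recorded
    """
    exp_by_serial = {r.serial: r for r in expected}
    seen = {r.serial: ApRecord(r.location, r.serial, normalize_mac(r.mac)) for r in polled}
    findings = {"missing": [], "unknown": [], "swapped": [], "relocated": []}
    for serial, rec in exp_by_serial.items():
        if serial not in seen:
            findings["missing"].append(rec)
            continue
        live = seen[serial]
        if normalize_mac(rec.mac) != live.mac:
            findings["swapped"].append((rec, live))
        if rec.location != live.location:
            findings["relocated"].append((rec, live))
    for serial, live in seen.items():
        if serial not in exp_by_serial:
            findings["unknown"].append(live)
    return findings


# Constructed sample data: the authoritative inventory and one polled snapshot.
EXPECTED = [
    ApRecord("Bldg 12 / Rm 101", "SN-0004", "00:11:22:33:44:04"),
    ApRecord("Bldg 12 / Rm 204", "SN-0001", "00:11:22:33:44:01"),
    ApRecord("Bldg 12 / Rm 210", "SN-0002", "00:11:22:33:44:02"),
    ApRecord("Bldg 12 / Rm 318", "SN-0003", "00:11:22:33:44:03"),
]
POLLED = [
    ApRecord("Bldg 12 / Rm 105", "SN-0004", "00:11:22:33:44:04"),  # same AP, different location field
    ApRecord("Bldg 12 / Rm 204", "SN-0001", "0011.2233.4401"),     # healthy, vendor dotted MAC format
    ApRecord("Bldg 12 / Rm 210", "SN-0002", "00-11-22-33-44-99"),  # serial matches, MAC does not
    ApRecord("Bldg 12 / Rm 305", "SN-0009", "00:11:22:33:44:09"),  # never inventoried
    # SN-0003 does not answer the poll at all
]


def run_sample():
    """Reconcile the constructed data and return the findings for inspection."""
    return reconcile(EXPECTED, POLLED)


if __name__ == "__main__":
    for kind, items in run_sample().items():
        print(f"{kind}: {len(items)}")
        for item in items:
            print("   ", item)
```

In practice the polled list would come from the controller's AP table and the expected list from the site's asset register; anything that lands in `missing`, `swapped` or `unknown` is a prompt for the physical inventory the instruction requires for APs not held in an approved security container, and `relocated` is worth a walk-through even when the hardware is intact.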
Handling Access Points With Care
Wherever enclosures are installed, their locking capability must actually be used to prevent intrusion and tampering. Denying physical access to an access point while still permitting authorized access enforces the required security measures without making servicing of the access point inconvenient when it is needed.
If an enclosure is adapted to secure the mounting of a wireless access point, the overall security of the enclosure should be reviewed. Physically attaching the enclosure to the building structure (not to the ceiling gridwork) is an essential part of maintaining the integrity of a secure installation.
The performance of the access point is a key factor when choosing the means of physical security. When securing access points per 8420.01, care must be taken not to degrade the performance, wireless coverage, installation convenience, or aesthetics of the access point. Using RF-transparent enclosure materials provides physical protection without obstructing wireless performance.