Securing The Military's PX WLANs

By Gerry Blackwell

August 11, 2003

When Wi-Fi security was compromised, even U.S. military grocery stores sat up and took notice. They solved the problem with a mix of technologies including a major deployment of AirFortress products.

An army, they say, marches on its stomach. Which is one reason the U.S. military's Defense Commissary Agency (DeCA), the outfit that runs camp PXs where soldiers and their families shop for groceries, is such a big and well-run enterprise.

DeCA manages 276 stores and several distribution centers around the world. It runs them in most ways not much differently than any forward-thinking commercial grocery chain. That means, for example, that it has used 802.11 technology since 1996 -- well before the current 11-Mbps 802.11b standard.

"The grocery industry in general has used wireless for a very long time," notes John Goodman, Chief of the Technology Management Division in DeCA's Directorate of Information Technology.

The news two years ago that hackers had compromised 802.11's Wired Equivalent Protocol (WEP) encryption was no doubt of some concern to commercial grocery chains, but it landed like a bombshell at DeCA. This is, after all, a military organization, however far removed from combat. Security is a very high priority.

Goodman won't talk about specific threats DeCA identified. Most important, though, was that hackers could conceivably break into DeCA's systems and from there penetrate firewalls in front of linked segments of the larger Department of Defense (DoD) network.

"We realized that we must protect our own enclave," Goodman says. "Security is only as good as your weakest link."

It should come as no surprise that DeCA chose the AirFortress solution from Fortress Technologies to beef up its wireless security. It was the only security solution at the time certified to meet Federal Information Processing Standards (FIPS) established by the National Institute of Standards and Technology. It was also DoD's standard.

It wasn't just the threat to DoD's network that motivated DeCA, though. Hackers could also get access to all of DeCA's inventory management data, or even intercept debit card data of DeCA's military patrons.

"It's relatively minor compared to what DoD would want to protect," Goodman concedes, "but we definitely did not want our data to be compromised. We followed DoD [in insisting on FIPS certification] but our standard would have been the same in any case."

DeCA takes wireless security as seriously as it does in part because it's so heavily exposed -- it uses wireless in almost all its facilities, in a number of areas.

The IBM electronic cash registers at check-out lanes are attached to the store LAN by Ethernet cabling, but for other applications where running cables isn't feasible -- outdoor points of sale, bakery-deli shops and storerooms where clerks need to account for produce consigned to salvage -- DeCA uses wirelessly connected registers.

In store warehouses and distribution centers, staff use wireless handheld devices with integrated bar code readers from Psion Teklogix. They use them when picking products off warehouse shelves to stock the store and when receiving or dispatching shipments. The handhelds allow them to record transactions and adjust inventory on the spot, in real time.

For real-time monitoring of the airwaves, DeCA has also started to use the AirDefense wireless LAN security and monitoring system. DeCA has AirDefense sensors installed in about 300 locations, monitored by three server appliances in the United States and Europe.

DeCA uses the handhelds in stores to do remote price checks, for ad hoc stock checking in preparation for an influx of new personnel to a base or to keep tabs on stock levels on items that are part of promotions with supplier partners.

Until the AirFortress security project, which was announced in May 2003, DeCA also used wirelessly-connected IBM printers in the warehouses and distribution centers. Personnel rolled them to whichever loading dock was active to print shipping invoices and receipts.

DeCA has been using the technology so long that nobody thinks much anymore about cost benefits. "I don't really have [a return on investment] number off the top of my head," Goodman says. "It's based on the efficiency [wireless gives us] -- and just industry best practices."

The total investment in wireless at DeCA exceeds $10 million. That covers the cost of purchasing, installing and maintaining some 2,400 wireless handhelds, 450 wireless cash registers and 1,400 Wi-Fi access points. The AirFortress roll-out accounts for about $3 million.

A large part of the latter expense was for implementation. Goodman's team had to visit every site and touch every device. It involved loading the AirFortress client software on every client device -- except the IBM printers on which it was impossible to load it. (The printers are now in fixed locations attached to the wired network.)

It also meant integrating AirFortress software into the Wi-Fi access points. This all took time, but the roll-out was completed earlier this year.

DeCA's investment in Wi-Fi technology is by no means at an end. Earlier this year, the agency launched a long-term upgrade program. It will take months just to finalize the requirements before it goes out to tender. Goodman doesn't expect that to happen until 2005.

While he's not prejudging the issue, the assumption at this point is that vendors bidding on the project will offer 802.11a or 802.11g equipment -- or something even faster. The higher speeds would have little impact on DeCA's current wireless applications -- many work fine over older 2-Mbps WLAN segments -- but Goodman and his team can already see lots of potential for new applications.

"We've not looked too deeply into this yet," he says. "But things like graphics on the cash registers and electronic signage. There are numerous capabilities that some of our commercial counterparts are already offering their patrons."

"There are shopping carts today with wireless devices integrated. Self-checkout capabilities are a possibility. At this point, though, we're just writing requirements. We'll let the industry propose back to us what they think might be appropriate."

So, wireless industry...'TENTION! Stand on high alert until the bidding war begins. And keep in mind that while an army marches on its stomach, the grocery industry apparently runs on thin air.
