Fortifying the Syracuse PD
October 28, 2003
Using government-level cryptography standards is what let this central New York city's police department go completely wireless without worry.
The pundits keep saying that information on a Wi-Fi network cannot be 100 percent secure. But what if it has to be? That's the question that was bothering Pat Phelps, a police officer and IT specialist in the Syracuse, N.Y. police department, as he moved to bring the department toward a wireless capability.
"The big thing is the nature of the information that is going across the network," he explained. "We take great pains to secure that in our wired network, and we needed to be sure we could do that on the wireless network as well."
To secure the city's growing network of police-department hotspots, Phelps turned to AirFortress, a product of Tampa, Fla.-based Fortress Technologies. It's a big win for AirFortress, and also an example of a marketing technique that is giving AirFortress an edge in the crowded marketplace of Wi-Fi security.
Specifically, AirFortress got into the market in a big way. In the summer of 2002 the firm earned the government's FIPS 140-1 certification. (FIPS is short for Federal Information Processing Standards; the 140-1 is a cryptographic standard.) With that certification in hand, the firm was able to sell thousands of wireless security gateways to the military.
That was enough to convince Phelps.
"If it is good enough for the government, we are willing to rely on them to say that it works," he said. Of course, the police department is not relying solely on the word of the military. In-house techs have tried to crack the system, and Phelps will hire some white-hat crackers to do the same. "But we are pretty confident."
The police department plans to use wireless access in interview rooms so that officers can verify information on the spot. In addition, hotspots scattered around the city will enable officers to access criminal histories and other data while in their cars.
Given the kind of sensitive data that will be involved here, analysts say, the police department will have a special obligation to keep the system under lock and key. "Once you establish that link, you should be approaching that same level of security as if you were sitting at a wired desk," said Ken Hyers, a wireless industry senior analyst at In-Stat/MDR. "If you have hotspots everywhere, so that people can just pull up in their cars, that of course means that a hacker can pull up in his car too. You don't want to create a drive-in cracker situation."
All of which begs the question: What makes the AirFortress solution different from others? Well, a couple of things, according to Ken Evans, vice president of marketing and product management at Fortress Technologies.
In the first place, he said, AirFortress brings together diverse approaches to security, gathering encryption, access control and mutual authentication into a single product. "We are taking a lot of different elements, which potentially could have been disparate products, and we are pulling them all together in a single, centralized security platform," he explained.
Further, AirFortress is banking on the value of a stand-alone system. While some systems manufacturers are integrating security solutions vertically into their entire product stack, Evans said, clients are better served by a freestanding product that is not tied to any particular system solution.
Perhaps most importantly, beyond the actual security abilities, there is the simplicity of the thing. "What matters most is the ease of use to the network administrators who have to implement these solutions and have to maintain them," said Evans. "One of the best compliments we ever got was from a gentleman in the Air Force who was using our solution for a supply logistics situation. He said, 'I like your product because it collects dust.' He got the product, he installed it and then he was able to forget about it."
Looking ahead, Evans said, the looming security debate in the Wi-Fi world lies in the nature of the wireless networks themselves, specifically in the growing battle between fat and thin access points.
"Should you put a lot of management capabilities, security capabilities, in the access point? Or should it be as dumb as a sprinkler head?" said Evans, who foresees a thin-point solution winning out. "If you look far enough down the road there is room for both solutions, but in a corporate environment that is trying to replace a wired network, they will realize that the whole point of an access point is to provide access and little else. They should cost about $75 apiece and all the rest of your management should be located somewhere else in the network."
From a security standpoint, said analyst Hyers, the thin solution probably is the way to go. With fat access points, security must put locks on dozens of doors. Thin access points, on the other hand, funnel all security issues to a single back door. "It is probably intrinsically more secure to have that single door," he said.