DoD Commercial WLAN Technologies Instruction 8420.01

The US Department of Defense (DOD) released a commercial wireless local area network (WLAN) devices, systems, and technologies Instruction (NUMBER 8420.01) that implements the DoD Directive 8100.2 related to commercial wireless that was released in 2004 and updated in 2006 [DoD Instruction Number 8420.01].

DoDD 8100.2

Use of Commercial Wireless Devices, Services, and Technologies in the Department of Defense (DoD) Global Information Grid (GIG) – April 14, 2004. [source]

DoDD 8100.2 Supplement

Use of Commercial Wireless Local-Area Network (WLAN) Devices, Systems, Technologies in the Department of Defense (DoD) Global Information Grid (GIG) -June 2, 2006. [source]

The 8420.01 Instruction mainly applies to DoD owned 802.11 devices and networks.

The Instruction does not apply to non 802.11 technologies such as Bluetooth and WIMAX and non DoD systems that use 802.11 such as hotspots, hotel, and home networks.

Policy for Unclassified WLANs

Unclassified WLAN systems shall be standards-based and IEEE 802.11 compliant, employ certified RF communications functions for interoperability, and employ certified and/or validated information assurance (IA) and cryptographic functions.

Unclassified WLAN-enabled PEDs shall use antivirus software, personal firewalls, data-at-rest encryption, and implement strong identification and authentication (I&A) (e.g., two factor, at a minimum) to access the device and the network.

PED = Portable Electronic Device (aka PDA, PDA phone)
WLAN-enabled PEDs = Devices like the iPhone, Palm Pre, and newer Blackberry smartphones

Policy for Classified WLANs

Employ National Security Agency (NSA)-approved encryption end-to-end and secure the storage, processing, receipt, and transmission of information accessed using NSA-approved encryption.

The WLAN must include information assurance measures:

• Classified WLAN-enabled PEDs shall use NSA, Type 1 encryption to protect classified data-in-transit and data-at-rest on PEDs.
• Unclassified and classified DoD wired and wireless LANs shall have a wireless intrusion detection capability that can be used to monitor WLAN activity and identify WLAN-related policy violations.
• Unclassified and classified WLAN-enabled PEDs used to access DoD e-mail systems shall support the signing and encrypting of e-mail.

Download DoD WLAN Instruction 8420.01 PDF

Download and read the entire DoD Instruction Number 8420.01.

Related posts:

1. BridgeChecker v1.2 Available for Download BridgeChecker v1.2 Available for Download BridgeChecker v1.2 and previous...
2. WLAN Book On Twitter WLAN Book On Twitter WLAN Book is on Twitter!...
3. Rogue Access Point Detection Using iWIDS Rogue Access Point Detection Using iWIDS iWIDS is an online...

BridgeChecker v1.2 Available for Download

BridgeChecker v1.2 and previous versions are available for download from the BridgeChecker Download page.

BridgeChecker User Guide

This version has several new features that make the program much more flexible. Please see the BridgeChecker User Guide for instructions on how to take advantage of the new features.

New Features in BridgeChecker v1.2

• Custom NIC selection for automatic enable/disable feature (BridgeChecker Mode)
• Manual interface enable/disable adapter mode (OneNIC Mode)
• Interface detection based on Windows hardware device name
• Hide notification area icon (sometimes referred to as system tray icon)
• Software will run as a service to bypass Windows Vista UAC issues
• Admin selectable modes of operation, BridgeChecker mode and OneNIC mode
• Flexible licensing options (personal/non-commercial and company/commercial)
• Supports Windows XP, Windows Vista, and Windows 7
• Admin password to change config
• Option to whitelist adapters (e.g., virtual adapters, VPN adapters)

BridgeChecker v1.2 Requirements

• Program tested on Windows XP, Vista, and Windows 7 operating systems
• Requires .NET Framework 2.0 or above
• .NET 3.5 Service Pack 1 (Full Package) direct download from Microsoft
• Windows Vista/Windows 7 users must run installer setup.exe as an Administrator

Recommended Usage Scenarios

The program can be used in the following scenarios.

• disable wireless when connected to LAN
• disable wireless when docked
• disable wireless when Ethernet detected
• disable wireless when wired
• disable wireless when on LAN
• disable wireless when cable connected
• disable wireless when in docking station
• disable wireless when Ethernet plugged in
• disable WLAN when LAN connected
• enable only one network adapter at a time

Comments, Bugs, and Feature Requests

Please use comment feature below to let us know if the BridgeChecker program met your requirements. When commenting please let us know your Windows operating system version and wireless card brand and model if possible. Comments about bugs and feature requests are welcome and encouraged.

Related posts:

1. BridgeChecker Update BridgeChecker BridgeChecker is a windows utility that can automatically...
2. BridgeChecker v1.3 Beta Available for Download BridgeChecker v1.3 Beta Available for Download BridgeChecker is a...
3. Disable Wireless When Connected to LAN in XP and Vista Note: Visit BridgeChecker page for most up to date version...

Like Army’s Wireless LAN Policy, Navy’s guidelines for deploying wireless LAN technologies are outlined in documents developed and distributed by the Department of the Navy (DON) and other DoD organizations. Below is a list of documents related to using commercial wireless LAN technologies in unclassified networks.

SECNAV Instruction 5239.3A

5239.3A, released in December 2004 by the DON CIO, is Department of the Navy Information Assurance Policy. The document establishes Information Assurance (IA) policy for the
Department of the Navy (DON) consistent with National and Department of Defense (DoD) policies. The policy applies to “All Ships and Stations” and doesn’t have any specifics about WLANs or wireless security. The specifics regarding wireless are covered in guidelines below. [source]

SECNAV Instruction 2075.1

DON Use of Commercial Wireless Local Area Network (WLAN) Devices, Services, and Technologies, released November 2006. [source]

This policy provides guidance to secure components of the network that directly pertain to the wireless architecture. It delineates requirements for FIPS-140 Certification and Accreditation as well as Layer 2 Authentication and Encryption.

DON Guidance on Wireless Local Area Network Implementation of the 802.11i Standard, released January 2008. [source]

A. All new WLAN acquisitions must specify the 802.11i addendum.

B. Existing non-compliant WLAN solutions must ensure migration toward compliance with the 802.11i addendum. Migration plans shall be submitted to the Department of the Navy Chief Information Officer (DON CIO) within 90 days.

C. All solutions will continue to be certified and accredited by the appropriate designated approval authority (DAA) prior to implementation.

DoDD 8100.2

Use of Commercial Wireless Devices, Services, and Technologies in the Department of Defense (DoD) Global Information Grid (GIG) – April 14, 2004. [source]

Section 4.1.2 says if data is transmitted wirelessly it must be secured using FIPS validated encryption, and is a good summary of the entire document.

4.1.2 – Encryption of unclassified data for transmission to and from wireless devices is required. Exceptions may be granted on a case-by-case basis as determined by the Designated Approving Authority (DAA) for the wireless connections under their control. At a minimum, data encryption must be implemented end-to-end over an assured channel and shall be validated under the Cryptographic Module Validation Program as meeting requirements per Federal Information Processing Standards (FIPS) Publication (PUB) 140-2, Overall Level 1 or Level 2, as dictated by the sensitivity of the data (reference (g)).

DoDD 8100.2 Supplement

Use of Commercial Wireless Local-Area Network (WLAN) Devices, Systems, Technologies in the Department of Defense (DoD) Global Information Grid (GIG) -June 2, 2006. [source]

This document added additional guidance related IEEE 802.11 wireless LAN technologies and security. Some argued that the document was too specific and details such as specifying 802.11i for security should be contained in Best Business Practice (BBP) and not overarching directives. Others argued that such details were necessary to remove ambiguity that remained after the release of the April 14, 2004 directive. In addition to detailing the data-in-transit security requirements when deploying IEEE 802.11 networks, the document also stated that continuous 24/7 wireless intrusion detection was required for wired and wireless networks.

Related posts:

1. DoD Commercial WLAN Technologies Instruction 8420.01 DoD Commercial WLAN Technologies Instruction 8420.01 The US Department...
2. BridgeChecker v1.2 Available for Download BridgeChecker v1.2 Available for Download BridgeChecker v1.2 and previous...

US Army’s guidelines for deploying wireless LAN technologies is outlined in documents developed and distributed by Army and other DoD organizations. Below is a list of documents related to using commercial wireless LAN technologies in unclassified networks.

DoDD 8100.2

Use of Commercial Wireless Devices, Services, and Technologies in the Department of Defense (DoD) Global Information Grid (GIG) – April 14, 2004. [source]

Section 4.1.2 says if data is transmitted wirelessly it must be secured using FIPS validated encryption, and is a good summary of the entire document.

4.1.2 – Encryption of unclassified data for transmission to and from wireless devices is required. Exceptions may be granted on a case-by-case basis as determined by the Designated Approving Authority (DAA) for the wireless connections under their control. At a minimum, data encryption must be implemented end-to-end over an assured channel and shall be validated under the Cryptographic Module Validation Program as meeting requirements per Federal Information Processing Standards (FIPS) Publication (PUB) 140-2, Overall Level 1 or Level 2, as dictated by the sensitivity of the data (reference (g)).

DoDD 8100.2 Supplement

Use of Commercial Wireless Local-Area Network (WLAN) Devices, Systems, Technologies in the Department of Defense (DoD) Global Information Grid (GIG) -June 2, 2006. [source]

This document added additional guidance related IEEE 802.11 wireless LAN technologies and security. Some argued that the document was too specific and details such as specifying 802.11i for security should be contained in Best Business Practice (BBP) and not overarching directives. Others argued that such details were necessary to remove ambiguity that remained after the release of the April 14, 2004 directive. In addition to detailing the data-in-transit security requirements when deploying IEEE 802.11 networks, the document also stated that continuous 24/7 wireless intrusion detection was required for wired and wireless networks.

AR 25-2 Information Assurance

Sections 4.29 and 4.30 contain guidance regarding portable electronic devices (PEDs) and wireless technologies – revision October 24, 2007. [source]

4–29. Portable electronic devices
Portable electronic devices (PEDs) are portable ISs or devices with or without the capability of wireless or LAN connectivity. These include, but are not limited to, cell phones, pagers, personal digital assistants (PDAs) (for example, Palm Pilots, Pocket PCs), laptops, memory sticks, thumb drives, and two-way radios. Current technologies (infrared, radio frequency, voice, video, microwave) allow the inclusion of numerous capabilities within a single device and dramatically increases the risks associated with IS and network access.

4–30. Wireless local area networks
Wireless LANs are extensions of wired networks and will implement IA policies and procedures in accordance with this and other applicable regulations . Non-compliant wireless LANs will have migration plans documented in POA&Ms, that ensure the systems will meet the minimum requirements of this policy. The DAA will consider the POA&M in the authorization decision. All Army organizations and activities operating wireless local area networks (WLANs) will comply with the following and as supplemented in BBPs.

Wireless Security Standards v1.26

Wireless Best Business Practices (BBP) – updated August 11, 2006. [source]

This document establishes best practice standards for the deployment and use of local wireless network technologies for the Department of the Army. It intends to protect Army resources and data from security threats, improve incident response for wireless issues, and mitigate interference among wireless technologies. Wireless network devices offer a simple, convenient, and inexpensive solution to extend local area network (LAN) accessibility by reducing the requirements of physical infrastructure. Wireless networking removes the encumbrance of wire connections on portable devices, and can also enable laptop and handheld users the ability to travel beyond traditional network boundaries (e.g. between buildings) without losing network connectivity. This flexibility however, introduces several unique vulnerabilities in addition to the inherent risks associated with any wired network.

Since wireless signals are radio transmissions, they can be intercepted by suitable radio receiving devices, jammed intentionally by other devices, sometimes even devices
operating outside the intended service area. If data transmissions are not encrypted or are inadequately encrypted, the intercepted data can be read and understood in a matter of seconds.

“Road Warrior” Laptop Security v1.0

Issued February 17, 2006

Laptops, portable notebooks, tablet-PCs, and similar systems, referred to as mobile computing devices (MCD), pose unique security challenges. Users of these information systems (IS) are tasked with the physical security of these mobile devices while administrators must protect the IS from compromise when used as a standalone system or when remotely connected.

These systems shall be configured to provide host-based security as the primary defensive measure. Combined with the capability to connect securely from trusted or untrusted
sources, the IS must protect the networks during remote user access and permit adequate configuration and security management balanced with user functionality. Technology exists to provide host-based IS protections coupled with the capability to remotely access Army internal resources through protected and securable connectivity.

Army Information Assurance Approved Products List (AIAAPL)

Approved products related to information assurance (firewalls, VPNs, IDS, WIDS, encryption gateways, etc) are listed in document. The document is not available for public download.

Related posts:

1. DoD Commercial WLAN Technologies Instruction 8420.01 DoD Commercial WLAN Technologies Instruction 8420.01 The US Department...
2. Wireless N 802.11n Wi-Fi Standard Approved Wireless N 802.11n Wi-Fi Standard Approved The IEEE has finally...
3. Mac OS X Wireless Signal Strength in Snow Leopard Mac OS X Wireless Signal Strength in Snow Leopard The...

The National Security Agency/Central Security Service is America’s cryptologic organization. It coordinates, directs, and performs highly specialized activities to protect U.S. government information systems and produce foreign signals intelligence information. A high technology organization, NSA is on the frontiers of communications and data processing. It is also one of the most important centers of foreign language analysis and research within the government.

Security Configuration Guides

NSA has developed and distributed configuration guidance for a wide variety of software and hardware. The objective of the configuration guidance program is to provide NSA’s customers with the best possible security options in the most widely used products. Security configuration guides are available for Applications, Database Servers, Operating Systems, Routers, Switches, VoIP and IP Telephony, Web Servers and Browsers and Wireless related technologies.

NSA and Wireless Security

There are currently two documents developed and distributed by the Systems and Network Attack Center’s Network Hardware Analysis and Evaluation Division related to wireless LANs and wireless LAN security.

Guidelines for the Development and Evaluation of IEEE 802.11 Intrusion Detection Systems (IDS) Updated: September 2005

In today’s increasingly wireless world, organizations are quickly realizing the security benefits of constantly monitoring the electromagnetic spectrum within their enterprise. When an organization has an interest in identifying and locating unauthorized wireless hardware and preventing intrusion attempts on their network, the benefits of this monitoring exist regardless of whether or not network owners officially sanction the use of wireless devices. Many government entities have monitored their spaces for the presence of cellular, Bluetooth, infrared, and/or IEEE 802.11 signals for years. The DoD Directive 8100.2 now mandates RF monitoring, intrusion detection, and denial of service prevention in DoD networks. Although not a specific requirement, RF monitoring and intrusion detection could also help federal and military operated health care institutions meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA).

Recommended 802.11 Wireless Local Area Network Architecture Updated: November 2005

Wireless local area network (WLAN) technology based on the IEEE 802.11 suite of standards is available as built-in options on most new personal computers and as add-on hardware through USB and PCMCIA adapters. The low hardware cost, ease of installation, increased mobility, and network configuration flexibility has led many Government agencies and organizations to implement WLAN solutions for their users to access their enterprise network. With the pervasive use of 802.11 networks throughout the Government and their impending use within the intelligence community, it is imperative for the National Security Agency’s (NSA) Information Assurance Directorate (IAD) to make an informed recommendation of a wireless network architecture for Government unclassified networks. Wireless networks with classified data require additional protection solutions that are not addressed here.

I recommend these documents be used for information purposes only and not as strict requirements documents when selecting or configuring 802.11 Intrusion Detection Systems (IDS) or 802.11 Wireless Local Area Networks (WLANs).

Related posts:

1. DoD Commercial WLAN Technologies Instruction 8420.01 DoD Commercial WLAN Technologies Instruction 8420.01 The US Department...
2. BridgeChecker v1.2 Available for Download BridgeChecker v1.2 Available for Download BridgeChecker v1.2 and previous...
3. Wireless N 802.11n Wi-Fi Standard Approved Wireless N 802.11n Wi-Fi Standard Approved The IEEE has finally...