The US Joint Forces Command has taken a multivendor, best-of-breed approach to managing and securing Wi-Fi networks.

A Department of Defense agency, the USJFC researches future engineering trends that will benefit integrated warfighting among military branches. Based on its own testing of Wi-Fi networking, the USJFC recommends a multilayered security and management infrastructure as a best practice to the Army, Navy, Air Force and Marines.

In its own network, for example, it uses separate vendors for access points, encryption, authentication, intrusion detection and network management. It sees a mix of best-of-breed systems as less penetrable from a security standpoint, says Tony Cerri, experiment engineering department head at USJFC.

802.11a for a dense population
The lab runs a wireless LAN supporting 400 users, expected to soon grow to 700. Its Cisco Aironet 1200 access point infrastructure makes heavy use of 802.11a at 5GHz, because its network covers a dense user population in a two-building area and needs the extra channels to avoid interference.

"Having only three non-overlapping channels [in 802.11b and 802.11g at 2.4GHz] just doesn't cut it," Cerri says. 802.11a, on the other hand, supports eight to 24 channels, depending on geography.

Client devices include Fujitsu and Acer tablet PCs, Dell laptops and Vocera 802.11 voice badges.

Security is an overlay
On top of the Cisco connectivity infrastructure is an AirFortress overlay for Advanced Encryption Standard (AES) Layer 2 encryption, a Bluesocket gateway authentication network and an AirDefense sensor network for intrusion detection.

Most recently, the USJFC layered on AirWave centralised configuration and management software to help scale access point deployment. The move came after the command spent two months attempting to automate access point setup with Cisco's Wireless LAN Solution Engine (WLSE) and found it "not intuitive," says Derek Krein, wireless engineer.

The AirWave Management Platform also gathers RF statistics for root cause analysis and enables the USJFC to define and deploy security policy and conduct security configuration audits - an important security step currently lacking in many government agencies, according to a May 2005 study by the US Government Accountability Office.

Authentication and roaming
Bluesocket allows pass-through authentication, enabling users to log in with the command's Active Directory and then transparently roam across what appears as a single wireless domain. This appealed to the USJFC because, Krein says, the command "isn't comfortable deploying the 802.11i security standard until the problems with 802.1X have been solved."

He was referring to cross-subnet roaming delays associated with two-way, mutual authentication that are particularly problematic with real-time applications such as voice. A new roaming extension to the 802.11 standard, 802.11r, is expected to solve the latency issues, but not until at least 2007.