Installing modern, secure Wi-Fi technology in a federal facility sounds easy enough, but for many agencies it’s a daunting task. Agencies frequently lack the expertise needed to design and deploy a Wi-Fi solution that can be used for official or non-official business and comply with the many complex security controls required by the Federal Information Security Management Act (FISMA).
One federal regulatory agency confronted this challenge in 2020. The agency wanted a Wi-Fi solution that was on an infrastructure compliant with the Federal Risk and Authorization Management Program (FedRAMP), was a managed service, and that would provide secure, controlled Wi-Fi coverage at its five locations across the country for 1,300-plus end users, according to a new case study, How Federal Agencies Can Get Highly Secure Wi-Fi — Without Going Through the ATO Process.
Secure wireless within the office
To enable this capability, agency decision-makers turned to Paliton Networks and CommScope RUCKUS, which designed and deployed a highly scalable solution that enables all employees within that agency to conduct official business on their government-furnished equipment (GFE) laptops, without the need to deploy two separate networks – one for official business and the other for non-official business.
Paliton's solution, called the Controlled Non-Official Business Internet (CNOBI), was designed to provide Wi-Fi coverage for government non-official business, but it can be used to provide Wi-Fi coverage for official business as well. It's Controlled because it limits access to only those explicitly authorized. It's Controlled because it provides RUCKUS URL filtering services to limit access to content that is not workplace-safe. It's Controlled because RUCKUS Analytics provides the ability to create reports of user activity. As a core service it's Non-Official because, while it meets many requirements, it resides outside the agency's security and accreditation process, which is a distinct advantage when it is combined with other solutions.
With one managed solution, different types of users can be segregated on the same network. Agencies can authenticate employees to conduct official business on their GFE devices, non-official business on BYOD devices and sponsor access to agency visitors.
As a managed service, CNOBI and its components are owned, operated, and maintained by Paliton. The solution is highly secure, meets many National Institute of Standards and Technology (NIST) security controls, is Federal Information Processing Standard (FIPS)-compliant, and operates on a FedRAMP-authorized infrastructure—Microsoft Azure GovCloud.
With the CNOBI solution in place, agency employees can be at any agency facility, using their GFE laptops, and — wirelessly and securely — be able to conduct official business.
Like many agencies during the pandemic, this federal agency issued GFE laptops to its employees so they could work at home. Those laptops are outfitted with security software and features that force them to automatically connect with the agency’s highly secure virtual private network (VPN) immediately after connecting to a trusted Wi-Fi network.
If it can be done at home, why not in an office environment?
The marriage of the two solutions gives agency employees a trusted service to perform official work on the GFE laptops while maintaining mobility within the office. A user can simply undock and be automatically reconnected over the VPN via Wi-Fi anywhere CNOBI has coverage. FIPS-certified CommScope RUCKUS hardware and software residing on top of the FedRAMP infrastructure provide service assurance and enable GFE devices to apply higher encryption standards.
CNOBI also protects users and wireless networks from Frag Attacks, a new category of zero-day vulnerabilities that affect most Wi-Fi devices, both clients and networks. Adversaries can exploit these vulnerabilities to run malicious code, take control of devices, capture data, and use the devices to launch other attacks.
Users of CNOBI are inherently protected because the solution relies upon the 802.1X EAP-TLS (Extensible Authentication Protocol - Transport Layer Security) protocol to authenticate individual certificate-based identities instead of shared passwords. EAP-TLS-based systems mitigate cracking, man-in-the-middle, or Frag Attacks because each side of the Wi-Fi connection, the Wi-Fi system and the end user device, authenticates the other. If either side mistrusts the other, the connection is refused. This prevents the end user from accidentally connecting to a rogue malicious device and ensures that only authorized users can connect to the Wi-Fi system. Once users enroll their devices, they never have to enter a password again.
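As an added illustration that is not part of the case study and not Paliton's or RUCKUS's own configuration, here is a wpa_supplicant network profile for a GFE laptop that enforces the mutual, certificate-based authentication described above, placed beside a password-based profile that skips server validation; the SSID, identities, file paths and RADIUS server name are assumed placeholders.

```conf
# Constructed example: two wpa_supplicant network blocks for comparison.
# All names, paths and the SSID are placeholders, not values from the case study.

# Weak profile: a shared password, and no ca_cert or domain_match, so the laptop
# accepts whatever RADIUS server the access point presents. A rogue access point
# can therefore harvest a password-based exchange that is exposed to cracking.
network={
    ssid="AGENCY-WIFI"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="SharedSecret123"
    phase2="auth=MSCHAPV2"
}

# Hardened profile: EAP-TLS with mutual authentication. The laptop verifies the
# RADIUS server's certificate against the agency CA and checks its expected name,
# and the server verifies the per-device client certificate. If either check
# fails, the association is refused, so a rogue access point cannot impersonate
# the network and an unenrolled device cannot join it.
network={
    ssid="AGENCY-WIFI"
    key_mgmt=WPA-EAP
    eap=TLS
    # Require Protected Management Frames (802.11w)
    ieee80211w=2
    pairwise=CCMP
    group=CCMP
    identity="jdoe@agency.example"
    ca_cert="/etc/ssl/certs/agency-wifi-ca.pem"
    domain_match="radius.agency.example"
    client_cert="/etc/wpa_supplicant/jdoe-device.crt"
    private_key="/etc/wpa_supplicant/jdoe-device.key"
    # Prefer this profile over the weak one if both are present
    priority=10
}
```

The client private key never leaves the device and no password is typed after enrollment, which is the property the paragraph above describes.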
Additionally, CommScope RUCKUS Analytics helps drive improved management and efficiencies for the agency. These include predictive analytics that alert agency officials to anticipated resource utilization so that policy or control adjustments can be made pre-emptively, if necessary.
CNOBI takes the complexity out of IT while providing agency employees with highly secure Wi-Fi from any location where the service is deployed.
To learn more, download the federal case study: How Federal Agencies Can Get Highly Secure Wi-Fi — Without Going Through the ATO Process