NIST Wireless Network Security 802.11, Bluetooth and Handheld Devices
Description
Introduction
Wireless technologies have become increasingly popular in our everyday business and personal lives.
Personal digital assistants (PDA) allow individuals to access calendars, e-mail, address and phone number
lists, and the Internet. Some technologies even offer global positioning system (GPS) capabilities that can
pinpoint the location of the device anywhere in the world. Wireless technologies promise to offer even
more features and functions in the next few years.
An increasing number of government agencies, businesses, and home users are using, or considering
using, wireless technologies in their environments. Agencies should be aware of the security risks
associated with wireless technologies. Agencies need to develop strategies that will mitigate risks as they
integrate wireless technologies into their computing environments. This document discusses certain
wireless technologies, outlines the associated risks, and offers guidance for mitigating those risks.
1.1 Authority
The National Institute of Standards and Technology (NIST) developed this document in furtherance of its
statutory responsibilities under the Computer Security Act of 1987 and the Information Technology
Management Reform Act of 1996 (specifically 15 United States Code [U.S.C.] 278 g-3 (a)(5)). This is not
a guideline within the meaning of 15 U.S.C. 278 g-3 (a)(3).
Guidelines in this document are for federal agencies that process sensitive information. They are
consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130.
This document may be used by nongovernmental organizations on a voluntary basis. It is not subject to
copyright.
Nothing in this document should be taken to contradict standards and guidelines made mandatory and
binding upon federal agencies by the Secretary of Commerce under statutory authority. Nor should these
guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce,
the Director of the OMB, or any other federal official.
1.2 Document Purpose and Scope
The purpose of this document is to provide agencies with guidance for establishing secure wireless
networks.1 Agencies are encouraged to tailor the recommended guidelines and solutions to meet their
specific security or business requirements.
The document addresses two wireless technologies that government agencies are most likely to employ:
wireless local area networks (WLAN) and ad hoc or—more specifically—Bluetooth networks. The
document also addresses the use of wireless handheld devices. The document does not address
technologies such as wireless radio and other WLAN standards that are not designed to the Institute of
Electrical and Electronics Engineers (IEEE) 802.11 standard. These technologies are out of the scope of
this document.
Wireless technologies are changing rapidly. New products and features are being introduced
continuously. Many of these products now offer security features designed to resolve long-standing
weaknesses or address newly discovered ones. Yet with each new capability, a new threat or vulnerability
is likely to arise. Wireless technologies are evolving swiftly. Therefore, it is essential to remain abreast of
the current and emerging trends in the technologies and in the security or insecurities of these
technologies. Again, this guideline does not cover security of other types of wireless or emerging wireless
technologies such as third-generation (3G) wireless telephony.
Wireless technologies have become increasingly popular in our everyday business and personal lives.
Personal digital assistants (PDA) allow individuals to access calendars, e-mail, address and phone number
lists, and the Internet. Some technologies even offer global positioning system (GPS) capabilities that can
pinpoint the location of the device anywhere in the world. Wireless technologies promise to offer even
more features and functions in the next few years.
An increasing number of government agencies, businesses, and home users are using, or considering
using, wireless technologies in their environments. Agencies should be aware of the security risks
associated with wireless technologies. Agencies need to develop strategies that will mitigate risks as they
integrate wireless technologies into their computing environments. This document discusses certain
wireless technologies, outlines the associated risks, and offers guidance for mitigating those risks.
1.1 Authority
The National Institute of Standards and Technology (NIST) developed this document in furtherance of its
statutory responsibilities under the Computer Security Act of 1987 and the Information Technology
Management Reform Act of 1996 (specifically 15 United States Code [U.S.C.] 278 g-3 (a)(5)). This is not
a guideline within the meaning of 15 U.S.C. 278 g-3 (a)(3).
Guidelines in this document are for federal agencies that process sensitive information. They are
consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130.
This document may be used by nongovernmental organizations on a voluntary basis. It is not subject to
copyright.
Nothing in this document should be taken to contradict standards and guidelines made mandatory and
binding upon federal agencies by the Secretary of Commerce under statutory authority. Nor should these
guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce,
the Director of the OMB, or any other federal official.
1.2 Document Purpose and Scope
The purpose of this document is to provide agencies with guidance for establishing secure wireless
networks.1 Agencies are encouraged to tailor the recommended guidelines and solutions to meet their
specific security or business requirements.
The document addresses two wireless technologies that government agencies are most likely to employ:
wireless local area networks (WLAN) and ad hoc or—more specifically—Bluetooth networks. The
document also addresses the use of wireless handheld devices. The document does not address
technologies such as wireless radio and other WLAN standards that are not designed to the Institute of
Electrical and Electronics Engineers (IEEE) 802.11 standard. These technologies are out of the scope of
this document.
Wireless technologies are changing rapidly. New products and features are being introduced
continuously. Many of these products now offer security features designed to resolve long-standing
weaknesses or address newly discovered ones. Yet with each new capability, a new threat or vulnerability
is likely to arise. Wireless technologies are evolving swiftly. Therefore, it is essential to remain abreast of
the current and emerging trends in the technologies and in the security or insecurities of these
technologies. Again, this guideline does not cover security of other types of wireless or emerging wireless
technologies such as third-generation (3G) wireless telephony.
More Books by U.S. NIST
