Wireless security: SP 800-152 vs. X9.112

There have been two standards for wireless security that have been released recently. One is NIST's Special Publication 800-153 (PDF), "Guidelines for Securing Wireless Local Area Networks (WLANs) (Draft);" the other is ANS X9.112, "Wireless Management and Security – Part 1: General Requirements." One obvious difference between these standards is their length: SP 800-152 is 24 pages long while X9.112 has 71 pages. As you might expect from that, there's quite a difference in the level of detail that each standard addresses. One easy way to understand the difference in the detail that each document provides is to look at their tables of contents.

Here's the table of contents of SP 800-153:

Executive Summary

1. Introduction

1.1 Authority

1.2 Purpose and Scope

1.3 Audience

1.4 Document Structure

2. WLAN Security Configuration

2.1 Configuration Design

2.1.1 Needs Gathering

2.1.2 WLAN Architecture

2.2 Configuration Implementation, Evaluation, and Maintenance

3. WLAN Security Monitoring

3.1 WLAN Security Monitoring Basics

3.1.1 Attack Monitoring

3.1.2 Vulnerability Monitoring

3.2 Monitoring Tools

3.3 Continuous Monitoring Recommendations

3.4 Periodic Assessment Recommendations

List of Appendices

Appendix A— Supporting NIST SP 800-53 Security Controls and Publications

Appendix B— Acronyms and Abbreviations

Appendix C— References

List of Figures

Figure 1: Simplified View of WLAN Architecture

And here's the table of contents for X9.112:



1 Scope

1.1 Audience

1.2 Business Case

2 Normative references

3 Terms and definitions

4 Abbreviated terms

5 Wireless Risks

5.1 Introduction

5.2 Applicable Risks

5.2.1 Physical Topology

5.2.2 Access Control – Least Privilege

5.2.3 Encryption

5.2.4 Network Integrity

5.2.5 Wireless Transmission

5.2.6 Unauthorized Wireless Access Devices

5.2.7 Denial of Service (DoS)

5.2.8 Data Integrity

6 Requirements

6.1 Overview

6.2 Wireless Security Policy

6.3 Data Security

6.4 Entity Authentication

6.5 Data Integrity

6.6 Security Encapsulation

6.7 Key Management

6.8 Wireless Networks

6.9 Audit Logging

6.10 Physical Security

6.11 Access Control

7 Wireless Security Policy

7.1 Roles and Responsibilities

7.2 Security Controls

7.3 Technology Controls

7.4 Access Controls

7.5 Configuration Controls

7.6 Cryptography Controls

7.7 Physical Controls

7.8 Log Management

Annex A (normative) Wireless Validation Control Objectives

A.1 Introduction

A.2 Environmental Controls

A.2.1 Security Policy

A.2.2 Security Organization

A.2.3 Asset Classification and Management

A.2.4 Personnel Security

A.2.5 Physical and Environmental Security

A.2.6 Operations Management

A.2.7 System Access Management

A.2.8 Systems Development and Maintenance

A.2.9 Wireless Access Continuity Management

A.2.10 Monitoring and Compliance

A.2.11 Event Journaling

A.3 Key Management Life Cycle Controls

A.3.1 Key Generation

A.3.2 Key Storage, Backup and Recovery

A.3.3 Key Distribution

A.3.4 Key Usage

A.3.5 Key Destruction and Archival

A.3.6 Cryptographic Device Life Cycle Controls

A.4 Wireless Management Life Cycle Controls

A.4.1 Wireless Device Life Cycle

A.4.2 Wireless Encryption

A.4.3 Wireless Authentication

A.4.4 Wireless Integrity

A.4.5 Wireless Encapsulation

Annex B (Normative) Wireless Cryptography Controls

Annex C (Informative) Wireless Technology Standards

Wireless Local Area Networks

C.1 Broadband Wireless

C.2 Bluetooth

C.2.1 Architecture

C.2.2 Client ID

C.2.3 Client Provisioning

C.2.4 External Functional Interface (EFI)

C.2.5 General formats

C.2.6 Multimedia Messaging Service (MMS)

C.2.7 Persistence

C.2.8 Pictogram

C.2.9 Push

C.2.10 Synchronisation

C.2.11 User Agent Profile (UAProf)

C.2.12 Wireless Application Environment

C.2.13 Wireless Protocols

C.2.14 Wireless Security

C.2.15 Wireless Telephony Application (WTA)

C.3 Voice and Messaging

Annex D (Informative) X9 Registry

Annex E (Informative) OCC Risk Management of Wireless Networks

So if you're looking for general guidance and pointers to what other government standards might apply to the security of your wireless networks, SP 800-153 might be what you're looking for. If you're looking for more detailed guidance on how to understand the security of your wireless network and how to improve it, X9.112 might be better for you. On the other hand, SP 800-153 is free while X9.112 costs $100.

Leave a Reply

Your email address will not be published. Required fields are marked *