Maryland's Public System of Higher Education

• Complete a security assessment of the wireless system before production implementation. The assessment should include an evaluation of potential risks to the campus networks that are accessible from a wireless domain
• Maintain a current, documented diagram of the topology of the wireless network
• Perform periodic assessments for access point discovery
• Perform periodic security testing and assessment of the wireless network
• Implement configuration/change control and management to ensure that equipment has the latest software release that includes security enhancements and patches for discovered vulnerabilities
• Implement standardized configurations to maintain wireless network security, to ensure change of default values, and to ensure consistency of operations
• Implement security training to raise awareness about the threats and vulnerabilities inherent in the use of wireless technologies
• Monitor the wireless industry for changes to standards that enhance security features and for the release on new products
• Wireless networks should facilitate some form of cryptographic protocol, where necessary, examples being secure shell (SSH), Transport-Level Security (TLS), Internet Protocol Security (IPsec), or Virtual Private Networks (VPN)
• Use a VPN for any protocol that may include sensitive information
• Additional countermeasures such as strategically locating access points, ensuring firewall filtering, and blocking and the installation of antivirus software should be implemented
• Ensure that all access points are administered from the wired LAN and never the wireless network

The Wireless Security Plan must do the following:

• Identify who may use the technology
• Identify whether Internet access is required
• Describe who can install access points and other wireless equipment
• Provide guidelines on the location of and physical security for access points
• Describe the type of information that may be sent over wireless links
• Define standard security settings for access points
• Describe limitations on how the wireless devices may be used
• Provide guidelines on reporting wireless security incidents
• Define the frequency and scope of security assessments to include access point discovery

• All default passwords should be changed
• If SNMP is not required, the institution should disable it
• If SNMP is required, institutions should use SMNPv3 or higher

• Wireless networks should authenticate the identity of all users, where necessary

• Institutions should monitor wireless networks to identify potentially infected devices