Office of Admin and Finance
IT SECURITY RESOURCES

Draft Wireless Networks Security Guidelines
in response to the new
State IT Security Policy on Wireless Networks

4. Network Security Standard

Wireless Networks

General Controls Guidelines

  • Complete a security assessment of the wireless system before production implementation. The assessment should include an evaluation of potential risks to the campus networks that are accessible from a wireless domain
  • Maintain a current, documented diagram of the topology of the wireless network
  • Perform periodic assessments for access point discovery
  • Perform periodic security testing and assessment of the wireless network
  • Implement configuration/change control and management to ensure that equipment has the latest software release that includes security enhancements and patches for discovered vulnerabilities
  • Implement standardized configurations to maintain wireless network security, to ensure change of default values, and to ensure consistency of operations
  • Implement security training to raise awareness about the threats and vulnerabilities inherent in the use of wireless technologies
  • Monitor the wireless industry for changes to standards that enhance security features and for the release of new products
  • Wireless networks should facilitate some form of cryptographic protocol where necessary, for example Secure Shell (SSH), Transport Layer Security (TLS), Internet Protocol Security (IPsec), or Virtual Private Networks (VPN)
  • Use a VPN for any protocol that may include sensitive information
  • Additional countermeasures, such as strategically locating access points, ensuring firewall filtering and blocking, and installing antivirus software, should be implemented
  • Ensure that all access points are administered from the wired LAN and never the wireless network

Wireless Security Plan

The Wireless Security Plan must do the following:

  • Identify who may use the technology
  • Identify whether Internet access is required
  • Describe who can install access points and other wireless equipment
  • Provide guidelines on the location of and physical security for access points
  • Describe the type of information that may be sent over wireless links
  • Define standard security settings for access points
  • Describe limitations on how the wireless devices may be used
  • Provide guidelines on reporting wireless security incidents
  • Define the frequency and scope of security assessments to include access point discovery

Access Point Configuration

  • All default passwords should be changed
  • If SNMP is not required, the institution should disable it
  • If SNMP is required, institutions should use SNMPv3 or higher

Authentication

  • Wireless networks should authenticate the identity of all users, where necessary

Intrusion Detection Systems

  • Institutions should monitor wireless networks to identify potentially infected devices