Hello security-basics,

I'm working out the last kinks in our Policy and Procedures for Wireless Networking within our department. Can any of you all see anything that I should change or that I missed?

I am already aware that some of this will change once 802.11i becomes ratified and silicon is available (if AES requires a co-processor). Additionally, we have some legacy machines that do not support WPA, so we can't quite go there just yet.

Thanks in advance.

P.S. This Policy and Procedure is being developed by a State agency; it is public domain. If you find anything that you want to include in your own, feel free.

A. Minimum settings required for APs and client NICs

   1. SSID beaconing must be disabled.
   2. SSID should be non-descriptive (i.e. not Corp3rdFloorFinance).
   3. AP and NICs must support a minimum of 128-bit WEP encryption.
   4. WAP must be configured with MAC address level controls.
   5. A firewall must be installed between the WAP and the wired network. (Note: Should WAPs with a built-in firewall be acceptable?)
   6. Minimize perimeter leakage as much as possible by keeping the WAP as centrally located in the building as possible.
   7. Default AP logon access accounts should be renamed and strong passwords must be used.
   8. Minimum wireless standards must not be compromised in order to accommodate other wireless devices such as PDAs and cell phones.
   9. WEP keys must be rotated every five hours.
   10. End users will only have read access to Wi-Fi settings.
   11. AD-HOC mode must be disabled.
   12. Monitoring for rogue APs will be performed on a weekly basis and should be a randomly chosen day each week.
   13. Inspect outer perimeter of building for warchalk markings on a weekly basis.
   14. If feasible, the WAP should be turned off at the end of the day, but NICs should not be removed from the client machines (to prevent zeroizing the IV), unless they need to be physically secured.

B. Minimum capabilities and limitations of AP and client NIC hardware

   1. WAP and NICs must be capable of utilizing dynamic WEP keys.
   2. Wi-Fi NICs must be capable of disabling ad-hoc functionality.

C. Authentication methodology

   1. To ensure standard configuration for mobile users traveling within the state to other facilities, and to ensure compliancy with the minimum security practices for Wi-Fi networks, the wireless network authentication will be centralized on a Cisco ACS server located at the Corp building.
   2. Cisco Aironet 1200 APs and Cisco client NICs will be hardened utilizing Cisco’s LEAP authentication technology.

   (Note: Section C is preliminary at this point. We are also evaluating a Cranite solution. <http://www.cranite.com>)

D. Implementation Standards

   1. Acceptable
      a. These are the minimum acceptable standards for implementing a wireless network for a period exceeding two weeks. This level of security is achievable using a standard Windows 2000 server install.
         i. Must include the settings and procedures presented in section A.
         ii. Must use VPN tunneling and IPSEC.
         iii. All failed login attempts must be logged, and the log will be reviewed daily.
         iv. Monitor public warchalk websites for listings of our sites (possibly assigned to an oversight person).

   2. Optimum
      a. These are the optimal standards for implementing a wireless network as a permanent installation. This level of security is achievable using a standard Windows 2000 server install implementing 802.1x EAP-TLS (requires a CA server).
         i. Must include the settings and procedures presented in section A.
         ii. Fast Packet Keying must be implemented.
         iii. You must implement 802.1x/EAP utilizing user credentials (RADIUS and TLS/TTLS).
         iv. All failed login attempts must be logged, and the log will be reviewed daily.
         v. Monitor public warchalk websites for listings of our sites (possibly assigned to an oversight person).

-- Leif