Wireless networks have become mainstream and are widely deployed across many different environments; however, deploying one calls for specific security considerations. In this article, I provide security guidance and best practices for deploying or implementing a wireless access point and network. You may use the ideas and recommendations in this article to generate your own wireless access policy for your organization.
Corporate Wireless Access Control
On systems used for business purposes, wireless access should be configured to allow connections only to authorized wireless networks. On devices that have no essential business need for wireless, wireless access should be disabled in the hardware configuration, such as through the basic input/output system (BIOS) or the Unified Extensible Firmware Interface (UEFI). File sharing should be disabled on wireless-enabled devices.
Guest Wireless Access Control
Appropriate technical safeguards should be implemented on wireless access points to protect the confidentiality, integrity, and availability of the organization's data and systems. If wireless access is supported in the corporate environment, it should be based on documented implementation and baseline standards. Guest wireless access provided to third parties should offer internet access only. The guest wireless network should be completely segmented from the internal network and should not provide any access to internal resources. Wireless access to systems containing sensitive information should be protected by authenticating both users and devices.
Vendor Default Settings
Vendor default settings for wireless access points should be changed prior to authorizing the implementation of the access point. Wireless access points should be configured with strong encryption (WPA at a minimum). Wireless access points should be placed in secure locations, such as in a cage or screwed into the ceiling.
Scanning for Rogue Wireless Access Points
Quarterly scans should be performed to identify unauthorized or rogue wireless access points. Appropriate actions should be taken if any unauthorized access points are discovered.
Wireless Access Point Security Checklist
The following controls should be implemented to protect the wireless access network:
- Maintain/update an inventory of all Access Points (AP) and wireless devices to include maintaining an updated logical/physical network diagram that documents all wireless connections.
- A firewall should be implemented between the wireless network and the internal network infrastructure (wired).
- Default vendor configurations should be changed on all wireless access points.
- Default vendor encryption keys should be changed.
- Default passwords/passphrases should be changed on all wireless access points and strong administrative passwords should be utilized.
- Any other security-related vendor default settings should be changed, as applicable, on all wireless access points.
- The Service Set Identifier (SSID) should be set to a unique identifier.
- WPA2 with AES 128-bit or higher encryption technology should be utilized. If the wireless devices do not support strong encryption for authentication/transmission over wireless networks, the firmware on these devices should be upgraded or these devices should not be utilized within the wireless network.
- Authentication using a Pre-Shared Key (PSK) or 802.1X (including for BYOD devices), together with device analysis, should be utilized.
- Any time anyone with knowledge of the keys leaves the organization or changes positions, the encryption keys should be changed.
- If wireless access points are enabled with SNMP for business purposes, any default SNMP community strings should be changed to a complex text string. SNMPv3 and/or SSL/TLS for Web-based management of access points should be utilized.
- Software security patches should be tested and deployed on a regular basis.
- If the reset function is ever utilized on a wireless access point, the access point should be restored to the latest security settings.
- Wireless access points should be placed in secure locations with restricted access.
- Intrusion Detection Systems (IDS) should be deployed on the wireless network to report suspected activities.
- Wireless audit logs should be reviewed on a regular basis and maintained securely on a log server.
- Searches for rogue wireless access points should be performed routinely, at least on a quarterly basis, and any suspicious devices discovered should be promptly reported to the security team in accordance with the incident response plan, process and procedure.
- All wireless clients should have anti-virus installed, personal firewalls configured, and all file sharing on wireless enabled devices should be disabled.
- All personnel should obtain authorization prior to utilizing the wireless access point and should agree to the liability disclaimer prior to utilizing this resource.
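As an added illustration of how several of these controls (the AP inventory, the rogue AP search, the strong-encryption and default-settings checks) can be checked together, here is an example script that is not part of the original article. It compares a wireless survey against an authorized AP inventory; the inventory, the survey format (`bssid<TAB>ssid<TAB>security`), the default-SSID list and the survey data are all constructed samples.

```python
from dataclasses import dataclass

# Constructed sample list of vendor default SSIDs (assumption, extend for your fleet).
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default"}
# Security modes the checklist accepts (WPA2 with AES or better).
STRONG = {"WPA2-AES", "WPA3"}


@dataclass(frozen=True)
class ObservedAP:
    bssid: str
    ssid: str
    security: str  # e.g. "WPA2-AES", "WPA2-TKIP", "WPA", "WEP", "OPEN"


# Constructed inventory: authorized BSSID -> approved SSID.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "corp-secure",
    "00:11:22:33:44:02": "corp-secure",
    "00:11:22:33:44:03": "corp-guest",
}

# Constructed survey output, one AP per line: bssid<TAB>ssid<TAB>security.
SURVEY = """\
00:11:22:33:44:01\tcorp-secure\tWPA2-AES
00:11:22:33:44:02\tcorp-secure\tWPA2-TKIP
00:11:22:33:44:03\tcorp-guest\tWPA2-AES
AA:BB:CC:DD:EE:01\tcorp-secure\tWPA2-AES
AA:BB:CC:DD:EE:02\tlinksys\tOPEN
"""


def parse_survey(text: str) -> list[ObservedAP]:
    """Parse the tab-separated survey into ObservedAP records."""
    aps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        bssid, ssid, security = line.split("\t")
        aps.append(ObservedAP(bssid.upper(), ssid, security))
    return aps


def audit(observed: list[ObservedAP], authorized: dict[str, str]) -> dict[str, list[str]]:
    """Return {bssid: [findings]} for every AP that violates the checklist.
    Every unknown BSSID is reported for triage; neighbouring networks will
    show up too, so findings feed the incident process rather than auto-block."""
    findings: dict[str, list[str]] = {}
    corp_ssids = set(authorized.values())
    for ap in observed:
        issues = []
        if ap.bssid not in authorized:
            issues.append("not in AP inventory (possible rogue)")
            if ap.ssid in corp_ssids:
                issues.append("unauthorized AP advertising a corporate SSID")
        elif ap.ssid != authorized[ap.bssid]:
            issues.append(f"SSID mismatch: expected {authorized[ap.bssid]!r}")
        if ap.security not in STRONG:
            issues.append(f"weak or no encryption: {ap.security}")
        if ap.ssid.lower() in DEFAULT_SSIDS:
            issues.append("vendor default SSID")
        if issues:
            findings[ap.bssid] = issues
    return findings


if __name__ == "__main__":
    for bssid, issues in audit(parse_survey(SURVEY), AUTHORIZED_APS).items():
        print(bssid, "; ".join(issues))
```

In practice the survey text would come from a site-survey tool or the wireless controller's neighbour list, and the inventory from the AP asset register the checklist requires.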
If you need help creating this policy or developing other policies and procedures, we can help. Contact us today!