
Creating a wireless security policy
Lisa Phifer 05.19.2005




Deploying a wireless LAN without a security policy is like piloting an airplane without instruction. You'll probably get off the ground, but what happens next is largely a matter of chance, and someone will very likely get hurt. Many organizations realize that they need a WLAN security policy, but don't know how to go about creating one. In this tip, we'll discuss what WLAN security policies are, the kinds of information they should contain, and where to find policy templates and further guidance.
Purpose
As defined by RFC 2196, the IETF's Site Security Handbook, a security policy is a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide.
There are many kinds of security policies, including Password Policies, Remote Access Policies, Mobile Device Policies, Vulnerability Assessment Policies, Acceptable Use Policies -- and Wireless Communication Policies. The assets protected by each policy may differ, but all share common goals:
There may be relationships between security policies. For example, wireless may be used for both internal and remote network access, with password authentication. New policies are best designed as an extension to existing policies, to reduce duplicated effort and conflicting rules. When creating a WLAN security policy, reusing relevant parts of your wired network and system security policies can help you achieve consistent protection. WLANs may pose unique security risks and require some different measures, but don't needlessly reinvent the wheel.
Content
Every security policy should strive to strike a good balance between being specific and implementable, yet concise and easy to understand. Lengthy policies filled with terms understood by just a few security experts won't be effective, but neither will brief pamphlets that simply say "make sure the [ network | host | router | data ] is secure."
What exactly should your WLAN security policy include? Unfortunately, there's no one-size-fits-all policy. Your policy must identify your organization's assets, quantify your organization's risks, and capture your organization's consensus on methods to mitigate those risks in accordance with your priorities. But we can identify some topics that are commonly covered by WLAN security policies:
This list certainly isn't exhaustive; you'll find security policies that include more -- and less. But it's a starting point to get you thinking about what to include in your own WLAN security policy.
Examples and templates
You can also kick-start your own WLAN security policy by looking at policies created by other organizations, like:
and working from published policy templates, such as:
Some of these focus on WLANs, others on wireless communication in general, and still others on related policies for mobile devices and remote access. Examples and templates like these can be a handy springboard, but don't get stuck on format -- just create a security policy that makes sense for your organization. Remember to look inside your company for existing policies, and consult those responsible for them to find out what works well and what they might do differently if starting over again.
For more information
To learn more about security policy development in general, consult these resources:
SANS Security Policy Page
SecurityFocus Wireless Network Policy Development (Part 1)
SecurityFocus Wireless Network Policy Development (Part 2)
IETF RFC 2196: Site Security Handbook
Australian CERT Site Security Policy Development
WindowsSecurity How to develop a Network Security Policy
About the author: Lisa Phifer is vice president of Core Competence Inc., a consulting firm specializing in network security and management technology. Phifer has been involved in the design, implementation, and evaluation of data communications, internetworking, security, and network management products for nearly 20 years. She teaches about wireless LANs and virtual private networking at industry conferences and has written extensively about network infrastructure and security technologies for numerous publications. She is also a site expert to SearchMobileComputing.com and SearchNetworking.com.