Now that the novelty of wireless networking is wearing off, administrators are starting to turn their attention to the security ramifications of wireless networks.
Even if your organization has yet to adopt wireless networking, it's a prudent idea to begin thinking about the formulation of a wireless networking policy. Chances are good that you'll face a wireless networking business requirement in the near future and you'll be glad you have a policy in place when management and users come asking questions. If you're positive that wireless networking will not provide adequate benefits to your organization to justify the risks, you should still spell that decision out in a security policy. This opens the process to internal dialogue and permits functional managers and technical employees to weigh in with their opinions.
There are a few critical elements that you should include in your policy:
- Statement of Purpose and Scope. Every security policy should clearly state the reason it is necessary and the scope of its reach within the organization.
- Procedure for Adding New Access Points. You clearly don't want rogue access points showing up on your Wireless LAN (WLAN). The policy should provide a clear description of the approval process and the identity of those individual(s) with the authority to inspect and authorize a new access point.
- Access Point Placement. Wireless access points represent the heart of the WLAN. Access points should be placed in a manner that maximizes their performance capability but minimizes the risk of eavesdropping and other malicious activities. (Keep in mind that the positioning of access points should never be the sole protection against these types of attacks!)
- Procedure for Adding New Wireless Systems. Normally you'll have less stringent requirements for the addition of a new wireless workstation than a new access point. However, your policy should still state the types of systems that may be granted wireless access, the business requirements that justify the provision of wireless access and the appropriate approval procedure.
- Approved Technologies. The policy should provide guidance on the types of technology authorized for use on the network. This may include a list of appropriate wireless protocols, hardware vendors, specific hardware devices, authentication techniques and other technical specifications. To avoid constant modification of the policy document itself, many organizations simply have the policy reference an external list and provide the procedures for modifying those lists.
- Audit Procedures. Your network monitoring and logging mechanisms should be configured to provide adequate auditing of WLAN activity. The wireless networking policy should provide the requirements for this auditing.
As with any security policy, your wireless networking security policy should be developed through the use of a validated policy development process. You should also review and update, if necessary, your policy on a periodic basis to ensure that it complies with changing business requirements and is flexible enough to accommodate new technologies.
Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the author of the About.com Guide to Databases.
