
IT Security - Wireless Access Point Security Guidelines
5-18-06
Wireless access points are a convenient tool for providing access to Campus Area Network (CAN) and Internet resources. In places where the wireless access provided by Information Technology is not available, departments have built their own solutions with little to no oversight. In order to protect our departmental and CAN resources, wireless Access Points (APs) that connect to the SIUC CAN must adhere to a minimum security standard or they will be disconnected and blacklisted from the network.
APs offer a variety of security mechanisms that restrict access and encrypt the data being sent and received. In the out-of-the-box state, most access points are open, which means that they use no encryption or privacy protection whatsoever. An open access point allows anyone within range to connect to and use the network that the AP is attached to. This is dangerous both for the department and for the other CAN computing resources: it allows people not affiliated with SIUC to potentially perform a number of malicious activities, including theft of campus Internet bandwidth and attempts to attack and compromise SIUC computer systems and private data. In addition, an open access point provides little to no accountability for tracking users in the event of a security or other problem.
1) If an open AP is discovered on the CAN, it will be disconnected from the network until the situation is resolved. Resolution is the responsibility of the department.
2) The minimum security standard for a wireless access point is the strongest WEP (Wired Equivalent Privacy) that the AP can provide; 128-bit WEP is better than 40-bit. WEP is a very weak form of protection and should not be used unless there is no other functional option. While very weak, WEP is better than running an open access point. The WEP key must be distributed to each client computer that connects to the access point. The WEP key must not be easily guessed and should not be the same as any other information that a computer user can determine about the AP in question.
3) The recommended option is an 802.11i solution when available, or WPA2 (Wi-Fi Protected Access 2) or WPA with a pre-shared key or certificates. Due to the management overhead, many may elect to use a pre-shared key instead of certificates. The pre-shared key should be difficult to guess and more than 20 characters long. As with WEP, key distribution is a manual process.
4) 802.1X-based Extensible Authentication Protocol (EAP) techniques may also be used to provide encryption, authentication and other security features for wireless APs.
5) A wireless network may also be segmented using a network firewall or Virtual Private Network (VPN) that forces encryption and authentication for any wireless user before that user may access any departmental or CAN resource.
6) In the absence of the specifically mentioned technologies, a departmental wireless network may use any new or emerging wireless security framework, as long as the access point is not considered "open".
7) Change any default passwords on the AP and carefully restrict remote administration of the AP. If possible, do not allow administration of the AP from the wireless network.
In addition to these requirements, other suggested changes include:
8) Change the default SSID (the wireless network identifier) and disable SSID broadcasting. To find such a network, a user must know the SSID and enter it manually into their client system. This is inconvenient for the user but provides a higher level of security.
9) Use MAC address filters if possible. This measure is not foolproof but provides an additional layer of protection.
10) Enable logging on your access point. This will be helpful if you must track user activity in the event of a security incident such as a network intrusion or a stolen laptop.
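Items 1 through 10 can be applied mechanically to an AP's configuration record. The Python script below is an added example, not part of these guidelines or any SIUC tool; the AccessPoint record, the DEFAULT_SSIDS set and the sample inputs are assumptions constructed for illustration.

```python
# Added example: grade one access point configuration against items 1-10 above.
# The AccessPoint fields and DEFAULT_SSIDS are constructed assumptions, not SIUC data.
from dataclasses import dataclass

DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink", "wireless"}  # assumed factory names


@dataclass
class AccessPoint:
    ssid: str
    security: str            # "open", "wep", "wpa", "wpa2", "802.11i", "802.1x"
    key: str = ""            # WEP key or WPA/WPA2 pre-shared key
    wep_bits: int = 0        # WEP key length in bits (40 or 128)
    broadcast_ssid: bool = True
    default_admin_password: bool = True
    admin_from_wireless: bool = True
    mac_filter: bool = False
    logging: bool = False


def assess(ap: AccessPoint):
    """Return (status, findings). status is 'disconnect' (item 1), 'minimum'
    (WEP, item 2) or 'compliant' (items 3-6); findings list what to fix."""
    sec = ap.security.lower()
    if sec == "open":   # item 1: an open AP is disconnected until resolved
        return "disconnect", ["open access point: no encryption or privacy protection"]
    wep = sec == "wep"
    psk = sec in ("wpa", "wpa2")
    status = "minimum" if wep else "compliant"
    checks = [
        # item 2: WEP only as a last resort, strongest size, key not guessable
        (wep, "WEP in use; migrate to WPA2/802.11i when available"),
        (wep and ap.wep_bits < 128, "40-bit WEP; use the strongest WEP the AP supports"),
        (wep and ap.key.lower() == ap.ssid.lower(), "WEP key is guessable from the SSID"),
        # item 3: pre-shared keys must be hard to guess and over 20 characters
        (psk and len(ap.key) <= 20, "pre-shared key must be over 20 characters"),
        # item 7: required for every AP regardless of encryption scheme
        (ap.default_admin_password, "default administrator password still set"),
        (ap.admin_from_wireless, "administration allowed from the wireless side"),
        # items 8-10: suggested hardening, reported but not affecting status
        (ap.ssid.lower() in DEFAULT_SSIDS, "suggested: change the default SSID"),
        (ap.broadcast_ssid, "suggested: disable SSID broadcast"),
        (not ap.mac_filter, "suggested: enable MAC address filtering"),
        (not ap.logging, "suggested: enable logging"),
    ]
    return status, [msg for hit, msg in checks if hit]
```

Feeding the records exported from a departmental AP inventory through assess() gives a per-device list of the items that would trigger disconnection or a recommendation.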
The SIUC Information Technology Network Security
department has the right to perform a technical vulnerability
assessment and/or penetration test on any departmental wireless Access
Point at any time to determine compliance with these guidelines. IT
Security or Network Engineering will disconnect non-compliant Access
Points as they are discovered. Repeat offenders may permanently lose
the ability to use non-IT wireless access solutions.