South Plains College
Information Services (SPC-IS)
802.11 Wireless Network Security Standard: I-D(f)
Purpose and Benefits
This standard establishes controls for 802.11 wireless networks to minimize risks to the confidentiality, integrity, and availability of information and to support secure access to resources and services over wireless networks.
802.11 wireless networks give users of wireless devices the flexibility to move physically throughout a wireless environment while maintaining connectivity to the network. While 802.11 wireless networks are exposed to many of the same risks as wired networks, they are also exposed to additional risks unique to wireless technologies. This standard outlines the additional controls required for the use of wireless networks.
Scope
This standard applies to all 802.11 wireless networks that store, process, or transmit data or connect to a network or system, including networks managed and hosted by third parties on behalf of South Plains College.
The types of 802.11 wireless networks in scope include:
- Internal – These wireless networks are directly connected to the internal information technology resources and are only available to authenticated users. (i.e. SPCnet)
- Public (authenticated) – These wireless networks are not connected to internal information technology resources and access is limited to authenticated users. (i.e. SPCnet-IoT, SPCnet-ResHall, SPCnet-Enrollment)
- Public (non-authenticated) – These wireless networks are not connected to internal information technology resources and are available for anyone to use without authentication. (i.e. SPCnet-Guest)
Information Statement
- 802.11 wireless networks must comply with all requirements of the Information Security Policy: I-A, including a risk assessment before implementation.
- The SPC ISO must authorize all wireless installations.
- Security plan documentation, as required by the Secure System Development Lifecycle Standard: I-E, must include, at a minimum, the department name, all AP locations, all supporting wireless infrastructure locations, the subnet on the wired network, the VLAN on the wired network, and the Service Set Identifier (SSID).
- APs and other supporting wireless devices must be placed in a physically protected location that minimizes the opportunity for theft, damage, or unauthorized access.
- Wireless network coverage must be managed to restrict the ability to connect outside the approved boundary.
- The SSID of 802.11 wireless networks must be changed from the factory default setting.
- The SSID must not include information that indicates the location, technology, or manufacturer details of the wireless network (e.g., Server-Rm-WiFi-Access, Wifi-Rm70, and Cisco-2400-WiFi). It also must not include information that indicates the type of data traversing the network.
- All internal wireless networks must utilize a wireless intrusion detection system (IDS).
- Public wireless networks must be physically separated from the internal network or configured to tunnel to a secure endpoint outside the internal network. The design must be included in the documented security plan.
- The logical addressing schemas used for the wireless network must differ from those used for the wired network to distinguish client connections between the two networks effectively.
- While servers and information stores may be accessible over a wireless network, they must not directly connect to it.
- APs on public authenticated or internal wireless networks must be configured to provide the strongest encryption settings available. At a minimum, Wi-Fi Protected Access (WPA) 2 – Advanced Encryption Standard (AES) must be utilized.
- WPA2 personal mode must not be used for internal networks.
- WPA2 personal mode, with Wi-Fi Protected Setup (WPS) disabled, may be used for public authenticated access points that do not connect to internal networks.
- APs that utilize passphrases (such as APs configured to use WPA2 personal mode) must use passphrases that conform to the Account Management/Access Control Standard: I-D.
- Passphrases used by APs must be changed from the factory default setting.
- The wireless network administration console must not be directly accessible from the wireless network.
- 802.1X authentication, specifically the Extensible Authentication Protocol (EAP), must be used for all devices connecting to the internal wireless networks. SEs must use the EAP-TLS method whenever possible. Use of Lightweight EAP (LEAP) or of the following EAP authentication mechanisms is not allowed: EAP-MD5 (Message Digest), EAP-OTP (One Time Password), and EAP-GTC (Generic Token Card).
- Wireless client devices that connect to internal wireless networks must be configured to validate certificates issued by the authentication server during the authentication process.
- Where technically feasible, wireless client devices must be configured to utilize identity privacy settings during authentication.
- Internal wireless networks require individual user authentication, per the Account Management/Access Control Standard: I-D(a).
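The configuration rules above (SSID content, WPA2-AES minimum, personal mode only on public authenticated SSIDs with WPS off, 802.1X with an allowed EAP method and server certificate validation on internal SSIDs) can be checked as policy-as-code. The following is an added example, not part of the SPC standard or its tooling; the record field names (network_type, auth_mode, eap_method, wids_enabled, ...) and the sample inventory are constructed assumptions.

```python
# Added example, not part of the SPC standard: audit wireless network definitions
# against the Information Statement rules. Field names and records are constructed.

ALLOWED_ENCRYPTION = {"WPA2-AES", "WPA3"}   # WPA2-AES is the stated minimum
FORBIDDEN_EAP = {"LEAP", "EAP-MD5", "EAP-OTP", "EAP-GTC"}
# Tokens the standard's own bad SSID examples reveal: location, technology, vendor
SSID_HINT_WORDS = {"server", "rm", "room", "wifi", "cisco", "aruba", "ubiquiti"}

def audit_network(net: dict) -> list[str]:
    """Return the clauses one network definition violates (empty list = compliant)."""
    findings = []
    ntype = net["network_type"]            # "internal", "public_auth" or "public_open"
    words = set(net["ssid"].lower().replace("-", " ").replace("_", " ").split())
    if words & SSID_HINT_WORDS:
        findings.append("SSID reveals location, technology or vendor details")
    if ntype == "internal" and not net.get("wids_enabled"):
        findings.append("internal network lacks a wireless IDS")
    if ntype in ("internal", "public_auth"):
        if net.get("encryption") not in ALLOWED_ENCRYPTION:
            findings.append("encryption weaker than WPA2-AES")
        if net.get("auth_mode") == "personal":
            if ntype == "internal":
                findings.append("WPA2 personal mode not permitted on internal networks")
            elif net.get("wps_enabled"):
                findings.append("WPS must be disabled on personal-mode APs")
    if ntype == "internal":
        if net.get("auth_mode") != "802.1X":
            findings.append("internal network must use 802.1X/EAP authentication")
        elif net.get("eap_method") in FORBIDDEN_EAP:
            findings.append(f"EAP method {net['eap_method']} is not allowed")
        if not net.get("clients_validate_server_cert"):
            findings.append("clients must validate the authentication server certificate")
    return findings

# Constructed sample inventory: a compliant internal SSID, a misconfigured one, a public SSID with WPS on
SAMPLE_NETWORKS = [
    {"ssid": "SPCnet", "network_type": "internal", "encryption": "WPA2-AES", "auth_mode": "802.1X",
     "eap_method": "EAP-TLS", "wids_enabled": True, "clients_validate_server_cert": True},
    {"ssid": "Cisco-2400-WiFi", "network_type": "internal", "encryption": "WPA2-TKIP",
     "auth_mode": "802.1X", "eap_method": "LEAP", "wids_enabled": False},
    {"ssid": "SPCnet-IoT", "network_type": "public_auth", "encryption": "WPA2-AES",
     "auth_mode": "personal", "wps_enabled": True},
]
```

Running `audit_network` over each record yields no findings for the first SSID, five for the second (SSID content, missing IDS, TKIP, LEAP, no certificate validation) and one for the third (WPS enabled).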
Compliance
This standard shall take effect upon publication. Compliance is expected with all enterprise policies and standards. Policies and standards may be amended at any time; compliance with amended policies and standards is expected.
If compliance with this standard is not feasible or technically possible, or if deviation from this policy is necessary to support a business function, entities shall request an exception through the Chief Information Security Officer’s exception process.
Related Documents
1 TAC § 202.74 (a)(2)
Encryption Standard: I-B(c)
An index of approved SPC-IS policies can be found on the SPC Policies website at http://www.southplainscollege.edu/human_resources/policy_procedure/?%20. The SPC Information Security Program and SPC Information Security User Guide are also available on the Information Technology Services Policies website.
Texas Security Controls Standards Catalog Control Group: A-18
NIST Function Groups: PR.AC-5