SANS Wireless Communication Policy

21 Nov 2013

Wireless Communication Policy

By Lauren Williams

Brief Overview of WiFi Networks

Technology is similar to walkie-talkies

Ability to transmit and receive radio signals

Transmit @ much higher frequencies

Simple to implement

WiFi card or built-in

Find hotspot once hardware/software installed

Relevant Definitions

Hotspot

Connection point for WiFi network

LAN

Local Area Network

WEP key

Wired Equivalent Privacy

Needed to gain access to a network

2 variations: 64-bit encryption (really 40-bit) and 128-bit encryption (really 104-bit)

Definitions Continued

VPN

Virtual Private Network

makes use of a public network (such as the Internet), while maintaining security and privacy through encryption and security procedures

SSID

Service Set Identifier

identifies a Wi-Fi network (manufacturer default)

secret key set by the network admin

must know the SSID to join an 802.11 network


Purpose & Scope of SANS Policy

Purpose is to prohibit access to company networks via unsecured wireless communication

Policy should cover all data communication devices on all internal networks:

PCs, cell phones, PDAs, etc.

Anything capable of transmitting packet data

Recommendations for Implementing Policy

1. Register access points and cards

All wireless access points (WAPs) connected to network to be registered and approved by InfoSec

Subject to penetration tests and audits

All network interface cards (NICs) in use must also be registered

2. Approved Technology

All LAN access must use corporate approved vendor products and security configurations

Recommendations Continued

3. VPN Encryption & Authentication

Use corporate approved VPN to drop all unauthenticated and unencrypted traffic

Must use point to point hardware encryption of at least 56 bits

Must support hardware address that can be registered and tracked (MAC address)

Recommendations Continued

4. Setting the SSID

Should not contain any identifying information about the organization

Company name, division, employee name
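
One way to audit recommendations 1 and 4 against a site survey, as an added example that is not part of the original slides or the SANS policy. The registry contents, the identifying terms and the scan entries are constructed sample values, and the function names are hypothetical.

```python
import re

# Assumed inventory of approved access points, keyed by BSSID (constructed values).
REGISTERED_BSSIDS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}
# Assumed identifying terms (constructed): company name, division, employee name.
IDENTIFYING_TERMS = ["examplecorp", "finance", "jsmith"]

def normalize_mac(mac):
    """Reduce 00-11-22..., 0011.2233.4455 and 00:11:22... to one canonical form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def ssid_terms(ssid, terms=IDENTIFYING_TERMS):
    """Return the identifying terms found in an SSID, ignoring case and separators."""
    squashed = re.sub(r"[^a-z0-9]", "", ssid.lower())
    return [t for t in terms if t in squashed]

def audit(scan, registered=REGISTERED_BSSIDS):
    """Return (bssid, ssid, [findings]) for every AP that breaks rule 1 or rule 4."""
    approved = {normalize_mac(m) for m in registered}
    report = []
    for entry in scan:
        bssid = normalize_mac(entry["bssid"])
        findings = []
        if bssid not in approved:
            findings.append("unregistered access point")
        hits = ssid_terms(entry["ssid"])
        if hits:
            findings.append("SSID identifies organization: " + ", ".join(hits))
        if findings:
            report.append((bssid, entry["ssid"], findings))
    return report

# Constructed site-survey output; a real scan would come from the audit tooling in use.
SAMPLE_SCAN = [
    {"bssid": "00-11-22-33-44-55", "ssid": "wlan-7f3a"},             # compliant
    {"bssid": "0011.2233.4466", "ssid": "Example_Corp-Finance"},     # rule 4
    {"bssid": "de:ad:be:ef:00:01", "ssid": "wlan-7f3a"},             # rule 1
    {"bssid": "DE:AD:BE:EF:00:02", "ssid": ""},                      # rule 1, hidden SSID
]

if __name__ == "__main__":
    for bssid, ssid, findings in audit(SAMPLE_SCAN):
        print(bssid, repr(ssid), "; ".join(findings))
```

Matching on the BSSID rather than the SSID is what catches the third entry, which advertises the same network name as an approved access point.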

5. Enforcement

Employees may face disciplinary action or termination if policy is violated