Enterprises of all sizes are deploying wireless LANs for the many productivity and mobility benefits that come from employees seamlessly connecting to IT resources and performing daily tasks without requiring a wired connection. But just like wired networks, 802.11 wireless LANs require network policies that are designed, implemented, and enforced to maximize network performance and reduce exposure to the inherent security flaws in 802.11 wireless LANs. The many benefits and expected return on investment of a wireless LAN can be wiped out if a security and management policy is not in place and enforced. This paper is designed to guide network administrators and security managers in designing, implementing, and enforcing wireless LAN security policies that enable every organization to fully reap the benefits of wireless LANs without experiencing undue management pains and security holes.
As wireless networks proliferate, the ever-present danger of new, more sophisticated hacking tools is also on the upswing. Hackers armed with new tools such as AirJack, AirSnarf, and Hunter_Killer are launching more sophisticated attacks on the network, including networks that a year ago were said to be unbreakable. When an organization's network is left exposed by insecure wireless LAN devices, hackers can compromise the organization's network backbone, rendering the investment in IT security useless. Not only are there financial implications from a security standpoint, but the breach can potentially impact the company's reputation and its proprietary and regulatory information. These scenarios can lead to additional financial loss and legal ramifications.
Hence, various regulatory bodies have defined policies with which organizations must comply. Regardless of the WLAN deployment status, organizations have to ensure that they track all wireless activity and prevent the transmission of wireless data in clear text. The Department of Defense issued a wireless directive, Number 8100.2, on April 14, 2004. This directive establishes policy and assigns responsibilities for the use of commercial wireless devices, services, and technologies in the DoD Global Information Grid. Healthcare organizations have to maintain the sanctity of patient data by complying with the HIPAA regulations. Various regulations, e.g. the OCC Wireless Advisory and the GLBA Safeguards Rule, have been defined for banking and financial institutions. A new section of the Sarbanes-Oxley Act, Section 404, requires all publicly traded firms to file an internal control statement which must attest to management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company. While corporate officers are accountable, IT systems and infrastructure are critical to the financial reporting process, and the burden falls on the IT department to ensure the integrity of the established processes. The IT department must document, test, monitor, and report the effectiveness of internal control processes. In addition to the regulatory policies, organizations must define their enterprise policy and monitor for compliance. This process is described in detail in the next section.
Policies for an 802.11 wireless LAN should become part of the greater enterprise network policy and mirror the standard six-step policy process.
1.) Policies are first defined and documented.
2.) Management must then buy into the documented policies.
3.) The policy should then be communicated to all employees, contractors, on-site vendors, and anyone else expected to comply with the policy.
4.) The wireless LAN should then be monitored to audit for policy compliance.
5.) Enterprises should have an established procedure for taking corrective action against network devices or individuals found in non-compliance with the policy.
6.) Finally, a process to revise and fine-tune the wireless LAN policy should be in place to handle evolving security standards, user behavior, and physical changes in the network.
Each of these steps is detailed below, with example policies and thresholds. In establishing a documented wireless LAN policy, enterprises should consider four key components of the policy: WLAN Usage, Network Configuration, Security, and Network Performance. As every enterprise wireless LAN is different, policies for these four areas will vary between organizations and may overlap. For example, the proper configuration of an access point has a direct effect on the security of the wireless LAN.