Wireless Network Security Position Paper. Overview for CEO s



Similar documents
Wireless Network Security Position Paper - Technical

INFORMATION TECHNOLOGY MANAGEMENT COMMITTEE LIVINGSTON, NJ ITMC TECH TIP ROB COONCE, MARCH 2008

HANDBOOK 8 NETWORK SECURITY Version 1.0

Security Requirements for Wireless Local Area Networks

How To Manage An Wireless Network At A University

Deploying secure wireless network services The Avaya Identity Engines portfolio offers flexible, auditable management for secure wireless networks.

How To Secure Wireless Networks

WIRELESS LOCAL AREA NETWORK (WLAN) IMPLEMENTATION

Potential Security Vulnerabilities of a Wireless Network. Implementation in a Military Healthcare Environment. Jason Meyer. East Carolina University

How To Protect A Wireless Lan From A Rogue Access Point

WIRELESS NETWORKING SECURITY

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 6. Wireless Network Security

INFORMATION & COMMUNICATIONS TECHNOLOGY (ICT) PHYSICAL & ENVIRONMENTAL SECURITY POLICY

Wireless Local Area Networking (WLAN) Security Assessment And Countermeasures

NSW Government Digital Information Security Policy

Notes on Network Security - Introduction

DEPARTMENT OF TRAINING AND WORKFORCE DEVELOPMENT

PwC. Outline. The case for wireless networking. Access points and network cards. Introduction: OSI layers and 802 structure

Industrial Communication. Securing Industrial Wireless

Guideline for department and agency implementation of the Information Security Penetration Testing standard SEC/STD/03.

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

WLAN Security Why Your Firewall, VPN, and IEEE i Aren t Enough to Protect Your Network

Wireless Local Area Network Deployment and Security Practices

XX-XXX Wireless Local Area Network Guidelines. Date: August 13, 2003 Date Adopted by NITC: Other:

ITL BULLETIN FOR AUGUST 2012

THE IMPORTANCE OF CRYPTOGRAPHY STANDARD IN WIRELESS LOCAL AREA NETWORKING

UF IT Risk Assessment Standard

THE BCS PROFESSIONAL EXAMINATIONS BCS Level 5 Diploma in IT. October 2009 EXAMINERS' REPORT. Computer Networks

Security in Wireless Local Area Network

CS 356 Lecture 29 Wireless Security. Spring 2013

AUDITOR GENERAL S REPORT. Protection of Critical Infrastructure Control Systems. Report 5 August 2005

Wireless Intrusion Detection Systems (WIDS)

A COMPARITIVE ANALYSIS OF WIRELESS SECURITY PROTOCOLS (WEP and WPA2)

Cloud Computing and Records Management

Security Analysis on Wireless LAN protocols

Wireless Threats To Corporate Security A Presentation for ISACA UK Northern Chapter

WLAN Attacks. Wireless LAN Attacks and Protection Tools. (Section 3 contd.) Traffic Analysis. Passive Attacks. War Driving. War Driving contd.

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Chapter 6: Fundamental Cloud Security

Guideline on Wireless Security

WHITEPAPER. Wireless LAN Security for Healthcare and HIPAA Compliance

NSW Government Digital Information Security Policy

ICANWK406A Install, configure and test network security

All vulnerabilities that exist in conventional wired networks apply and likely easier Theft, tampering of devices

Running Head: WIRELESS DATA NETWORK SECURITY FOR HOSTPITALS

Newcastle University Information Security Procedures Version 3

Running Head: WIRELESS NETWORKING FOR SMALL BUSINESSES. Wireless Networking for Small Businesses. Russell Morgan. East Carolina University

The following chart provides the breakdown of exam as to the weight of each section of the exam.

Closing Wireless Loopholes for PCI Compliance and Security

Security and Risk Analysis of VoIP Networks

WIRELESS SECURITY. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

Particularities of security design for wireless networks in small and medium business (SMB)

Wireless Security and Healthcare Going Beyond IEEE i to Truly Ensure HIPAA Compliance

NSW Government. Wireless services (WiFi) Standard

FREQUENTLY ASKED QUESTIONS

ADDENDUM 12 TO APPENDIX 8 TO SCHEDULE 3.3

How To Protect Decd Information From Harm

Wireless Security. New Standards for Encryption and Authentication. Ann Geyer

HIPAA Security Considerations for Broadband Fixed Wireless Access Systems White Paper

1 Purpose Scope Roles and Responsibilities Physical & Environmental Security Access Control to the Network...

G-Cloud Service Definition. Atos Information Security Wireless Scanning Service

COMPARISON OF WIRELESS SECURITY PROTOCOLS (WEP AND WPA2)

Overview. Summary of Key Findings. Tech Note PCI Wireless Guideline

CNA NetProtect Essential SM. 1. Do you implement virus controls and filtering on all systems? Background:

Storage, Retrieval and Destruction for Paper and Electronic Records 29 March 2005 to 28 March 2016

University of Sunderland Business Assurance Information Security Policy

UIIPA - Security Risk Management. June 2015

Wireless LAN Security: Securing Your Access Point

Service Children s Education

Ensuring HIPAA Compliance in Healthcare

Wireless Network Policy

Wireless in the Data Centre becomes best practice!

Enterprise Computing Solutions

TOWARDS STUDYING THE WLAN SECURITY ISSUES SUMMARY

Name: Position held: Company Name: Is your organisation ISO27001 accredited:

ENISA s ten security awareness good practices July 09

United States Trustee Program s Wireless LAN Security Checklist

Wireless Network Security

AN OVERVIEW OF VULNERABILITY SCANNERS

06100 POLICY SECURITY AND INFORMATION ASSURANCE

University of Brighton School and Departmental Information Security Policy

Information Security Team

ECC/DEC/(04)08 ELECTRONIC COMMUNICATIONS COMMITTEE

Security (WEP, WPA\WPA2) 19/05/2009. Giulio Rossetti Unipi

UMHLABUYALINGANA MUNICIPALITY PATCH MANAGEMENT POLICY/PROCEDURE

Transcription:

Wireless Network Security Position Paper Overview for CEO s VERSION 1.1 December 2007

Acknowledgement This document was written with the assistance of the Department of the Premier and Cabinet.

Table of Contents 1. Purpose and Scope...4 2. Position Statement...5 3. Introduction...6 4. What are the Risks?...7 5. What Should be Done?...8 5.1 Be aware of the technical and security implications...8 5.2 Carefully plan the deployment of any wireless technology...8 6. Recommendations...9 Recommendation 1 Develop a Strategy...9 Recommendation 2 Develop a Business Case...9 Recommendation 3 Develop Policies and Ensure Compliance...9 Recommendation 4 Monitor for Wireless Devices...10 Recommendation 5 Use only Best Practice WLAN Mode...10 7. Conclusion...11 Department of Finance 3

1. Purpose and Scope The purposes of this paper are to raise awareness of security risks posed by wireless computer networks, and to provide some high-level guidance for establishing secure wireless networks. This paper targets security for Wireless Local Area Networks (WLANs) using the standard typically used to install WLANs in Western Australian Government agencies (IEEE 802.11). Other wireless technologies and external networks, such as public Internet access points ( hot spots ) are outside the scope of this paper. A Wireless Network Security Position Paper - Technical has also been developed to provide more detailed guidance on the management, operational and technical issues and recommendations for the secure deployment of wireless local area networks to agencies management and technical staff. This paper and the Wireless Network Security Position Paper Technical have been developed in response to the Auditor General's Second Public Sector Performance Report 2007, Report 3 April 2007. Department of Finance 4

2. Position Statement Key findings of the Auditor General's Second Public Sector Performance Report 2007, Report 3 April 2007 show serious weaknesses at the strategic, policy and operational levels in almost all agencies audited that had deployed wireless networks. Premier s Circular 2004/09 (Computer Information and Internet Security) noted that on 20 January 2003, Cabinet directed that the Chief Executive Officer of each agency is responsible for ensuring their agency implements an appropriate level of information and Internet security. In light of the Auditor General s findings, agencies should consider and implement the recommendations laid out in this paper for new and existing wireless networks. Department of Finance 5

3. Introduction Wireless communications offer agencies and users many benefits, such as portability, flexibility, increased productivity, and lower installation costs. Wireless technologies cover a broad range of differing capabilities oriented toward different uses and needs. Wireless local area network (WLAN) devices, for instance, allow users to move their laptops from place to place within their offices without the need for wires and without losing network connectivity. Less wiring means greater flexibility, increased efficiency and reduced wiring costs. However, risks are inherent in any wireless technology. Some of these risks are similar to those of wired networks; some are exacerbated by wireless connectivity; some are new. Perhaps the most significant source of risks in wireless networks is that the technology s underlying communication medium, the airwave, is open to intruders, making it the equivalent of installing a wired network connection outside your building that anyone can access. Despite the additional security risks to networks, the use of wireless devices and WLANs is growing rapidly. In fact, many devices today such as laptops are now wireless enabled by default. Department of Finance 6

4. What are the Risks? The loss of confidentiality and integrity and the threat of denial of service attacks are risks typically associated with wireless communications. Unauthorised users may easily gain access to an agency s systems and information, corrupt data, consume network bandwidth, degrade network performance, launch attacks that prevent authorised users from accessing the network, or use the agency s resources to launch attacks on other networks. A particular danger with wireless technologies highlighted by the Auditor General is that they can be easily procured and installed without the knowledge of management. As well, laptops connected to the wired network with the wireless card enabled pose an ongoing risk to agencies networks. Department of Finance 7

5. What Should be Done? 5.1 Be aware of the technical and security implications Although wireless technologies offer significant benefits, they also pose unique security challenges over and above those posed by wired networks. The coupling of relative immaturity of the technology with poor legacy security standards, flawed implementations, limited user awareness, and lax security and administrative practices forms an especially challenging combination. In a wireless environment, data is broadcast through the air. There are no physical controls over the boundaries of transmissions or the ability to use the physical security controls typically available with wired connections. As a result, data may be captured beyond the physical location that the wireless network was intended to serve. Because of differences in building construction, wireless frequencies and attenuation, and the capabilities of high-gain antennas, the distances necessary for positive control for wireless technologies to prevent eavesdropping can vary considerably. 5.2 Carefully plan the deployment of any wireless technology To be effective, WLAN security should be incorporated throughout the life cycle of all WLAN solutions, involving everything from strategy and policy, through to procurement, operations and disposal. Department of Finance 8

6. Recommendations Implementing the recommendations presented in this paper for a new or existing WLAN will ensure that accepted wireless networking best practice is met, and will provide reasonable assurance that an agency is protected against most currently known WLAN security threats. Recommendation 1 Develop a Strategy Agencies wishing to deploy wireless devices must be able to provide an overall documented vision for how the WLAN would support their business mission, creating a high-level strategy for the WLAN s implementation. Recommendation 2 Develop a Business Case In light of the security issues, any deployment of wireless technology on an agency's computing network must be subject to usual risk management processes and underpinned by a sound business case as to why this technology should be used. Recognising and documenting the benefits, costs and risks in a business case is something that can be done relatively easily and does not require voluminous documentation. A business case should specify business and functional requirements for a WLAN solution. A business case for a WLAN is strengthened if it can link to an overall WLAN strategy. Recommendation 3 Develop Policies and Ensure Compliance The cornerstone of an effective WLAN security strategy involves documenting, deploying and enforcing WLAN security policies and practices. A security policy, and compliance therewith, is the foundation on which other operational and technical countermeasures are rationalised and implemented. Department of Finance 9

Recommendation 4 Monitor for Wireless Devices All agencies should develop, and exercise, the capability to monitor for rogue wireless networks. Even agencies that do not believe they have any wireless devices on their network should have the capability to detect any rogue wireless devices that may have been installed without the knowledge or authority of the persons responsible for such matters. Creating a wireless access point or intercepting wireless signals can be done simply and cheaply and must therefore be monitored. As well, laptops connected to the wired network with the wireless card enabled pose an ongoing risk to agencies networks and should be monitored for by wireless or wired network detection capabilities. Agencies with WLANs installed should also periodically review security arrangements such as the strength of transmission signals and co-channel interference from other wireless networks in the vicinity. Recommendation 5 Use only Best Practice WLAN Mode An IEEE802.11i RSN using AES-CCMP with IEEE 802.1X and EAP-TLS authentication should be the only mode used for any government WLANs. The technical details of this mode are detailed in the Wireless Network Security Position Paper Technical. At the time of writing, this is consistent with the mode required for the transmission of classified information (below Top Secret) in Commonwealth Government agencies that are bound by the security specifications set out in the Defence Signals Directorate Australian Government Information Security Manual (ISM). Whilst State Government agencies are not bound by the ISM it is regarded as best practice to follow the security instructions from this manual. Department of Finance 10

7. Conclusion The deployment of insecure wireless networks poses new security threats to agencies computer networks and information. The Auditor General has identified serious weaknesses at the strategic, policy and operational levels in almost all agencies audited that had deployed wireless networks. The Chief Executive Officer of each agency is responsible for ensuring their agency implements an appropriate level of information and Internet security. To this end, agencies should consider and implement the recommendations above. More detailed and technical information is available in the Wireless Network Security Position Paper Technical. Any queries on the issues discussed in this paper or general requests for further information can be directed to: Gail Holt, Principal Policy Officer, Department of Finance on 6551 1576. Department of Finance 11

Optima Centre 16 Parkland Road, Osborne Park WA 6017 Postal Address: Locked Bag 11, Cloisters Square, Perth WA 6850 E: cyber.security@finance.wa.gov.au W: www.finance.wa.gov.au

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information