Re: wireless policies

[Alessandro Bottonelli <a.bottonelli () axis-net it>]

On Tuesday 11 November 2003 23:44, netethix () iprimus com au wrote:
> I'm in the process of assisting in the creation of a wireless policy for
> a large company. I'm interested in hearing people's experiences in a)
> putting together an effective wireless policy and b) how they have gone
> about securely implementing a wireless solution. It's a broad topic - and
> so answers can be as broad or specific as you like.
I am supporting a military client of mine on a very similar task. 

What happens here is that the key points to define are:

  When and where WLANs are acceptable, ie:
    -1- For Unclassified networks only
    -2- When wired arrangements are not possible
         for example: in buildings of historical value
                            for temporary networks
    -3- Where in-campus mobility is a requirement

   How they are to be implemented, ie:
    -1- Only encrypted traffic 
    -2- Cipher of at least N bits
    -3- Key changes every N days
    -4- Strong (two-factor) user authentication
    -5- Must be approved by the Security Officer
    -6- Must be audited N time(s) a year

This is just a starting point, these concepts need to be developed further on 
the specific client environment. Any statement in the policy means MONEY, so 
you must carefully balance actual risk with protection levels really needed 
by the client.

-- 
Alessandro Bottonelli
CISSP & BS7799 Lead Auditor
Information Security Consultant
www.axis-net.it

---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to 
simplify the management and deployment of PGP and reduce overall PGP costs 
by up to 80%.
FREE WHITEPAPER & 30 Day Trial - 
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027 
----------------------------------------------------------------------------