Educause Security Discussion mailing list archives
1 Survey summary, 2 new surveys -- was Re: [unisog] Survey of effective campus wireless security practices -- your input is requested
From: "H. Morrow Long" <morrow.long () YALE EDU>
Date: Tue, 1 Jun 2004 13:57:31 -0400
1. As promised, I've summarized the results of my informal
survey (posted to UniSog and the Educause Security Group
Listserv). Appended in text format is the raw answer data from
the (de-identified) responding institutions. You view the
summarized answers (as tables & graphs) in the PPT at:
http://www.yale.edu/its/security/Presentations/ByDate/20040518/
SPW04STFEPWSHIED.ppt
2. Short survey #2: Cyber-risk policies - How many institutions have
purchased one?
I'm aware that many institutions have been
approached by insurance companies, insurance brokers and
risk managers and advised to look into purchasing new 'cyber'
risk insurance policies to cover gaps in current coverage.
How many of your institutions have actually done so?
(Answers will be kept anonymous)
3. Short survey #3: PC S/W firewalls -
How many campuses mandate/recommend/provide one?
* Does your campus mandate a personal PC firewall (h/w or s/w)?
* Does it mandate a particular vendor or brand?
* Does it mandate a particular configuration?
* Does your campus recommend a personal PC firewall (h/w or s/w)?
* Does it mandate a recommend vendor or brand?
* Does it mandate a recommend configuration?
* Does your campus provide a personal PC firewall (h/w or s/w) for
free?
* Does your campus provide a personal PC firewall (h/w or s/w) for a
fee?
Which PC S/W firewall did your institution choose?
How and/or why?
- H. Morrow Long, CISSP, CISM
University Information Security Officer
Director -- Information Security Office
Yale University, ITS
------------------------------------------------------------------------
------------------------------------------------------------------------
-----
Survey of effective campus wireless security practices questions
15 Responding Institutions (de-identified)
[Save the below lines as a file named survey.csv if you wish to bring
it into Excel]
Do you provide WiFi access on your campus?
,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y
Do you publish your campus SSID on the Web?
?,N,N,Y,N,Y,N,Y,Y,N,Y,Y,Y,Y,Y,N
Do you publish campus maps with WiFi
locations?,Y,N,N,Y,Y,Y,N,Y,N,Y,N,Y,Y,Y,Y
(*hotspots*) on the Web?,,,,,,,,,,,,,,,
Is your campus wireless LAN(s) mode:,,,,,,,,,,,,,,,
IBSS (ad-hoc),N,N,Y,N,N,N,N,N,N,N,N,N,N,N,N
BSS (Infrastructure),Y,Y,Y,Y,Y,N,Y,N,Y,Y,Y,Y,N,Y,Y
ESS (Extended Infrastructure),N,N,N,N,N,Y,N,Y,N,Y,N,N,Y,N,N
Have you implemented:,,,,,,,,,,,,,,,
802.11a,Y,N,N,Y,N,N,N,N,N,N,N,N,Y,Y,N
802.11b,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,N,Y
802.11g,Y,Y,Y,Y,N,N,N,N,Y,N,N,Y,Y,N,N
" Other 802.11 (e.g. Super-G, WiMAX, etc.)
",N,N,N,N,N,N,N,N,N,N,N,N,N,N,N
802.11i ,N,N,N,N,N,N,N,N,N,N,N,N,N,N,N
WEP ,Y,Y,Y,Y,N,Y,Y,N,Y,Y,Y,N,Y,N,N
WPA ,N,N,Y,N,N,N,N,N,N,N,N,N,N,N,N
801.X ,Y,Y,Y,N,N,N,Y,N,Y,Y,N,N,Y,N,N
EAP-MD5,N,Y,N,N,N,N,N,N,N,N,N,N,N,N,N
LEAP (aka EAP-Cisco),N,N,N,Y,N,N,N,N,Y,Y,N,N,Y,N,N
PEAP,Y,N,Y,N,N,N,N,N,N,Y,N,N,N,N,N
EAP over TLS,N,N,N,N,N,N,N,N,N,N,N,N,Y,N,N
TTLS,N,N,N,N,N,N,Y,N,N,N,N,N,N,N,N
Other EAP Name: _________ ,N,N,N,N,N,N,N,N,N,N,N,N,N,N,N
AirDefense,N,N,N,N,N,N,N,N,N,N,N,N,N,N,N
Bluesocket,N,N,N,N,N,N,N,Y,N,N,N,N,N,N,N
Ecutel,N,N,N,N,N,N,N,N,N,N,N,N,N,N,N
ReefEdge,N,N,N,N,N,N,N,N,N,N,N,N,N,N,N
Vernier,N,N,N,N,N,N,N,N,N,N,N,N,N,N,N
Other Name: ,Perfigo,,,,,,, , ,,,,,,N
Network Topology,,,,,,,,,,,,,,,
-------------------------,,,,,,,,,,,,,,,
Are your wireless lans ...,, ,,,,,,,,,,,,,
,, ,,,,,,,,,,,,,
On a separate VLAN from your campus
network?,Y,N,Y,Y,Y,Y,Y,N,Y,Y,Y,Y,Y,Y,N
On a private (RFC1918) network separate from your campus
network?,N,N,Y,Y,Y,N,N,N,N,N,N,N,Y,Y,N
On a public net or subnet(s) separate from your campus
network?,N,Y,N,N,N,Y,N,N,Y,N,Y,Y,N,Y,N
On the same network and/or subnets as your campus
network?,Y,N,N,Y,N,N,N,Y,N,Y,N,N,Y,N,Y
Other? Explain ______________________,N,N,N,N,N,N,N,N,N,N,N,N,N,N,N
Network Access Control,,,,,,,,,,,,,,,
---------------------------------,,,,,,,,,,,,,,,
Do you have a firewall between your wireless LAN(s) and the campus
network?,N,N,Y,N,N,N,Y,N,Y,N,N,N,N,Y,N
Do you have a firewall between your wireless LAN(s) and the
Internet?,Y,Y,Y,Y,N,Y,Y,N,Y,N,N,N,NY,Y,N
Do you require the use of a VPN to send traffic off of your
WLAN?,N,N,N,N,Y,Y,N,N,N,N,N,N,NY,N,N
Do you require the use of a VPN to send traffic from your WLAN into
your campus net?,Y,N,N,N,Y,Y,N,N,N,N,N,N,N,N,N
,,,,,,, ,,,,,,,,
Do you have a secure method of keeping out unregistered MAC addressed
WLAN cards?,Y,N,N,N,N,N,N,Y,Y,N,Y,N,Y,Y,N
Do you have protection against ARP spoofing/cache poisoning and
'dsniff' type attacks?,Y,N,N,N,N,N,N,Y,N,N,N,N,N,N,N
Is your SSID (network name) kept private?,N,N,Y,N,N,Y,N,N,Y,N,N,N,N,N,N
Do you disable SSID (network name) info in broadcasts (beacon
frames)?,N,N,Y,N,N,Y,Y,N,Y,N,Y,N,YN,N,N
Do you provide wireless users with protection against accidental and
malicious association,,,,, ,,,, ,,,,,,
with rogue access points?,N,N,N,Y,N,N,Y,N,N,Y,Y,N,Y,N,N
Do you monitor for rogue WiFi
cards/stations?,N,N,Y,N,Y,N,Y,N,Y,N,Y,Y,NY,N,N
Do you monitor for rogue WiFi Access
Points?,Y,N,Y,Y,Y,Y,Y,N,Y,N,Y,Y,NY,N,N
Do you monitor for channel/signal
interference?,Y,N,Y,Y,Y,Y,Y,N,Y,N,Y,Y,YN,N,Y
Do you have a wireless management
system?,N,N,N,Y,Y,N,Y,N,N,Y,N,Y,NY,N,N
Do you use or have the ability to jam wireless signals on
campus?,N,N,N,N,N,N,N,N,N,N,N,N,N,N,N
Authentication,,,,,,,,,,,,,,,
--------------------,,,,,,,,,,,,,,,
Do you allow unauthenticated (open)
access?,N,N,N,N,N,N,N,N,Y,N,N,N,N,N,N
Do you require MAC (Hardware Address) registration and DHCP for
access?,Y,Y,N,N,N,N,N,N,Y,N,Y,Y,Y,Y,Y
Do you require campus ID signon (e.g. NetID and password) via capture
and redirection,Y,N,N,N,N,N,Y,Y,N,N,N,Y,N,Y,Y
to a webpage (web authentication)?,,, ,,,,,,,,,,,,
Do you require campus ID signon (e.g. NetID and password) via WiFi
driver authentication?,,, ,,,,,,,,,,,,
" (e.g. supplicant 801.X/*EAP/WPA/802.11i,
etc.)",Y,Y,N,Y,N,N,Y,N,N,Y,N,NY,Y,N,N
Do you require X.509 certificates for WiFi
access?,N,N,N,N,N,N,N,N,N,N,N,N,Y,N,N
Do you require smartcard auth. for WiFi
access?,N,N,N,N,N,N,N,N,N,N,N,N,N,N,N
Do you use a VPN to authenticate for WiFi
access?,N,N,N,N,Y,Y,N,N,N,N,N,N,N,N,N
Encryption,,,,,,,,,,,,,,,
---------------,,,,,,,,,,,,,,,
WEP 40/64 bit static,N,N,N,N,N,N,N,N,Y,N,Y,N,N,N,N
WEP > 40/64 bit static,N,N,N,N,N,Y,N,N,Y,N,N,N,N,N,N
,, ,,,,,,,,, ,,,,
WEP 40/64 bit dynamic,N,N,N,Y,N,N,N,N,N,N,N,N,N,N,N
WEP > 40/64 bit dynamic,N,N,N,N,N,N,N,N,N,N,N,N,Y,N,N
WPA 128 bit 'standalone' ,N,N,N,N,N,N,N,N,N,N,N,N,N,N,N
WPA 128 bit 'Enterprise' (802.1X
server),N,N,N,N,N,N,Y,N,N,Y,N,NY,NY,N,N
Do you require/allow/recommend/don't care about encryption at the ____
layer on WLANs?, , , , ,,,,,,,,,,,R
Application (SSH), ,DC,"A,REC",DC,DC,REC,DC,,R,REC,REC,REC,REC,DC,R
Session (SSL/TLS), ,DC,"A,REC",DC,DC,REC,R,,R,REC,REC,REC,REC,DC,R
Transport (PPTP VPN), ,DC,"A,REC",DC,R,R,DC,,R,DC,REC,R,NA,DC,R
Network (IPSEC and/or L2TP VPN),
,DC,"A,REC",DC,R,R,DC,,R,DC,A,R,REC,DC,R
" Data Link (WEP, WPA)", ,DC,"A,REC",R,DC,R,DC,,R,R,R,DC,REC,DC,R
Policy,,,,,,,,,,,,,,,
---------,,,,,,,,,,,,,,,
Do you have a policy which reserves WiFi spectrum frequencies to
UNIV?,Y,N,Y,Y,Y,N,Y,N,N,N,Y,N,Y,Y,N
Do you allow wireless access points to be set up by:,NR,,,,,,,,,,,,,,
(non-IT) departments? ,N,N,N,N,N,N,N,Y,N,Y,N,Y,Y,N,Y
any faculty members?,N,N,N,N,N,N,N,Y,N,Y,N,Y,N,N,Y
students?,N,N,N,N,N,N,N,Y,N,N,N,Y,N,N,Y
Do you have minimum security configuration standards required for
non-IT WAPs?,N,N,Y,N,Y,N,N,Y,NA,Y,NA,Y,Y,N,N
Do you have any other interesting or unique security measures on your
WLAN?,N,N,,N,N,N,N,Bluesocket,,,Port Kill,,LEAP,,N
,,,,,,,,,,,,,TO,,
,,,,,,,,,,,, ,EAP-TLS,,
# # #
**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at
http://www.educause.edu/cg/.
Attachment:
smime.p7s
Description:
Current thread:
- 1 Survey summary, 2 new surveys -- was Re: [unisog] Survey of effective campus wireless security practices -- your input is requested H. Morrow Long (Jun 01)