Educause Security Discussion mailing list archives

Survey of effective campus wireless security practices -- your input is requested


From: "H. Morrow Long" <morrow.long () YALE EDU>
Date: Wed, 21 Apr 2004 02:02:57 -0400

Higher Ed IT Security folks -

In preparation for a talk at the Educause Security Practitioners Workshop
in DC in May I'd like to solicit input from Higher Ed IT security and network
security staff regarding any wireless security mechanisms which you have
implemented on your campus.

In particular I'm interested in receiving e-mail from both those who are willing
to fill in and return a short survey (form follows) as well as those who are
willing to write to me with longer descriptions of their wireless network and
the particular approaches (commercial, non-commercial and home-grown)
that they've taken towards securing wireless LANs (aka WiFi aka 802.11a/b/g).

If you have documents which are already written as well as network diagrams
and/or PowerPoint slides documenting your wireless network security that would
also be appreciated. However -- only send material which is not considered
confidential and which can be included in a public talk (sanitize any details you wish
kept private). Send to: morrow.long () yale edu

Short survey on effective wireless security practices (data gathered in the survey
will be kept confidential -- unless you post it to a public mailing list.... -- results will
be summarized and published):

General
-----------
Do you provide WiFi access on your campus? Y _ N _
Do you publish your campus SSID on the Web? Y _ N _
Do you publish campus maps with WiFi locations
(*hotspots*) on the Web? Y _ N _

Is your campus wireless LAN(s) mode:
IBSS (ad-hoc) Y _ N _
BSS (Infrastructure) Y _ N _
ESS (Extended Infrastructure) Y _ N _

Have you implemented:
802.11a Y _ N _
802.11b Y _ N _
802.11g Y _ N _
Other 802.11 (e.g. Super-G, WiMAX, etc.) Y _ N _
802.11i Y _ N _
WEP Y _ N _
WPA Y _ N _
802.1X Y _ N _
EAP-MD5 Y _ N _
LEAP (aka EAP-Cisco) Y _ N _
PEAP Y _ N _
EAP over TLS Y _ N _
TTLS Y _ N _
Other EAP Name: _________ Y _ N _
AirDefense Y _ N _
Bluesocket Y _ N _
Ecutel Y _ N _
ReefEdge Y _ N _
Vernier Y _ N _
Other Name: ________________


Network Topology
-------------------------
Are your wireless LANs ...

On a separate VLAN from your campus network? Y _ N _
On a private (RFC1918) network separate from
your campus network? Y _ N _
On a public net or subnet(s) separate from
your campus network? Y _ N _
On the same network and/or subnets as your
campus network? Y _ N _
Other? Explain ______________________

Network Access Control
---------------------------------
Do you have a firewall between your wireless
LAN(s) and the campus network? Y _ N _
Do you have a firewall between your wireless
LAN(s) and the Internet? Y _ N _
Do you require the use of a VPN to send traffic
off of your WLAN? Y _ N _
Do you require the use of a VPN to send traffic
from your WLAN into your campus net? Y _ N _

Do you have a secure method of keeping out
unregistered MAC addressed WLAN cards? Y _ N _
Do you have protection against ARP spoofing/
cache poisoning and 'dsniff' type attacks? Y _ N _
Is your SSID (network name) kept private? Y _ N _
Do you disable SSID (network name) info in
broadcasts (beacon frames)? Y _ N _
Do you provide wireless users with protection
against accidental and malicious association
with rogue access points? Y _ N _
Do you monitor for rogue WiFi cards/stations? Y _ N _
Do you monitor for rogue WiFi Access Points? Y _ N _
Do you monitor for channel/signal interference? Y _ N _
Do you have a wireless management system? Y _ N _

Do you use or have the ability to jam wireless
signals on campus? Y _ N _


Authentication
--------------------
Do you allow unauthenticated (open) access? Y _ N _
Do you require MAC (Hardware Address)
registration and DHCP for access? Y _ N _
Do you require campus ID signon (e.g. NetID
and password) via capture and redirection
to a webpage (web authentication)? Y _ N _
Do you require campus ID signon (e.g. NetID
and password) via WiFi driver authentication?
(e.g. supplicant 802.1X/*EAP/WPA/802.11i, etc.) Y _ N _
Do you require X.509 certificates for WiFi access? Y _ N _
Do you require smartcard auth. for WiFi access? Y _ N _
Do you use a VPN to authenticate for WiFi access? Y _ N _

Encryption
---------------
WEP 40/64 bit static Y _ N _
WEP > 40/64 bit static Y _ N _

WEP 40/64 bit dynamic Y _ N _
WEP > 40/64 bit dynamic Y _ N _

WPA 128 bit 'standalone' Y _ N _
WPA 128 bit 'Enterprise' (802.1X server) Y _ N _

Do you require/allow/recommend/don't care about encryption at the ____ layer on WLANs?
Application (SSH) R _ A _ REC _ DC _
Session (SSL/TLS) R _ A _ REC _ DC _
Transport (PPTP VPN) R _ A _ REC _ DC _
Network (IPSEC and/or L2TP VPN) R _ A _ REC _ DC _
Data Link (WEP, WPA) R _ A _ REC _ DC _

Policy
---------
Do you have a policy which reserves WiFi spectrum
frequencies to official University purposes? Y _ N _

Do you allow wireless access points to be set up by:
(non-IT) departments? Y _ N _
any faculty members? Y _ N _
students? Y _ N _

Do you have minimum security configuration standards required
for non-IT managed wireless access points? Y _ N _

Comments:

Do you have any other interesting or unique security measures on
your wireless LAN implementations?

___________________________________________________
___________________________________________________

# # #


- H. Morrow Long, CISSP, CISM
University Information Security Officer
Director -- Information Security Office
Yale University, ITS
