Recommended Wireless LAN Security Policies
The particular wireless LAN security policies followed by an organization depend heavily on the need for security in that organization. The following list contains recommended security policies that would apply in many organizations. This list can be used as a starting point, and pared down or built up to meet specific needs.
- All wireless Access Points / Base Stations connected to the corporate network must be registered and approved by the organization's computer security team. These Access Points / Base Stations are subject to periodic penetration tests and audits. Unregistered Access Points / Base Stations on the corporate network are strictly forbidden.
- All wireless Network Interface Cards (i.e., PC cards) used in corporate laptop or desktop computers must be registered with the corporate security team.
- All wireless LAN access must use corporate-approved vendor products and security configurations.
- All computers with wireless LAN devices must utilize a corporate-approved Virtual Private Network (VPN) for communication across the wireless link. The VPN will authenticate users and encrypt all network traffic.
- Wireless Access Points / Base Stations must be deployed so that all wireless traffic is directed through a VPN device before entering the corporate network. The VPN device should be configured to drop all unauthenticated and unencrypted traffic.
- The wireless Service Set Identifier (SSID) provides no security, and should not be used as a password. Furthermore, wireless card Medium Access Control (MAC) addresses can be easily gathered and spoofed by an attacker. Therefore, security schemes should not be based solely on filtering wireless MAC addresses, as they do not provide adequate protection for most uses.
- Wired Equivalent Privacy (WEP) keys can be broken. WEP may be used to identify users, but only together with a VPN solution.
- The transmit power for Access Points / Base Stations near a building's perimeter (such as near exterior walls or top floors) should be turned down. Alternatively, wireless systems in these areas could use directional antennas to control signal bleed out of the building.
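As an added example (not part of the original policy document), the following script shows how the first policy's registration requirement can be enforced in practice: it compares the Access Points seen in a periodic site survey with the security team's registry and flags unregistered ones, singling out those that advertise the corporate SSID. The registry, the scan data and the (BSSID, SSID) record layout are constructed assumptions.

```python
# Added example (not from the original policy text): audit a wireless site
# survey against the corporate Access Point registry the policy requires.
# All data below is constructed; the (BSSID, SSID) record layout is an assumption.

CORPORATE_SSIDS = {"CORP-WLAN"}  # constructed sample value

# Constructed registry kept by the security team: BSSID -> approved SSID.
REGISTERED_APS = {
    "00:11:22:33:44:55": "CORP-WLAN",
    "00:11:22:33:44:66": "CORP-WLAN",
}

# Constructed site-survey output: (BSSID, SSID) per observed beacon.
SCAN = [
    ("00:11:22:33:44:55", "CORP-WLAN"),
    ("00-11-22-33-44-66", "CORP-WLAN"),   # same registered AP, dashed MAC notation
    ("AA:BB:CC:DD:EE:FF", "CORP-WLAN"),   # unregistered AP using the corporate SSID
    ("de:ad:be:ef:00:01", "CoffeeShop"),  # unregistered, unrelated neighbour
    ("00:11:22:33:44:55", "CORP-WLAN"),   # duplicate beacon of a registered AP
]

def normalize_bssid(bssid: str) -> str:
    """Canonical lower-case colon form so '00-11-...' and '00:11:...' compare equal."""
    digits = bssid.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"malformed BSSID: {bssid!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit_scan(scan, registry, corporate_ssids):
    """Classify each observed AP: 'rogue' (unregistered but advertising a corporate
    SSID), 'unknown' (unregistered, other SSID) or 'mismatch' (registered BSSID
    seen with a different SSID than recorded). Registered, consistent APs pass."""
    reg = {normalize_bssid(b): s for b, s in registry.items()}
    result = {"rogue": set(), "unknown": set(), "mismatch": set()}
    for bssid, ssid in scan:
        b = normalize_bssid(bssid)
        if b in reg:
            if reg[b] != ssid:
                result["mismatch"].add((b, ssid))
        elif ssid in corporate_ssids:
            result["rogue"].add((b, ssid))
        else:
            result["unknown"].add((b, ssid))
    return result

if __name__ == "__main__":
    for category, aps in audit_scan(SCAN, REGISTERED_APS, CORPORATE_SSIDS).items():
        for b, s in sorted(aps):
            print(f"{category}: {b} ({s})")
```

Entries in the "rogue" set are the ones the policy forbids outright; "unknown" entries are usually neighbouring networks but still worth a look when they sit inside the building.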