Wireless Policies

Krulewitch, Sean V krulewit at iu.edu
Thu Aug 16 20:44:30 GMT 2001


Jim,

As we were planning our wireless infrastructure we knew we didn't want to
rely on 
WEP and we knew it was going to be difficult to enforce restrictions 
on the wireless networks.  To solve this, we placed all of our 
wireless access points on one big VLAN and we only hand out 10 addresses 
to the clients.  Further, the only way off of the wireless VLAN is through 
our VPN concentrator, so each user creates an encrypted tunnel to get out 
to the rest of campus (and/or the Internet).  So far this has worked 
extremely well for us.

-Sean 
-- 
Sean Krulewitch, Security Engineer, MCSE, MCP+I
IT Security Office, Office of the VP for Information Technology 
Indiana University 
For PGP Key:  https://www.itso.iu.edu/staff/krulewit/  

-----Original Message-----
From: Jim Dillon [mailto:jim.dillon at cusys.edu] 
Sent: Monday, August 13, 2001 12:01 PM
To: unisog at sans.org
Subject: Wireless Policies


Now that WEP is a proven 15 minute bust, and MAC addresses are proven 
spoofable (according to traffic on this list), do any of you address 
content exposure through policies or guidelines at your .EDU's?  If you 
have anything remotely like any of the rudimentary examples below, I'd like 
to know what they are and that you have them.

Examples:
- For Wireless Subnets, only non-sensitive applications should be hosted.
- No E-Commerce applications or any form of financial transaction is 
allowed to be hosted from OurSchools.EDU wireless subnet.
- No machines on Wireless subnets should store or transmit data of a 
sensitive nature such as credit card numbers, private student information, 
legal or attorney privileged data, or any FERPA/HIPAA controlled privacy 
element.
- Potential users of Wireless subnet A should use the sensitive and 
critical data evaluation checklist to determine if their data might be 
sensitive to public exposure.
- All users of Wireless subnet A must acknowledge these policies and agree 
to abide by them before access is granted to Wireless subnet A.
- No interfaces should be developed or trusts should be granted from within 
wireless subnet A to any of the schools Systems of Record. (Such as ....)
- Any exceptions to the above must be approved by Tech Authority A, 
Chancellor B, and Security Officer C, etc.
- Wireless technology may be used/shouldn't be used for the following 
purposes or applications: ... (whatever the list may be, servers, mail 
servers, computer hosted testing, personnel records, grade books, etc.)

Granted, such policies would be difficult to enforce, except through stiff 
big-brother tactics and clear authority, and violations would be 
exceedingly difficult to locate through monitoring, but perhaps such 
policies could enlighten a few of the user community to their 
exposures?  Of course this assumes a tighter/better wired option is 
available for such things, and this is a questionable assumption at best.

Second question: Apart from the difficulty in identifying an undesired 
participant through a plug/port, and performance issues, anyone want to 
propose a list of wireless problems/exposures that are greater than the 
exposures in a wired network?  Apart from mobility and the cost advantage 
of trying to back-fit cables and closets into an unfit building, any truly 
key/revolutionary advantages?

Thanks for your help.  Personal contact info is in the signature block
below.

Jim Dillon



======================================
Jim Dillon, CISA
IT Audit Manager
jim.dillon at cusys.edu
Phone: 303-492-9734
Dept. Phone: 303-492-9730
Fax: 303-492-9737
======================================



More information about the unisog mailing list