Krulewitch, Sean V
krulewit at iu.edu
Thu Aug 16 20:44:30 GMT 2001
As we were planning our wireless infrastructure we knew we didn't want to
WEP and we knew it was going to be difficult to enforce restrictions
on the wireless networks. To solve this, we placed all of our
wireless access points on one big VLAN and we only hand out 10 addresses
to the clients. Further, the only way off of the wireless VLAN is through
our VPN concentrator, so each user creates an encrypted tunnel to get out
to the rest of campus (and/or the Internet). So far this has worked
extremely well for us.
Sean Krulewitch, Security Engineer, MCSE, MCP+I
IT Security Office, Office of the VP for Information Technology
For PGP Key: https://www.itso.iu.edu/staff/krulewit/
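The design in Sean's reply (every access point on one VLAN, the VPN concentrator as the only way off it) comes down to a default-deny egress filter on the wireless VLAN. The following is an added example, not code from the original message or from IU's deployment: it models that filter as an ordered rule list, checks constructed sample flows against it, and renders the same policy as iptables FORWARD rules. The address ranges, the interface name, the concentrator address and the choice of IPsec (IKE on UDP 500/4500 plus ESP) as the tunnel protocol are all assumptions.

```python
"""Model of a VPN-only egress filter for a wireless VLAN.

Added example, not part of the original unisog message. It expresses the
design described in the reply (all access points on one VLAN, the VPN
concentrator as the only way off it) as an ordered rule list, checks sample
flows against it, and renders the same rules as iptables commands.
Addresses, ports, the interface name and the choice of IPsec as the tunnel
protocol are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

WIRELESS_VLAN: IPv4Network = ip_network("10.250.0.0/24")  # assumed client range
VPN_CONCENTRATOR: IPv4Address = ip_address("192.0.2.10")  # assumed (TEST-NET-1)
WIRELESS_IFACE = "vlan250"                                # assumed router interface

# (proto, dport) pairs allowed to reach the concentrator: IKE, IKE NAT-T, ESP.
# ESP carries no port, hence None.
TUNNEL_SERVICES = {("udp", 500), ("udp", 4500), ("esp", None)}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "esp"
    dport: Optional[int] = None


def egress_decision(flow: Flow) -> str:
    """Return 'ACCEPT' or 'DROP' for a packet trying to leave the wireless VLAN.

    Rules are evaluated in order, first match wins, default deny:
      1. Source not in the wireless range -> DROP (anti-spoofing).
      2. Tunnel setup or tunnel data to the concentrator -> ACCEPT.
      3. Anything else (direct campus or Internet access) -> DROP.
    """
    src = ip_address(flow.src)
    dst = ip_address(flow.dst)
    if src not in WIRELESS_VLAN:
        return "DROP"
    if dst == VPN_CONCENTRATOR and (flow.proto, flow.dport) in TUNNEL_SERVICES:
        return "ACCEPT"
    return "DROP"


def render_iptables() -> list:
    """Render the same policy as iptables FORWARD rules on the wireless interface."""
    base = f"iptables -A FORWARD -i {WIRELESS_IFACE}"
    rules = [f"{base} ! -s {WIRELESS_VLAN} -j DROP"]          # anti-spoofing
    for proto, dport in sorted(TUNNEL_SERVICES, key=lambda s: (s[0], s[1] or 0)):
        match = f"-p {proto}" + (f" --dport {dport}" if dport is not None else "")
        rules.append(f"{base} -s {WIRELESS_VLAN} -d {VPN_CONCENTRATOR} {match} -j ACCEPT")
    rules.append(f"{base} -j DROP")                          # default deny
    return rules


# Constructed sample flows: things a client on the wireless VLAN might try.
SAMPLE_FLOWS = [
    Flow("10.250.0.20", "192.0.2.10", "udp", 500),     # IKE to the concentrator
    Flow("10.250.0.20", "192.0.2.10", "esp"),          # ESP to the concentrator
    Flow("10.250.0.20", "192.0.2.10", "tcp", 22),      # SSH to the concentrator itself
    Flow("10.250.0.20", "192.0.2.50", "tcp", 80),      # direct web to a campus host
    Flow("10.250.0.20", "198.51.100.7", "udp", 53),    # direct DNS to the Internet
    Flow("172.16.9.9", "192.0.2.10", "udp", 500),      # spoofed source address
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        port = "" if f.dport is None else str(f.dport)
        print(f"{f.src:>13} -> {f.dst:<14} {f.proto:<4} {port:<5} {egress_decision(f)}")
    print()
    print("\n".join(render_iptables()))
```

Only the three tunnel services to the concentrator pass; even management traffic to the concentrator's own address and any direct campus or Internet flow is dropped, which is what makes the tunnel the sole exit. The rendered rules are generated from the same constants as the model, so the two cannot drift apart.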
From: Jim Dillon [mailto:jim.dillon at cusys.edu]
Sent: Monday, August 13, 2001 12:01 PM
To: unisog at sans.org
Subject: Wireless Policies
Now that WEP is a proven 15 minute bust, and MAC addresses are proven
spoofable (according to traffic on this list), do any of you address
content exposure through policies or guidelines at your .EDU's? If you
have anything remotely like any of the rudimentary examples below, I'd like
to know what they are and that you have them.
- For Wireless Subnets, only non-sensitive applications should be hosted.
- No E-Commerce applications or any form of financial transaction is
allowed to be hosted from OurSchools.EDU wireless subnet.
- No machines on Wireless subnets should store or transmit data of a
sensitive nature such as credit card numbers, private student information,
legal or attorney privileged data, or any FERPA/HIPAA controlled privacy
- Potential users of Wireless subnet A should use the sensitive and
critical data evaluation checklist to determine if their data might be
sensitive to public exposure.
- All users of Wireless subnet A must acknowledge these policies and agree
to abide by them before access is granted to Wireless subnet A.
- No interfaces should be developed or trusts should be granted from within
wireless subnet A to any of the school's Systems of Record. (Such as ....)
- Any exceptions to the above must be approved by Tech Authority A,
Chancellor B, and Security Officer C, etc.
- Wireless technology may be used/shouldn't be used for the following
purposes or applications: ... (whatever the list may be, servers, mail
servers, computer hosted testing, personnel records, grade books, etc.)
Granted, such policies would be difficult to enforce, except through stiff
big-brother tactics and clear authority, and violations would be
exceedingly difficult to locate through monitoring, but perhaps such
policies could enlighten a few of the user community to their
exposures? Of course this assumes a tighter/better wired option is
available for such things, and this is a questionable assumption at best.
Second question: Apart from the difficulty in identifying an undesired
participant through a plug/port, and performance issues, anyone want to
propose a list of wireless problems/exposures that are greater than the
exposures in a wired network? Apart from mobility and the cost advantage
of trying to back-fit cables and closets into an unfit building, any truly
Thanks for your help. Personal contact info is in the signature block
Jim Dillon, CISA
IT Audit Manager
jim.dillon at cusys.edu
Dept. Phone: 303-492-9730