1 Survey summary, 2 new surveys -- was Re: [unisog] Survey of effective campus wireless security practices -- your input is requested

H. Morrow Long morrow.long at yale.edu
Tue Jun 1 17:57:31 GMT 2004


1. As promised, I've summarized the results of my informal
     survey (posted to UniSog and the Educause Security Group
     Listserv).  Appended in text format is the raw answer data from
     the (de-identified) responding institutions.  You view the
     summarized answers (as tables & graphs) in the PPT at:
	http://www.yale.edu/its/security/Presentations/ByDate/20040518/ 
SPW04STFEPWSHIED.ppt

2.  Short survey #2: Cyber-risk policies - How many institutions have  
purchased one?

      I'm aware that many institutions have been
      approached by insurance companies, insurance brokers and
      risk managers and advised to look into purchasing new 'cyber'
      risk insurance policies to cover gaps in current coverage.

     How many of your institutions have actually done so?
     	(Answers will be kept anonymous)

3.  Short survey #3: PC S/W firewalls -
	 How many campuses mandate/recommend/provide one?
		*	Does your campus mandate a personal PC firewall (h/w or s/w)?
		*	Does it mandate a particular vendor or brand?
		*	Does it mandate a particular configuration?
		*	Does your campus recommend a personal PC firewall (h/w or s/w)?
		*	Does it mandate a recommend vendor or brand?
		*	Does it mandate a recommend configuration?
		*	Does your campus provide a personal PC firewall (h/w or s/w) for  
free?
		*	Does your campus provide a personal PC firewall (h/w or s/w) for a  
fee?
	Which PC S/W firewall did your institution choose?
	How and/or why?

- H. Morrow Long, CISSP, CISM
   University Information Security Officer
   Director -- Information Security Office
   Yale University, ITS

------------------------------------------------------------------------ 
------------------------------------------------------------------------ 
-----
Survey of effective campus wireless security practices questions         
15 Responding Institutions (de-identified)
[Save the below lines as a file named survey.csv if you wish to bring  
it into Excel]

  Do you provide WiFi access on your campus?  
,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y
  Do you publish your campus SSID on the Web?  
?,N,N,Y,N,Y,N,Y,Y,N,Y,Y,Y,Y,Y,N
  Do you publish campus maps with WiFi  
locations?,Y,N,N,Y,Y,Y,N,Y,N,Y,N,Y,Y,Y,Y
  (*hotspots*) on the Web?,,,,,,,,,,,,,,,

  Is your campus wireless LAN(s) mode:,,,,,,,,,,,,,,,
  IBSS (ad-hoc),N,N,Y,N,N,N,N,N,N,N,N,N,N,N,N
  BSS (Infrastructure),Y,Y,Y,Y,Y,N,Y,N,Y,Y,Y,Y,N,Y,Y
  ESS (Extended Infrastructure),N,N,N,N,N,Y,N,Y,N,Y,N,N,Y,N,N

  Have you implemented:,,,,,,,,,,,,,,,
  802.11a,Y,N,N,Y,N,N,N,N,N,N,N,N,Y,Y,N
  802.11b,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,N,Y
  802.11g,Y,Y,Y,Y,N,N,N,N,Y,N,N,Y,Y,N,N
" Other 802.11 (e.g. Super-G, WiMAX, etc.)  
",N,N,N,N,N,N,N,N,N,N,N,N,N,N,N
  802.11i ,N,N,N,N,N,N,N,N,N,N,N,N,N,N,N
  WEP ,Y,Y,Y,Y,N,Y,Y,N,Y,Y,Y,N,Y,N,N
  WPA ,N,N,Y,N,N,N,N,N,N,N,N,N,N,N,N
  801.X ,Y,Y,Y,N,N,N,Y,N,Y,Y,N,N,Y,N,N
  EAP-MD5,N,Y,N,N,N,N,N,N,N,N,N,N,N,N,N
  LEAP (aka EAP-Cisco),N,N,N,Y,N,N,N,N,Y,Y,N,N,Y,N,N
  PEAP,Y,N,Y,N,N,N,N,N,N,Y,N,N,N,N,N
  EAP over TLS,N,N,N,N,N,N,N,N,N,N,N,N,Y,N,N
  TTLS,N,N,N,N,N,N,Y,N,N,N,N,N,N,N,N
  Other EAP Name: _________ ,N,N,N,N,N,N,N,N,N,N,N,N,N,N,N
  AirDefense,N,N,N,N,N,N,N,N,N,N,N,N,N,N,N
  Bluesocket,N,N,N,N,N,N,N,Y,N,N,N,N,N,N,N
  Ecutel,N,N,N,N,N,N,N,N,N,N,N,N,N,N,N
  ReefEdge,N,N,N,N,N,N,N,N,N,N,N,N,N,N,N
  Vernier,N,N,N,N,N,N,N,N,N,N,N,N,N,N,N
  Other Name: ,Perfigo,,,,,,, , ,,,,,,N

  Network Topology,,,,,,,,,,,,,,,
  -------------------------,,,,,,,,,,,,,,,
  Are your wireless lans ...,, ,,,,,,,,,,,,,
,, ,,,,,,,,,,,,,
  On a separate VLAN from your campus  
network?,Y,N,Y,Y,Y,Y,Y,N,Y,Y,Y,Y,Y,Y,N
  On a private (RFC1918) network separate from your campus  
network?,N,N,Y,Y,Y,N,N,N,N,N,N,N,Y,Y,N
  On a public net or subnet(s) separate from your campus  
network?,N,Y,N,N,N,Y,N,N,Y,N,Y,Y,N,Y,N
  On the same network and/or subnets as your campus  
network?,Y,N,N,Y,N,N,N,Y,N,Y,N,N,Y,N,Y
  Other? Explain ______________________,N,N,N,N,N,N,N,N,N,N,N,N,N,N,N

  Network Access Control,,,,,,,,,,,,,,,
  ---------------------------------,,,,,,,,,,,,,,,
  Do you have a firewall between your wireless LAN(s) and the campus  
network?,N,N,Y,N,N,N,Y,N,Y,N,N,N,N,Y,N
  Do you have a firewall between your wireless  LAN(s) and the  
Internet?,Y,Y,Y,Y,N,Y,Y,N,Y,N,N,N,NY,Y,N
  Do you require the use of a VPN to send traffic  off of your  
WLAN?,N,N,N,N,Y,Y,N,N,N,N,N,N,NY,N,N
  Do you require the use of a VPN to send traffic  from your WLAN into  
your campus net?,Y,N,N,N,Y,Y,N,N,N,N,N,N,N,N,N
,,,,,,, ,,,,,,,,
  Do you have a secure method of keeping out  unregistered MAC addressed  
WLAN cards?,Y,N,N,N,N,N,N,Y,Y,N,Y,N,Y,Y,N
  Do you have protection against ARP spoofing/cache poisoning and  
'dsniff' type attacks?,Y,N,N,N,N,N,N,Y,N,N,N,N,N,N,N
  Is your SSID (network name) kept private?,N,N,Y,N,N,Y,N,N,Y,N,N,N,N,N,N
  Do you disable SSID (network name) info in broadcasts (beacon  
frames)?,N,N,Y,N,N,Y,Y,N,Y,N,Y,N,YN,N,N
  Do you provide wireless users with protection against accidental and  
malicious association,,,,, ,,,, ,,,,,,
  with rogue access points?,N,N,N,Y,N,N,Y,N,N,Y,Y,N,Y,N,N
  Do you monitor for rogue WiFi  
cards/stations?,N,N,Y,N,Y,N,Y,N,Y,N,Y,Y,NY,N,N
  Do you monitor for rogue WiFi Access  
Points?,Y,N,Y,Y,Y,Y,Y,N,Y,N,Y,Y,NY,N,N
  Do you monitor for channel/signal  
interference?,Y,N,Y,Y,Y,Y,Y,N,Y,N,Y,Y,YN,N,Y
  Do you have a wireless management  
system?,N,N,N,Y,Y,N,Y,N,N,Y,N,Y,NY,N,N

  Do you use or have the ability to jam wireless  signals on  
campus?,N,N,N,N,N,N,N,N,N,N,N,N,N,N,N


  Authentication,,,,,,,,,,,,,,,
  --------------------,,,,,,,,,,,,,,,
  Do you allow unauthenticated (open)  
access?,N,N,N,N,N,N,N,N,Y,N,N,N,N,N,N
  Do you require MAC (Hardware Address) registration and DHCP for  
access?,Y,Y,N,N,N,N,N,N,Y,N,Y,Y,Y,Y,Y
  Do you require campus ID signon (e.g. NetID and password) via capture  
and redirection,Y,N,N,N,N,N,Y,Y,N,N,N,Y,N,Y,Y
  to a webpage (web authentication)?,,, ,,,,,,,,,,,,
  Do you require campus ID signon (e.g. NetID and password) via WiFi  
driver authentication?,,, ,,,,,,,,,,,,
" (e.g. supplicant 801.X/*EAP/WPA/802.11i,  
etc.)",Y,Y,N,Y,N,N,Y,N,N,Y,N,NY,Y,N,N
  Do you require X.509 certificates for WiFi  
access?,N,N,N,N,N,N,N,N,N,N,N,N,Y,N,N
  Do you require smartcard auth. for WiFi  
access?,N,N,N,N,N,N,N,N,N,N,N,N,N,N,N
  Do you use a VPN to authenticate for WiFi  
access?,N,N,N,N,Y,Y,N,N,N,N,N,N,N,N,N

  Encryption,,,,,,,,,,,,,,,
  ---------------,,,,,,,,,,,,,,,
  WEP 40/64 bit static,N,N,N,N,N,N,N,N,Y,N,Y,N,N,N,N
  WEP > 40/64 bit static,N,N,N,N,N,Y,N,N,Y,N,N,N,N,N,N
,, ,,,,,,,,, ,,,,
  WEP 40/64 bit dynamic,N,N,N,Y,N,N,N,N,N,N,N,N,N,N,N
  WEP > 40/64 bit dynamic,N,N,N,N,N,N,N,N,N,N,N,N,Y,N,N

  WPA 128 bit 'standalone' ,N,N,N,N,N,N,N,N,N,N,N,N,N,N,N
  WPA 128 bit 'Enterprise' (802.1X  
server),N,N,N,N,N,N,Y,N,N,Y,N,NY,NY,N,N

  Do you require/allow/recommend/don't care about encryption at the ____  
layer on WLANs?, , , , ,,,,,,,,,,,R
  Application (SSH), ,DC,"A,REC",DC,DC,REC,DC,,R,REC,REC,REC,REC,DC,R
  Session (SSL/TLS), ,DC,"A,REC",DC,DC,REC,R,,R,REC,REC,REC,REC,DC,R
  Transport (PPTP VPN), ,DC,"A,REC",DC,R,R,DC,,R,DC,REC,R,NA,DC,R
  Network (IPSEC and/or L2TP VPN),  
,DC,"A,REC",DC,R,R,DC,,R,DC,A,R,REC,DC,R
" Data Link (WEP, WPA)", ,DC,"A,REC",R,DC,R,DC,,R,R,R,DC,REC,DC,R

  Policy,,,,,,,,,,,,,,,
  ---------,,,,,,,,,,,,,,,
  Do you have a policy which reserves WiFi spectrum frequencies to  
UNIV?,Y,N,Y,Y,Y,N,Y,N,N,N,Y,N,Y,Y,N

  Do you allow wireless access points to be set up by:,NR,,,,,,,,,,,,,,
(non-IT) departments? ,N,N,N,N,N,N,N,Y,N,Y,N,Y,Y,N,Y
  any faculty members?,N,N,N,N,N,N,N,Y,N,Y,N,Y,N,N,Y
  students?,N,N,N,N,N,N,N,Y,N,N,N,Y,N,N,Y

  Do you have minimum security configuration standards required for  
non-IT WAPs?,N,N,Y,N,Y,N,N,Y,NA,Y,NA,Y,Y,N,N

  Do you have any other interesting or unique security measures on your  
WLAN?,N,N,,N,N,N,N,Bluesocket,,,Port Kill,,LEAP,,N
,,,,,,,,,,,,,TO,,
,,,,,,,,,,,, ,EAP-TLS,,

							# # #

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3035 bytes
Desc: not available
Url : http://www.dshield.org/pipermail/unisog/attachments/20040601/b82270cc/smime-0004.bin


More information about the unisog mailing list