Wireless Security Standard
Purpose
Wireless security requirements define the specifications for the secure deployment and use of wireless networking.
Requirements
Wireless LAN (WLAN) Connectivity on the UMW Network
Authentication & Access Control
WLAN infrastructure must authenticate client devices prior to permitting access to the WLAN.
Cisco Clean Access is deployed on the UMW Wireless Network. Private wireless VLANs, logically separate from wired and voice VLANs, funnel users through Clean Access, which installs client software upon successful authentication against Active Directory LDAP. The client checks and remediates the following:
- OS Patch Level up to Date
- Accepted Antivirus Software installed and up to date
Users authenticate against Active Directory LDAP. Only active users are able to authenticate successfully.
Encryption & Logical Separation
The UMW Wireless Network employs WPA2 Enterprise encryption with AES to provide end-to-end encryption of wireless traffic, with automated key changes every thirty seconds.
Each UMW Academic or Administrative Building has a separate, distinct wired and wireless VLAN, creating logical separation.
Monitoring
Traffic is monitored periodically on the Packet Shaper and the Cisco ASA. Successful and failed login attempts are logged on the Clean Access Server, which is also closely monitored for anomalous activity.
WLAN Hotspot (Wireless Internet)
UMW has provided a separate SSID with a private VLAN for Guest Wireless Access. Guest users are funneled through Cisco Clean Access on a logically separate VLAN and User Role that requires Guest Registration.
An Access list on Cisco Clean Access filters traffic, allowing registration, DNS/DHCP, HTTP, and HTTPS only for Guest Users.
Login successes and failures are logged on the Cisco Clean Access Server. The Packet Shaper and MARS logging server are capable of logging granular events.
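As an added illustration of the login-attempt monitoring described for the Clean Access Server in the Monitoring section and again for guest users above (example code, not part of the UMW standard or of any Cisco product): the log line format, user names, addresses and thresholds below are constructed, since the page does not show the server's real log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical auth-log format; the page does not
# show the Clean Access Server's real format, so adapt LOG_RE to yours.
SAMPLE_LOG = """\
2011-01-03 08:15:02 AUTH FAIL user=jdoe src=10.20.30.40
2011-01-03 08:15:09 AUTH FAIL user=jdoe src=10.20.30.40
2011-01-03 08:15:15 AUTH FAIL user=jdoe src=10.20.30.40
2011-01-03 08:15:20 AUTH FAIL user=jdoe src=10.20.30.40
2011-01-03 08:15:31 AUTH FAIL user=jdoe src=10.20.30.40
2011-01-03 08:15:40 AUTH OK user=jdoe src=10.20.30.40
2011-01-03 08:20:00 AUTH FAIL user=asmith src=10.20.30.41
2011-01-03 09:20:00 AUTH FAIL user=asmith src=10.20.30.41
2011-01-03 09:25:00 AUTH OK user=bjones src=10.20.30.42
"""
LOG_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) AUTH "
                    r"(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse_log(text):
    """Yield (timestamp, result, user, src); silently skip non-matching lines."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["result"], m["user"], m["src"])

def detect_auth_anomalies(text, threshold=5, window=timedelta(minutes=5)):
    """Return (kind, user, timestamp) findings: 'burst' when a user reaches
    `threshold` failures inside `window`, 'success_after_burst' when that
    user then logs in successfully while the burst is still in the window."""
    recent_fails = defaultdict(deque)  # user -> failure timestamps in window
    burst_users = {}                   # user -> time their burst was flagged
    findings = []
    for ts, result, user, _src in parse_log(text):
        fails = recent_fails[user]
        while fails and ts - fails[0] > window:   # expire old failures
            fails.popleft()
        if result == "FAIL":
            fails.append(ts)
            if len(fails) == threshold:           # fire once per burst
                burst_users[user] = ts
                findings.append(("burst", user, ts))
        elif user in burst_users and ts - burst_users[user] <= window:
            findings.append(("success_after_burst", user, ts))
            del burst_users[user]
    return findings
```

Running `detect_auth_anomalies(SAMPLE_LOG)` flags jdoe's five failures within a minute and the success that immediately follows them, while asmith's two failures an hour apart stay below the threshold.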
Network and Computer Use policy prohibits the connection of non-UMW devices acting in an infrastructure capacity, i.e., wireless routers or machines connecting in ad hoc mode.
Wireless Bridging
UMW wireless bridges employ EAP with WPA. The encryption cipher is AES-CCM.
Each UMW Academic or Administrative Building has a separate, distinct wired and wireless VLAN, creating logical separation. Bridges are configured to communicate only with other bridge nodes; no other traffic is permitted.
Wireless bridges do not broadcast SSIDs and they are configured to provide ONLY bridging services.
Effective Implementation Date: January 3, 2011
Approvals and Revisions
Approved 11/16/10 by Vice President for Information Technologies & CIO