Greater Saskatoon Catholic Schools

I.T. Wireless Access Standards

1.0 Overview

Wireless communication is assuming an increasingly important role in the workplace. In the past, wireless access was the exception; it has now become the norm in many companies. While wireless access can increase mobility and productivity of users, it can also introduce security risks to the network. These risks can be mitigated with sound Wireless Access standards.


2.0 Purpose

The purpose of this document is to state the standards for wireless access to GSCS's network. Wireless access can be done securely if certain steps are taken to mitigate known risks. These standards outline the steps GSCS takes to secure its wireless infrastructure.


3.0 Scope

The document covers anyone who accesses the network via a wireless connection. The policy further covers the wireless infrastructure of the network, including access points, routers, wireless network interface cards, and anything else capable of transmitting or receiving a wireless signal.


4.0 Standards

4.1 Physical Guidelines

Unless a directional antenna is used, a wireless access point typically broadcasts its signal in all directions. For this reason, access points should be located central to the office space rather than along exterior walls. If it is possible with the technology in use, signal broadcast strength should be reduced to only what is necessary to cover the office space. Directional antennas should be considered in order to focus the signal to areas where it is needed.

Physical security of access points should be considered: access points should not be placed in public or easily accessed areas if possible.


4.2 Configuration and Installation

The following guidelines apply to the configuration and installation of wireless networks:


4.2.1 Security Configuration

         The wireless access point must utilize MAC (Media Access Control) address filtering so that only known wireless NICs (Network Interface Cards) are able to connect to the wireless network.

         The wireless access point must not connect to GSCS's trusted network without a firewall or other form of access control separating the two networks.

         WPA2-PSK encryption must be used to secure wireless communications.

         Administrative access to wireless access points must utilize strong passwords.

         All logging features must be enabled on GSCS's access points.

         Wireless networking should require users to authenticate against a centralized server. These connections should be logged, with IT staff reviewing the log regularly for unusual or unauthorized connections.

         Wireless LAN management software will be used to enforce wireless security policies. The software must have the capability to detect rogue access points.

         Users accessing the wireless network must be provided a personal software firewall to secure their computers.


4.2.2 Installation

         Software and/or firmware on the wireless access points and wireless network interface cards (NICs) must be updated prior to deployment.

         Wireless networking must not be deployed in a manner that will circumvent GSCS's security controls.

         Wireless devices must be installed only by GSCS's IT department.

         Channels used by wireless devices must be evaluated to ensure that they do not interfere with GSCS equipment.



4.4 Audits

The wireless network must be audited quarterly to ensure that this policy is being followed. Specific audit points should be: location of access points, signal strength, SSID, SSID broadcast, and use of strong encryption.


5.0 Enforcement

This policy will be enforced by Superintendents of Education. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of GSCS property (physical or intellectual) are suspected, GSCS may report such activities to the applicable authorities.


6.0 Definitions

MAC Address - Short for Media Access Control Address. The unique hardware address of a network interface card (wireless or wired). Used for identification purposes when connecting to a computer network.

NIC - A Network Interface Card (NIC) that connects to wireless, rather than wired, networks.

SSID - Stands for Service Set Identifier. The name that uniquely identifies a wireless network.

WEP - Stands for Wired Equivalent Privacy. A security protocol for wireless networks that encrypts communications between the computer and the wireless access point. WEP can be cryptographically broken with relative ease.

WiFi - Short for Wireless Fidelity. Refers to networking protocols that are broadcast wirelessly using the 802.11 family of standards.

Wireless Access Point - A central device that broadcasts a wireless signal and allows for user connections. A wireless access point typically connects to a wired network.

WPA - Stands for WiFi Protected Access. A security protocol for wireless networks that encrypts communications between the computer and the wireless access point. Newer and considered more secure than WEP.

7.0 Revision History

Revision 1.0, 8/9/2011

Revision 2.0, 8/13/2012