Greater Saskatoon Catholic Schools
I.T. Wireless Access Standards
1.0 Overview
Wireless communication is assuming an increasingly important role in the
workplace. In the past, wireless access was the exception; it has now become
the norm in many companies. While wireless access can increase mobility and
productivity of users, it can also introduce security risks to the network.
These risks can be mitigated with sound Wireless Access standards.
2.0 Purpose
The purpose of this document is to state the standards for wireless access to
GSCS's network. Wireless access can be done securely if certain steps are taken
to mitigate known risks. These standards outline the steps GSCS takes to secure
its wireless infrastructure.
3.0 Scope
The document covers anyone who accesses the network via a wireless connection.
The policy further covers the wireless infrastructure of the network, including
access points, routers, wireless network interface cards, and anything else
capable of transmitting or receiving a wireless signal.
4.0 Standards
4.1 Physical Guidelines
Unless a directional antenna is used, a wireless access point typically
broadcasts its signal in all directions. For this reason, access points should
be located central to the office space rather than along exterior walls. If it
is possible with the technology in use, signal broadcast strength should be
reduced to only what is necessary to cover the office space. Directional
antennas should be considered in order to focus the signal to areas where it is
needed. Physical security of access points should be considered - access points
should not be placed in public or easily accessed areas if possible.
4.2 Configuration and Installation
The following guidelines apply to the configuration and installation of
wireless networks:
4.2.1 Security Configuration
· The wireless access point must utilize MAC (Media Access Control) address
  filtering so that only known wireless NICs (Network Interface Card) are able
  to connect to the wireless network.
· The wireless access point must not connect to GSCS's trusted network without
  a firewall or other form of access control separating the two networks.
· WPA2-PSK encryption must be used to secure wireless communications.
· Administrative access to wireless access points must utilize strong
  passwords.
· All logging features must be enabled on GSCS's access points.
· Wireless networking should require users to authenticate against a
  centralized server. These connections should be logged, with IT staff
  reviewing the log regularly for unusual or unauthorized connections.
· Wireless LAN management software will be used to enforce wireless security
  policies. The software must have the capability to detect rogue access
  points.
· Users accessing the wireless network must be provided a personal software
  firewall to secure their computers.
4.2.2 Installation
· Software and/or firmware on the wireless access points and wireless network
  interface cards (NICs) must be updated prior to deployment.
· Wireless networking must not be deployed in a manner that will circumvent
  GSCS's security controls.
· Wireless devices must be installed only by GSCS's IT department.
· Channels used by wireless devices must be evaluated to ensure that they do
  not interfere with GSCS equipment.
4.4 Audits
The wireless network must be audited quarterly to ensure that this policy is
being followed. Specific audit points should be: location of access points,
signal strength, SSID, SSID broadcast, and use of strong encryption.
5.0 Enforcement
This policy will be enforced by Superintendents of Education. Violations may
result in disciplinary action, which may include suspension, restriction of
access, or more severe penalties up to and including termination of employment.
Where illegal activities or theft of GSCS property (physical or intellectual)
are suspected, GSCS may report such activities to the applicable authorities.
6.0 Definitions
MAC Address - Short for Media Access Control Address. The unique hardware
address of a network interface card (wireless or wired). Used for
identification purposes when connecting to a computer network.
NIC - A Network Interface Card (NIC) that connects to wireless, rather than
wired, networks.
SSID - Stands for Service Set Identifier. The name that uniquely identifies a
wireless network.
WEP - Stands for Wired Equivalent Privacy. A security protocol for wireless
networks that encrypts communications between the computer and the wireless
access point. WEP can be cryptographically broken with relative ease.
WiFi - Short for Wireless Fidelity. Refers to networking protocols that are
broadcast wirelessly using the 802.11 family of standards.
Wireless Access Point - A central device that broadcasts a wireless signal and
allows for user connections. A wireless access point typically connects to a
wired network.
WPA - Stands for WiFi Protected Access. A security protocol for wireless
networks that encrypts communications between the computer and the wireless
access point. Newer and considered more secure than WEP.
7.0 Revision History
Revision 1.0, 8/9/2011
Revision 2.0, 8/13/2012