Wireless Networks

Introduction

  1. UBC has a large and complex wireless network that plays an integral role in the operations of the University. Consequently, intruders and hackers may consider the wireless network an attractive target to breach the security of UBC Electronic Information and Systems.
  2. This standard defines requirements to ensure that wireless devices, such as Wireless Access Points (WAPs), which allow wireless devices to connect to a wired network, are deployed in a secure, controlled and centrally managed way to reduce the likelihood of a security breach. Unless otherwise indicated, the UBC IT Infrastructure Team (the "Infrastructure Team") is responsible for ensuring compliance with this standard.
  3. In addition to this standard, wireless networks provisioned by UBC IT are governed by Policy 130, Management of the Wireless Network. In particular, all new WAPs must be authorized under the terms of that policy.
  4. The Chief Information Officer has issued this document under the authority of Policy 104, Acceptable Use and Security of UBC Electronic Information and Systems. Questions about this standard may be referred to information.security@ubc.ca.

Physical Protection

  1. WAP hardware must be physically protected (e.g. locked cabinet, high ceiling mount, etc.) to prevent theft, alteration, or misuse.

Secure Configuration

  1. All WAPs should be secured using Wi-Fi Protected Access 2 (WPA2) with AES (CCMP) encryption and a minimum key length of 128 bits.
  2. Wired Equivalent Privacy (WEP) is prohibited for wireless network security, as it is insecure.
  3. It is recommended that Users connecting to WAPs that provide access to the UBC LAN configure their devices with the "AutoConnect" ubcsecure automated client configuration tool. This helps prevent connections to rogue WAPs that have been set up with the same network name (SSID spoofing) in order to steal credentials.
  4. Console access must be password protected in compliance with the Password and Passphrase Protection standard.
  5. WAP and wireless controller management must be handled as follows:
    1. use secure protocols such as HTTPS, SSH, and CAPWAP;
    2. management must be performed only over the wired LAN interface, never over the wireless interface;
    3. if SNMP is used in the management environment, all default SNMP community strings must be changed; otherwise SNMP must be disabled;
    4. vendor defaults such as encryption keys and administrative passwords must be changed.
  6. The use of Telnet or other insecure protocols is prohibited.

Security Updates

  1. The operating system or software code on WAPs and wireless controllers should be patched and kept current to ensure proper protection from the latest security vulnerabilities.

Additional Wireless Requirements for Payment Card Industry (PCI) Information

  1. Users responsible for Merchant Systems must:
    1. ensure that a perimeter firewall is in place between any wireless network and Merchant Systems processing Payment Card Industry (PCI) Information. These firewalls must be configured to deny or control any traffic from the wireless environment to Merchant Systems;
    2. test for the presence of unauthorized WAPs on a quarterly basis. Note: Methods that may be used in the process include, but are not limited to, wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS; and
    3. report any unauthorized WAPs as a security incident, in compliance with the Reporting Information Security Incidents standard.
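The following is an added illustration, not part of this standard and not a UBC tool, of how the quarterly test in (2) above and the spoofed-SSID risk noted under Secure Configuration can be checked programmatically: a scan of visible access points is compared against an inventory of authorized WAPs, and any unknown BSSID advertising a UBC SSID, any authorized WAP advertising the wrong SSID, and any WAP below the WPA2/AES minimum is reported. The inventory, the scan record format, the scan records and the SSID names are constructed for the example.

```python
"""Rogue / spoofed WAP check against an authorized inventory.

Added example, not part of the UBC standard or of any UBC tooling.
The inventory, the scan records, the record format and the SSID
names are constructed for illustration.
"""
import csv
from dataclasses import dataclass
from io import StringIO
from typing import Optional

# Constructed inventory of authorized WAPs: BSSID -> SSID it should advertise.
# In practice this would be exported from the wireless controller.
AUTHORIZED_WAPS = {
    "00:11:22:aa:bb:01": "ubcsecure",
    "00:11:22:aa:bb:02": "ubcsecure",
    "00:11:22:aa:bb:03": "ubcsecure",
}

# Constructed scan output in a simple CSV form: bssid,ssid,security,rssi (dBm).
SAMPLE_SCAN = """\
bssid,ssid,security,rssi
00:11:22:aa:bb:01,ubcsecure,WPA2-AES,-48
00:11:22:aa:bb:02,ubcsecure,WPA2-AES,-61
de:ad:be:ef:00:01,ubcsecure,OPEN,-40
00:11:22:aa:bb:03,ubcsecure,WEP,-55
de:ad:be:ef:00:02,UBCsecure,WPA2-AES,-70
66:77:88:00:00:01,CoffeeShop,WPA2-TKIP,-75
"""


@dataclass(frozen=True)
class ScanRecord:
    bssid: str
    ssid: str
    security: str  # "WPA2-AES", "WPA2-TKIP", "WEP", "OPEN", ...
    rssi: int      # dBm; a stronger signal usually means a physically closer device


@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    rssi: int
    reason: str


def parse_scan(text: str) -> list[ScanRecord]:
    """Parse the constructed CSV scan format into ScanRecords."""
    records = []
    for row in csv.DictReader(StringIO(text)):
        records.append(ScanRecord(
            bssid=row["bssid"].strip().lower(),
            ssid=row["ssid"].strip(),
            security=row["security"].strip().upper(),
            rssi=int(row["rssi"]),
        ))
    return records


def meets_minimum(security: str) -> bool:
    """WPA2 or newer with an AES-based cipher; WEP, open and TKIP-only networks fail."""
    proto, _, cipher = security.upper().partition("-")
    return proto in {"WPA2", "WPA3"} and cipher in {"AES", "CCMP", "GCMP"}


def classify(rec: ScanRecord, authorized: dict[str, str]) -> Optional[str]:
    """Return why a scan record violates the standard, or None if it is clean."""
    protected = {s.casefold() for s in authorized.values()}
    expected_ssid = authorized.get(rec.bssid)
    if expected_ssid is None:
        # Unknown BSSID. If it advertises one of our SSIDs (compared case-insensitively,
        # so 'UBCsecure' is caught too) it is a likely evil twin.
        if rec.ssid.casefold() in protected:
            return "unauthorized BSSID advertising a UBC SSID (possible evil twin)"
        return "unknown WAP; verify it is not attached to the Merchant network"
    if rec.ssid != expected_ssid:
        return f"authorized WAP advertising unexpected SSID (inventory says {expected_ssid!r})"
    if rec.security == "WEP":
        return "WEP in use (prohibited)"
    if not meets_minimum(rec.security):
        return f"encryption {rec.security} below the WPA2/AES minimum"
    return None


def find_rogues(scan_text: str, authorized: dict[str, str]) -> list[Finding]:
    """Run the check over a scan dump, strongest signal first so nearby rogues are triaged first."""
    findings = []
    for rec in parse_scan(scan_text):
        reason = classify(rec, authorized)
        if reason:
            findings.append(Finding(rec.bssid, rec.ssid, rec.rssi, reason))
    return sorted(findings, key=lambda f: f.rssi, reverse=True)


if __name__ == "__main__":
    for f in find_rogues(SAMPLE_SCAN, AUTHORIZED_WAPS):
        print(f"{f.bssid}  {f.ssid:<12} {f.rssi:>4} dBm  {f.reason}")
```

Ordering findings by signal strength is a triage aid only: a weak signal can still be a rogue device on the wired Merchant network, so every unknown BSSID should be traced to a switch port or physically located, and confirmed rogues reported under (3) above.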

Related Documents