IT Security Wireless Access Point Security Requirements

Wireless Access Points (APs) are a convenient tool to facilitate access to the Campus Area Network (CAN) and Internet resources. In places where the wireless access provided by Information Technology is not available, departments have built their own solutions with little to no oversight. In order to protect both departmental and CAN resources, APs that connect to the SIU CAN must adhere to a minimum security standard or they will be disconnected and blacklisted from the network. These devices will also be required to be registered with Network Engineering through the website provided under the NetEng Portal.

APs feature a variety of security mechanisms that restrict access and encrypt the data that is being sent and received. In the "out-of-box" state, most access points are open. This means that they use no encryption or privacy protection whatsoever. An open access point allows anyone within range to connect to and use the network that the AP is attached to. Open APs are dangerous both for the department and for the other CAN computing resources. Open APs allow people not affiliated with SIU to potentially perform a number of malicious activities, including theft of campus Internet bandwidth and attempts to attack and compromise SIU computer systems and private data. In addition, an open access point provides little to no accountability for tracking users in the event of a security issue or other problem.

Because of these types of issues, IT requires that all APs use a minimum of WPA2 security with AES encryption.

Most access points also ship with a default wireless SSID name, which is usually the name of the device manufacturer (Linksys, Netgear, etc.). Using the default name can signal to an attacker that your access point is insecure or inappropriately configured and may draw undesired attention.

Requirements:

  1. If an open, inappropriately configured, or insecure AP is discovered on the CAN, it will be disconnected from the network until the situation is resolved. Resolution is the responsibility of the department that owns or manages the AP.
  2. The minimum security standard for a wireless AP is WPA2 (Wi-Fi Protected Access version 2) with AES encryption. The plaintext passphrase for the wireless access point should be at least 21 characters in length and compliant with the network ID password policy (using a mix of uppercase and lowercase letters, numbers, and special characters).
  3. Change any default usernames, passwords, and SSIDs on the AP. Carefully restrict remote administration of the AP. Purchase only equipment that can be configured not to allow administration of the access point from the wireless network.
  4. Disable the broadcasting of the SSID. In order for a user to find such a network, they must know the SSID name and will need to manually enter it into their client system.
  5. Enable logging on your access point. If your AP can send its logs to a Syslog server, contact IT and inquire about having this information mirrored to the IT Department for longer-term storage and analysis. This will be helpful if you must track user activity in the event of a security incident such as a network intrusion or a stolen laptop.
  6. Any questions about the implementation of newer technologies not specifically mentioned here should be addressed to both security@siu.edu and network-engineering@siu.edu.
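As an added illustration (not part of the SIU policy or any vendor's tooling), the following Python checker audits a hypothetical AP configuration record against requirements 2 through 5. The configuration keys, the two sample configurations and the lists of factory defaults are constructed for this example.

```python
import re

# Constructed sample configurations (not real devices); the keys are
# hypothetical names chosen to mirror the requirements on this page.
WEAK_AP = {
    "ssid": "linksys", "ssid_broadcast": True,
    "security": "open", "cipher": None, "passphrase": "",
    "admin_user": "admin", "admin_password": "admin",
    "wireless_admin": True, "logging": False,
}
COMPLIANT_AP = {
    "ssid": "CHEM-LAB-204", "ssid_broadcast": False,
    "security": "WPA2-PSK", "cipher": "AES",
    "passphrase": "Correct!Horse7Battery_Staple9",
    "admin_user": "netadmin", "admin_password": "Kx9#vP2q!mL4rW7z",
    "wireless_admin": False, "logging": True,
}
# Constructed lists of well-known factory defaults used by the checks below.
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default"}
DEFAULT_ADMIN = {("admin", "admin"), ("admin", "password"), ("admin", "")}

def passphrase_ok(p):
    """Requirement 2: >= 21 chars with upper, lower, digit and special chars."""
    classes = [r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return len(p) >= 21 and all(re.search(c, p) for c in classes)

def audit_ap(cfg):
    """Return a list of violations of requirements 2-5; empty means compliant."""
    findings = []
    if not (cfg["security"].startswith("WPA2") and cfg["cipher"] == "AES"):
        findings.append("req2: WPA2 with AES encryption is the minimum")
    # The pre-shared key rule only applies to WPA2-PSK; an EAP/802.1X AP has none.
    if cfg["security"] == "WPA2-PSK" and not passphrase_ok(cfg["passphrase"]):
        findings.append("req2: passphrase must be >=21 chars with mixed classes")
    if cfg["ssid"].lower() in DEFAULT_SSIDS:
        findings.append("req3: default SSID still in use")
    if (cfg["admin_user"], cfg["admin_password"]) in DEFAULT_ADMIN:
        findings.append("req3: default admin credentials still in use")
    if cfg["wireless_admin"]:
        findings.append("req3: administration reachable from the wireless side")
    if cfg["ssid_broadcast"]:
        findings.append("req4: SSID broadcast is enabled")
    if not cfg["logging"]:
        findings.append("req5: logging is disabled")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_AP), ("compliant", COMPLIANT_AP)):
        print(name, audit_ap(cfg) or "OK")
```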

While these requirements may result in some minimal inconvenience for the end user, the implementation of these procedures will result in a higher level of security for both the department and the Campus.

In addition to these requirements, other recommendations include:

  1. Use MAC address filters wherever possible. This measure is not foolproof, but it provides an additional layer of protection by blocking requests from clients that you have not specifically permitted by entering the hardware address of the client computer's wireless card.
  2. Use an 802.11i solution when available, or WPA2 with certificates. Due to the management overhead, many may elect to use a pre-shared key instead of certificates. Per requirement #2, the pre-shared key should be difficult to guess and be over 20 characters long.
  3. 802.1X-based Extensible Authentication Protocol (EAP) techniques may also be used to provide encryption, authentication, and other security features to wireless APs.
  4. A wireless network may also be segmented using a network firewall or Virtual Private Network (VPN) that forces encryption and authentication for any wireless user before anyone may access any departmental or CAN resource. This guideline does not refer to the campus VPN solution. It is only applicable if the department is hosting their own VPN authentication system for the purpose of securing their wireless solution.

The SIU Information Technology Network Security department has the right to perform a technical vulnerability assessment and/or penetration test on any equipment connected to the Campus Area Network in order to determine compliance with these requirements. IT Security or Network Engineering will disconnect equipment found to be insecure or inappropriately configured. Non-compliant equipment will be banned from accessing the CAN. Repeat offenders may permanently lose the ability to use any wireless solution that is not sponsored by IT.