Wireless Security Ensuring Compliance HIPAA, PCI, GLBA, SOX, DoD 8100.2 & Enterprise Policy

This article is designed to provide an overview to network administrators and security managers to design, implement, and enforce wireless LAN security policies that enable every organization to fully reap the benefits of wireless LANs without experiencing undue management pains and security holes.

As wireless networks proliferate, the ever-present danger of new, more sophisticated hacking tools is also on the upswing. Hackers, armed with new tools such as AirJack, AirSnarf, Hunter_Killer, etc are launching more sophisticated attacks on the network — networks that a year ago were said to be unbreakable. When an organization’s network is left exposed by insecure wireless LAN devices, hackers can compromise an organization’s network backbone, rendering the investment in IT security useless. Not only are there financial implications from a security standpoint, but the breach can potentially impact the company’s reputation and proprietary and regulatory information. These scenarios can lead to additional financial loss and legal ramifications.

Hence various regulatory bodies have defined policies that have to be complied with by organizations. Regardless of the WLAN deployment status, organizations have to ensure that they track all wireless activity and prevent the transmission of wireless data in clear text.

The Policy Process

Policies for an 802.11 wireless LAN should become part of the greater enterprise network policy and mirror the following standard six-step policy process:

Step 1: Define & Document the Policy

In establishing a documented wireless LAN policy, enterprises should consider four key components of the policy: WLAN Usage, Network Configuration, security, and Network Performance. As every enterprise wireless LAN is different, polices for these four areas will vary for organizations and may overlap. For example, the proper configuration of an access point has a direct effect on the security of the wireless LAN.

Step 2: Management Buy-In

Once a wireless LAN policy has been defined and documented, the next step is to have executives approve the policy and agree to its strict implementation. A wireless LAN policy without management buy-in lacks the teeth required make the policy effective.

While technical staff focus on what can and cannot be technically feasible in a wireless LAN policy, managers should focus on the business case of the wireless LAN. Performance policies work to guarantee the network’s promised productivity gains. Security polices are necessary to guard against the potential monetary losses that can come from exposed corporate data, open enterprise systems, and the public embarrassment of ending up in the press for such attacks.

Organizational politics and the lack of stakeholder support can cause a wireless LAN policy to fail miserably. Strong management buy-in can circumvent these potential mine fields.

Step 3: Educate Employees

After receiving appropriate approval and support from management, the policy must be communicated to those expected to comply with the policy. In the case of wireless LANs, this can include employees, independent contractors, on-site vendors, and any frequent visitor. Effective education of the policy can be accomplished in a variety of ways. Everyone should receive a written copy of the policy and then be required to sign a statement saying they agree to strictly follow the defined policy. For more proactive education, 15- or 30-minute sessions can be conducted periodically to go over the highlights of the policy, go over recurring problem areas, and reinforce key messages.

Step 4: Audit & Monitoring

Well-defined wireless LAN policies are essential for organizations to reap the expected benefits and eliminate unnecessary risks associated with 802.11 wireless LANs. However, policies can become useless if an enterprise does not monitor for policy compliance. IT security and network managers have few options in monitoring the wireless LAN to enforce the established policies.

Step 5: Enforcement – Get Proactive

After monitoring for WLAN policy compliance, enterprises must take corrective measures to alter network configurations, eliminate rogue stations or APs, and deal with the people responsible for such violations. As part of the written WLAN policy, an enterprise should document exactly how violations should be corrected and who is responsible for taking the necessary actions. In the case of an improperly configured access point with a default SSID and disabled encryption, the policy could read to the effect of:

Insecure enterprise access points should be viewed as a major security threat. Network managers should view improperly configured access points as high priority to be corrected within 30 minutes of detection. The network manager must reconfigure the AP as defined by the WLAN policy and monitor the AP’s configuration over the next hour. If the AP cannot be reconfigured according to the WLAN policy or a greater problem with the AP is detected, the access point should be disabled until a solution is found.

Similar policies for enforcement should be in place to deal with various levels of priority for usage, configuration, security, and performance policies.

Step 6: Revise & Fine-Tune the Policy

After a wireless LAN policy is defined, implemented, and enforced, organizations must evaluate the policy’s effectiveness and limitations. Network managers that oversee the policy’s implementation should solicit feedback from WLAN users and those who enforce the policy. By conducting a formal review process, the WLAN policy should be revised to fit the specific needs of the organization. In many cases, the WLAN policy may need to be tightened for greater security and management. However, other organizations may be required to loosen their policy to allow for greater WLAN adoption, usage, and productivity.

Once the policy is revised and fine-tuned, the policy process must be repeated to document all changes, have management buy-into the new policies, communicate the policies to all who are expected to comply, monitor for compliance, enforce the policy, and finally refine the policy.

Conclusion

Wireless LAN policies will vary based on an organization’s wireless LAN deployment, risk tolerance, and needs for performance and usage. However, the documented policy is just the first step toward maximum security and network performance. Monitoring for policy compliance plays a critical role that ensures that the policy does not become a useless, unread document. Without auditing the network for policy compliance, the policy cannot be enforced.