It is little wonder that wireless networks have become so ubiquitous over the last few years. Wireless access points are inexpensive, easy to install, and most of all, handy. Although wireless networking can make life a lot easier for your users, it can also become a security nightmare. As such, it is important to have an effective wireless networking policy in place on your network.
The biggest security-related problem with wireless networks is that they transmit potentially sensitive information over the airwaves. This means that the information flowing across the network can be intercepted by anyone within range who has a laptop equipped with a wireless network card. Likewise, wireless access points provide a way for hackers to enter your network without having to deal with the constraints normally associated with an Internet-based attack. As such, wireless networks can pose a huge threat to your network's security unless you have a good wireless network security policy in place.
Parts of the policy
There are two main parts to a wireless network security policy: the administrative policy and the user policy. The administrative policy is the part of the policy that controls how the wireless network will be set up and which security mechanisms will be implemented. The user part of the policy sets guidelines regarding what is expected from the users.
By far the most important part of the user portion of the wireless security policy is that users must understand that setting up their own wireless access points will not be tolerated. Because wireless access points are so inexpensive, it is fairly common for a user to buy an access point and plug it into their network connection.
In doing so, they provide wireless network access to themselves and their friends, but they also completely undermine your network's security. As such, I recommend producing a document stating that any user caught operating an unauthorized wireless access point will be terminated, and having the users sign the document. I know that this sounds harsh, but rogue access points represent such a severe threat to your network's security that you must be prepared to do whatever it takes to eliminate the threat.
Matching your policy to your administration model
Now that I've gotten that out of the way, let's talk about the administrative portion of the wireless network security policy. The administrative policy should be a document that specifies how wireless hardware will be connected to the wired network, and by whom. There are several reasons why this is important. One example is that in large companies, the IT department is often decentralized. What this means is that there might be a main administrative body and several smaller support departments that are responsible for maintaining individual buildings, departments, etc.
If your company uses a decentralized IT model such as the one that I described above, an effective wireless access policy is especially important. The odds of someone in the IT department deploying a completely insecure access point are slim, but without a wireless networking policy in place, different branches of the IT staff might deploy wireless access points with varying degrees of security. For example, one group might use WPA encryption, while another group uses WEP encryption.
When developing a wireless networking policy, it is completely up to you which security mechanisms you require wireless access points to use. One clause that I do strongly recommend including in your security policy, though, is that wireless access points must only be attached to a dedicated network segment, and never to a segment containing other network resources.
The reason for this is that you can't physically control the airwaves, so a wireless network should be treated as an insecure medium (even if you are using encryption). If a wireless network truly does represent an insecure medium, then the last thing in the world that you should be doing is attaching that insecure network directly to your secure (wired) network.
Many companies get around this issue by requiring wireless users to go through an authentication process prior to allowing them to access resources located on the wired network. One way of accomplishing this is to set up a VPN. Normally, VPNs are used as a way of allowing users to securely access a corporate network over the Internet. If you stop and think about it though, the Internet is an insecure network, just like a wireless network. Therefore, it makes perfect sense to use a VPN to authenticate wireless users prior to giving them access to resources on your wired network.
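The dedicated-segment clause, the ban on unauthorized access points, and the concern about branches deploying different encryption can all be checked mechanically against a device inventory. The following is an added example, not part of the original article; the policy values, subnet, and inventory records are constructed assumptions.

```python
import ipaddress

# Policy values are assumptions for this example, not taken from the article.
POLICY = {
    "required_encryption": "WPA",
    "wireless_segments": [ipaddress.ip_network("10.50.0.0/24")],
}

# Constructed inventory: devices seen on the network, with their role.
INVENTORY = [
    {"name": "ap-hq-1", "role": "ap", "ip": "10.50.0.10", "encryption": "WPA", "authorized": True},
    {"name": "ap-bldg2", "role": "ap", "ip": "10.50.0.11", "encryption": "WEP", "authorized": True},
    {"name": "ap-sales", "role": "ap", "ip": "10.20.3.40", "encryption": "WPA", "authorized": True},
    {"name": "ap-unknown", "role": "ap", "ip": "10.20.7.99", "encryption": "none", "authorized": False},
    {"name": "fileserver", "role": "server", "ip": "10.50.0.200"},
]

def in_wireless_segment(ip, policy):
    """True if the address lies inside a segment dedicated to wireless."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in policy["wireless_segments"])

def audit(inventory, policy):
    """Return sorted (device, finding) pairs for every policy violation."""
    findings = []
    for dev in inventory:
        on_wlan = in_wireless_segment(dev["ip"], policy)
        if dev["role"] != "ap":
            # The dedicated segment must not contain other network resources.
            if on_wlan:
                findings.append((dev["name"], "non-wireless resource on wireless segment"))
            continue
        if not dev["authorized"]:
            findings.append((dev["name"], "unauthorized access point"))
            continue  # rogue AP: configuration checks are moot
        if not on_wlan:
            findings.append((dev["name"], "access point outside dedicated segment"))
        if dev["encryption"] != policy["required_encryption"]:
            findings.append((dev["name"], "encryption differs from policy"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit(INVENTORY, POLICY):
        print(f"{name}: {finding}")
```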
As you can see, having an effective wireless access policy is critical to the security of any organization that operates a wireless network. Without such a policy, you are basically at the mercy of your IT staff to deploy wireless hardware in a secure manner.