The University of Texas Health Science Center at Houston Information Technology Data Center Operations and Services Department.
 


Wireless Overview

 

Wireless LANs (WLANs) offer tremendous benefits for faculty, students and staff of UTHSC-H. Wireless networking can provide mobile and portable access to e-mail, the Internet, applications, and databases without the time and expense of installing and supporting physical cable. As with all emerging technology, there are also potential problems associated with its implementation and use. This policy outlines the implementation requirements for establishing a secure WLAN at UTHSC-H.

 

All potential points of network accessibility must be protected with the same level of network security. As required for wired networks at UTHSC-H (see Network Security), wireless networks must have security features enabled when connecting to the UTHSC-H wired network. Since wireless traffic travels through the air on radio waves, UTHSC-H network resources will be accessible both inside and outside of the buildings. Proper security procedures must be implemented to protect confidential and sensitive information from exposure.

 

Any violations of this policy, including unauthorized access points discovered, will be dealt with accordingly. Wireless networks are a convenience feature and may NOT be used in any way to circumvent network security or expose the UTHSC-H intranet to unauthorized use.

 

 

ROLES AND RESPONSIBILITIES

The design and implementation of wireless networks touch several aspects of University operations, and therefore require the careful cooperation of all parties involved to operate effectively. Wireless network access points are devices used to provide access to wired networks, similar to a switch or hub. Therefore, WLANs must follow the same coordination efforts between the IT Infrastructure Owners and departments wishing to implement WLANs as are currently required for wired networks. The roles and responsibilities for designing, implementing, and maintaining WLANs are outlined below:

  • Departmental authorities are those within specific departments or schools with the authority to request IT changes and additions, and also authorize disbursement of funds to cover such changes and additions. The departmental authorities are responsible for directing requests for wireless network coverage to the IT Infrastructure Owners (below). These requests must include:
    • Description of the desired coverage area of the wireless network,
    • Anticipated number of users,
    • Identification of resources to implement client WLAN components,
    • Anticipated funding source and
    • Plan for staffing and funding ongoing support.

The departmental authorities are responsible for handling the purchase, implementation, and support of the client wireless networking components in their department.

  • The IT Infrastructure Owner handles the switching, cabling and wall jacks for the requesting department. They are also responsible for providing security on the wireless network and ensuring that any authorized client has seamless wireless functionality in any wireless-enabled location at UTHSC-H. The IT Infrastructure Owner is responsible for:
    • Reviewing requests for wireless networks,
    • Creating the implementation plan including:
      • Design for the wireless network,
      • Anticipated number of users,
      • Departmental funding and staffing plans for the WLAN implementation and the ongoing operation of the client components of the WLAN
      • Workplan identifying tasks, resources and begin and end dates
      • Overall budget and resource allocation
      • Security features enabled
      • Security monitoring methods employed
    • Reviewing the plan with the departmental authorities,
    • Submitting the network plans to the security team for approval,
    • Purchasing and implementing the required infrastructure components of the wireless network, and
    • Keeping the departmental authorities apprised of the status and progress of the implementation.

On an ongoing basis, the IT Infrastructure Owner is also responsible for daily monitoring and maintenance of wireless infrastructure devices.

  • The IT Security Core (ITS Core) Team is the security authority for the UTHSC-H. They are responsible for ensuring that the provisions of this policy are being followed by:
    • Approving plans for wireless networks,
    • Regularly monitoring and
    • Auditing the UTHSC-H wireless network.

The timeframe for a WLAN implementation will vary depending upon:

  • Completeness of the initial request,
  • Complexity of the request,
  • Number of access points and users,
  • Number of floors covered,
  • Building features and
  • Availability of departmental and IT Infrastructure Owner resources.

As the implementer, the IT Infrastructure Owner can provide an initial estimate of the time required to implement the WLAN. Unless unusually complex, this can be done within a week of the receipt of a complete request. It is in the best interest of the department to involve the IT Infrastructure Owner in the early planning stages of WLANs. The IT Infrastructure Owner will coordinate the WLAN implementation with departmental authorities and IT Security.

 

 

REQUIRED SECURITY COMPONENTS

  • All WLANs must conform to the 802.1x specification for authorization and authentication. Only hardware which conforms to this specification may be used.
  • In addition to the 802.1x security model, the network should include EAP standards which use strong mutual authentication, support open authentication, use key management, use key rotation, and use at least 128-bit WEP encryption.
  • In cases where the client’s EAP standard supports multiple WEP key lengths, and both open and shared authentication, only 128-bit WEP and open authentication may be used. In cases where the client’s EAP standard only supports the common username and password model, passwords must conform to the Password Policy.
  • Frequent timeouts of no more than 10 minutes must be used to rotate the individual session keys of users.
  • Only Access Points (APs) which support multicast key rotation may be used, and that key must rotate on a frequency of no more than 10 minutes.
  • Only APs which support non-issuance of beacon frames may be used, and that feature must be enabled.
  • Only APs which support power level adjustment may be used, and that feature must be used to minimize the overlap of legitimate networks and prevent radio signals from spilling into unintended areas.
  • Only infrastructure networks (based around APs) are allowed. Ad Hoc networks may not be implemented.
  • SSIDs must not contain any information which might give away their usage, placement, or department. SSIDs should not be easily guessable.
  • Wireless networks must traverse a routed network interface before logically contacting a traditional wired network.
  • SNMP access to wireless network access devices must be regulated by strong, non-default SNMP strings.
  • Management access to APs must use strong password authentication to prevent unauthorized access.
  • All security plans must include provisions for active policing of unauthorized WLANs in a given department.
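
Several of the requirements above can be checked mechanically during a review of an access point's settings. The following is an added example, not part of the UTHSC-H policy: a Python audit of one AP configuration. The config key names, the SSID word list and the 12-character minimum for a "strong" SNMP string are assumptions.

```python
# Added example: audit one AP's settings against the requirements listed above.
# The config keys and the word list are assumptions, not a vendor schema.
MAX_ROTATION_S = 10 * 60                         # keys must rotate within 10 minutes
DEFAULT_COMMUNITIES = {"", "public", "private"}  # widely known SNMP defaults
MIN_COMMUNITY_LEN = 12                           # assumed bar for a "strong" string
REVEALING_WORDS = ("uthsc", "radiology", "clinic", "floor", "admin", "lab")

def audit_ap(cfg):
    """Return a list of policy findings; an empty list means no violations."""
    findings = []
    if not cfg.get("dot1x_enabled", False):
        findings.append("802.1x authentication is not enabled")
    if cfg.get("auth_mode") != "open":
        findings.append("authentication mode must be open, not shared")
    if cfg.get("wep_key_bits", 0) < 128:
        findings.append("WEP key length is below 128 bits")
    for key in ("session_key_timeout_s", "multicast_key_rotation_s"):
        value = cfg.get(key)
        # A missing, zero or negative timer means the key never rotates.
        if value is None or not 0 < value <= MAX_ROTATION_S:
            findings.append(f"{key} must be between 1 and {MAX_ROTATION_S}")
    if cfg.get("beacon_enabled", True):
        findings.append("beacon frames are still being issued")
    if cfg.get("network_type") != "infrastructure":
        findings.append("only infrastructure networks are allowed")
    ssid = cfg.get("ssid", "").lower()
    leaked = [w for w in REVEALING_WORDS if w in ssid]
    if leaked:
        findings.append("SSID reveals usage, placement or department: " + ", ".join(leaked))
    for community in cfg.get("snmp_communities", [""]):
        if community.lower() in DEFAULT_COMMUNITIES or len(community) < MIN_COMMUNITY_LEN:
            findings.append("SNMP community string is default or too short")
            break
    return findings

# Constructed sample configurations (not taken from any real device).
COMPLIANT_AP = {
    "dot1x_enabled": True, "auth_mode": "open", "wep_key_bits": 128,
    "session_key_timeout_s": 600, "multicast_key_rotation_s": 300,
    "beacon_enabled": False, "network_type": "infrastructure",
    "ssid": "k7q2-wx91", "snmp_communities": ["Zr8vQ2mLp0xT4e"],
}
WEAK_AP = dict(COMPLIANT_AP, auth_mode="shared", wep_key_bits=64,
               multicast_key_rotation_s=3600, beacon_enabled=True,
               ssid="Radiology-Floor3", snmp_communities=["public"])

if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT_AP), ("weak", WEAK_AP)):
        print(name, audit_ap(cfg))
```

Settings that are missing from the configuration are treated as violations, so an incomplete export fails the audit rather than passing it.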

PHYSICAL SECURITY OF THE NETWORK EQUIPMENT

All wireless devices and network switches must be installed in physically secure areas accessible only by authorized personnel. If the device must be installed in an open area, it will be located at a height of 12’ or greater, where technically possible. Access points must not be installed near external walls or windows.

 

 


© 2006, The University of Texas Health Science Center at Houston