Security Basics mailing list archives

Re: wireless policies
From: Alessandro Bottonelli <a.bottonelli () axis-net it>
Date: Thu, 13 Nov 2003 00:14:02 +0100

On Tuesday 11 November 2003 23:44, netethix () iprimus com au wrote:
> I'm in the process of assisting in the creation of a wireless policy for
> a large company. I'm interested in hearing people's experiences in a)
> putting together an effective wireless policy and b) how they have gone
> about securely implementing a wireless solution. It's a broad topic - and
> so answers can be as broad or specific as you like.

I am supporting a military client of mine on a very similar task. 

What happens here is that the key points to define are:

  When and where WLANs are acceptable, i.e.:
    -1- For Unclassified networks only
    -2- When wired arrangements are not possible,
        for example: in buildings of historical value,
                     for temporary networks
    -3- Where in-campus mobility is a requirement

  How they are to be implemented, i.e.:
    -1- Only encrypted traffic
    -2- Cipher of at least N bits
    -3- Key changes every N days
    -4- Strong (two-factor) user authentication
    -5- Must be approved by the Security Officer
    -6- Must be audited N time(s) a year

This is just a starting point; these concepts need to be developed further for
the specific client environment. Any statement in the policy means MONEY, so
you must carefully balance actual risk with the protection levels really needed
by the client.

Alessandro Bottonelli
CISSP & BS7799 Lead Auditor
Information Security Consultant
