This policy was reprinted with permission of Stephen Northcutt, The SANS Institute.
This policy prohibits access to
This policy covers all wireless data communication devices (e.g., personal computers, cellular phones, PDAs) connected to any of
3.1 Register Access Points and Cards
All wireless Access Points / Base Stations connected to the corporate network must be registered and approved by InfoSec. These Access Points / Base Stations are subject to periodic penetration tests and audits. All wireless Network Interface Cards (e.g., PC cards) used in corporate laptop or desktop computers must be registered with InfoSec.
3.2 Approved Technology
All wireless LAN access must use corporate-approved vendor products and security configurations.
3.3 VPN Encryption and Authentication
All computers with wireless LAN devices must use a corporate-approved Virtual Private Network (VPN) configured to drop all unauthenticated and unencrypted traffic. To comply with this policy, wireless implementations must maintain point-to-point hardware encryption of at least 56 bits. All implementations must support a hardware address that can be registered and tracked, i.e., a MAC address. All implementations must support and employ strong user authentication that checks against an external database such as TACACS+ or RADIUS.
3.4 Setting the SSID
The SSID shall be configured so that it does not contain any identifying information about the organization, such as the company name, division title, employee name, or product identifier.
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
5.0 Definitions
User Authentication: A method by which the user of a wireless system can be verified as a legitimate user independent of the computer or operating system being used.