S 2.381 Determining a strategy for the use of WLAN
Initiation responsibility: IT Security Officer, Head of IT, Top Management
Implementation responsibility: Head of IT, IT Security Officer
Before WLANs are used in an organisation, the organisation's general strategy for WLAN usage must be specified. In particular, it must be clarified in which organisational units, for which applications and for what purpose WLANs will be used, and which information may be transmitted over a WLAN at all. The areas in which WLANs will be set up (for example, environments in which users frequently move around within a certain area) should also be specified, as should the areas in which no WLAN may be available (extending, if necessary, to active shielding).
WLAN components can be used, for example, to
- supply blanket coverage to an organisation, a single department, or a production area with a wireless network,
- enable the use of mobile components in individual rooms, e.g. in meeting rooms,
- provide a commercial WLAN for external users (hotspots).
Wireless networks can be set up with or without connections to other networks, which also has a significant influence on the threat scenario and therefore on the security safeguards to be taken as well. Depending on the intended use and environment in which the WLAN is set up, the security safeguards necessary may differ significantly. This must be considered in all cases when formulating the security policies and regulations for WLAN usage. The decisions should be documented together with the reasons for the decisions.
When setting up a wireless network, a significant amount of planning is necessary to achieve the stability, transmission quality, and security required for professional use (see also S 2.383 Selection of a suitable WLAN standard and S 5.140 Setting up a distribution system).
Those responsible for IT, as well as the Security Management of an organisation, should be aware that many technical aspects of wireless communication systems, and of WLANs in particular, are subject to rapid development and change. For Security Management and for those responsible for IT, this means on the one hand that more effort and expense is generally required to operate a WLAN securely, and on the other hand that the effectiveness of the IT security safeguards must be tested, and adapted to changes, more often than on other systems.
The following points are important for the secure operation of wireless networks and the IT systems connected to them:
- The method of operation and technology of the wireless communication system used must be completely understood by those responsible for its operation.
- The security of the technology used should be evaluated regularly. Likewise, the security settings of the IT systems used (e.g. access points, laptops, PDAs) should be examined regularly.
- The subject of WLAN usage must be handled in the security policy of the organisation, and every change to the WLAN usage must be coordinated with Security Management.
- To reliably secure the transmitted data, specifications must be worked out that deal with, among other things, the selection and configuration of adequate encryption and authentication methods as well as with key management.
- The minimum WLAN standard that must be supported by all WLAN components must be defined, both for the radio interface (e.g. IEEE 802.11g) and for the security mechanisms (e.g. IEEE 802.11i, i.e. WPA2), since the radio standard alone does not determine which encryption and authentication methods are available. Only in this way can secure interoperation of the individual components be guaranteed and the necessary security mechanisms be used throughout the entire coverage area (see also S 2.383 Selection of a suitable WLAN standard).
Use of WLAN components
Many IT systems used by end users, such as laptops or PDAs, contain WLAN functionality that is often enabled by default. It must be ensured that this functionality cannot be used for uncontrolled ("wild") WLAN connections, and there must be clear rules stating whether the use of this WLAN functionality is permitted at all (and if so, under what conditions).
Review questions:
- Have the organisational units, areas, and applications for which the use of WLAN is permitted been specified?
- Is the use of WLAN regulated in the organisation's security policy?
- Are the security requirements for the WLANs used checked regularly by means of security inspections?
- Are changes to the WLAN infrastructure and/or the terms of use coordinated with IT Security Management?