S 2.382 Drawing up a security policy for the use of WLAN
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: IT Security Officer, Head of IT, Administrator
Suitable security policies must be established for the use of WLAN components in government agencies and companies. These WLAN-specific security policies must conform to the general security concept and the general security policies of the organisation. They must be checked regularly to ensure they are up to date and modified if necessary. The WLAN-specific rules can be added to the existing policies or can be collected in a separate policy.
A WLAN security policy should contain the following points, among others:
- It should describe who is permitted to install, configure, and use WLAN components in the organisation. A number of conditions must be specified for this purpose, for example:
  - which information may be disclosed over WLAN components,
  - where the WLAN components are used and where access points may be set up,
  - which internal or external networks the WLAN is permitted to connect to.
- Security safeguards and a standard configuration must be specified for all WLAN components.
- When security problems are suspected, the person responsible for security must be informed of this so that additional steps can be taken (see also S 1.8 Handling security incidents).
- The administrators as well as the users of WLAN components should be informed and/or receive training on the threats posed by WLAN components and the corresponding security safeguards to follow.
- The correct implementation of the security safeguards described in the WLAN security policy should be checked regularly.
User policy for WLAN usage
So as not to overload users with too many details, it may make sense to create a separate WLAN user policy. In this case, the user policy should contain short descriptions of the special aspects related to WLAN usage, for example:
- which other internal and external networks the WLAN client is permitted to connect to,
- under which general conditions clients are permitted to log in to an internal or external WLAN,
- if and how hotspots are allowed to be used,
- that the ad-hoc mode is to be disabled so that no other client can directly access the WLAN client,
- what steps must be taken if it is suspected that a WLAN client has been compromised, and in particular, who needs to be informed in this case.
It is also important to clearly describe how to handle security solutions on the clients. This includes, for example, rules stating the following:
- Security-related configurations must not be changed,
- A virus scanner must always be activated,
- An existing personal firewall must not be disabled (see also S 5.91 Use of personal firewalls for clients),
- All shared directories or services must be deactivated or at least protected by good passwords,
- Only special user accounts with restrictive rights should be used when using an external WLAN.
In addition, the user policy should contain a clearly stated ban on connecting unauthorised access points. Furthermore, the policy should specify, especially for information requiring protection such as classified material, which data may be processed on WLAN clients and which data may and may not be transmitted over the WLAN. Users should be sensitised to WLAN threats and be familiar with the contents and consequences of the WLAN policy.
Policy for administrators of a WLAN
In addition, a WLAN-specific policy for administrators should be created which can be used as the basis for training the administrators. It should specify who is responsible for the administration of the various WLAN components, which interfaces are available between the administrators responsible for operations, and when which information must flow between the persons responsible. It is common for one organisational unit to be responsible for the operation of the active components (distribution system and access points) while a different organisational unit is responsible for supporting WLAN clients or for identity and authorisation management.
The WLAN policy for administrators should also contain the essential core aspects of the operation of a WLAN infrastructure, for example:
- Specification of a secure VPN configuration and definition of secure standard configurations
- Use of a WLAN management system
- Selection and configuration of cryptographic methods including key management
- Regular evaluation of log files, at least of the access points
- Performing WLAN measurements: The configuration and the network coverage of access points and clients should be checked regularly using a WLAN analyser and a network sniffer. When checking, unauthorised WLAN clients and access points within the organisation should be searched for in particular.
- Initial operation of replacement systems
- Safeguards when the VPN has been compromised
Even if no WLANs are officially installed in an organisation, Security Management should still ensure that the systems are scanned regularly for unauthorised WLAN component installations.
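The regular WLAN measurement described above (searching for unauthorised access points and clients, and checking for ad-hoc networks that the user policy forbids) reduces to comparing a scan against the authorised inventory. The following is an added example, not part of this safeguard: it assumes an organisation-specific inventory of authorised BSSIDs and SSIDs, and the scan text is constructed, modelled on the output of `iw dev <iface> scan`.

```python
import re

# Assumed organisation inventory: authorised BSSID -> SSID it may broadcast.
AUTHORISED_APS = {
    "00:11:22:33:44:01": "ORG-WLAN",
    "00:11:22:33:44:02": "ORG-WLAN",
}

# Constructed scan text, modelled on the output of `iw dev <iface> scan`.
SCAN_OUTPUT = """\
BSS 00:11:22:33:44:01(on wlan0)
    capability: ESS Privacy (0x0011)
    SSID: ORG-WLAN
BSS 00:11:22:33:44:02(on wlan0)
    capability: ESS Privacy (0x0011)
    SSID: ORG-WLAN
BSS aa:bb:cc:dd:ee:ff(on wlan0)
    capability: ESS Privacy (0x0011)
    SSID: ORG-WLAN
BSS 66:77:88:99:aa:bb(on wlan0)
    capability: IBSS (0x0002)
    SSID: laptop-adhoc
"""

def parse_scan(text):
    """Split iw-style scan text into one dict per observed network."""
    networks, current = [], None
    for line in text.splitlines():
        m = re.match(r"BSS ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", line)
        s = line.strip()
        if m:
            current = {"bssid": m.group(1), "ssid": "", "ibss": False}
            networks.append(current)
        elif current and s.startswith("SSID:"):
            current["ssid"] = s.split(":", 1)[1].strip()
        elif current and s.startswith("capability:"):
            current["ibss"] = "IBSS" in s  # ad-hoc network, forbidden by the user policy
    return networks

def find_unauthorised(networks):
    """Return (bssid, reason) for every observed network that violates the policy."""
    findings = []
    for n in networks:
        if n["ibss"]:
            findings.append((n["bssid"], "ad-hoc network"))
        elif n["bssid"] not in AUTHORISED_APS:
            rogue = "impersonates organisation SSID" if n["ssid"] in AUTHORISED_APS.values() else "unknown access point"
            findings.append((n["bssid"], rogue))
    return findings
```

Each finding should be handed to the person responsible for security as described under S 1.8; the inventory must be kept current, otherwise replacement access points appear as rogue devices.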
All WLAN users, both general users and administrators, should confirm with their signature that they have read the contents of the WLAN security policy and will follow the instructions defined in the security policy. No one should be allowed to use the WLAN without this written confirmation. The signed declarations should be kept in a suitable location, for example in the personnel file.
Review questions:
- Have the internal or external networks to which the WLAN may be connected been specified?
- Has a process including instructions in case of security incidents in the WLAN area been defined?
- Have administrators and users been informed of the security risks and the corresponding security safeguards to follow in the WLAN area?
- Have the persons responsible for administration of the WLAN components been specified?
- Are the log files evaluated regularly?
- Are regular checks for unauthorised WLAN components performed?
- Do the WLAN users confirm in writing that they have read the instructions?
- Does a user policy governing the access to hotspots exist?
- Is a security policy for the use of WLANs available?