T4.5.4 - SECURITY OF WIRELESS NETWORKS Implementation Guidance
The entity shall ensure that all wireless networks are adequately secured.
Consideration should be given to the segregation of wireless networks from internal and private networks. As the perimeters of wireless networks are not well defined, a risk assessment should be carried out in such cases to identify controls (e.g. strong authentication, cryptographic methods, and frequency selection) to maintain network segregation.
When designing its wireless networks, the entity should consider the number of base stations to be deployed, where they will be situated, what bandwidth limitations should apply to clients and what wired alternatives should exist, so as to limit the potential for wireless-based Denial of Service attacks.
The use of ‘guest’ wireless networks should be restricted to genuine short-term guests of the entity and to consultants without a verified need for connection to the entity’s core network. Guest networks should only connect to the Internet, and their data should not transit the entity’s core network. Traffic on wireless guest networks should not be terminated on the core network and should be tunnelled directly to the network perimeter.
Traffic on guest networks should be monitored by the entity to ensure conformance with its acceptable usage provisions. Temporary users of guest networks should be required to authenticate to the network, to avoid opportunistic use of the entity’s network resources.
Network managers should implement controls to ensure the security of information on wireless networks. In particular, special controls should be established to safeguard the confidentiality and integrity of data passing over wireless networks, and to protect the connected systems and applications.
The entity should prohibit and sanction the creation and use of ad-hoc wireless networks, including the connecting of unapproved wireless base stations to the entity’s core data network.
The entity should put in place mechanisms that allow for the identification and isolation of rogue wireless access points.
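The following is an added worked example, not part of the standard and not an implementation the standard prescribes, of the identification step above: a wireless survey (BSSIDs seen over the air) is compared with an inventory of approved access points, and each unapproved one is classified so that the entity can decide whether to isolate it (an unapproved base station plugged into the core network) or merely record it (a neighbour's network). The inventory, survey entries and switch MAC table are all constructed sample data, and the "wired neighbour" check is a heuristic assumed for this example: many access points derive their radio BSSID from their wired MAC address by a small offset, so a wired MAC close to an unapproved BSSID suggests the device is attached to the entity's own switches.

```python
"""Rogue wireless access point triage (added example; constructed data throughout)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ObservedAp:
    bssid: str      # radio MAC address seen in beacons
    ssid: str       # advertised network name
    channel: int
    security: str   # e.g. "WPA2-ENT", "WPA2-PSK", "OPEN"


@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    category: str   # approved | misconfigured | evil-twin | rogue-on-lan | unknown
    detail: str


# Constructed inventory: approved BSSIDs with the SSID and security each must use.
APPROVED_APS = {
    "00:11:22:aa:bb:01": ("CORP-WIFI", "WPA2-ENT"),
    "00:11:22:aa:bb:02": ("CORP-WIFI", "WPA2-ENT"),
    "00:11:22:aa:bb:03": ("GUEST", "WPA2-PSK"),
}
CORPORATE_SSIDS = {"CORP-WIFI", "GUEST"}


def _mac_int(mac: str) -> int:
    """Convert a colon-separated MAC address to an integer for distance checks."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def wired_neighbour(bssid: str, wired_macs, span: int = 8):
    """Return a MAC from the wired switch table within `span` addresses of the BSSID.

    Heuristic assumed for this example: an AP's wired MAC is often a small offset
    from its radio BSSID, so a close match suggests the AP is on the entity's LAN.
    """
    target = _mac_int(bssid)
    for mac in wired_macs:
        if abs(_mac_int(mac) - target) <= span:
            return mac.lower()
    return None


def triage(observed, approved=APPROVED_APS, corp_ssids=CORPORATE_SSIDS, wired_macs=()):
    """Classify every observed AP against the inventory and the wired MAC table."""
    findings = []
    for ap in observed:
        bssid = ap.bssid.lower()
        if bssid in approved:
            # Approved hardware: still verify it advertises what the inventory says.
            exp_ssid, exp_sec = approved[bssid]
            if ap.ssid != exp_ssid or ap.security != exp_sec:
                findings.append(Finding(bssid, ap.ssid, "misconfigured",
                                        f"expected {exp_ssid}/{exp_sec}, saw {ap.ssid}/{ap.security}"))
            else:
                findings.append(Finding(bssid, ap.ssid, "approved", "matches inventory"))
            continue
        if ap.ssid in corp_ssids:
            # Unapproved radio impersonating a corporate SSID: users may connect to it.
            findings.append(Finding(bssid, ap.ssid, "evil-twin",
                                    "unapproved BSSID advertising a corporate SSID"))
            continue
        wired = wired_neighbour(bssid, wired_macs)
        if wired:
            findings.append(Finding(bssid, ap.ssid, "rogue-on-lan",
                                    f"wired MAC {wired} present in switch table; isolate that port"))
        else:
            findings.append(Finding(bssid, ap.ssid, "unknown",
                                    "not in inventory and not seen on the wire; likely a neighbour, verify"))
    return findings


def summarize(findings):
    """Count findings per category, for reporting."""
    return dict(Counter(f.category for f in findings))


# Constructed survey and switch MAC table used when run stand-alone.
SAMPLE_SURVEY = [
    ObservedAp("00:11:22:aa:bb:01", "CORP-WIFI", 6, "WPA2-ENT"),   # approved
    ObservedAp("00:11:22:aa:bb:03", "GUEST", 11, "OPEN"),          # approved AP, wrong security
    ObservedAp("de:ad:be:ef:00:10", "CORP-WIFI", 1, "WPA2-PSK"),   # impersonates corporate SSID
    ObservedAp("c0:ff:ee:00:00:05", "HomeRouter", 6, "WPA2-PSK"),  # wired MAC 4 addresses away
    ObservedAp("12:34:56:78:9a:bc", "CoffeeShop", 1, "OPEN"),      # nothing on the wire
]
SAMPLE_WIRED_MACS = ["c0:ff:ee:00:00:01", "aa:bb:cc:dd:ee:ff"]

if __name__ == "__main__":
    for f in triage(SAMPLE_SURVEY, wired_macs=SAMPLE_WIRED_MACS):
        print(f"{f.category:<14} {f.bssid}  {f.ssid!r}: {f.detail}")
    print(summarize(triage(SAMPLE_SURVEY, wired_macs=SAMPLE_WIRED_MACS)))
```

In practice the survey would come from the entity's own wireless controller or a sensor walk-through, and the wired MAC table from the switches; the classification then feeds the isolation step (port shutdown or quarantine VLAN) for the "rogue-on-lan" and "evil-twin" categories, while "unknown" entries are recorded and verified before any action, since a neighbour's network cannot be isolated by the entity.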