
Information Security Standards & Guidelines

August 2010 Wireless / Wired LAN Security Standards

Security Guidelines for Wired/Wireless LAN:


1. Physical Security

   1.1. The wireless station and its WLAN adaptor card should not be physically exposed, to prevent theft and unauthorized access to the WLAN.
   1.2. The access points should be placed within the physically protected HBL branch environment to prevent unauthorized access and physical tampering.
   1.3. The access points should be physically located away from external sources of electromagnetic interference, e.g. microwave ovens.
   1.4. A site review should be conducted to assess the coverage of the WLAN and minimize spillage of WLAN traffic beyond the physical HBL branch environment.

2. Key Management

   2.1. Encryption standards:
        2.1.1. WPA/2 for WLAN. It uses the Advanced Encryption Standard (AES) for data encryption and is eligible for FIPS (Federal Information Processing Standards) 140-2 compliance.
        2.1.2. Either IPSec, SSL or SSH for wired LAN (depending on application server compatibility).
   2.2. Strong symmetric encryption, e.g. using a 128-bit key length, should be used to protect the information transmitted over the WLAN.
   2.3. Symmetric and asymmetric keys to be managed via an enterprise key management (EKM) solution at a central location.

3. End Points / User Authentication

   3.1. EAP authentication with X.509 certificates for wired or wireless AP devices authenticating to endpoints.
   3.2. MAC address authentication for endpoints authenticating to wired or wireless AP devices, as the first layer of endpoint authentication.
   3.3. X.509 certificates on user-assigned smart cards for users conducting transactions from endpoints (for transactions above a threshold to be agreed with Business), as the second layer of endpoint authentication.
   3.4. X.509 certificates for LAN/WAN devices authenticating to each other.
   3.5. Kerberos/LDAP authentication to be performed via Microsoft AD where available, or via LDAP where AD is not available.
   3.6. X.509 certificates to be issued by the HBL Key Issuing Authority (Certificate Authority).

4. Access Control

   4.1. The access point should be configured to drop any unencrypted network traffic, so that unauthorized wireless stations or rogue access points cannot associate with the access point if they do not know the shared secret or don't have X.509 certificates.
   4.2. Access control devices such as firewalls should be implemented to segregate the WLAN from the internal wired network. The WLAN should be deployed in a different network segment, separate from the internal wired network.
   4.3. Wireless IPS should be implemented to detect and prevent rogue access points and any unauthorized access to the wireless station over the WLAN.
   4.4. IP / port filtering can be implemented at the gateway to ensure that only authorized network traffic from the WLAN or legitimate access points is allowed to enter the wired network. This is to prevent unauthorized access to the internal wired network via rogue access points.
   4.5. Traffic security policies and rule-sets to be provided by ISD, based on a threat/vulnerability assessment of the application traffic profiling provided by application owners.

5. Access Point Administration

   5.1. Wireless access points to be configured to restrict the range of network access to the physical location in which the users are expected to reside.
   5.2. Change the network default name at installation; the SSID should not reflect the name of any division/department, system name or product name.
   5.3. MAC address administration procedures for wireless users to be documented. They must include MAC address administration procedures for user additions, terminations and changes in assigned equipment.
   5.4. Change the product default access point configuration settings; these are usually insecure, as they are set for easy deployment.
   5.5. Enable and configure security settings including the SSID, encryption keys and Simple Network Management Protocol (SNMP) community strings.
   5.6. Disable SSID broadcasting to prevent the access points from broadcasting the SSID, so that only authorized users whose configured SSID matches that of the access point can connect to the network.
   5.7. Disable DHCP and assign static IP addresses to all wireless users to minimize the possibility of an unauthorized user obtaining a valid IP address.
   5.8. Access to network devices to be controlled by access lists, so that the equipment is accessible only from a limited number of locations.
   5.9. The wireless station should not be configured for unprotected network file sharing, to prevent unauthorized access to its local files.
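An added example, not part of the standard: a small Python audit that parses a hostapd-style access point configuration and reports which of the controls above (2.1.1, 3.1, 3.2, 5.2, 5.6) it fails. The vendor-default SSID list, the organisation words and both sample configurations are constructed assumptions; the hostapd keys are the real ones.

```python
# Constructed lists (assumptions, not from the standard): vendor default SSIDs
# and words that would reveal the organisation or a department (control 5.2).
DEFAULT_SSIDS = {"default", "linksys", "dlink", "netgear", "tp-link"}
REVEALING_WORDS = {"hbl", "finance", "treasury", "branch"}

def parse_hostapd(text):
    """Parse hostapd-style key=value lines, skipping blanks and comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def audit_ap(cfg):
    """Return (control, finding) pairs for every requirement the config fails."""
    findings = []
    # 2.1.1 / 4.1: WPA2 with AES-CCMP only; no WPA1/TKIP or open fallback
    if cfg.get("wpa") != "2":
        findings.append(("2.1.1", "wpa must be 2 (WPA2 only)"))
    if cfg.get("rsn_pairwise") != "CCMP":
        findings.append(("2.1.1", "rsn_pairwise must be CCMP (AES)"))
    # 3.1: EAP (802.1X) authentication with certificates, not a pre-shared key
    if cfg.get("ieee8021x") != "1" or "WPA-EAP" not in cfg.get("wpa_key_mgmt", ""):
        findings.append(("3.1", "802.1X/EAP authentication not enabled"))
    # 3.2: MAC address allow-list as the first authentication layer
    if cfg.get("macaddr_acl") != "1":
        findings.append(("3.2", "macaddr_acl must be 1 (deny unless in accept list)"))
    # 5.2: SSID changed from the vendor default and not naming the organisation
    ssid = cfg.get("ssid", "").lower()
    if ssid in DEFAULT_SSIDS or any(w in ssid for w in REVEALING_WORDS):
        findings.append(("5.2", "SSID is a vendor default or reveals the organisation"))
    # 5.6: SSID broadcast disabled (hostapd: 1 = empty SSID, 2 = cleared SSID)
    if cfg.get("ignore_broadcast_ssid", "0") not in ("1", "2"):
        findings.append(("5.6", "SSID broadcast is enabled"))
    return findings

# Constructed sample configurations: a vendor-default style AP and a hardened one.
WEAK_CONFIG = """ssid=linksys
wpa=1
wpa_pairwise=TKIP
ignore_broadcast_ssid=0
macaddr_acl=0"""
HARDENED_CONFIG = """ssid=br-7f3a
wpa=2
rsn_pairwise=CCMP
wpa_key_mgmt=WPA-EAP
ieee8021x=1
macaddr_acl=1
ignore_broadcast_ssid=1"""
```

Running `audit_ap(parse_hostapd(WEAK_CONFIG))` lists six failed checks, while the hardened configuration returns an empty list; DHCP and SNMP settings (5.5, 5.7) live outside hostapd and would need a separate check.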
