Responsible Office: Office of Cybersecurity
Last Review: 05/23/2023
Next Review: 05/23/2025
Contact: Chris Madeksho
The purpose of this standard is to establish controls for 802.11x wireless networks to minimize risks to the confidentiality, integrity, and availability of information and to support secure access to resources and services over wireless networks. This standard is also designed to meet compliance requirements for data regulated by federal or state law. This includes, but is not limited to, security requirements and safeguards for the Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), or Gramm-Leach-Bliley Act (GLBA).
802.11x wireless networks give users of wireless devices the flexibility to move physically throughout a wireless environment while maintaining connectivity to the network. While 802.11x wireless networks are exposed to many of the same risks as wired networks, they are also exposed to additional risks unique to wireless technologies. This standard outlines the additional controls required for the use of wireless networks.
This standard applies to all 802.11x wireless networks that store, process, or transmit data or connect to a UTHSC network or system, including networks managed and hosted by third parties on behalf of UTHSC.
The types of 802.11x wireless networks in scope include:
- Internal – these wireless networks are directly connected to the internal information technology resources and are only available to authenticated users.
- Public (authenticated) – these wireless networks are not connected to internal information technology resources and access is limited to authenticated users.
- Public (non-authenticated) – these wireless networks are not connected to internal information technology resources and are available for anyone to use without authentication.
AP – Wireless Access Point – a networking hardware device that allows other wireless devices to connect to a network.
Wi-Fi Protected Access (WPA) – a security protocol designed to create secure wireless networks.
ITS Networking personnel are responsible for the installation and maintenance of all wireless equipment. No one other than ITS Networking personnel may install wireless equipment. Networking is also responsible for keeping an inventory of all equipment and for documenting security plans.
The Office of Cybersecurity is responsible for the auditing of the security plan and monitoring of traffic on the wireless networks.
- 802.11x wireless networks must follow all requirements of Information Security Standards and Practices including, but not limited to, a risk assessment prior to implementation.
- Security plan documentation must include, at a minimum, the department name, all AP locations, all supporting wireless infrastructure locations, the subnet on the wired network, and the Service Set Identifier (SSID).
- APs and other supporting wireless devices must be placed in a physically protected location that minimizes opportunity for theft, damage or unauthorized access.
- Wireless network coverage must be managed to restrict the ability to connect outside of the approved boundary.
- The SSID of 802.11x wireless networks must be changed from the factory default setting.
- The SSID must not include information that indicates the location, technology or manufacturer details of the wireless network (e.g., Server-Rm-WiFi-Access, Wifi-Rm70 and Cisco-2400-WiFi). The SSID also must not include information that indicates the type of data traversing the network.
- Public wireless networks must be, at a minimum, physically separated from the internal network or configured to tunnel to a secure endpoint outside the internal network. The design must be included in the documented security plan.
- Logical addressing schemas used for the wireless network must differ from those used for the wired network to effectively distinguish client connections between the two networks.
- While servers and information stores may be accessible over a wireless network, they must not directly connect to a wireless network.
- APs on public authenticated or internal wireless networks must be configured to provide the strongest encryption settings available. At a minimum, Wi-Fi Protected Access 2 (WPA2) with Advanced Encryption Standard (AES) encryption (WPA2-AES) must be used.
- WPA2 personal mode must not be used for internal networks.
- WPA2 personal mode, with Wi-Fi Protected Setup (WPS) disabled, may be used for public authenticated access points that do not connect to internal networks.
- APs which utilize passphrases (such as APs configured to use WPA2 personal mode) must use passphrases that conform to AC-002.02-Password Management and Complexity.
- Passphrases used by APs must be changed from the factory default setting.
- The wireless network administration console must not be directly accessible from the wireless network.
- 802.1X authentication, specifically the Extensible Authentication Protocol (EAP), must be used for all devices connecting to the internal wireless networks. SEs must use the EAP-TLS method whenever possible. Use of Lightweight EAP (LEAP) or of the following EAP authentication mechanisms is not allowed: EAP-MD5 (Message Digest), EAP-OTP (One Time Password), and EAP-GTC (Generic Token Card).
- Wireless client devices that connect to internal wireless networks must be configured to validate certificates issued by the authentication server during the authentication process.
- Wireless client devices must be configured to utilize identity privacy settings during the authentication process, where technically feasible.
- Individual user authentication, in accordance with AC-002-Authentication, is required for internal wireless networks.
- Exceptions to this Practice should be requested using the process outlined in GP-001.02 Security Exceptions and Exemptions to ITS Standards and Practices.
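The configuration requirements above (SSID naming, WPA2-AES minimum, personal mode restrictions, WPS, disallowed EAP methods, server certificate validation and identity privacy) can be turned into an automated compliance check over an inventory of wireless profiles. The script below is an added example and is not part of this standard or of any UTHSC tooling; the `WirelessProfile` fields, the SSID hint word lists and the sample profiles are constructed for illustration and would need to be mapped to a real controller or client export.

```python
"""Audit wireless network profiles against the wireless standard's configuration rules.

Added example, not part of the standard. Field names, hint word lists and the
sample profiles are constructed; adapt them to your own inventory format.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

DISALLOWED_EAP = {"LEAP", "EAP-MD5", "EAP-OTP", "EAP-GTC"}   # forbidden by the standard
PREFERRED_EAP = "EAP-TLS"                                    # required "whenever possible"
ACCEPTABLE_ENCRYPTION = {"WPA2-AES", "WPA3"}                 # WPA2-AES is the stated floor

# Constructed heuristics for the SSID naming rule; extend from your own site inventory.
FACTORY_DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "tp-link", "default"}
LOCATION_TOKENS = {"server", "room", "bldg", "floor", "lab"}
VENDOR_TOKENS = {"cisco", "aruba", "meraki", "ubiquiti", "ruckus"}
DATA_TOKENS = {"phi", "hipaa", "patient", "ferpa", "payroll"}


@dataclass
class WirelessProfile:
    ssid: str
    network_type: str                 # "internal" | "public-auth" | "public-open"
    encryption: str                   # e.g. "WPA2-AES", "WPA2-TKIP", "WPA", "WEP", "open"
    auth_mode: str                    # "enterprise" (802.1X/EAP) | "personal" (passphrase)
    eap_method: Optional[str] = None  # only meaningful in enterprise mode
    validates_server_cert: bool = False
    anonymous_identity: bool = False  # outer identity hidden during the EAP exchange
    wps_enabled: bool = False
    default_passphrase: bool = False


def ssid_findings(ssid: str) -> List[str]:
    """Flag factory-default SSIDs and SSIDs that leak location, vendor or data type."""
    out: List[str] = []
    low = ssid.lower()
    if low in FACTORY_DEFAULT_SSIDS:
        out.append("SSID is a factory default and must be changed")
    tokens = [t for t in re.split(r"[^a-z0-9]+", low) if t]
    for tok in tokens:
        if tok in LOCATION_TOKENS or re.fullmatch(r"rm\d*", tok):
            out.append(f"SSID reveals location ({tok!r})")
        elif tok in VENDOR_TOKENS:
            out.append(f"SSID reveals manufacturer/technology ({tok!r})")
        elif tok in DATA_TOKENS:
            out.append(f"SSID reveals type of data carried ({tok!r})")
    return out


def audit(p: WirelessProfile) -> List[str]:
    """Return the findings for one profile; 'advisory:' entries are recommendations, not failures."""
    findings = ssid_findings(p.ssid)
    if p.network_type == "public-open":
        return findings  # the encryption and authentication rules apply to internal and public-auth only

    if p.encryption not in ACCEPTABLE_ENCRYPTION:
        findings.append(f"encryption {p.encryption!r} is below the WPA2-AES minimum")

    if p.auth_mode == "personal":
        if p.network_type == "internal":
            findings.append("WPA2 personal mode is not permitted on internal networks")
        if p.wps_enabled:
            findings.append("WPS must be disabled on personal-mode access points")
        if p.default_passphrase:
            findings.append("passphrase is still the factory default")
        return findings

    if p.auth_mode != "enterprise":
        findings.append(f"unrecognised authentication mode {p.auth_mode!r}")
        return findings

    if p.network_type == "internal":
        if p.eap_method in DISALLOWED_EAP:
            findings.append(f"EAP method {p.eap_method!r} is not allowed")
        elif p.eap_method != PREFERRED_EAP:
            findings.append(f"advisory: {p.eap_method!r} in use; EAP-TLS preferred where possible")
        if not p.validates_server_cert:
            findings.append("clients do not validate the authentication server certificate")
        if not p.anonymous_identity:
            findings.append("advisory: identity privacy (anonymous outer identity) not enabled")
    return findings


def audit_all(profiles: List[WirelessProfile]) -> Dict[str, List[str]]:
    return {p.ssid: audit(p) for p in profiles}


def noncompliant(profiles: List[WirelessProfile]) -> List[str]:
    """SSIDs with at least one finding that is not merely advisory."""
    return [p.ssid for p in profiles
            if any(not f.startswith("advisory") for f in audit(p))]


# Constructed sample inventory: one compliant internal network, two deliberately broken ones
# (the SSID examples come from the standard's own text), and two public-auth guest networks.
SAMPLE_PROFILES = [
    WirelessProfile("Campus-Secure", "internal", "WPA2-AES", "enterprise",
                    eap_method="EAP-TLS", validates_server_cert=True, anonymous_identity=True),
    WirelessProfile("Wifi-Rm70", "internal", "WPA2-TKIP", "enterprise",
                    eap_method="EAP-GTC", validates_server_cert=False),
    WirelessProfile("Cisco-2400-WiFi", "internal", "WPA2-AES", "personal", wps_enabled=True),
    WirelessProfile("Guest-Auth", "public-auth", "WPA2-AES", "personal"),
    WirelessProfile("linksys", "public-auth", "WPA2-AES", "personal",
                    wps_enabled=True, default_passphrase=True),
]

if __name__ == "__main__":
    for ssid, items in audit_all(SAMPLE_PROFILES).items():
        print(f"{ssid}: {'OK' if not items else str(len(items)) + ' finding(s)'}")
        for item in items:
            print(f"  - {item}")
```

Running the script prints a per-SSID report; only `Campus-Secure` and `Guest-Auth` come back clean. The advisory/failure split mirrors the standard's wording: EAP-TLS and identity privacy are "whenever possible" / "where technically feasible" items, so they are reported but do not by themselves mark a network non-compliant, whereas the disallowed EAP methods, missing certificate validation, personal mode on internal networks and WPS are hard failures.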
- AC-002.02-Password Management and Complexity
- GP-001.02 Security Exceptions and Exemptions to ITS Standards and Practices
- SC-001-Network Security