Wireless Access Standards of Practice
The Wireless Standard of Practice is established to ensure secure
and reliable access to limited network resources for all members
of the DOE community for educational purposes. The DOE network infrastructure
is extended through the use of wireless network access methods.
This standard of practice describes how wireless technologies are
to be deployed and operated to protect the security and integrity
of the entire DOE network. Use of the DOE network (wired and wireless)
is governed by Board of Education (BOE) Internet Access Regulations
2170.1, and this standard of practice is an extension of regulation
2170.1.
The Network Support Services Branch (NSSB) of the Office of Information
and Technology (OITS) is responsible for ensuring the integrity,
reliability, and security of the DOE network infrastructure, and
can 1) restrict the use of wireless devices, 2) determine what devices
can be connected to the network, and 3) determine how these devices should
be configured.
Purpose
Wireless devices offer increased flexibility, expandability and
mobility, thus improving access to networked resources. Insecure
and improperly implemented wireless devices pose risks to the network
that can impact the productivity of many users when wireless implementations are done
without proper security and with little or no planning.
This standard of practice describes how wireless technologies are
to be deployed, administered, and supported within the DOE network.
The standard of practice:
- provides for an acceptable level of wireless security,
- provides for network robustness/reliability,
- minimizes network interference from other devices utilizing the
same wireless frequency spectrum.
Scope
This standard of practice applies to all devices using wireless communications
(e.g. computers, PDAs, voice over IP phones, printers/scanners) that interface
directly with the DOE network. This includes, but is not limited to,
wireless access points, wireless routers, wireless base stations, and any
wireless communication device capable of transmitting and receiving
data packets on the DOE network. Wireless devices such as personal cell phones that do
not interface with the DOE's network do not fall under the scope of this
standard of practice.
Standards of Practice
1. Register the Wireless Access Points (AP), Base Stations (BS) and devices.
1.1. The School or Office Administration (Principal/Administrator) needs to authorize implementation and
ensure that the wireless device is registered in the central database of authorized wireless devices
connected to the DOE network, including the school local area networks (LAN).
This centralized database at a minimum must contain the basic
information of the wireless device including the manufacturer, model
number, location of placement, IP address assigned, name of the
AP/BS, MAC address, frequencies used, channel used, and security
configuration (Encryption, Authentication, etc.).
1.2. All wireless devices implemented are subject to audits. The audits will check for proper
implementation and security safeguards.
2. Suitability.
2.1. For data networks, a wireless network should not be considered a
replacement for a wired network. It should be seen only as an
extension to the existing wired network.
2.2. Wireless access should only be allowed with encrypted protocols
and/or Virtual Private Network (VPN) when accessing
administrative information systems such as FMS, Student
Information System, ISPED, Human Resource System, etc. that
contain sensitive and confidential information.
2.3. DOE reserves the right to restrict wireless access to services
and resources that are disruptive to the network, or pose a
threat to the DOE's information security, audit or accreditation
status when used from the wireless network.
3. Management & Support.
3.1. Wireless LAN implementations are the responsibility of the
Administrator (e.g. school administrator for school, office
administrator for state or complex office) that controls the
space in which they operate. The Administration is expected to
know what is occurring in their space, and to take steps to make
sure that all wireless implementations active in their space
follow the standards of practice defined here.
3.2. Authorized by Administration. Every wireless access installation
within the DOE network must be authorized by the Administrator of the
space in which it operates. Administration may delegate details to
technical staff or another responsible person. Network access
using an unauthorized wireless AP/BS (considered a rogue device) is
unauthorized and prohibited.
4. Radio Frequency Spectrum Management.
4.1. There are many devices that share the same radio frequency spectrum as most
of the DOE Wireless Network. This includes, but is not limited to
2.4 GHz and 5 GHz devices such as cordless phones, microwave
ovens, wireless cameras or speakers that can interfere with the
wireless network. To prevent such disruptions of the wireless
networks, these non-networked devices should be identified as
potential sources of interference before implementation.
4.2. Wireless channel assignments will be managed by the
Administration.
5. Security Standards.
5.1. AP/BS should be configured as a closed network. Every effort
shall be made to limit the range of the wireless access within
the school campus or office space under the jurisdiction of the
Administrator. Wireless access should not be allowed from the
outside perimeters of the school or office premises.
5.2. The wireless infrastructure is by nature insecure because data is transmitted
over radio waves that anyone can intercept and view. It is recommended that
wireless transmissions be encrypted, especially when accessing sensitive student or
financial data.
5.3. All authorized wireless users or clients shall be known to the
AP/BS. Wireless access should require authentication, authorization and proper
accounting of the access.
5.4. Wireless access Service Set Identifier (SSID) should be changed from the
vendor's default settings, and SSID beaconing should be disabled.
5.5. Practice limiting off-hour traffic by turning off AP/BS during
non-use hours if possible.
5.6. Rogue AP/BS devices (unregistered, unauthorized and unknown to management) are
strictly prohibited.
6. Guest Access (e.g. vendors, parents, community members)
6.1. Guests who connect wireless devices onto the DOE network require
permission from the Administration. Guest access devices must be
verified for acceptable client security implementation before
being allowed access. Remediation of any problem or disruption
caused by the guest will be the responsibility of the permitting
Administration. Guests will have restricted
access to the DOE resources available on the network.
7. Enforcement.
7.1. Any DOE employee found to have willfully violated this standard
of practice shall be subject to disciplinary action as
prescribed in the Internet Access Regulation 2170.1 and as
appropriately determined by the Administrator.
The above Wireless Access Standards of Practice is available as a downloadable
document.
For more information, please visit the Wireless
Access Standard of Practice FAQ.