Educause Security Discussion mailing list archives
1 Survey summary, 2 new surveys -- was Re: [unisog] Survey of effective campus wireless security practices -- your input is requested
From: "H. Morrow Long" <morrow.long () YALE EDU>
Date: Tue, 1 Jun 2004 13:57:31 -0400
1. As promised, I've summarized the results of my informal survey (posted to UniSog and the Educause Security Group Listserv). Appended in text format is the raw answer data from the (de-identified) responding institutions. You view the summarized answers (as tables & graphs) in the PPT at: http://www.yale.edu/its/security/Presentations/ByDate/20040518/ SPW04STFEPWSHIED.ppt 2. Short survey #2: Cyber-risk policies - How many institutions have purchased one? I'm aware that many institutions have been approached by insurance companies, insurance brokers and risk managers and advised to look into purchasing new 'cyber' risk insurance policies to cover gaps in current coverage. How many of your institutions have actually done so? (Answers will be kept anonymous) 3. Short survey #3: PC S/W firewalls - How many campuses mandate/recommend/provide one? * Does your campus mandate a personal PC firewall (h/w or s/w)? * Does it mandate a particular vendor or brand? * Does it mandate a particular configuration? * Does your campus recommend a personal PC firewall (h/w or s/w)? * Does it mandate a recommend vendor or brand? * Does it mandate a recommend configuration? * Does your campus provide a personal PC firewall (h/w or s/w) for free? * Does your campus provide a personal PC firewall (h/w or s/w) for a fee? Which PC S/W firewall did your institution choose? How and/or why? - H. Morrow Long, CISSP, CISM University Information Security Officer Director -- Information Security Office Yale University, ITS ------------------------------------------------------------------------ ------------------------------------------------------------------------ ----- Survey of effective campus wireless security practices questions 15 Responding Institutions (de-identified) [Save the below lines as a file named survey.csv if you wish to bring it into Excel] Do you provide WiFi access on your campus? ,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y Do you publish your campus SSID on the Web? ?,N,N,Y,N,Y,N,Y,Y,N,Y,Y,Y,Y,Y,N Do you publish campus maps with WiFi locations?,Y,N,N,Y,Y,Y,N,Y,N,Y,N,Y,Y,Y,Y (*hotspots*) on the Web?,,,,,,,,,,,,,,, Is your campus wireless LAN(s) mode:,,,,,,,,,,,,,,, IBSS (ad-hoc),N,N,Y,N,N,N,N,N,N,N,N,N,N,N,N BSS (Infrastructure),Y,Y,Y,Y,Y,N,Y,N,Y,Y,Y,Y,N,Y,Y ESS (Extended Infrastructure),N,N,N,N,N,Y,N,Y,N,Y,N,N,Y,N,N Have you implemented:,,,,,,,,,,,,,,, 802.11a,Y,N,N,Y,N,N,N,N,N,N,N,N,Y,Y,N 802.11b,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,N,Y 802.11g,Y,Y,Y,Y,N,N,N,N,Y,N,N,Y,Y,N,N " Other 802.11 (e.g. Super-G, WiMAX, etc.) ",N,N,N,N,N,N,N,N,N,N,N,N,N,N,N 802.11i ,N,N,N,N,N,N,N,N,N,N,N,N,N,N,N WEP ,Y,Y,Y,Y,N,Y,Y,N,Y,Y,Y,N,Y,N,N WPA ,N,N,Y,N,N,N,N,N,N,N,N,N,N,N,N 801.X ,Y,Y,Y,N,N,N,Y,N,Y,Y,N,N,Y,N,N EAP-MD5,N,Y,N,N,N,N,N,N,N,N,N,N,N,N,N LEAP (aka EAP-Cisco),N,N,N,Y,N,N,N,N,Y,Y,N,N,Y,N,N PEAP,Y,N,Y,N,N,N,N,N,N,Y,N,N,N,N,N EAP over TLS,N,N,N,N,N,N,N,N,N,N,N,N,Y,N,N TTLS,N,N,N,N,N,N,Y,N,N,N,N,N,N,N,N Other EAP Name: _________ ,N,N,N,N,N,N,N,N,N,N,N,N,N,N,N AirDefense,N,N,N,N,N,N,N,N,N,N,N,N,N,N,N Bluesocket,N,N,N,N,N,N,N,Y,N,N,N,N,N,N,N Ecutel,N,N,N,N,N,N,N,N,N,N,N,N,N,N,N ReefEdge,N,N,N,N,N,N,N,N,N,N,N,N,N,N,N Vernier,N,N,N,N,N,N,N,N,N,N,N,N,N,N,N Other Name: ,Perfigo,,,,,,, , ,,,,,,N Network Topology,,,,,,,,,,,,,,, -------------------------,,,,,,,,,,,,,,, Are your wireless lans ...,, ,,,,,,,,,,,,, ,, ,,,,,,,,,,,,, On a separate VLAN from your campus network?,Y,N,Y,Y,Y,Y,Y,N,Y,Y,Y,Y,Y,Y,N On a private (RFC1918) network separate from your campus network?,N,N,Y,Y,Y,N,N,N,N,N,N,N,Y,Y,N On a public net or subnet(s) separate from your campus network?,N,Y,N,N,N,Y,N,N,Y,N,Y,Y,N,Y,N On the same network and/or subnets as your campus network?,Y,N,N,Y,N,N,N,Y,N,Y,N,N,Y,N,Y Other? Explain ______________________,N,N,N,N,N,N,N,N,N,N,N,N,N,N,N Network Access Control,,,,,,,,,,,,,,, ---------------------------------,,,,,,,,,,,,,,, Do you have a firewall between your wireless LAN(s) and the campus network?,N,N,Y,N,N,N,Y,N,Y,N,N,N,N,Y,N Do you have a firewall between your wireless LAN(s) and the Internet?,Y,Y,Y,Y,N,Y,Y,N,Y,N,N,N,NY,Y,N Do you require the use of a VPN to send traffic off of your WLAN?,N,N,N,N,Y,Y,N,N,N,N,N,N,NY,N,N Do you require the use of a VPN to send traffic from your WLAN into your campus net?,Y,N,N,N,Y,Y,N,N,N,N,N,N,N,N,N ,,,,,,, ,,,,,,,, Do you have a secure method of keeping out unregistered MAC addressed WLAN cards?,Y,N,N,N,N,N,N,Y,Y,N,Y,N,Y,Y,N Do you have protection against ARP spoofing/cache poisoning and 'dsniff' type attacks?,Y,N,N,N,N,N,N,Y,N,N,N,N,N,N,N Is your SSID (network name) kept private?,N,N,Y,N,N,Y,N,N,Y,N,N,N,N,N,N Do you disable SSID (network name) info in broadcasts (beacon frames)?,N,N,Y,N,N,Y,Y,N,Y,N,Y,N,YN,N,N Do you provide wireless users with protection against accidental and malicious association,,,,, ,,,, ,,,,,, with rogue access points?,N,N,N,Y,N,N,Y,N,N,Y,Y,N,Y,N,N Do you monitor for rogue WiFi cards/stations?,N,N,Y,N,Y,N,Y,N,Y,N,Y,Y,NY,N,N Do you monitor for rogue WiFi Access Points?,Y,N,Y,Y,Y,Y,Y,N,Y,N,Y,Y,NY,N,N Do you monitor for channel/signal interference?,Y,N,Y,Y,Y,Y,Y,N,Y,N,Y,Y,YN,N,Y Do you have a wireless management system?,N,N,N,Y,Y,N,Y,N,N,Y,N,Y,NY,N,N Do you use or have the ability to jam wireless signals on campus?,N,N,N,N,N,N,N,N,N,N,N,N,N,N,N Authentication,,,,,,,,,,,,,,, --------------------,,,,,,,,,,,,,,, Do you allow unauthenticated (open) access?,N,N,N,N,N,N,N,N,Y,N,N,N,N,N,N Do you require MAC (Hardware Address) registration and DHCP for access?,Y,Y,N,N,N,N,N,N,Y,N,Y,Y,Y,Y,Y Do you require campus ID signon (e.g. NetID and password) via capture and redirection,Y,N,N,N,N,N,Y,Y,N,N,N,Y,N,Y,Y to a webpage (web authentication)?,,, ,,,,,,,,,,,, Do you require campus ID signon (e.g. NetID and password) via WiFi driver authentication?,,, ,,,,,,,,,,,, " (e.g. supplicant 801.X/*EAP/WPA/802.11i, etc.)",Y,Y,N,Y,N,N,Y,N,N,Y,N,NY,Y,N,N Do you require X.509 certificates for WiFi access?,N,N,N,N,N,N,N,N,N,N,N,N,Y,N,N Do you require smartcard auth. for WiFi access?,N,N,N,N,N,N,N,N,N,N,N,N,N,N,N Do you use a VPN to authenticate for WiFi access?,N,N,N,N,Y,Y,N,N,N,N,N,N,N,N,N Encryption,,,,,,,,,,,,,,, ---------------,,,,,,,,,,,,,,, WEP 40/64 bit static,N,N,N,N,N,N,N,N,Y,N,Y,N,N,N,N WEP > 40/64 bit static,N,N,N,N,N,Y,N,N,Y,N,N,N,N,N,N ,, ,,,,,,,,, ,,,, WEP 40/64 bit dynamic,N,N,N,Y,N,N,N,N,N,N,N,N,N,N,N WEP > 40/64 bit dynamic,N,N,N,N,N,N,N,N,N,N,N,N,Y,N,N WPA 128 bit 'standalone' ,N,N,N,N,N,N,N,N,N,N,N,N,N,N,N WPA 128 bit 'Enterprise' (802.1X server),N,N,N,N,N,N,Y,N,N,Y,N,NY,NY,N,N Do you require/allow/recommend/don't care about encryption at the ____ layer on WLANs?, , , , ,,,,,,,,,,,R Application (SSH), ,DC,"A,REC",DC,DC,REC,DC,,R,REC,REC,REC,REC,DC,R Session (SSL/TLS), ,DC,"A,REC",DC,DC,REC,R,,R,REC,REC,REC,REC,DC,R Transport (PPTP VPN), ,DC,"A,REC",DC,R,R,DC,,R,DC,REC,R,NA,DC,R Network (IPSEC and/or L2TP VPN), ,DC,"A,REC",DC,R,R,DC,,R,DC,A,R,REC,DC,R " Data Link (WEP, WPA)", ,DC,"A,REC",R,DC,R,DC,,R,R,R,DC,REC,DC,R Policy,,,,,,,,,,,,,,, ---------,,,,,,,,,,,,,,, Do you have a policy which reserves WiFi spectrum frequencies to UNIV?,Y,N,Y,Y,Y,N,Y,N,N,N,Y,N,Y,Y,N Do you allow wireless access points to be set up by:,NR,,,,,,,,,,,,,, (non-IT) departments? ,N,N,N,N,N,N,N,Y,N,Y,N,Y,Y,N,Y any faculty members?,N,N,N,N,N,N,N,Y,N,Y,N,Y,N,N,Y students?,N,N,N,N,N,N,N,Y,N,N,N,Y,N,N,Y Do you have minimum security configuration standards required for non-IT WAPs?,N,N,Y,N,Y,N,N,Y,NA,Y,NA,Y,Y,N,N Do you have any other interesting or unique security measures on your WLAN?,N,N,,N,N,N,N,Bluesocket,,,Port Kill,,LEAP,,N ,,,,,,,,,,,,,TO,, ,,,,,,,,,,,, ,EAP-TLS,, # # # ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Attachment:
smime.p7s
Description:
Current thread:
- 1 Survey summary, 2 new surveys -- was Re: [unisog] Survey of effective campus wireless security practices -- your input is requested H. Morrow Long (Jun 01)