Wireless LAN deployment and federal regulations

SOX, FIPS, HIPAA. If you are deploying WLAN technology and are not familiar with these terms, then you better listen up. With the advent of homeland security, corporate scandal and the transmission of medical information via network infrastructures, there have been a multitude of regulations passed that require strict attention to security within the IT world. SOX, FIPS and HIPAA stand for Sarbanes Oxley, Federal Information Processing Standards and Health Insurance Portability and Accountability Act respectively. These regulations are in place for a variety of different reasons, but they all mean one thing:

YOU BETTER SECURE YOUR WLAN NETWORK

The rules for securing the network are as ambiguous as most federal regulations. For example, SOX stipulates that there be an internal accounting control structure that attests to management responsibility for establishing and maintaining adequate internal control over the financial reporting aspects of the organization. Try translating that into a security policy, or better yet into a technical solution that adheres to the standard. Both HIPAA and SOX provide for auditing of organizations to ensure that the regulations are being met, so it behooves anyone who is deploying WLAN technology to have at least a basic understanding of how compliance can be met.

Well, I am here to tell you that the easiest way to be compliant is to lock down your WLAN with strong authentication and encryption standards. For those of you unfamiliar with WLAN technology, there is a whole suite of security protocols and design schemes to ensure robust authentication and encryption. I will not go into all of the WLAN security protocols and standards, but I will tell you that Wired Equivalent Privacy (WEP) is NOT compliant.

Encryption is critical in terms of compliance because information in WLAN environments is transmitted over the airwaves. Someone can sit outside in the parking lot and capture your organization's fiscal reporting metrics or someone's medical records. This is entirely preventable by deploying a robust design that protects the environment.

The key to being compliant is to err on the side of caution. Since the regulations do not specify which technologies are acceptable in terms of compliance, it is up to you to decide what you want in your environment. If the auditors come in and are able to access your network via the WLAN, they better not be able to get to any sensitive data.

The best way to protect your network is to use the following WLAN security measures:

  • Do not broadcast any SSIDs from APs
  • Use 802.1X EAP protocols for authentication
  • At minimum, use dynamic WEP for encryption
  • Preferably, use IPsec for encryption

If you do these four things at a minimum, you will be compliant for an audit. However, it is necessary to maintain ongoing monitoring of the environment to ensure that no one breaks through the security or installs rogue APs in the environment. For this you will need to purchase a WLAN management system that monitors the environment 24x7. Several vendors, including AirDefense, BlueSocket and AirMagnet, provide these.
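To make the four measures and the rogue-AP monitoring concrete, here is an added audit script (not from the original tip or any of the vendors named) that checks a constructed set of scan records against a hypothetical authorized-AP inventory and the policy exactly as the tip states it: hidden SSID, 802.1X/EAP authentication, and dynamic WEP or IPsec as the encryption floor. The BSSIDs, SSIDs and field names are assumptions for illustration.

```python
# Constructed sample of what a WLAN monitoring system might report for nearby APs.
# "ssid" is the broadcast SSID ("" means hidden); values are hypothetical.
SCAN = [
    {"bssid": "00:11:22:33:44:01", "ssid": "",          "auth": "802.1X-EAP", "encryption": "IPsec-VPN"},
    {"bssid": "00:11:22:33:44:02", "ssid": "",          "auth": "802.1X-EAP", "encryption": "dynamic-WEP"},
    {"bssid": "00:11:22:33:44:03", "ssid": "CORP-WLAN", "auth": "802.1X-EAP", "encryption": "dynamic-WEP"},
    {"bssid": "00:11:22:33:44:04", "ssid": "",          "auth": "PSK",        "encryption": "static-WEP"},
    {"bssid": "de:ad:be:ef:00:01", "ssid": "linksys",   "auth": "open",       "encryption": "none"},
]

# Hypothetical inventory of the APs the organization actually deployed.
AUTHORIZED = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03", "00:11:22:33:44:04"}

# Encryption choices the tip accepts: dynamic WEP as the minimum, IPsec preferred.
ACCEPTABLE_ENCRYPTION = {"dynamic-WEP", "IPsec-VPN"}


def check_ap(ap):
    """Return the list of policy findings for one authorized AP (empty list = compliant)."""
    findings = []
    if ap["ssid"]:
        findings.append("SSID broadcast enabled")
    if ap["auth"] != "802.1X-EAP":
        findings.append("authentication is not 802.1X/EAP")
    if ap["encryption"] not in ACCEPTABLE_ENCRYPTION:
        findings.append("encryption below the dynamic WEP minimum")
    return findings


def audit(scan, authorized):
    """Map each BSSID to (status, findings): 'rogue' if not in inventory, else 'noncompliant' or 'ok'."""
    report = {}
    for ap in scan:
        if ap["bssid"] not in authorized:
            # Unknown radio on the air: the ongoing-monitoring case the tip calls out.
            report[ap["bssid"]] = ("rogue", ["BSSID not in authorized inventory"])
        else:
            findings = check_ap(ap)
            report[ap["bssid"]] = ("noncompliant" if findings else "ok", findings)
    return report


if __name__ == "__main__":
    for bssid, (status, findings) in audit(SCAN, AUTHORIZED).items():
        print(f"{bssid}  {status:12s} {'; '.join(findings)}")
```

Feeding real scan output into `audit` is the only change needed to run this against a live inventory; anything reported as rogue or noncompliant is what an auditor would find first.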

Good luck, and hopefully your WLAN deployments are secure and reliable!


Robbie Harrell (CCIE#3873) is the National Practice Lead for Advanced Infrastructure Solutions for SBC Communications. He has over 10 years of experience providing strategic, business, and technical consulting services to clients. Robbie resides in Atlanta, and is a graduate of Clemson University. His background includes positions as a Principal Architect at International Network Services, Lucent, Frontway and Callisma.


This was first published in June 2005
