Information Security Standard M6

Security of Wi-Fi Infrastructure

Introduction

  1. UBC has a large and complex Wi-Fi network that plays an integral role in the operations of the University. Consequently, intruders and hackers may consider the Wi-Fi network an attractive target to breach the security of UBC Electronic Information and Systems.
  2. This standard defines requirements to ensure that Wi-Fi devices, such as Wireless Access Points (WAPs), which allow Wi-Fi devices to connect to a wired network, are deployed in a secure, controlled and centrally managed way to reduce the likelihood of a security breach. Unless otherwise indicated, UBC IT Network and Infrastructure is responsible for ensuring compliance with this standard.
  3. In addition to this standard, UBC IT Wi-Fi networks provisioned by UBC IT are governed by Policy SC11, Management of the Wireless Network.
  4. The Chief Information Officer has issued this standard under the authority of Policy SC14, Acceptable Use and Security of UBC Electronic Information and Systems. Questions about this standard may be referred to information.security@ubc.ca.

Deployment of WAPs

  1. All deployment of WAPs must be authorized by UBC IT.
  2. WAP hardware must be protected to ensure physical security mechanisms (e.g. locked cabinet, high ceiling mount, etc.) are in place to prevent theft, alteration or misuse.

Secure Configuration

  1. All WAPs should be secured using a minimum of Wi-Fi Protected Access (WPA2) with a minimum of AES 128-bit Encryption.
  2. Wired Equivalent Privacy (WEP) is prohibited for Wi-Fi network security, as it is insecure.
  3. It is recommended that Users connecting to WAPs, providing access to the UBC LAN, be configured to use the ”AutoConnect” ubcsecure automated client configuration tool. This will help prevent connecting to rogue WAPs, which have been setup with the same name (spoofing) to steal credentials.
  4. Console access must be password protected in compliance with the Passphrase and Password Protection standard.
  5. WAP and wireless controller management must be handled as follows:
    1. secure protocols such as HTTPS, SSH and CAPWAP must be utilized;
    2. management must only be over the LAN interface;
    3. if SNMP is used in the management environment, all default SNMP community strings must be changed, otherwise it must be disabled; and
    4. vendor defaults such as Encryption keys and administrative passwords must be changed.
  6. The use of Telnet and other insecure protocols is prohibited.

Security Updates

  1. The operating system or software code on WAP and wireless controllers should be patched and kept current to ensure proper protection from the latest security vulnerabilities.
  2. WAPs and wireless controllers must be replaced if they have reached end of life for software support.

Additional Requirements for Merchant Systems

  1. Users responsible for Merchant Systems must:
    1. ensure that a perimeter firewall is in place between any Wi-Fi network and Merchant Systems processing Payment Card Industry (PCI) Information. These firewalls must be configured to deny or control any traffic from the Wi-Fi environment to Merchant Systems;
    2. test for the presence of unauthorized WAPs on a quarterly basis. Methods that may be used in the process include, but are not limited to, Wi-Fi network scans, physical/logical inspections of system components and IT Infrastructure, network access control (NAC), or Wi-Fi IDS/IPS; and
    3. report any unauthorized WAPs as a security incident, in compliance with the Reporting Cybersecurity Incidents standard.

Related Documents and Resources

  1. Policy SC11, Management of the Wireless Network
  2. Policy SC14, Acceptable Use and Security of UBC Electronic Information and Systems
  3. Passphrase and Password Protection standard
  4. Reporting Cybersecurity Incidents standard

Standard Last Revised: 2021-01