[oagitm] Re: WIFI

  • From: "Verharst, Greg" <greg.verharst@xxxxxxxxxxx>
  • To: "'jgardner@xxxxxxxxxxxxxxxx'" <jgardner@xxxxxxxxxxxxxxxx>, "'oagitm@xxxxxxxxxxxxx'" <oagitm@xxxxxxxxxxxxx>
  • Date: Tue, 24 Jun 2014 19:25:44 +0000

These are the requirements that Justice Agencies accessing CJI must adhere to 
as stated in the Criminal Justice Information Services (CJIS) Security Policy.



1. Perform validation testing to ensure rogue APs (Access Points) do not exist 
in the 802.11 Wireless Local Area Network (WLAN) and to fully understand the 
wireless network security posture.

2. Maintain a complete inventory of all Access Points (APs) and 802.11 wireless 
devices.

3. Place APs in secured areas to prevent unauthorized physical access and user 
manipulation.

4. Test AP range boundaries to determine the precise extent of the wireless 
coverage and design the AP wireless coverage to limit the coverage area to only 
what is needed for operational purposes.

5. Enable user authentication and encryption mechanisms for the management 
interface of the AP.

6. Ensure that all APs have strong administrative passwords and ensure that all 
passwords are changed in accordance with Section 5.6.2.1.

7. Ensure the reset function on APs is used only when needed and is only 
invoked by authorized personnel. Restore the APs to the latest security 
settings, when the reset functions are used, to ensure the factory default 
settings are not utilized.

8. Change the default service set identifier (SSID) in the APs. Disable the 
broadcast SSID feature so that the client SSID must match that of the AP. 
Validate that the SSID character string does not contain any agency 
identifiable information (division, department, street, etc.) or services.

9. Enable all security features of the wireless product, including the 
cryptographic authentication, firewall, and other privacy features.

10. Ensure that encryption key sizes are at least 128-bits and the default 
shared keys are replaced by unique keys.

11. Ensure that the ad hoc mode has been disabled unless the environment is 
such that the risk has been assessed and is tolerable. Note: some products do 
not allow disabling this feature; use with caution or use different vendor.

12. Disable all nonessential management protocols on the APs and disable 
hypertext transfer protocol (HTTP) when not needed or protect HTTP access with 
authentication and encryption.

13. Enable logging (if supported) and review the logs on a recurring basis per 
local policy. At a minimum logs shall be reviewed monthly.

14. Segregate, virtually (e.g. virtual local area network (VLAN) and ACLs) or 
physically (e.g. firewalls), the wireless network from the operational wired 
infrastructure. Limit access between wireless networks and the wired network to 
only operational needs.

15. When disposing of access points that will no longer be used by the agency, 
clear access point configuration to prevent disclosure of network 
configuration, keys, passwords, etc.

I hope this helps.  Please let me know if you have any follow-up questions.

Greg Verharst

CJIS Information Security Officer, Oregon State Police

Greg.Verharst@xxxxxxxxxxx

Desk: (503) 934-2335 - THIS IS A NEW NUMBER - PLEASE NOTE!!!

Fax:    (503) 378-2121 - THIS IS A NEW NUMBER - PLEASE NOTE!!!

OSP Helpdesk: (503) 934-0199



From: oagitm-bounce@xxxxxxxxxxxxx [mailto:oagitm-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Gardner
Sent: Tuesday, June 24, 2014 9:32 AM
To: 'oagitm@xxxxxxxxxxxxx'
Subject: [oagitm] WIFI

All, I have a general question about WIFI. Do you provide it at your 
facilities, and to what extent do you secure it?  We currently provide public 
WIFI that is segregated from our wired network, but it is only a partially 
managed solution that blocks sites by categories.  We are getting pressure to 
provide WIFI to all employees and the public, with the employees being able to 
access all network files and work-related resources.  That would be a 
significant cost to secure and provide that type of service, so I just wanted 
to see how and what everyone else was doing with WIFI at this point.

Jim Gardner
Information Systems Manager
800 Exchange, Suite 300
Astoria, OR 97103
Phone: 503-325-8662

This message has been prepared on resources owned by Clatsop County, Oregon. It 
is subject to the Internet and Online Services Use Policy and Procedures of 
Clatsop County.
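
Several items in the checklist quoted in the reply above (1, 2, 8, 10 and 11) can be checked mechanically from a wireless survey. The following is an added example, not part of the original messages or of the CJIS Security Policy: it compares constructed scan records against a constructed AP inventory, and the record fields, the agency term list and all addresses are assumptions.

```python
# Added example: constructed data and hypothetical field names throughout.
INVENTORY = {  # item 2: authorized BSSID -> SSID it is configured to use
    "02:00:00:aa:00:01": "wl-7f3a",
    "02:00:00:aa:00:02": "wl-7f3a",
    "02:00:00:aa:00:03": "wl-7f3a",
}
AGENCY_TERMS = ("county", "police", "sheriff", "dept")  # item 8, assumed list

SAMPLE_SCAN = [  # constructed survey records, not real captures
    {"bssid": "02:00:00:AA:00:01", "ssid": "wl-7f3a", "broadcast": False, "mode": "infrastructure", "key_bits": 128},
    {"bssid": "02-00-00-aa-00-02", "ssid": "CountyDept-Guest", "broadcast": True, "mode": "infrastructure", "key_bits": 128},
    {"bssid": "02:00:00:aa:00:03", "ssid": "wl-7f3a", "broadcast": False, "mode": "adhoc", "key_bits": 40},
    {"bssid": "02:00:00:bb:00:09", "ssid": "wl-7f3a", "broadcast": True, "mode": "infrastructure", "key_bits": 0},
    {"bssid": "02:00:00:cc:00:10", "ssid": "CoffeeShop", "broadcast": True, "mode": "infrastructure", "key_bits": 128},
]

def norm(bssid):
    """Normalize a BSSID so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    return bssid.strip().lower().replace("-", ":")

def audit(scan, inventory=INVENTORY, terms=AGENCY_TERMS):
    """Return (bssid, issue) pairs for one survey pass."""
    findings, seen = [], set()
    for ap in scan:
        bssid, ssid = norm(ap["bssid"]), ap["ssid"]
        seen.add(bssid)
        if bssid not in inventory:
            # Item 1: an unknown radio using our SSID is a rogue suspect;
            # any other unknown radio may be a neighbor and needs review.
            kind = "rogue-suspect-our-ssid" if ssid in inventory.values() else "unknown-ap-review"
            findings.append((bssid, kind))
            continue
        if ssid != inventory[bssid]:
            findings.append((bssid, "ssid-differs-from-inventory"))
        if any(t in ssid.lower() for t in terms):      # item 8
            findings.append((bssid, "ssid-identifies-agency"))
        if ap["broadcast"]:                            # item 8
            findings.append((bssid, "ssid-broadcast-enabled"))
        if ap["mode"] == "adhoc":                      # item 11
            findings.append((bssid, "adhoc-mode"))
        if ap["key_bits"] < 128:                       # item 10
            findings.append((bssid, "key-under-128-bits"))
    # Item 2: an inventoried AP that never appears may be moved or offline.
    findings += [(b, "inventoried-ap-not-seen") for b in sorted(set(inventory) - seen)]
    return findings

if __name__ == "__main__":
    for bssid, issue in audit(SAMPLE_SCAN):
        print(f"{bssid}  {issue}")
```

An "unknown-ap-review" result only means the radio is not in the inventory; deciding whether it is attached to the agency's wired network takes a separate check.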
