"NYP Wireless Network Security Policy and Procedures"
23 July 2002

PURPOSE

The purpose of this document is to establish procedures to ensure the appropriate protection of New York Presbyterian (NYP) Hospital's and Columbia University Health Sciences' data communication over wireless forms of transmission and reception.

SCOPE

This policy applies to all employees, contractors, consultants, temporaries, and other workers at New York Presbyterian Hospital, including those workers affiliated with third parties who access NYP information systems and networks. Throughout this policy, the word "worker" will be used to collectively refer to all such individuals. The policy applies to all wireless computer and data communication systems owned by and/or administered by NYP and Columbia University Health Sciences. Currently, this policy is limited to the 802.11b and 802.11a standards.

GENERAL POLICY

CORE Resources is implementing a new wireless data communication system called Rome. This system is a wireless access system based on the IEEE 802.11b standard. Rome allows NYP staff and Columbia Health Sciences staff, students and faculty to access the data communications network, and most of its facilities, from their mobile or portable computers. This standard uses the FCC unlicensed 2.4 GHz Industrial/Scientific/Medical (ISM) band. Transmissions within that band conform to the IEEE 802.11 DSSS (Direct Sequence Spread Spectrum) wireless LAN specification. Certain other "wireless" devices on the market also use the 2.4 GHz band and can interfere with users of the Rome system. These devices include, but are not limited to, other IEEE 802.11 wireless LAN devices, cordless telephones, video cameras, and audio speakers.

RESPONSIBILITIES

The Department of CORE Resources shall administer the Rome system at NYP / Columbia University Health Sciences.
CORE Resources will provide access points (APs) and IP, IPX and AppleTalk connectivity to the data communication network in various areas throughout the campus as needed by the user community.

In order to assure the highest level of service to the users of the Rome system, CORE Resources needs help from all members of the campus community in minimizing the potential interference from other 2.4 GHz devices. CORE Resources requests that use of all other 2.4 GHz devices be discontinued in NYP / Columbia Health Sciences buildings. In cases where the device is being used for a specific teaching or research application, CORE Resources will work with faculty to determine whether there are circumstances under which use of the device may still be accommodated without causing interference to Rome system users.

CORE Resources will approach the shared use of the 2.4 GHz radio frequency in the same way that it manages the shared use of the wired network. We will actively monitor use of the airspace for potentially interfering devices, and we will seek out the user of a specific device if we find that it is actually causing interference and disrupting the campus network. In these cases, CORE Resources reserves the right to restrict the use of all 2.4 GHz radio devices in NYP / Columbia Health Sciences buildings and all outdoor spaces on the Columbia Presbyterian Center (CPC) / Health Sciences Campus.

If you think you have an existing system that may use 2.4 GHz radios for transmission, or you are planning to purchase a wireless system and are uncertain whether it employs 2.4 GHz radios, please contact the Helpdesk at 5-HELP (5-4357) or send mail to firstname.lastname@example.org. The Helpdesk can assist you in contacting CORE Resources and resolving any interference and/or interoperability issues.

The following is a list of General Rules:

• All APs shall be Cisco Aironet 350 Wireless Access Points unless otherwise authorized by the department.
• Wireless Network Interface Cards (NICs) shall be Cisco Aironet 350. Support for other compatible devices is not guaranteed. Users are free to try other wireless NICs but will have to configure and troubleshoot connectivity on their own.
• Connectivity to the "wired" data communication network will be via the existing network infrastructure at each AP location. The data will then be carried via a single Virtual LAN (VLAN) shared by all APs. This VLAN will collapse into a single network device that provides Layer 3 connectivity to the rest of the data communication network.
• All data communication and activity within the Rome system will be considered untrusted. This means that users will be subject to restrictions implemented to protect the security and integrity of the data communication network as a whole.
• Access to the Internet shall be provided with little restriction or protection. However, the acceptable use policies (AUP) for the "wired" LAN supersede this policy. Users shall not violate the general AUP.
• Access to NYP / Health Sciences systems and data will only be allowed via a VPN connection using IPsec.
• CORE Resources reserves the right to confiscate any device that is causing interference with the Rome system and whose owner or custodian is unwilling to turn it off after it has been found to interfere with the Rome system.

Users are encouraged NOT to install their own wireless networking devices and should ask CORE Resources to provide connectivity in the area.

PROCEDURE

The system is provided as a supplement to the "wired" network, not a replacement for it. This implies that the Rome system will not be redundant, nor shall it be considered for critical business use. It is intended more for convenience than for business-critical application use.
The following procedures will be used as a guideline for the implementation and use of the Rome system.

The Rome System

• The Rome system is to be implemented by the installation of a central switch/router into which all connections from APs will eventually collapse. The switch/router will be a Cisco 5500 class switch/router or similar with enough capacity to accommodate a fiber optic connection from each of the campus buildings at 100 Mb/s full-duplex or greater.
• A link from each building to the central Rome switch/router will be made from the lower level distribution switch/router existing in Hospital buildings. University owned buildings currently have only one distribution switch, and the connection shall be made from that switch.
• VLAN 888 will be used for the Rome system and implemented as a "flat network" in which the VLAN spans every connection to each of the buildings and APs. This is necessary to facilitate seamless roaming from one location to another without having to renegotiate a new Layer 3 network address between the mobile device and the system.
• IP subnet 220.127.116.11/23 is to be used for IP addressing. This subnet provides roughly 512 IP addresses (the /23 block, less the network, broadcast, router and AP management addresses) that can be active at any one time within the Rome system.
• Addressing will be via DHCP only. No static addressing will be supported in the Rome system. This will be strictly enforced, and no single device can be assigned any one specific address. Users shall not expect a static address, and if a mobile device receives the same address it is purely coincidental.
• Access Points will initially be Cisco Aironet 350 Wireless Access Points. These are 802.11b compliant devices that support industry standard protocols and are fully manageable.
• APs will be connected to the existing distribution layer switches at a particular location as needed. They shall be connected to VLAN 888 and configured with an IP address from the management IP subnet within the Rome system.
Placement of APs

To ensure the highest level of performance and coverage, CORE Resources shall conduct a "site survey" with industry accepted equipment and procedures. A Wireless Site Survey kit shall be used to survey and map an area to be covered. Where more than one AP is necessary to provide coverage, the following channel scheme is to be used, so that neighbouring cells sit on the three mutually non-overlapping 2.4 GHz channels:

CHANNEL 1   CHANNEL 6   CHANNEL 11   CHANNEL 1

Enough overlap is to be provided to allow ample time and power for mobile devices to transparently roam between "cells" without loss of connectivity. Signal strength is never to drop below 40 dB without another cell overlapping the same spot at that dB level. CORE Resources will allow for a 3 dB variance in signal strength.

APs will be mounted professionally to the wall, the ceiling, or above dropped ceiling tiles. Mounting will be dictated primarily by performance of the system. CORE Resources will take into consideration the aesthetics of an installation in a particular area and will accommodate the occupants of the area at the expense of the department requesting the relocation of the device(s). Power is to be provided via in-line power over the Cat-5 cabling to be installed from each AP to the nearest data closet.

Where a business-critical application requires wireless connectivity, CORE Resources will design and implement a more robust, highly redundant wireless system. These one-time custom implementations shall NOT be part of the Rome system and shall remain separate entities with unique addressing and connectivity schemes.

End User Responsibilities

Users are encouraged to purchase Cisco Aironet 350 Wireless Network Interface Cards (NICs) or a subsequent model from Cisco. CORE Resources has done extensive compatibility testing and has found these cards to provide greater performance and feature sets than any other comparable product. Of great importance is the support for security features not provided by other vendors.
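The channel scheme and the 40 dB / 3 dB coverage rule in "Placement of APs" above can be checked mechanically against the readings a site-survey kit produces. The following Python is an added example for this page, not CORE Resources' survey tooling; the AP names, channel assignments and survey readings are constructed for illustration, and the 22 MHz channel width is the 802.11b DSSS figure that makes 1, 6 and 11 the non-overlapping set.

```python
"""Check a 2.4 GHz 802.11b cell plan and site-survey readings against the policy's
coverage and channel rules. Illustrative code, not CORE Resources' survey tooling."""
from itertools import combinations

# 802.11b DSSS channels are spaced 5 MHz apart but each signal is about 22 MHz
# wide, so two cells share spectrum unless their channels are at least 5 apart.
# That is why the policy's scheme cycles through channels 1, 6 and 11.
CHANNEL_WIDTH_MHZ = 22
NON_OVERLAPPING = (1, 6, 11)


def center_mhz(channel):
    """Centre frequency of a 2.4 GHz channel; channel 14 (Japan) is the outlier."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def channels_overlap(a, b):
    """True when the two channels' 22 MHz signals overlap on the air."""
    return abs(center_mhz(a) - center_mhz(b)) < CHANNEL_WIDTH_MHZ


def assign_channels(n_cells):
    """Channel for each cell in a row of n_cells, cycling 1, 6, 11, 1, ... as the policy shows.
    A row is the simple case; on a two-dimensional floor plan every pair of neighbouring
    cells needs the same test, which check_survey applies from the readings themselves."""
    return [NON_OVERLAPPING[i % len(NON_OVERLAPPING)] for i in range(n_cells)]


def check_survey(ap_channels, survey, floor_db=40, variance_db=3):
    """Return a list of findings; an empty list means the plan meets the policy.

    ap_channels: {ap_name: channel}
    survey:      {point_name: {ap_name: signal_db}} as read with the survey kit
    A point passes when at least one cell reads floor_db (less the allowed variance)
    and every pair of cells that both serve the point sits on non-overlapping channels.
    """
    findings = []
    threshold = floor_db - variance_db
    for point, readings in survey.items():
        serving = sorted(ap for ap, db in readings.items() if db >= threshold)
        if not serving:
            best_ap, best_db = max(readings.items(), key=lambda kv: kv[1])
            findings.append(f"{point}: coverage hole, best reading {best_ap} at {best_db} dB")
            continue
        for a, b in combinations(serving, 2):
            ch_a, ch_b = ap_channels[a], ap_channels[b]
            if channels_overlap(ch_a, ch_b):
                findings.append(f"{point}: {a} (channel {ch_a}) and {b} (channel {ch_b}) overlap on the air")
    return findings


# Constructed sample: four APs along one corridor and five survey points.
# P2 and P5 are hand-off zones where two cells overlap; P4 is a gap in coverage.
GOOD_PLAN = dict(zip(["AP1", "AP2", "AP3", "AP4"], assign_channels(4)))
BAD_PLAN = dict(GOOD_PLAN, AP2=3)  # channel 3 shares spectrum with channel 1
SURVEY = {
    "P1": {"AP1": 55, "AP2": 30},
    "P2": {"AP1": 41, "AP2": 42},
    "P3": {"AP2": 52, "AP3": 28},
    "P4": {"AP2": 35, "AP3": 36},
    "P5": {"AP3": 45, "AP4": 39},
}

if __name__ == "__main__":
    for name, plan in (("good plan", GOOD_PLAN), ("bad plan", BAD_PLAN)):
        print(name, plan)
        for finding in check_survey(plan, SURVEY) or ["no findings"]:
            print("  ", finding)
```

With the 1/6/11 assignment the only finding is the coverage hole at P4 (36 dB against a 37 dB threshold), which is the case the policy says needs another overlapping cell; moving AP2 to channel 3 additionally flags P2, where two cells serve the same spot on overlapping channels.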
Security will be the most important consideration while we implement and support the Rome system. While WEP security is available in most wireless products, it will not be implemented within the Rome system; the wireless network is treated as untrusted, and protection is provided end to end by the VPN instead. All traffic to and from the Internet will be allowed unencrypted. Traffic to and from the Health Sciences Campus network, Columbia University, New York Presbyterian Weill Cornell Center and Weill Cornell Medical College will be allowed only via a VPN connection. Users will need to have a VPN account to access these resources.

The use of other wireless NICs is not prohibited. The Rome system shall support any 802.11b wireless device. However, CORE Resources will prioritize support for those users with a Cisco 350 Wireless NIC or similar.

Wireless NICs that are causing interference will be confiscated by CORE Resources to maintain system integrity. Users willingly causing interference to the system will be reported to Human Resources for disciplinary action and their device will be confiscated.

Attempts to bypass security or to damage the system passively and/or actively are strictly prohibited. The use of scanning software to capture raw data from the wireless data stream is strictly prohibited. "War driving", or the active scanning of 802.11b data streams for the purpose of finding weaknesses in the integrity of the system with the intent of exploiting such weaknesses, is strictly prohibited. Promiscuous data capture for whatever reason is also strictly prohibited. Data capture is to be done only by CORE Resources or other authorized personnel for the purposes of system testing or troubleshooting or for security reasons. Ample notice shall be given prior to any such data capture.

Users shall never assume privacy when using the Rome system; because the radio link is unencrypted, anything sent outside the VPN can be read by any station within radio range. It is the sole responsibility of the user to ensure their privacy and the protection of privileged information and/or intellectual property.
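The General Rules and the security paragraph above together define what the Layer 3 device at the end of VLAN 888 has to enforce: DHCP, IPsec to the VPN concentrator and the Internet pass; everything else bound for campus networks is dropped. The following Python is an added example for this page, not CORE Resources' configuration: it models that rule set, evaluates constructed flows against it, and renders the equivalent Cisco IOS extended access list. The wireless subnet, the concentrator address, the campus ranges, the list number 188 and the assumption that the central switch/router runs IOS are all placeholders, since the policy publishes none of them.

```python
"""Model the Layer 3 policy for the untrusted Rome VLAN: DHCP, IPsec to the VPN
concentrator and the Internet pass; anything else bound for campus networks is dropped.
Illustrative code with placeholder addresses, not CORE Resources' configuration."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Assumed addresses: the policy specifies a /23 wireless subnet and an IPsec VPN
# but publishes neither the subnet nor the concentrator or campus ranges.
WIRELESS_NET = ip_network("10.88.0.0/23")
VPN_GATEWAY = ip_address("10.1.1.10")
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]

ANY = object()  # sentinel for "any destination"
Flow = namedtuple("Flow", "proto src dst dport")

# Ordered rule table, first match wins: (description, action, protocol, destination, dest port).
# The IKE and ESP permits must precede the campus deny because the concentrator
# itself sits on a campus range; IKE is UDP/500 and ESP is IP protocol 50.
RULES = [
    ("DHCP to any server or relay", "permit", "udp", ANY, 67),
    ("IKE to the VPN concentrator", "permit", "udp", VPN_GATEWAY, 500),
    ("ESP to the VPN concentrator", "permit", "esp", VPN_GATEWAY, None),
]
RULES += [(f"block campus network {net}", "deny", "ip", net, None) for net in INTERNAL_NETS]
RULES.append(("Internet with little restriction", "permit", "ip", ANY, None))


def _dst_matches(target, addr):
    if target is ANY:
        return True
    if hasattr(target, "network_address"):  # a network
        return addr in target
    return addr == target                    # a single host


def _rule_matches(rule, flow):
    _, _, proto, dst, dport = rule
    if proto != "ip" and proto != flow.proto:
        return False
    if not _dst_matches(dst, flow.dst):
        return False
    return dport is None or dport == flow.dport


def evaluate(flow):
    """Return (action, reason) for a flow leaving the wireless VLAN."""
    if flow.src not in WIRELESS_NET:
        return "deny", "source is not a Rome address"
    for rule in RULES:
        if _rule_matches(rule, flow):
            return rule[1], rule[0]
    return "deny", "implicit deny"


def check(proto, src, dst, dport=None):
    """Convenience wrapper taking plain strings."""
    return evaluate(Flow(proto, ip_address(src), ip_address(dst), dport))


def _wildcard(net):
    """IOS access lists take a network plus an inverse mask rather than a prefix length."""
    return f"{net.network_address} {net.hostmask}"


def render_ios_acl(number=188):
    """Render RULES as a Cisco IOS extended access list, one remark line per rule."""
    lines = []
    src = _wildcard(WIRELESS_NET)
    for desc, action, proto, dst, dport in RULES:
        if dst is ANY:
            dst_text = "any"
        elif hasattr(dst, "network_address"):
            dst_text = _wildcard(dst)
        else:
            dst_text = f"host {dst}"
        port_text = f" eq {dport}" if dport is not None else ""
        lines.append(f"access-list {number} remark {desc}")
        lines.append(f"access-list {number} {action} {proto} {src} {dst_text}{port_text}")
    return lines


if __name__ == "__main__":
    print("\n".join(render_ios_acl()))
    for args in (("udp", "10.88.0.5", "255.255.255.255", 67),
                 ("udp", "10.88.0.5", "10.1.1.10", 500),
                 ("tcp", "10.88.0.5", "10.20.30.40", 80),
                 ("tcp", "10.88.0.5", "198.51.100.7", 80)):
        print(args, "->", check(*args))
```

Two points the model makes visible: rule order matters, since a plain TCP connection to the concentrator (say port 22) falls through to the campus deny while IKE and ESP to the same host are permitted; and the list only controls where wireless clients may send, not who can hear them on the air, which is why the policy requires the VPN rather than relying on the access list. If the DNS or DHCP servers the clients depend on live inside the campus ranges, they need explicit permits ahead of the deny entries.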
CORE Resources makes no guarantees as to the security of the data traversing the Rome system.

EXCEPTIONS

NYP acknowledges that under rare circumstances, certain workers will need to employ systems that are not compliant with this policy. All such instances must be approved in writing and in advance by the Information Security Officer and by the Director of CORE Resources.

VIOLATIONS

NYP workers who willingly and deliberately violate this policy will be subject to disciplinary action up to and including termination and civil and/or criminal penalties.