Brookhaven Wireless Access Policy

Title: Deployment and Management of 802.11 and Related Wireless Standards
Applicability:
All Employees, Guests, System Administrators, and Management
General

The purpose of the wireless policy and related standards and guidelines is to assure that Brookhaven National Laboratory’s (BNL’s) employees, guests, and contractors have access to a reliable, robust, and integrated wireless network, and to increase the security of the campus wireless network to the extent possible.

This document describes how wireless technologies are to be deployed, administered, and supported at BNL. Only wireless systems that meet the criteria of this policy or have been granted an exclusive waiver by Cyber Security are approved for connectivity to BNL’s networks. This procedure also addresses wireless access points (APs) connected to Brookhaven's network.

Note: Wireless access points and client systems (desktop, laptop, handheld-, portable-, or other computing devices) are prohibited in Limited Areas.

Campus and Visitor Wireless Zones - Wireless APs, by default, will reside on BNL’s Visitor Wireless Zone. Cyber Security will review, case-by-case, all wireless APs that must reside on the BNL Campus Wireless Zone because of operational needs.  

  • All wireless APs connected to the Brookhaven network must be registered through the Cyber Security Management Information System (CSMIS) before installation. 
  • APs will be scanned for vulnerabilities to establish the baseline level of security required for the network they connect to.
  • Wireless subnets will be isolated by a firewall from the rest of the BNL network to restrict access to network resources and allow logging.  All well-known exploits will be blocked with firewall rules.
  • Client systems accessing the BNL Visitor Wireless Zone must have antivirus software and up-to-date patches.  

Campus Wireless Zone - Client systems accessing the BNL Campus Wireless Zone must follow all the same guidelines for access to the network as for the wired Local Area Network (LAN) including, but not restricted to, network registration, antivirus software, up-to-date patches, and strong passwords that comply with the BNL Password Policy.

Approved Technology

To ensure that technical coordination is in place to provide the best possible wireless network for the Laboratory, the Information Technology Division will centrally manage the procurement, installation, operations, and maintenance of wireless APs. 

All new wireless access points must use Brookhaven-approved vendor products and security configurations. To retain legacy wireless APs on the BNL Wireless Campus Zone, users must apply for an exception to this policy via the Cyber Security Management Information System (CSMIS).  

  • Contact the Cyber Security Office at security@bnl.gov to find out how you can apply for an exception to this policy when accessing this web page from outside the laboratory.

Campus and Visitor Wireless Zones - All wireless APs shall support controlled remote management; SNMPv3 will be used when available, and SSL for web-based management.  Wireless APs shall be managed from the wired LAN only. Wireless routers are not permitted on the network. Wireless APs shall not run Network Address Translation/Port Address Translation.  All implementations must support a hardware address that can be registered and tracked, i.e., a MAC address. Clients requiring the Dynamic Host Configuration Protocol (DHCP) service must use the normal DHCP server for BNL’s networks.

Authentication

Visitor Wireless Zone - While the Visitor Wireless Zone will, by default, be unencrypted, individual departments may request their own encrypted enclave on it once the request has been approved through the CSMIS.

Wireless Campus Zone - To comply with this policy, wireless implementations must maintain point-to-point hardware encryption with state-of-the-art technology (at least 128 bits). All systems must support and employ strong user authentication, authorization, and accounting that checks against an external database, such as a TACACS/RADIUS server.

Setting the Service Set Identifier (SSID)

The SSID shall not contain any identifying information about the organization, such as the employee’s name or product identifier.

Exceptions

The Cyber Security Office may grant specific exceptions to this policy to address needs that are not adequately provided for by the Campus and Visitor Wireless Networks, or for other reasons that Cyber Security deems appropriate. Requests for exceptions must be detailed and documented via the CSMIS and must justify the waiver. The Cyber Security Office makes all decisions about exceptions to the wireless policy.

Responsibilities of Requestor

The following steps must be taken to apply for approval to have a wireless AP installed:

  • Contact the Help Desk at itdhelp@bnl.gov or at 631.344.5522. The Help Desk will first determine whether a wireless AP is already located in the physical area where the requestor wants one installed. If so, the Help Desk will assist the requestor in connecting to it. If there is no wireless AP, the Help Desk will route a service call to ITD Network Services.
    • If the request is to locate an AP within range of an existing AP that belongs to an encrypted enclave, and the requestor is not a member of that group, the requestor may not be allowed to use the existing AP. In that case, the Help Desk will fulfill the request for a new AP.
  • Network Services will then contact the requestor to review the request. If the request is to install the wireless AP in the BNL Campus Wireless Zone, the requestor must contact the Cyber Security Office at security@bnl.gov to find out how to apply for a waiver when accessing this web page from outside the laboratory.
  • Once approval is received, Network Services (ITD/WAP Administrator) will register and install the wireless AP.

Responsibilities of the ITD WAP System Administrator

The Administrator will undertake the following tasks:

  • Change the Wireless AP default SSID; examine and change all other default parameters.
  • Manage the 128-bit access keys.
  • Contact the Cyber Security Office at security@bnl.gov to find out how you can ensure that all wireless APs are properly registered when accessing this web page from outside the laboratory.
  • Ensure that exceptions are processed and approved before installation.
  • Ensure all wireless APs comply with stated policies.

Responsibility of Chief of Cyber Security 

  • Review and approve waivers for exception to the policy.
  • Conduct regular "compliance checks" on all wireless APs on the Campus network.
  • Conduct periodic penetration tests and audits on all wireless APs.
  • Carry out periodic sweeps of the Laboratory network to locate unregistered rogue access points.
  • Disconnect unregistered access points from the network until they are properly approved, and likewise disconnect any access point used for irresponsible, inappropriate, or illegal activity as defined by the BNL Personal User Agreement.

Questions about requirements within this document can be directed to the:

Wireless Policy Definitions

  • BNL Network - BNL's Network includes the backbone network and all Local Area Networks at the Laboratory funded by BNL, the DOE, or collaborators.
  • Client Systems (hardware/software) - The equipment and software that is installed in a desktop, laptop, handheld-, portable-, or other computing device.
  • Campus Wireless Zone – The zone that accommodates wireless devices in the internal Campus Zone.  It allows users to connect directly to the internal BNL network without using VPN access. 
  • Media Access Control (MAC) - This is a unique hardware identifier for each individual device or device interface on a network.    
  • Network Address Translation (NAT) – This is a mechanism for reducing the need for globally unique IP addresses. NAT allows an organization with addresses that are not globally unique to connect to the Internet by translating them into globally routable address space.  It is also known as a Network Address Translator.
  • Port Address Translation (PAT) – The function of PAT is similar to that of NAT, but here data from different IP addresses are altered so that they can share the same source IP address.  To ensure that the data is still distinguishable (and the replies can be routed back correctly), the source port is varied in some defined way.
  • SSID – A Service Set Identifier is a name that identifies a wireless network.  All devices on a specific wireless network must know its SSID.
  • User Authentication - A method verifying that the user of a wireless system is a legitimate user, independent of the computer or operating system being employed.  
  • Visitor Wireless Zone – A zone that allows persons using laptop computers equipped with wireless network cards to connect to the Visitor Network without needing to physically attach to the network, and with the capability to access the internal BNL Campus Zone via a VPN. Public access points are generally located in areas accessible to all people, and are usable by all members of the Brookhaven community.
  • Wireless Access Point - Any piece of equipment that allows wireless communication using transmitters and receivers. These devices act as hubs and allow communications to the campus network.
  • Wired Equivalent Privacy – This is a system used to encrypt and decrypt data signals transmitted between Wireless LAN devices.

Last Modified: April 6, 2010
Please forward all questions about this site to: Web Services