To reduce the risks associated with the installation of unauthorized and/or improperly secured wireless networking devices that extend the University of Iowa campus network, the following procedures have been developed to facilitate the detection, analysis, and mitigation of unauthorized (rogue) wireless access points. The primary risk posed by such devices is exposure and possible interception of sensitive data.

Detection:

  1. University wireless (eduroam SSID) access point controllers will be configured to detect and report (create log records of) other Service Set Identifiers (SSIDs) within their area of coverage.
  2. On a regular basis, a program will gather the relevant log records from the wireless controllers, merge the information gathered with other network records, and write the resultant information into a database. The database will include fields to indicate:
    a.  Known, registered wireless access point devices and their configured SSID
    b.  Unknown/new devices
    c.  Known devices that are in the process of being reviewed/mitigated
  3. Wireless access point information will be collected and maintained on a continuous basis while the device is detected, and for 12 months after the last detection.

Analysis:

  1. On a regular basis, or quarterly, the Information Security and Policy Office will review the information in the log records for changes and initiate mitigation procedures for unknown devices.
  2. The Information Security and Policy Office will obtain owner contact information (if possible), based on the network records available.
  3. Upon request, a report of wireless devices will be produced for the Office of Internal Audit.

Mitigation:

  1. The Information Security and Policy Office will send device details and a policy notice (via e-mail) regarding the unauthorized device to:
    a.  The IT Director and/or Network Security Contact (NSC) of the appropriate University Organization where the device is installed.
    b.  The owner or operator of the device, if known.
  2. The Information Security and Policy Office will create a record (ticket) with the relevant information in their problem tracking system.
  3. The Information Security and Policy Office will allow one week for a response detailing which remediation or mitigation steps have been taken:
    a.  The device was removed. UI wireless service (eduroam) is or will be used in its place.
    b.  The device was appropriately secured using current best practices. The device has been or will be registered (authorized) with ITS Network Services for continued use.
  4. The Information Security and Policy Office will follow up on any missing or unsatisfactory responses to determine the status of the mitigation. At the discretion of the Information Security and Policy Office or ITS Network Services, any subsequent detection of the device, in any location, more than one week after the notice was sent will result in the wired network connection (or connections, should the device be moved) being disconnected.

Notes:

  • Authorization for keeping personal, research, or department-owned wireless access point devices connected to the University campus network will be determined on a case-by-case basis.
  • The Information Security and Policy Office will obtain/facilitate assistance from the ITS Network Services group as necessary.
  • Any device that is disrupting the operation of the University campus network, or the UI wireless network service (eduroam), will be subject to immediate shut down as defined in the University Network Citizenship Policy.

 

Relevant University Policies:

Wireless: http://itsecurity.uiowa.edu/policy/Wireless-Networking-Policy.shtml

Networking: http://itsecurity.uiowa.edu/policy/NetworkCitizenship.shtml

Acceptable Use: http://opsmanual.uiowa.edu/community-policies/acceptable-use-information-technology-resources

Airspace: http://itsecurity.uiowa.edu/policy/airspace.shtml

Article number: 100711
Last updated: May 12, 2016