36 Miss. Code. R. 1-13.2

Current through August 31, 2024
Rule 36-1-13.2

At minimum, the following security standards and network configurations are required for the deployment and operation of all wireless network installations:

A. The placement of wireless LAN Access Points (WAP) must be strategically located to minimize the interception of wireless signals by unauthorized individuals. The range of the signal must also be tested to ensure that signals are not being transmitted outside the intended coverage area.
B. All WAP installations must use encryption. WPA Version 2 with AES is the minimal level of acceptable encryption. WEP and WPA (version 1) are not permitted.
C. WPA Version 2 may be deployed in either "PSK mode" or "Enterprise mode" with specific requirements for each mode.
1. PSK mode deployment requirements:
a. The "key" or "pass-phrase" should be known and kept securely by as few personnel as possible.
b. The "key" or "pass-phrase" should be changed regularly. Regularly is defined as every three months for minimum standards; however, it is recommended that it be changed every month.
c. Very strong password creation practices should be followed when creating WPA-PSK passwords. At minimum, 16 characters with a combination of lower case letters, upper case letters, numbers, and symbols should be used.
2. Enterprise mode deployment requirements:

Enterprise mode indicates that, in addition to encryption keys on the WLAN, user credentials are required for access. This mode is recommended as more secure than PSK mode, due to the second factor being required. Two known methods for implementing enterprise mode are:

a. RADIUS server with rolling PSK.
b. Manual change of PSK as described in PSK mode, with network access control deployed.
D. All WAP configuration parameters (Service Set Identifier (SSID), keys, passwords, channels, etc.) that can be changed from the default manufacturer settings must be changed from the default.
E. WAPs must be connected to a switch and not a hub.
F. Physical security of WAPs must be maintained to protect the WAP from theft or access to the data port.
G. Open broadcasting of the SSID must be disabled.
H. Wireless encryption protocols only secure the LAN radio transmissions. Any sensitive data must still be handled with the appropriate network-transmission protocols. Refer to Chapter 9 of the ESP for details regarding data encryption. Each agency should consider the use of VPNs for specific users or network segments that need to transmit sensitive data.
I. Software and firmware updates from the wireless manufacturer should be applied to the WAP and affected wireless cards as soon as possible after release.
J. Additionally, the following wireless security best practices are recommended for deployment and operation of a wireless network.
1. All WAP installations should be inventoried and the area in which the wireless LAN is installed should be regularly inspected for unauthorized WAPs or other devices not part of the approved installation. The network should be regularly inspected both physically and electronically using sniffing tools to uncover rogue WAPs and devices.
2. The network should be scanned on a regular basis to detect unauthorized clients.
3. Agencies with large, complex scale wireless implementations should consider using a solution that provides for centralized configuration and management of the wireless access point rather than individually maintaining each WAP.
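
The following is an added example, not part of the rule text or of any official guidance: a Python check of an access point configuration against items B, C.1.c and G. It assumes the access point is configured through a hostapd-style file (hostapd and its option names do not appear in the rule), and the sample configuration and function names are constructed for illustration.

```python
import string

# Constructed sample in hostapd.conf syntax (hostapd is an assumption; values are made up).
SAMPLE_CONF = """\
# constructed example, not a real deployment
ssid=agency-wlan
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=Summer2024
ignore_broadcast_ssid=0
"""

def parse_conf(text):
    """Read key=value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value
    return conf

def passphrase_gaps(phrase):
    """Item C.1.c: at least 16 characters using all four character classes."""
    classes = {"lower case letter": str.islower, "upper case letter": str.isupper,
               "number": str.isdigit, "symbol": lambda c: c in string.punctuation}
    gaps = [f"no {name}" for name, test in classes.items() if not any(map(test, phrase))]
    if len(phrase) < 16:
        gaps.insert(0, f"{len(phrase)} characters, fewer than 16")
    return gaps

def audit(text):
    """Return (rule item, finding) pairs for settings that fall short of the rule."""
    conf, findings = parse_conf(text), []
    wpa = conf.get("wpa", "0").strip()  # hostapd bitmask: 1 = WPA, 2 = WPA2, 3 = both
    if wpa != "2":
        findings.append(("B", f"wpa={wpa}: only WPA2 (wpa=2) is permitted"))
    # hostapd falls back to wpa_pairwise, then to TKIP, when rsn_pairwise is unset
    ciphers = conf.get("rsn_pairwise", conf.get("wpa_pairwise", "TKIP")).split()
    if "TKIP" in ciphers:
        findings.append(("B", "TKIP is offered as a pairwise cipher; use CCMP (AES)"))
    if "WPA-PSK" in conf.get("wpa_key_mgmt", "WPA-PSK").split() and "wpa_passphrase" in conf:
        for gap in passphrase_gaps(conf["wpa_passphrase"]):
            findings.append(("C.1.c", f"passphrase: {gap}"))
    if conf.get("ignore_broadcast_ssid", "0").strip() not in ("1", "2"):
        findings.append(("G", "SSID is broadcast; set ignore_broadcast_ssid"))
    return findings
```

Calling `audit(SAMPLE_CONF)` returns five findings: two under item B, two under C.1.c and one under G. The remaining items (placement, physical security, default settings, patching) need checks outside the configuration file.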

Miss. Code Ann. § 25-53-1 to § 25-53-25.