United States Trustee Program’s
Wireless LAN Security Checklist
In support of a standing trustee's proposed implementation of Wireless Access
Points (WAPs) in § 341 meeting rooms and courtrooms, the following wireless LAN
security checklist must be completed and submitted to the United States Trustee for
approval prior to implementation. Completion of this checklist will assist the United
States Trustee in determining the strength of the security controls the standing trustee has
or will have in place prior to implementation. The checklist reflects guidance provided
by the National Institute of Standards and Technology (NIST) on implementing secure
WAPs (see NIST Special Publication 800-48, "Wireless Network Security," which is
available, along with other helpful information, at
www.csrc.nist.gov/publications/nistpubs).
The checklist consists of two sections. Section one lists the mandatory security
requirements, and requires the signature of the standing trustee to attest that they are in
place or will be in place immediately upon approval of the WAP by the United States
Trustee. Section two lists best practices which, while not required for approval, are
strongly recommended.
Wireless access connections should be regarded in the same manner as any
physical Internet connection and protected accordingly. WAPs should never be
connected directly to any United States Trustee Program network. All business
communications over a wireless or other un-trusted network, such as the Internet, must
use a Virtual Private Network (VPN) solution to encrypt all communications. WAPs
must be connected to a firewall that only allows access to a VPN service.
WIRELESS LAN SECURITY CHECKLIST FOR STANDING TRUSTEES – SECTION ONE (MANDATORY REQUIREMENTS)

No.  Mandatory Security Requirements                             Currently   Will be Implemented  Remarks
                                                                 in Place    Prior to Activation
---  ----------------------------------------------------------  ----------  -------------------  ----------
  1  Security policy that addresses the use of wireless          [ ]         [ ]                  __________
     technology, including IEEE 802.11x technologies.
  2  Comprehensive security assessments performed at regular     [ ]         [ ]                  __________
     and random intervals (including validating that rogue
     WAPs do not exist in the IEEE 802.11x WLAN) to fully
     understand the wireless network security posture.
  3  Default shared keys replaced every 90 days.                 [ ]         [ ]                  __________
  4  Administrator WAP password changed every 90 days or post    [ ]         [ ]                  __________
     compromise.
  5  Network users trained in the risks associated with          [ ]         [ ]                  __________
     wireless technology.
  6  Complete inventory of all WAPs and IEEE 802.11x wireless    [ ]         [ ]                  __________
     devices conducted.
  7  WAPs maintained in secured areas to prevent unauthorized    [ ]         [ ]                  __________
     physical access and user manipulation.
  8  When disposing of WAPs no longer required, WAP              [ ]         [ ]                  __________
     configuration settings cleared to prevent disclosure of
     network configuration, keys, passwords, etc.
  9  If the WAP supports logging, logging turned on and logs     [ ]         [ ]                  __________
     reviewed on a regular basis.
 10  Default SSID* and default IP address changed in the WAPs.   [ ]         [ ]                  __________
 11  SSID* character string validated to establish that it       [ ]         [ ]                  __________
     does not reflect the trustee's name.
 12  All insecure and nonessential management protocols on the   [ ]         [ ]                  __________
     WAPs disabled.
 13  All security features of the WLAN product, including the    [ ]         [ ]                  __________
     cryptographic authentication and the strongest encryption
     algorithm available (WPA2 or better), enabled.
 14  Encryption in use and the encryption key size at a          [ ]         [ ]                  __________
     minimum of 256 bits.
 15  All WAPs meet requirements of trustee's internal network    [ ]         [ ]                  __________
     security.
 16  "Ad hoc mode" for IEEE 802.11 disabled.                     [ ]         [ ]                  __________
 17  User authentication mechanisms enabled for the management   [ ]         [ ]                  __________
     interfaces of the WAP.
 18  MAC filtering enabled and in use.                           [ ]         [ ]                  __________
 19  Anti-virus software installed and latest anti-virus         [ ]         [ ]                  __________
     definitions maintained on all wireless clients.
 20  SSL/TLS used for Web-based management of WAPs.              [ ]         [ ]                  __________
 21  If using SNMP agent, SNMPv3 or equivalent                   [ ]         [ ]                  __________
     cryptographically protected protocol used to enhance the
     security of WAP management traffic.
 22  Personal firewall software installed on all wireless        [ ]         [ ]                  __________
     clients.
 23  Software patches and upgrades fully tested and deployed     [ ]         [ ]                  __________
     on a regular basis.
 24  Security impact of deploying a wireless product fully       [ ]         [ ]                  __________
     understood.
* SSID – Short for Service Set Identifier, a 32-character unique identifier attached to the header of
packets sent over a Wireless LAN (WLAN) that acts as a password when a mobile device tries to connect
to the Wireless LAN. The SSID differentiates one LAN from another, so all access points and all devices
attempting to connect to a specific Wireless LAN must use the same SSID. A device will not be permitted
to join the WLAN unless it can provide the unique SSID. Because an SSID can be sniffed in plain text
from a packet, it does not supply any security to the network. An SSID is also referred to as a network
name because essentially it is a name that identifies a wireless network.
I declare that the above information is true and correct to the best of my knowledge and belief. Practices are in place or will be
immediately upon activation of wireless devices.
______________________________________ _____________
Chapter 13 Standing Trustee Date
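As an added illustration, not part of the checklist or of any United States Trustee Program procedure, the following Python script audits a WAP configuration export against the Section One items that can be verified from device settings (items 9 through 14, 16 through 18, 20 and 21) and produces a remark for each failure. The flat dictionary, its key names, the factory-default lists and the two sample exports are constructed assumptions; a real access point exports its settings in a vendor-specific format that would first have to be parsed into this shape. Policy and process items (1 through 8, 15, 19 and 22 through 24) cannot be read from a configuration file and remain a matter for the signed attestation.

```python
"""Audit a WAP configuration export against Section One of the checklist.

Added example, not part of the checklist. The flat-dict configuration shape
and its key names are assumptions: a real WAP exports settings in a
vendor-specific format that would first be parsed into this shape.
"""
from dataclasses import dataclass

# Illustrative factory defaults (constructed lists). A real audit loads the
# vendor's documented defaults for the exact WAP model in use.
FACTORY_SSIDS = {"default", "linksys", "netgear", "dlink", "wireless"}
FACTORY_IPS = {"192.168.0.1", "192.168.1.1", "192.168.1.254", "10.0.0.1"}
ACCEPTABLE_ENCRYPTION = {"WPA2", "WPA3"}    # item 13: WPA2 or better
MIN_KEY_BITS = 256                          # item 14: minimum key size
CLEARTEXT_MGMT = {"telnet", "ftp", "tftp"}  # item 12: insecure management protocols


@dataclass(frozen=True)
class Finding:
    item: int     # Section One item number the configuration fails
    remark: str   # text suitable for the "Remarks" column


def _normalize(text: str) -> str:
    """Lower-case and drop separators so 'J. Doe' still matches 'JDoe-WiFi'."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def ssid_reflects_name(ssid: str, trustee_name: str) -> bool:
    """Item 11: does any part of the trustee's name (2+ characters) appear in the SSID?"""
    norm_ssid = _normalize(ssid)
    tokens = (_normalize(part) for part in trustee_name.split())
    return any(len(tok) >= 2 and tok in norm_ssid for tok in tokens)


def audit_wap(cfg: dict, trustee_name: str) -> list[Finding]:
    """Return one Finding per Section One item the configuration fails, in item order."""
    findings: list[Finding] = []
    protocols = {p.lower() for p in cfg.get("mgmt_protocols", [])}

    if not cfg.get("logging_enabled", False):
        findings.append(Finding(9, "logging is turned off"))
    if cfg["ssid"].strip().lower() in FACTORY_SSIDS:
        findings.append(Finding(10, f"SSID {cfg['ssid']!r} is a factory default"))
    if cfg["mgmt_ip"] in FACTORY_IPS:
        findings.append(Finding(10, f"management IP {cfg['mgmt_ip']} is a factory default"))
    if ssid_reflects_name(cfg["ssid"], trustee_name):
        findings.append(Finding(11, "SSID reflects the trustee's name"))
    cleartext = sorted(CLEARTEXT_MGMT & protocols)
    if cleartext:
        findings.append(Finding(12, f"cleartext management protocols enabled: {cleartext}"))
    if cfg["encryption"].upper() not in ACCEPTABLE_ENCRYPTION:
        findings.append(Finding(13, f"{cfg['encryption']} is weaker than WPA2"))
    if cfg["key_bits"] < MIN_KEY_BITS:
        findings.append(Finding(14, f"key size {cfg['key_bits']} bits is below {MIN_KEY_BITS}"))
    if cfg.get("adhoc_enabled", False):
        findings.append(Finding(16, "IEEE 802.11 ad hoc mode is enabled"))
    if not cfg.get("mgmt_auth_required", False):
        findings.append(Finding(17, "management interface does not require authentication"))
    if not cfg.get("mac_filtering", False):
        findings.append(Finding(18, "MAC filtering is not enabled"))
    if "http" in protocols:
        findings.append(Finding(20, "web management is reachable over plain HTTP, not SSL/TLS"))
    if cfg.get("snmp_enabled", False) and cfg.get("snmp_version") != 3:
        findings.append(Finding(21, f"SNMP v{cfg.get('snmp_version')} in use; SNMPv3 required"))
    return findings


# Constructed sample exports: one as shipped from the factory, one hardened.
FACTORY_STATE = {
    "ssid": "linksys", "mgmt_ip": "192.168.1.1", "encryption": "WEP",
    "key_bits": 128, "adhoc_enabled": True, "mac_filtering": False,
    "logging_enabled": False, "mgmt_auth_required": False,
    "mgmt_protocols": ["telnet", "http"], "snmp_enabled": True, "snmp_version": 2,
}
HARDENED = {
    "ssid": "mtg-room-wlan", "mgmt_ip": "10.20.30.4", "encryption": "WPA2",
    "key_bits": 256, "adhoc_enabled": False, "mac_filtering": True,
    "logging_enabled": True, "mgmt_auth_required": True,
    "mgmt_protocols": ["https", "ssh"], "snmp_enabled": True, "snmp_version": 3,
}

if __name__ == "__main__":
    for name, cfg in (("factory", FACTORY_STATE), ("hardened", HARDENED)):
        results = audit_wap(cfg, "Jane Q. Doe")   # trustee name is constructed
        print(f"{name}: {len(results)} finding(s)")
        for f in results:
            print(f"  item {f.item:2d}: {f.remark}")
```

Run directly, the script prints the findings for both constructed exports: the factory-state export fails eleven checks and the hardened one passes all of them. Item 11 is checked on normalized text so that initials, punctuation and case in the SSID do not hide a trustee's name.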
WIRELESS LAN SECURITY CHECKLIST FOR STANDING TRUSTEES – SECTION TWO (RECOMMENDED BEST PRACTICES)

No.  Recommended Best Practices                                  Yes  No   If "no," plans to    Remarks
                                                                           implement? By when?
---  ----------------------------------------------------------  ---  ---  -------------------  ----------
  1  WAPs turned off when not in use (e.g., after hours and on   [ ]  [ ]  ___________________  __________
     weekends).
  2  Broadcast SSID* feature disabled in WAPs.                   [ ]  [ ]  ___________________  __________
  3  WAP channels at least five channels different from any      [ ]  [ ]  ___________________  __________
     other nearby wireless networks to prevent interference.
  4  Intrusion detection agents deployed on the wireless part    [ ]  [ ]  ___________________  __________
     of the network to detect suspicious behavior or
     unauthorized access and activity.
  5  Technology deployed to analyze auditing records and logs    [ ]  [ ]  ___________________  __________
     for suspicious activity.
Submitted by:
______________________________________ _____________
Chapter 13 Standing Trustee Date