15: Wireless Access Control

Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.

Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), which requires mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.

Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly.