
We are looking into the possibility of allowing access to our Banner ERP system (where SSN, grades, etc. are stored) via an encrypted wireless network.  We would be using WPA2/AES with a pre-shared Key which would change on a regular basis.  I would greatly appreciate any feedback that you can give on this.  I would especially like to know if any of you are doing anything like this or are you just using wired connections.  I know there is always a certain amount of risk involved with any network, but it would be helpful for me to hear from the community.

 

Thank you,

Joey Bridges

Associate VP for Technology Services

Gardner-Webb University

 

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

We are in the process of setting up a secure Cisco wireless network that uses WPA2 Enterprise, 802.11X and AES encryption.  We will be allowing access to our ERP system (Datatel) using this new secure wireless.  Before, staff members had to connect via the VPN if they wanted to access the ERP system via wireless.  We also require a static IP address to allow access.

--
Kevin Kelly
Director, Network Technology
Whitman College

From: "Joey Bridges" <jbridges@GARDNER-WEBB.EDU>
To: CIO@LISTSERV.EDUCAUSE.EDU
Sent: Wednesday, June 13, 2012 3:08:36 PM
Subject: [CIO] Security of ERP using a wireless network


That is not safe. 

 

WPA2 with pre-shared keys is not meant for enterprise environments.  The complexity of distributing the keys just increases the chance that the key will be leaked and allow someone to gain access and/or monitor traffic.  It would also make it easy for any legitimate user (employee) to monitor all of the wireless traffic.  To be fair, employees can also sniff their local subnet on your wired network if you don’t have port security or 802.1x running, but it’s a little more difficult and easier to get caught.

 

If the underlying connection to your ERP system is encrypted (e.g. SSL), then that traffic will still be secure but you are still opening your network up in other ways.

 

If you want to allow wireless access, you should use WPA2 with 802.1x authentication, not pre-shared keys. 

 

You need to address the security of the machines your staff will be using to connect.  Will they be able to use personally-owned devices?  If so, what measures are you going to take to prevent data loss via malware?  Any machine your staff are using to connect to your ERP system should, at a minimum, be patched up to date and have anti-virus.

 

Regards,

 

Steven Alexander Jr.

Online Education Systems Manager

Merced College

3600 M Street

Merced, CA 95348-2898

(209) 384-6191

alexander.s@mccd.edu
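The pre-shared-key point above, as an added example that is not part of the thread or any poster's code: a small Python audit of a hostapd-style access-point configuration that flags the settings the reply warns against (PSK key management, legacy WPA, TKIP, 802.1X without a RADIUS server). The hostapd keys it reads are real; the two sample configurations and the RADIUS address are constructed placeholders.

```python
# Added example, not from the thread: audit a hostapd-style AP config for the
# PSK-vs-802.1X points above; keys checked are real hostapd keys, samples are constructed.
def parse_hostapd(text):
    """Parse key=value lines, skipping blanks and '#' comments (last value wins)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def audit_hostapd(text):
    """Return a list of findings; an empty list means the checklist is satisfied."""
    conf = parse_hostapd(text)
    findings = []
    key_mgmt = set(conf.get("wpa_key_mgmt", "").split())
    # wpa is a bitmask: 1 = legacy WPA, 2 = WPA2/RSN, 3 = both enabled.
    if conf.get("wpa", "0") != "2":
        findings.append("wpa must be 2: legacy WPA or an open network is enabled")
    if "WPA-PSK" in key_mgmt:
        findings.append("WPA-PSK: any key holder can read other stations' traffic; use WPA-EAP (802.1X)")
    ciphers = set(conf.get("rsn_pairwise", conf.get("wpa_pairwise", "")).split())
    if "TKIP" in ciphers:
        findings.append("TKIP allowed: restrict the pairwise cipher to CCMP (AES)")
    if "WPA-EAP" in key_mgmt:
        if conf.get("ieee8021x") != "1":
            findings.append("WPA-EAP without ieee8021x=1: 802.1X authenticator is off")
        if not conf.get("auth_server_addr"):
            findings.append("WPA-EAP without auth_server_addr: no RADIUS server to ask")
    return findings

# Constructed: the WPA2/AES pre-shared-key design proposed in the original post.
PSK_CONF = """\
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=placeholder-rotated-monthly
"""

# Constructed: the WPA2 Enterprise (802.1X) design the replies recommend.
ENTERPRISE_CONF = """\
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_shared_secret=placeholder-radius-secret
"""
```

Running `audit_hostapd(PSK_CONF)` returns the single WPA-PSK finding, while `audit_hostapd(ENTERPRISE_CONF)` returns an empty list.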

 

Message from shelf@westernu.edu

As for an EMR, I would strongly recommend that if you absolutely have to use wireless to pass personally identifiable information (and ask, sincerely, do you, really?), use a VPN.

 

WPA of all persuasions, and SSL, have been hacked, as perennially demonstrated at DefCon, every year. If reasonably proficient folks want the info, they will get it over the air using WPAx + SSL.

 

Repeat: no VPN = don’t do it.

 

My two bits.

 

Sincerely,

 

Scott Helf, DO, MSIT

Chief Technology Officer-COMP

Director, Academic Informatics

Assistant Professor

 

Department of Academic Informatics

Office of Academic Affairs

College of Osteopathic Medicine of the Pacific

Western University of Health Sciences

309 East 2nd Street

Pomona, CA  91766

 

909-781-4353

shelf@westernu.edu

 

www.westernu.edu

You may want to double check this with the vendor, but I believe that Banner INB itself has its own encryption, totally separate from any encryption that might be going on within your networking infrastructure. However, Banner SSB does not.

 

Jerry

 

----------------------------------------------------------------------------------------
Jerry Bryan • Vice President of Information Services • Pellissippi State • 10915 Hardin Valley Road • P.O. Box 22990 • Knoxville, TN 37933-0990

Voice: 865 539-7127 •  Fax: 865 539-7653 •  E-mail: jbryan@pstcc.edu

Joey,

 

As follow up to all the great advice offered in other comments, I thought I’d offer some advice as well, based on our work in Higher Education.

 

In reading your email, the first question that came to mind was in wondering what you meant by “regular basis.” The change should be very frequent.

 

Probably the main thing you need to address is how you plan to manage the pre-shared key. The “best” or most ideal way to manage the pre-shared key is if you own all the devices; then you can manage and implement the key from domain control.  Most of us are dealing with BYOD, and the organization does not own the devices – there are personal devices being brought to the institution by employees and students. In the case of BYOD, the organization must wrestle with the decision between “should we even allow access to pre-shared keys?” If the decision is made to allow pre-shared keys on personally owned devices, then the organization should develop clear policies and procedures about BYOD (to address and mitigate the risks), train and communicate related to the policies and procedures, apply them consistently, and regularly gather evidence and documentation that proves you are executing your policies and procedures.

 

Good luck, and I hope you’ll let us all know what you decide.

 

Verna Lynch | Senior Consultant
d: 207.739.9540 | vlynch@berrydunn.com

www.berrydunn.com/consulting

 

 


Why do you use VDI? Then all the services are on a server and the communication with the client machine is encrypted.

God bless,

Sam Young
CIO
Point Loma Nazarene University
~ Individualization, Achiever, Belief, Learner, Activator ~

From: Verna Lynch
Reply-To: EDUCAUSE Listserv
Date: Wed, 27 Jun 2012 19:31:54 +0000
To: EDUCAUSE Listserv
Subject: [CIO] Security of ERP using a wireless network

Don't instead of do.

God bless,

Sam Young
CIO
Point Loma Nazarene University
~ Individualization, Achiever, Belief, Learner, Activator ~