{
"stig": {
"date": "2016-11-14",
"description": "This STIG contains the technical security controls for the operation of the Harris SecNet 11 or 54 classified WLAN devices in the DoD environment.",
"findings": {
"V-14002": {
"checkid": "C-11465r3_chk",
"checktext": "Review client devices and verify that there is some technical procedure to disable the wireless network interface when the wired network interface is active (e.g., connected to a network via an Ethernet cable). \n\nExamples of compliant implementations: \n- Client-side connection management software products have configuration settings that disable wireless connections when a wired connection is active. \n- Microsoft Windows hardware profiles can be created that disable assigned wireless network interfaces when the Ethernet connection is active.\n\nTo check compliance, select a sample of devices (3-4), and establish a network connection using the wireless interface. Test that the wireless interface is active using a command line utility such as ifconfig (UNIX/Linux), or ipconfig (Windows), or management tools such as Network Connections within the Windows Control Panel. Then plug the device into an active Ethernet port (or other wired network). Repeat the process used to check that the connection was active to verify it is now disabled. \n\nMark as a finding if one or more of the tested devices do not disable the wireless interface upon connection to a wired network. Also mark as a finding if the device does not have the capability to disable the wireless interface when the wired interface is active.",
"description": "If a client device supports simultaneous use of wireless and wired connections, then this increases the probability that an adversary who can access the device using its wireless interface can then route traffic through the device\u2019s wired interface to attack devices on the wired network or obtain sensitive DoD information.",
"fixid": "F-13489r1_fix",
"fixtext": "Ensure the wired network interfaces on a WLAN client are disconnected or otherwise disabled when wireless network connections are in use.",
"iacontrols": [
"ECWN-1"
],
"id": "V-14002",
"ruleID": "SV-14613r2_rule",
"severity": "medium",
"title": "A device\u2019s wired network interfaces (e.g., Ethernet) must be disconnected or otherwise disabled when wireless connections are in use.",
"version": "WIR0170"
},
"V-14846": {
"checkid": "C-13276r1_chk",
"checktext": "Review device configuration. \n1. Obtain the SSID using a wireless scanner or the AP or WLAN controller management software. \n2. Verify the name is not meaningful (e.g., site name, product name, room number, etc.) or set to the manufacturer's default value.\n\nMark as a finding if the SSID does not meet the requirement listed above.",
"description": "An SSID that identifies the unit, site, or purpose of the WLAN, or that is set to the manufacturer default, may cause an OPSEC vulnerability.",
"fixid": "F-34142r1_fix",
"fixtext": "Change the SSID to a pseudo random word that does not identify the unit, base, or organization. ",
"iacontrols": null,
"id": "V-14846",
"ruleID": "SV-15614r1_rule",
"severity": "low",
"title": "WLAN SSIDs must be changed from the manufacturer\u2019s default to a pseudo random word that does not identify the unit, base, organization, etc. ",
"version": "WIR0105"
},
"V-14886": {
"checkid": "C-13412r3_chk",
"checktext": "Detailed policy requirements:\n\nWireless access points and bridges must not be directly connected to the enclave network. A network device must separate wireless access from other elements of the enclave network. Sites must also comply with the Network Infrastructure STIG configuration requirements for DMZ, VLAN, and VPN configurations, as applicable.\n\nExamples of acceptable architectures include placing access points or controllers in a screened subnet (e.g. DMZ separating intranet and wireless network) or dedicated virtual LAN (VLAN) with ACLs. \n\nCheck Procedures:\n\nReview network architecture with the network administrator.\n1. Verify compliance by inspecting the site network topology diagrams.\n2. Since many network diagrams are not kept up-to-date, walk through the connections with the network administrator using network management tools or diagnostic commands to verify the diagrams are current.\n\nIf the site\u2019s wireless infrastructure, such as access points and bridges, is not isolated from the enclave network, this is a finding.",
"description": "If an adversary is able to compromise an access point or controller that is directly connected to an enclave network, then the adversary can easily surveil and attack other devices from that beachhead. A defense-in-depth approach requires that an additional layer of protection exist between the WLAN and the enclave network. This is particularly important for wireless networks, which may be vulnerable to attack from outside the physical perimeter of the facility or base, given the inherent nature of radio communications to penetrate walls, fences, and other physical boundaries.",
"fixid": "F-3448r1_fix",
"fixtext": "Remove wireless network devices with direct connections to an enclave network. If feasible, reconfigure network connections to isolate the WLAN infrastructure from the enclave network, separating them with a firewall or equivalent protection.",
"iacontrols": null,
"id": "V-14886",
"ruleID": "SV-15654r2_rule",
"severity": "medium",
"title": "Wireless access points and bridges must be placed in dedicated subnets outside the enclave\u2019s perimeter.",
"version": "WIR0135"
},
"V-15300": {
"checkid": "C-13709r1_chk",
"checktext": "Visually verify the site is using a Harris Corporation SecNet 11 or SecNet 54 or L3 KOV-26 Talon (version 1.1.04 or later) for the classified WLAN. ",
"description": "NSA Type 1 certification provides the level of assurance required for transmission of classified data. Systems without this certification are more likely to be compromised by a determined and resourceful adversary.",
"fixid": "F-6728r1_fix",
"fixtext": "Immediately remove the uncertified device from the network. Install and operate a Type 1 product if wireless functionality is still required.",
"iacontrols": null,
"id": "V-15300",
"ruleID": "SV-16085r1_rule",
"severity": "high",
"title": "Any wireless technology used to transmit classified information must be an NSA Type 1 product. ",
"version": "WIR0205"
},
"V-18582": {
"checkid": "C-22005r1_chk",
"checktext": "Review documentation.\n- Verify the SWLAN system SCAO approval documentation exists, has been approved, and has a SIPRNet or NIPRNet Interim Approval to Operate (IATO) or Approval to Operate (ATO) in the GIAP database.\n- Verify the SWLAN system is included in the SSAA/SSP and is signed by the DAA.\nMark as a finding if these requirements are not met.",
"description": "The CCAO approval process provides assurance that the SWLAN use is appropriate and does not introduce unmitigated risks into the SIPRNET.",
"fixid": "F-34118r1_fix",
"fixtext": "Disable or remove the non-compliant SWLAN until the site has all required approvals for operation.",
"iacontrols": null,
"id": "V-18582",
"ruleID": "SV-20126r1_rule",
"severity": "high",
"title": "A Secure WLAN (SWLAN) connected to the SIPRNet must have a SIPRNet connection approval package on file with the Classified Connection Approval Office (CCAO). ",
"version": "WIR0215"
},
"V-18583": {
"checkid": "C-22006r1_chk",
"checktext": "Review documentation. Verify the local CTTA has been notified of the site\u2019s intent to install and operate a SWLAN. Mark as a finding if the local CTTA has not been notified.\n",
"description": "Wireless signals are extremely vulnerable to both detection and interception, which can provide an adversary with the location and intensity of particular DoD activities and potentially reveal classified DoD information. TEMPEST reviews provide assurance that unacceptable risks have been identified and mitigated.",
"fixid": "F-34119r1_fix",
"fixtext": "Notify the CTTA of the need to review the SWLAN.",
"iacontrols": null,
"id": "V-18583",
"ruleID": "SV-20127r1_rule",
"severity": "medium",
"title": "Before a Secure WLAN (SWLAN) becomes operational and is connected to the SIPRNet the Certified TEMPEST Technical Authority (CTTA) must be notified.",
"version": "WIR0220"
},
"V-18584": {
"checkid": "C-22007r1_chk",
"checktext": "Detailed Policy Requirements:\n\nThe following physical security controls must be implemented for SWLAN access points:\n\n- Secure WLAN access points shall be physically secured, and methods shall exist to facilitate the detection of tampering. WLAN APs are part of a communications system and shall have controlled physical security, in accordance with DoDD 5200.08-R. SWLAN access points not within a location that provides limited access shall have controlled physical security with either fencing or inspection.\n\n- Either physical inventories or electronic inventories shall be conducted daily by viewing or polling the serial number or MAC address. Access points not stored in a COMSEC-approved security container shall be physically inventoried. \nCheck Procedures:\n\nIt is recommended the Traditional Reviewer assist with this check. Review the physical security controls of the SWLAN access points.\n\n- Verify site SWLAN access points are physically secured.\n-- Verify there is some method for alerting site security if the access point has been tampered with.\n- Determine if site SWLAN access points are in locations that provide limited access to only authorized personnel who are approved to access the access points.\n- Determine how the site conducts a daily physical inventory of SWLAN access points. Verify that required inventory methods are used, depending on whether the access points are stored in a COMSEC container.\n\n- Mark as a finding if any requirement has not been met.",
"description": "If an adversary is able to gain physical access to a SWLAN device, it may be able to compromise the device in a variety of ways, some of which could enable the adversary to obtain classified data. Physical security controls greatly mitigate this risk.",
"fixid": "F-34120r1_fix",
"fixtext": "Implement required physical security controls for the SWLAN.",
"iacontrols": null,
"id": "V-18584",
"ruleID": "SV-20128r1_rule",
"severity": "medium",
"title": "Physical security controls must be implemented for SWLAN access points. ",
"version": "WIR0225"
},
"V-30359": {
"checkid": "C-39028r1_chk",
"checktext": "Detailed Policy Requirements:\n\nMAC filtering must be implemented to enable the SWLAN AP to perform client device access control. \n\nCheck Procedures:\n\nVerify MAC address filtering has been implemented on site SWLAN access points. Have the system administrator log into a sample of site SWLAN access points (2-3 devices) and show MAC address filtering has been enabled. \nMark as a finding if MAC filtering has not been enabled. ",
"description": "Medium access control (MAC) filtering is a mechanism for ensuring that only authorized devices connect to the WLAN. While there are other methods to achieve similar protection with greater assurance, MAC filtering can be employed as a defense-in-depth measure. ",
"fixid": "F-34123r1_fix",
"fixtext": "Implement MAC filtering on the SWLAN access point. ",
"iacontrols": null,
"id": "V-30359",
"ruleID": "SV-40014r1_rule",
"severity": "low",
"title": "SWLAN access points must implement MAC filtering. ",
"version": "WIR0226"
},
"V-30369": {
"checkid": "C-39044r1_chk",
"checktext": "Detailed Policy Requirements:\n\nThe SWLAN system will be rekeyed at least every 90 days.\n\nCheck Procedures:\n\nInterview the IAO and obtain the site\u2019s procedures for rekeying the WLAN. Mark as a finding if the procedures do not exist or do not include a requirement to rekey at least every 90 days. ",
"description": "The longer a key remains in use, the more likely it will be compromised. If an adversary can compromise an SWLAN key, then it can obtain classified information. ",
"fixid": "F-34145r1_fix",
"fixtext": "Write and implement rekeying procedures that specify the keys must be changed at least every 90 days. ",
"iacontrols": null,
"id": "V-30369",
"ruleID": "SV-40029r1_rule",
"severity": "high",
"title": "SWLAN must be rekeyed at least every 90 days. ",
"version": "WIR0231"
},
"V-3512": {
"checkid": "C-4027r1_chk",
"checktext": "Detailed Policy Requirements:\n\nType 1 products and required procedures must be used to protect classified data-at-rest on wireless computers that are used on a classified WLAN or WMAN. \n\nIf NSA Type 1 certified DAR encryption is not available, the following requirements apply:\n\n- The storage media shall be physically removed from the computer and stored within a COMSEC-approved security container when the computer is not being used.\n- The entire computer shall be placed within a COMSEC-approved security container, if the computer has embedded storage media that cannot be removed.\n\nCheck Procedures:\n\nInterview the IAO to determine if devices with wireless functionality (e.g., laptops or PDAs with embedded radios) are used to store classified data. If yes, verify the device is an NSA Type 1 certified product. \nMark as a finding if a Type 1 product is not used, or if the storage media or device is not stored in a COMSEC-approved security container when not in use. ",
"description": "NSA Type 1 products provide a high level of assurance that cryptography is implemented correctly and meets the standards for storage of classified information. Use of cryptography that is not Type 1 certified violates policy and increases the risk that classified data will be compromised. ",
"fixid": "F-34121r1_fix",
"fixtext": "Immediately discontinue use of the non-compliant device.",
"iacontrols": null,
"id": "V-3512",
"ruleID": "SV-3512r1_rule",
"severity": "high",
"title": "NSA Type 1 products and required procedures must be used to protect classified data at rest (DAR) on wireless devices used on a classified WLAN or WMAN. ",
"version": "WIR0235"
},
"V-4636": {
"checkid": "C-16036r1_chk",
"checktext": "Detailed Policy Requirements:\n\nThe SWLAN architecture conforms to one of the approved configurations: \nLAN Extension: This architecture provides wireless access to the wired infrastructure using a Harris SecNet 11/ 54 or L3 KOV-26 Talon. In this architecture, the boundary is controlled either with fencing or inspection. See Figure 2.2 in the DISA FSO Wireless Overview for an example of the LAN Extension architecture.\n\nWireless Bridging: This architecture provides point-to-point bridging using Harris SecNet 11/ 54 or Talon. In this architecture, the boundary is controlled either with fencing or inspection. See Figure 2.3 in the DISA FSO Wireless Overview for an example of the Wireless Bridging architecture.\n\nWireless Peer-to-Peer: This architecture provides point-to-point communications between wireless clients using Harris SecNet 11/ 54 or Talon. In this architecture, the boundary is controlled either with fencing or inspection. See Figure 3.2 in the DISA FSO Wireless Overview for an example of the Wireless Peer-to-Peer architecture.\n\nCheck Procedures:\n\nInterview the SA or IAO to obtain SWLAN network diagrams. Review the SWLAN architecture and ensure it conforms to one of the approved use cases.",
"description": "Approved network architectures have been assessed for IA risk. Non-approved architectures provide less assurance than approved architectures because they have not undergone the same level of evaluation.",
"fixid": "F-34117r1_fix",
"fixtext": "Disable or remove the non-compliant SWLAN or reconfigure it to conform to one of the approved architectures. ",
"iacontrols": null,
"id": "V-4636",
"ruleID": "SV-4636r1_rule",
"severity": "high",
"title": "A Secure WLAN (SWLAN) must conform to an approved network architecture.",
"version": "WIR0210"
},
"V-7075": {
"checkid": "C-4017r1_chk",
"checktext": "Interview IAO. Verify written operating procedures exist for the protection, handling, accounting, and use of NSA Type 1 certified WLAN products and keys in a SWLAN operational environment.",
"description": "Written procedures provide assurance that personnel take the required steps to prevent loss of keys or other breaches of system security.",
"fixid": "F-6771r1_fix",
"fixtext": "Document procedures for the protection, handling, accounting, and use of NSA Type 1 certified WLAN products and keys. ",
"iacontrols": null,
"id": "V-7075",
"ruleID": "SV-7459r1_rule",
"severity": "low",
"title": "The site must have written procedures for the protection, handling, accounting, and use of NSA Type 1 products.",
"version": "WIR0230"
},
"V-72525": {
"checkid": "C-72723r1_chk",
"checktext": "Determine the model numbers of a site\u2019s classified wireless routers. \n\nIf the Harris SecNet 11 or 54 wireless routers are being used, this is a finding. \n",
"description": "If an unsupported version of the Harris SecNet wireless router is being used, the device is not being updated with security patches and may contain vulnerabilities that could expose classified data to unauthorized people. The SecNet 11 and 54 support old and obsolete wireless technologies and are no longer supported by Harris.",
"fixid": "F-78887r2_fix",
"fixtext": "Remove all versions of the Harris SecNet 11 or 54 wireless routers from service and properly dispose of the devices. ",
"iacontrols": null,
"id": "V-72525",
"ruleID": "SV-87149r1_rule",
"severity": "high",
"title": "Only supported versions of the Harris SecNet 11/54 should be used.",
"version": "WIR2017"
}
},
"profiles": {
"MAC-1_Classified": {
"description": "",
"findings": {
"V-14002": "true",
"V-14846": "true",
"V-14886": "true",
"V-15300": "true",
"V-18582": "true",
"V-18583": "true",
"V-18584": "true",
"V-30359": "true",
"V-30369": "true",
"V-3512": "true",
"V-4636": "true",
"V-7075": "true",
"V-72525": "true"
},
"id": "MAC-1_Classified",
"title": "I - Mission Critical Classified"
},
"MAC-1_Public": {
"description": "",
"findings": {
"V-14002": "true",
"V-14846": "true",
"V-14886": "true",
"V-15300": "true",
"V-18582": "true",
"V-18583": "true",
"V-18584": "true",
"V-30359": "true",
"V-30369": "true",
"V-3512": "true",
"V-72525": "true"
},
"id": "MAC-1_Public",
"title": "I - Mission Critical Public"
},
"MAC-1_Sensitive": {
"description": "",
"findings": {
"V-14002": "true",
"V-14846": "true",
"V-14886": "true",
"V-15300": "true",
"V-18582": "true",
"V-18583": "true",
"V-18584": "true",
"V-30359": "true",
"V-30369": "true",
"V-3512": "true",
"V-72525": "true"
},
"id": "MAC-1_Sensitive",
"title": "I - Mission Critical Sensitive"
},
"MAC-2_Classified": {
"description": "",
"findings": {
"V-14002": "true",
"V-14846": "true",
"V-14886": "true",
"V-15300": "true",
"V-18582": "true",
"V-18583": "true",
"V-18584": "true",
"V-30359": "true",
"V-30369": "true",
"V-3512": "true",
"V-4636": "true",
"V-7075": "true",
"V-72525": "true"
},
"id": "MAC-2_Classified",
"title": "II - Mission Support Classified"
},
"MAC-2_Public": {
"description": "",
"findings": {
"V-14002": "true",
"V-14846": "true",
"V-14886": "true",
"V-15300": "true",
"V-18582": "true",
"V-18583": "true",
"V-18584": "true",
"V-30359": "true",
"V-30369": "true",
"V-3512": "true",
"V-72525": "true"
},
"id": "MAC-2_Public",
"title": "II - Mission Support Public"
},
"MAC-2_Sensitive": {
"description": "",
"findings": {
"V-14002": "true",
"V-14846": "true",
"V-14886": "true",
"V-15300": "true",
"V-18582": "true",
"V-18583": "true",
"V-18584": "true",
"V-30359": "true",
"V-30369": "true",
"V-3512": "true",
"V-72525": "true"
},
"id": "MAC-2_Sensitive",
"title": "II - Mission Support Sensitive"
},
"MAC-3_Classified": {
"description": "",
"findings": {
"V-14002": "true",
"V-14846": "true",
"V-14886": "true",
"V-15300": "true",
"V-18582": "true",
"V-18583": "true",
"V-18584": "true",
"V-30359": "true",
"V-30369": "true",
"V-3512": "true",
"V-4636": "true",
"V-7075": "true",
"V-72525": "true"
},
"id": "MAC-3_Classified",
"title": "III - Administrative Classified"
},
"MAC-3_Public": {
"description": "",
"findings": {
"V-14002": "true",
"V-14846": "true",
"V-14886": "true",
"V-15300": "true",
"V-18582": "true",
"V-18583": "true",
"V-18584": "true",
"V-30359": "true",
"V-30369": "true",
"V-3512": "true",
"V-72525": "true"
},
"id": "MAC-3_Public",
"title": "III - Administrative Public"
},
"MAC-3_Sensitive": {
"description": "",
"findings": {
"V-14002": "true",
"V-14846": "true",
"V-14886": "true",
"V-15300": "true",
"V-18582": "true",
"V-18583": "true",
"V-18584": "true",
"V-30359": "true",
"V-30369": "true",
"V-3512": "true",
"V-72525": "true"
},
"id": "MAC-3_Sensitive",
"title": "III - Administrative Sensitive"
}
},
"slug": "harris_secnet_11_54",
"title": "Harris SecNet 11 / 54 Security Technical Implementation Guide (STIG)",
"version": "6"
}
}