Without authentication, an unauthorized device can easily connect to a nearby access point (AP) within the enclave. In addition, a rogue AP owned by an attacker can accept connections from wireless stations, enabling it to intercept traffic and initiate man-in-the-middle attacks before allowing traffic to flow to the intended host. Hence, it is imperative that authentication be bi-directional (mutual authentication) and based on cryptography, so that both the station and the AP can establish a high level of trust in the authenticity of the other.
Device authentication requires unique identification and authentication that may be defined by type, by specific device, or by a combination of type and device as deemed appropriate by the organization.
The devices typically use either shared known information (e.g., Media Access Control [MAC] or Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for identification or an organizational authentication solution (e.g., IEEE 802.1X and Extensible Authentication Protocol [EAP], RADIUS server with EAP Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and/or wide area networks.
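The following is an added illustration, not part of the original text, of the distinction the paragraph draws between identification by shared known information (a MAC address, which any device can claim) and cryptographic mutual authentication (each side proves possession of a secret to the other). It is a deliberately simplified pre-shared-key challenge-response exchange using HMAC; it is not EAP-TLS, 802.1X, or any standard protocol, and all names, keys and MAC addresses in it are constructed for the example. The `Party`, `mac_only_check` and `mutual_authenticate` names are the example's own.

```python
"""Added example: MAC-address identification versus mutual challenge-response
authentication between a wireless station and an access point (AP).

Simplified illustration of the principle only; not EAP-TLS or 802.1X.
Every key, address and party name below is constructed for the example.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed pre-shared key held by the legitimate AP and legitimate stations.
ENCLAVE_KEY = b"constructed-enclave-key-0123456789abcdef"


def mac_only_check(allowed_macs: set, claimed_mac: str) -> bool:
    """Identification by 'shared known information' (a MAC address).

    The device merely *claims* an address; nothing proves the claim, so a
    spoofed address that matches the allow-list is accepted.
    """
    return claimed_mac in allowed_macs


class Party:
    """A station or an AP. key is None for a device that does not hold the
    enclave key (an unauthorized station or a rogue AP)."""

    def __init__(self, name: str, key: Optional[bytes]):
        self.name = name
        self.key = key

    def challenge(self) -> bytes:
        """Fresh random nonce so responses cannot be replayed later."""
        return secrets.token_bytes(16)

    def respond(self, challenger_name: str, nonce: bytes) -> bytes:
        """Prove knowledge of the key over (responder, challenger, nonce).

        Binding both names and the direction into the MAC means a response
        captured in one direction cannot be reused in the other.
        A device without the key can only produce a useless value."""
        key = self.key if self.key is not None else secrets.token_bytes(32)
        msg = self.name.encode() + b"|" + challenger_name.encode() + b"|" + nonce
        return hmac.new(key, msg, hashlib.sha256).digest()

    def verify(self, responder_name: str, nonce: bytes, response: bytes) -> bool:
        """Check a peer's response against the expected HMAC (constant time)."""
        if self.key is None:
            return False
        msg = responder_name.encode() + b"|" + self.name.encode() + b"|" + nonce
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def mutual_authenticate(station: Party, ap: Party) -> Tuple[bool, bool]:
    """Run both directions of the exchange.

    Returns (station_trusts_ap, ap_trusts_station). The first result is what
    protects a station from a rogue AP; the second is what protects the
    enclave from an unauthorized device."""
    # Direction 1: the station challenges the AP.
    n_station = station.challenge()
    ap_response = ap.respond(station.name, n_station)
    station_trusts_ap = station.verify(ap.name, n_station, ap_response)

    # Direction 2: the AP challenges the station.
    n_ap = ap.challenge()
    station_response = station.respond(ap.name, n_ap)
    ap_trusts_station = ap.verify(station.name, n_ap, station_response)

    return station_trusts_ap, ap_trusts_station


if __name__ == "__main__":
    # Constructed addresses: the MAC check cannot tell a real device from a claim.
    print("MAC-only accepts claimed address:",
          mac_only_check({"00:11:22:33:44:55"}, "00:11:22:33:44:55"))
    legit_ap = Party("ap-enclave", ENCLAVE_KEY)
    station = Party("station-1", ENCLAVE_KEY)
    rogue_ap = Party("ap-rogue", None)
    unauthorized = Party("station-x", None)
    print("legit station <-> legit AP :", mutual_authenticate(station, legit_ap))
    print("legit station <-> rogue AP :", mutual_authenticate(station, rogue_ap))
    print("unauthorized  <-> legit AP :", mutual_authenticate(unauthorized, legit_ap))
```

The point the two directions make is the one the paragraph makes: checking only that the station is allowed (direction 2) leaves the station with no evidence about the AP, which is exactly the gap a rogue AP exploits, so the station must verify the AP as well (direction 1). In a real deployment this role is played by the station validating the RADIUS/EAP server's certificate under EAP-TLS rather than by a pre-shared HMAC key.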