Review the DoD component wireless architecture. Determine if the organization employs a WIDS. The WIDS must continuously scan for and detect authorized and unauthorized WLAN activities. If a WIDS is not employed in the architecture, this is a finding.
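What "detect authorized and unauthorized WLAN activities" means in practice, as an added illustration that is not part of the STIG text and not any vendor's WIDS logic: each scan cycle, observed beacons are compared against an authorized-AP inventory, and anything that is an unknown BSSID on an authorized SSID (evil twin), an unknown AP altogether, an authorized BSSID advertising an unexpected SSID, or an authorized AP whose security mode has drifted is raised as a finding. The inventory, the SSIDs and BSSIDs, the scan records and the REQUIRED_SECURITY value are all constructed assumptions.

```python
"""Rogue / unauthorized WLAN detection over one scan cycle.

Added example for the WIDS requirement; not STIG text and not a product's
logic. Every SSID, BSSID and beacon below is constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed authorized-AP inventory: (SSID, BSSID) pairs a WIDS would
# normally load from the site's AP management database.
AUTHORIZED_APS = {
    ("DOD-CORP", "00:11:22:33:44:01"),
    ("DOD-CORP", "00:11:22:33:44:02"),
    ("DOD-VOIP", "00:11:22:33:44:10"),
}
AUTHORIZED_SSIDS = {ssid for ssid, _ in AUTHORIZED_APS}
AUTHORIZED_BSSIDS = {bssid for _, bssid in AUTHORIZED_APS}
# Assumption: every authorized AP is expected to advertise this mode.
REQUIRED_SECURITY = "WPA2-Enterprise"


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    security: str  # e.g. "WPA2-Enterprise", "WPA2-PSK", "Open"
    rssi: int      # dBm as reported by the sensor


@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    reason: str


def classify_beacon(b: Beacon) -> Optional[str]:
    """Return a finding reason for one beacon, or None if it is an
    authorized AP behaving as the inventory says it should."""
    if (b.ssid, b.bssid) in AUTHORIZED_APS:
        if b.security != REQUIRED_SECURITY:
            return (f"authorized AP advertising {b.security} instead of "
                    f"{REQUIRED_SECURITY} (misconfiguration or spoofed BSSID)")
        return None
    if b.ssid in AUTHORIZED_SSIDS:
        return "unknown BSSID broadcasting an authorized SSID (evil twin / rogue AP)"
    if b.bssid in AUTHORIZED_BSSIDS:
        return "authorized BSSID broadcasting an unexpected SSID (AP reconfigured or BSSID spoofed)"
    return "unauthorized AP (SSID and BSSID not in inventory)"


def detect(beacons: Iterable[Beacon]) -> List[Finding]:
    """Evaluate one scan cycle; a WIDS runs this continuously per sensor."""
    findings: List[Finding] = []
    seen = set()
    for b in beacons:
        key = (b.ssid, b.bssid)
        if key in seen:  # the same AP beacons many times per cycle
            continue
        seen.add(key)
        reason = classify_beacon(b)
        if reason:
            findings.append(Finding(b.bssid, b.ssid, reason))
    return findings


# Constructed scan cycle from a single sensor.
SAMPLE_SCAN = [
    Beacon("DOD-CORP", "00:11:22:33:44:01", "WPA2-Enterprise", -48),
    Beacon("DOD-CORP", "00:11:22:33:44:01", "WPA2-Enterprise", -49),  # repeat beacon
    Beacon("DOD-VOIP", "00:11:22:33:44:10", "WPA2-Enterprise", -60),
    Beacon("DOD-CORP", "de:ad:be:ef:00:01", "Open", -55),              # evil twin
    Beacon("Linksys", "c0:ff:ee:00:00:01", "WPA2-PSK", -70),           # unauthorized AP
    Beacon("DOD-GUEST", "00:11:22:33:44:02", "WPA2-Enterprise", -50),  # authorized BSSID, wrong SSID
]

if __name__ == "__main__":
    for f in detect(SAMPLE_SCAN):
        print(f"{f.bssid} {f.ssid!r}: {f.reason}")
```

The inventory match is on the (SSID, BSSID) pair rather than on either field alone; matching on SSID only is what lets an evil twin through, and matching on BSSID only misses an authorized radio that has been reconfigured.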
Exceptions can be granted by the DAA for minimal-impact WLAN systems. Minimal-impact WLAN systems are systems that: do not provide connectivity to WLAN-enabled PEDs (e.g., backhaul systems); have no available FIPS 140-validated 802.1X EAP-TLS supplicant; support a very small number of users for a specific mission (i.e., 10 or fewer users); are standalone networks; or are highly specialized WLAN systems that are isolated from the GIG (e.g., handheld personal digital assistants (PDAs) used as radio-frequency identification (RFID) readers, or a network of WLAN-enabled Voice over Internet Protocol (VoIP) phones). These systems shall be segmented from the GIG via a wireless demilitarized zone (DMZ) that provides network intrusion detection capabilities and limits ports and protocols to the minimum set necessary to achieve mission objectives. A STIG-compliant firewall shall be located at the system’s point of entry onto the GIG.