DoD Components providing Internet-only guest access must use separate WLAN or logical segmentation of the host WLAN (e.g., separate service set identifier (SSID) and virtual LAN) or DoD network.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-25319	WIR0123	SV-31432r4_rule		Medium

Description
If the access point or its supporting authentication server is placed in front of the perimeter firewall, then it has no firewall protection against an attack. If the access point or its supporting authentication server is placed behind the perimeter firewall (on the internal network), then any breach of these devices could lead to attacks on other DoD information systems.

STIG	Date
Network Infrastructure Policy Security Technical Implementation Guide	2016-07-11

Details

Check Text ( C-31754r3_chk )
Have the SA show how the guest WLAN is physically connected to the firewall or supporting switch and how it is logically connected through firewall or switch configuration settings. Verify the equipment is connected via a separate WLAN or logical segmentation of the host WLAN (e.g., separate service set identifier (SSID) and virtual LAN). If a guest WLAN is set up as a separate WLAN from the DoD network or not set up as a logical segmentation from the DoD network or DoD WLAN, this is a finding.

Check Text ( C-31754r3_chk )

Have the SA show how the guest WLAN is physically connected to the firewall or supporting switch and how it is logically connected through firewall or switch configuration settings. Verify the equipment is connected via a separate WLAN or logical segmentation of the host WLAN (e.g., separate service set identifier (SSID) and virtual LAN).

If a guest WLAN is set up as a separate WLAN from the DoD network or not set up as a logical segmentation from the DoD network or DoD WLAN, this is a finding.

Fix Text (F-28238r1_fix)
Reconfigure physical and logical connections as needed so the Internet-only WLAN infrastructure resides in a dedicated subnet off the perimeter firewall.