{
"stig": {
"date": "2022-02-03",
"description": "This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.",
"findings": {
"V-243207": {
"checkid": "C-46482r720074_chk",
"checktext": "Review device configuration. \n\n1. Obtain the SSID using a wireless scanner or the AP or WLAN controller management software.\n2. Verify the name is not meaningful (e.g., site name, product name, room number, etc.) and is not set to the manufacturer's default value.\n\nIf the SSID does not meet the requirement listed above, this is a finding.",
"description": "An SSID identifying the unit, site, or purpose of the WLAN or that is set to the manufacturer default may cause an OPSEC vulnerability.",
"fixid": "F-46439r720075_fix",
"fixtext": "Change the SSID to a pseudo random word that does not identify the unit, base, or organization.",
"iacontrols": null,
"id": "V-243207",
"ruleID": "SV-243207r720076_rule",
"severity": "low",
"title": "WLAN SSIDs must be changed from the manufacturer's default to a pseudo random word that does not identify the unit, base, organization, etc.",
"version": "WLAN-NW-000200"
},
"V-243208": {
"checkid": "C-46483r817082_chk",
"checktext": "1. Review the relevant configuration screen of the WLAN controller or access point.\n2. Verify the inactive/idle session timeout setting is set for 30 minutes or less. \n\nIf the inactive/idle session timeout is not set to 30 minutes or less for the entire WLAN, or the WLAN does not have the capability to enable the session timeout feature, this is a finding.",
"description": "A WLAN session that never terminates due to inactivity may allow an opening for an adversary to hijack the session to obtain access to the network.",
"fixid": "F-46440r817083_fix",
"fixtext": "Set the WLAN inactive/idle session timeout to 30 minutes or less.",
"iacontrols": null,
"id": "V-243208",
"ruleID": "SV-243208r817084_rule",
"severity": "medium",
"title": "The WLAN inactive/idle session timeout must be set for 30 minutes or less.",
"version": "WLAN-NW-000300"
},
"V-243209": {
"checkid": "C-46484r720080_chk",
"checktext": "Review the WLAN equipment specification and verify it is Wi-Fi Alliance certified with either the older WPA2 certification or the newer WPA3 certification. WPA3 is preferred but not required at this time.\n\nIf the WLAN equipment is not Wi-Fi Alliance certified with WPA2 or WPA3, this is a finding.",
"description": "Wi-Fi Alliance certification ensures compliance with DoD interoperability requirements between various WLAN products.",
"fixid": "F-46441r720081_fix",
"fixtext": "Use WLAN equipment that is Wi-Fi Alliance certified with WPA2 or WPA3.",
"iacontrols": null,
"id": "V-243209",
"ruleID": "SV-243209r720082_rule",
"severity": "medium",
"title": "WLAN components must be Wi-Fi Alliance certified with WPA2 or WPA3.",
"version": "WLAN-NW-000400"
},
"V-243210": {
"checkid": "C-46485r720083_chk",
"checktext": "Review the WLAN equipment specification and verify it is FIPS 140-2/3 (CMVP) certified for data in transit, including authentication credentials.\n\nIf the WLAN equipment is not FIPS 140-2/3 (CMVP) certified, this is a finding.",
"description": "If the DoD WLAN components (WLAN AP, controller, or client) are not NIST FIPS 140-2/FIPS 140-3 (Cryptographic Module Validation Program, CMVP) certified, the WLAN system may not adequately protect sensitive unclassified DoD data from compromise during transmission.",
"fixid": "F-46442r720084_fix",
"fixtext": "Use WLAN equipment that is FIPS 140-2/3 (CMVP) certified.",
"iacontrols": null,
"id": "V-243210",
"ruleID": "SV-243210r720085_rule",
"severity": "medium",
"title": "WLAN components must be FIPS 140-2 or FIPS 140-3 certified.",
"version": "WLAN-NW-000600"
},
"V-243211": {
"checkid": "C-46486r720086_chk",
"checktext": "Review documentation and inspect access point locations.\n\n1. Review documentation showing signal strength analysis from site survey activities, if available.\n2. Use testing equipment or WLAN clients to determine if the signal strength is, in the reviewer's judgment, excessively outside the required area (e.g., strong signal in the parking area, public areas, or uncontrolled spaces).\n3. Lower-end access points will not have this setting available. In this case, verify the access points are located away from exterior walls to achieve compliance with this requirement.\n\nIf any of the following is found, this is a finding:\n- Visual inspection of equipment shows obvious improper placement of access points where they will emanate into uncontrolled spaces (e.g., next to external walls, windows, or doors; uncontrolled areas; or public areas).\n- Building walk-through testing shows signals of sufficient quality and strength to allow wireless access to exist in areas not authorized for WLAN access.",
"description": "Most commercially available WLAN equipment is preconfigured for signal power appropriate to most applications of the WLAN equipment. In some cases, this may permit the signals to be received outside the physical areas for which they are intended. This can occur when the intended area is relatively small, such as a conference room, or when the access point is placed near a window or wall, thereby allowing signals to be received in neighboring areas. \n\nIn such cases, an adversary may be able to compromise the site's posture by measuring the presence of the signal and the quantity of data transmitted to obtain information about when personnel are active and what they are doing. If the signal is not appropriately protected through defense-in-depth mechanisms, the adversary could possibly use the connection to access DoD networks and sensitive information.",
"fixid": "F-46443r720087_fix",
"fixtext": "Move access points to areas in which signals do not emanate in a way that makes them usable outside the areas authorized for WLAN access.\n\nAlternatively, replace omni-directional antennae with directional antennae if this will solve the problem.\n\nIf these solutions are not effective, adjust the transmission power settings on the access point to reduce the usability of signals in unauthorized areas.\n\nIf the WLAN equipment does not allow the transmission power to be adjusted, and the access points are placed in a location where the ISSO determines there is significant risk that an adversary could be present where signals may be intercepted, the site should procure WLAN equipment that permits power adjustment.",
"iacontrols": null,
"id": "V-243211",
"ruleID": "SV-243211r720088_rule",
"severity": "low",
"title": "WLAN signals must not be intercepted outside areas authorized for WLAN access.",
"version": "WLAN-NW-000800"
},
"V-243212": {
"checkid": "C-46487r720089_chk",
"checktext": "Verify the access point is configured for either WPA2/WPA3 (Enterprise) or WPA2/WPA3 (Personal) authentication. The procedure for performing this review will vary depending on the AP model. Have the SA show the configuration setting.\n\nIf the access point is not configured with either WPA2 or WPA3 security, this is a finding.",
"description": "The Wi-Fi Alliance's WPA2/WPA3 certification provides assurance that the device has adequate security functionality and can implement the IEEE 802.11i standard for robust security networks. The previous version of the Wi-Fi Alliance certification, WPA, did not require AES encryption, which must be supported for DoD WLAN implementations. Devices without any WPA certification likely do not support required security functionality and could be vulnerable to a wide range of attacks.",
"fixid": "F-46444r720090_fix",
"fixtext": "Configure the access point for WPA2 (or WPA3) authentication, confidentiality, and integrity services. \n\nIn the case of WPA2 (Personal), this action will require the selection of a strong passcode or passphrase. \n\nIn the case of WPA2 (Enterprise), this action will require the organization to deploy RADIUS or equivalent authentication services on a separate server.\n\nIn cases in which the access point does not support WPA2/WPA3, the organization will need to procure new equipment.",
"iacontrols": null,
"id": "V-243212",
"ruleID": "SV-243212r720091_rule",
"severity": "medium",
"title": "The WLAN access point must be configured for Wi-Fi Alliance WPA2 or WPA3 security.",
"version": "WLAN-NW-000900"
},
"V-243213": {
"checkid": "C-46488r720092_chk",
"checktext": "Have the SA show how the guest WLAN is physically connected to the firewall or supporting switch and how it is logically connected through firewall or switch configuration settings.\n\nVerify the equipment is connected via a separate WLAN or logical segmentation of the host WLAN (e.g., separate service set identifier [SSID] and virtual LAN).\n\nVerify the guest WLAN only provides internet access.\n\nIf a guest WLAN is not set up as a separate WLAN from the DoD network or is not set up as a logical segmentation from the DoD network or DoD WLAN, this is a finding.\n\nIf the guest WLAN does not provide only internet access, this is a finding.",
"description": "The purpose of the Guest WLAN network is to provide WLAN services to authorized site guests. Guests, by definition, are not authorized access to the enterprise network. If the guest WLAN is not installed correctly, unauthorized access to the enterprise wireless and/or wired network could be obtained.",
"fixid": "F-46445r720093_fix",
"fixtext": "Reconfigure physical and logical connections as needed so the internet-only guest WLAN infrastructure resides in a dedicated subnet off the perimeter firewall or is installed as a completely separate internet-connection-only WLAN system with no access to the enterprise network.",
"iacontrols": null,
"id": "V-243213",
"ruleID": "SV-243213r720094_rule",
"severity": "medium",
"title": "DoD Components providing guest WLAN access (internet access only) must use separate WLAN or logical segmentation of the enterprise WLAN (e.g., separate service set identifier [SSID] and virtual LAN) or DoD network.",
"version": "WLAN-NW-001000"
},
"V-243214": {
"checkid": "C-46489r720095_chk",
"checktext": "Review the device configuration to determine if the OOB management interface is assigned an appropriate IP address from the authorized OOB management network.\n\nIf an IP address assigned to the interface is not from an authorized OOB management network, this is a finding.",
"description": "The OOBM access switch will connect to the management interface of the managed network elements. The management interface can be a true OOBM interface or a standard interface functioning as the management interface. In either case, the management interface of the managed network element will be directly connected to the OOBM network. (See SRG-NET-000205-RTR-000012.)\n\nNetwork boundaries, also known as managed interfaces, include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis, and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs). Methods used for prohibiting interfaces within organizational information systems include, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses.",
"fixid": "F-46446r720096_fix",
"fixtext": "Configure the network device so that only management traffic that ingresses and egresses the OOBM interface is permitted.",
"iacontrols": null,
"id": "V-243214",
"ruleID": "SV-243214r720097_rule",
"severity": "medium",
"title": "The network device must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface.",
"version": "WLAN-NW-001200"
},
"V-243215": {
"checkid": "C-46490r720098_chk",
"checktext": "Review the device configuration to determine if the call home service or feature is disabled on the device. \n\nIf the call home service is enabled on the device, this is a finding.\n\nNote: This feature can be enabled if the communication is only to a server residing in the local area network or enclave.",
"description": "Call-home services will routinely send data such as configuration and diagnostic information to the vendor for routine or emergency analysis and troubleshooting. There is a risk that transmission of sensitive data sent to unauthorized persons could result in data loss or downtime due to an attack. (See SRG-NET-000131-RTR-000083.)",
"fixid": "F-46447r720099_fix",
"fixtext": "Configure the network device to disable the call home service or feature.\n\nNote: This feature can be enabled if the communication is only to a server residing in the local area network or enclave.",
"iacontrols": null,
"id": "V-243215",
"ruleID": "SV-243215r720100_rule",
"severity": "medium",
"title": "The network device must not be configured to have any feature enabled that calls home to the vendor.",
"version": "WLAN-NW-001300"
}
},
"profiles": {
"MAC-1_Classified": {
"description": "",
"findings": {
"V-243207": "true",
"V-243208": "true",
"V-243209": "true",
"V-243210": "true",
"V-243211": "true",
"V-243212": "true",
"V-243213": "true",
"V-243214": "true",
"V-243215": "true"
},
"id": "MAC-1_Classified",
"title": "I - Mission Critical Classified"
},
"MAC-1_Public": {
"description": "",
"findings": {
"V-243207": "true",
"V-243208": "true",
"V-243209": "true",
"V-243210": "true",
"V-243211": "true",
"V-243212": "true",
"V-243213": "true",
"V-243214": "true",
"V-243215": "true"
},
"id": "MAC-1_Public",
"title": "I - Mission Critical Public"
},
"MAC-1_Sensitive": {
"description": "",
"findings": {
"V-243207": "true",
"V-243208": "true",
"V-243209": "true",
"V-243210": "true",
"V-243211": "true",
"V-243212": "true",
"V-243213": "true",
"V-243214": "true",
"V-243215": "true"
},
"id": "MAC-1_Sensitive",
"title": "I - Mission Critical Sensitive"
},
"MAC-2_Classified": {
"description": "",
"findings": {
"V-243207": "true",
"V-243208": "true",
"V-243209": "true",
"V-243210": "true",
"V-243211": "true",
"V-243212": "true",
"V-243213": "true",
"V-243214": "true",
"V-243215": "true"
},
"id": "MAC-2_Classified",
"title": "II - Mission Support Classified"
},
"MAC-2_Public": {
"description": "",
"findings": {
"V-243207": "true",
"V-243208": "true",
"V-243209": "true",
"V-243210": "true",
"V-243211": "true",
"V-243212": "true",
"V-243213": "true",
"V-243214": "true",
"V-243215": "true"
},
"id": "MAC-2_Public",
"title": "II - Mission Support Public"
},
"MAC-2_Sensitive": {
"description": "",
"findings": {
"V-243207": "true",
"V-243208": "true",
"V-243209": "true",
"V-243210": "true",
"V-243211": "true",
"V-243212": "true",
"V-243213": "true",
"V-243214": "true",
"V-243215": "true"
},
"id": "MAC-2_Sensitive",
"title": "II - Mission Support Sensitive"
},
"MAC-3_Classified": {
"description": "",
"findings": {
"V-243207": "true",
"V-243208": "true",
"V-243209": "true",
"V-243210": "true",
"V-243211": "true",
"V-243212": "true",
"V-243213": "true",
"V-243214": "true",
"V-243215": "true"
},
"id": "MAC-3_Classified",
"title": "III - Administrative Classified"
},
"MAC-3_Public": {
"description": "",
"findings": {
"V-243207": "true",
"V-243208": "true",
"V-243209": "true",
"V-243210": "true",
"V-243211": "true",
"V-243212": "true",
"V-243213": "true",
"V-243214": "true",
"V-243215": "true"
},
"id": "MAC-3_Public",
"title": "III - Administrative Public"
},
"MAC-3_Sensitive": {
"description": "",
"findings": {
"V-243207": "true",
"V-243208": "true",
"V-243209": "true",
"V-243210": "true",
"V-243211": "true",
"V-243212": "true",
"V-243213": "true",
"V-243214": "true",
"V-243215": "true"
},
"id": "MAC-3_Sensitive",
"title": "III - Administrative Sensitive"
}
},
"slug": "network_wlan_ap-ig_platform",
"title": "Network WLAN AP-IG Platform Security Technical Implementation Guide",
"version": "7"
}
}