{
"stig": {
"date": "2022-10-04",
"description": "This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.",
"findings": {
"V-243216": {
"checkid": "C-46491r720101_chk",
"checktext": "Interview the site ISSO. Determine if the scanning by a WIDS is being conducted and if it is continuous or periodic.\n\nIf a continuous scanning WIDS is used, there is no finding. \n\nIf periodic scanning is used, verify the exception to policy is documented and signed by the AO. Verify the exception meets one of the required criteria.\n\nIf periodic scanning is being performed but requirements have not been met, this is a finding.\n\nIf no WIDS scanning is being performed at the site, this is a finding.",
"description": "DoD networks are at risk and DoD data could be compromised if wireless scanning is not conducted to identify unauthorized WLAN clients and access points connected to or attempting to connect to the network.\n\nDoD Components must ensure that a Wireless Intrusion Detection System (WIDS) is implemented that allows for monitoring of WLAN activity and the detection of WLAN-related policy violations on all unclassified and classified DoD wired and wireless LANs. The WIDS must be implemented regardless of whether or not an authorized WLAN has been deployed.\n\nThe WIDS must be capable of monitoring IEEE 802.11 transmissions within all DoD LAN environments and detecting nearby unauthorized WLAN devices.\n\nThe WIDS is not required to monitor non-IEEE 802.11 transmissions.\n\nThe WIDS must continuously scan for and detect authorized and unauthorized WLAN activities 24 hours a day, 7 days a week.\n\nNote: Exceptions to WIDS implementation criteria may be made by the AO for DoD wired and wireless LAN operating environments. This exception allows the AO to implement periodic scanning conducted by designated personnel using handheld scanners during walk-through assessments. Periodic scanning may be conducted as the alternative to the continuous scanning only in special circumstances, where it has been determined on a case-by-case basis that continuous scanning is either infeasible or unwarranted. The AO exception must be documented.\n\nThe \"infeasible\" criteria include the following use case examples:\n- It is not my building - This scenario means that for contractual or other similar reasons, the DoD component is not allowed to install a WIDS.\n- There is no power or space is limited - This scenario means that for space, weight, and power (SWAP) reasons, the addition of continuous scanning capabilities cannot be accomplished because it would exceed SWAP availability. Power would also affect the decision to waive continuous scanning requirements if the entire LAN is only in operation periodically (e.g., the wired/wireless LAN is enabled on a vehicle that is only operating when the vehicle is being used for a specific operation).\n- The exception for \"Minimal Impact WLAN Systems\" that do not provide connectivity to WLAN-enabled PEDs (e.g., backhaul systems), have no available FIPS 140 validated 802.1X EAP-TLS supplicant, support a very small number of users for a specific mission (e.g., 10 or less users), are standalone networks, or are highly specialized WLAN systems that are isolated from the DODIN (e.g., handheld personal digital assistants [PDAs] used as radio-frequency identification [RFID] readers, a network of WLAN-enabled Voice over Internet Protocol [VoIP] phones) allows the AO to waive any of the security requirements in the Instruction. This includes using non-standard/proprietary FIPS-validated encryption, using an alternative FIPS-validated EAP type, and not having a continuous WIDS.\n- The cost of the continuous WIDS capability is more expensive than the total cost of the LAN without a WIDS.\n\nTo meet the \"unwarranted\" exception criteria, the AO must conduct a wireless threat risk assessment whose analysis shows that the threat environment is extremely unlikely to non-existent.",
"fixid": "F-46448r720102_fix",
"fixtext": "Perform required WIDS scanning.",
"iacontrols": null,
"id": "V-243216",
"ruleID": "SV-243216r720103_rule",
"severity": "medium",
"title": "The site must conduct continuous wireless Intrusion Detection System (IDS) scanning.",
"version": "WLAN-NW-000100"
},
"V-243217": {
"checkid": "C-46492r720104_chk",
"checktext": "Review device configuration. \n\n1. Obtain the SSID using a wireless scanner or the AP or WLAN controller management software.\n2. Verify the name is not meaningful (e.g., site name, product name, room number, etc.) and is not set to the manufacturer's default value.\n\nIf the SSID does not meet the requirement listed above, this is a finding.",
"description": "An SSID identifying the unit, site, or purpose of the WLAN or that is set to the manufacturer default may cause an OPSEC vulnerability.",
"fixid": "F-46449r720105_fix",
"fixtext": "Change the SSID to a pseudo random word that does not identify the unit, base, or organization.",
"iacontrols": null,
"id": "V-243217",
"ruleID": "SV-243217r720106_rule",
"severity": "low",
"title": "WLAN SSIDs must be changed from the manufacturer's default to a pseudo random word that does not identify the unit, base, organization, etc.",
"version": "WLAN-NW-000200"
},
"V-243218": {
"checkid": "C-46493r817085_chk",
"checktext": "1. Review the relevant configuration screen of the WLAN controller or access point.\n2. Verify the inactive/idle session timeout setting is set for 30 minutes or less. \n\nIf the inactive/idle session timeout is not set to 30 minutes or less for the entire WLAN, or the WLAN does not have the capability to enable the session timeout feature, this is a finding.",
"description": "A WLAN session that never terminates due to inactivity may allow an opening for an adversary to hijack the session to obtain access to the network.",
"fixid": "F-46450r817086_fix",
"fixtext": "Set the WLAN inactive/idle session timeout to 30 minutes or less.",
"iacontrols": null,
"id": "V-243218",
"ruleID": "SV-243218r817087_rule",
"severity": "medium",
"title": "The WLAN inactive/idle session timeout must be set for 30 minutes or less.",
"version": "WLAN-NW-000300"
},
"V-243219": {
"checkid": "C-46494r720110_chk",
"checktext": "Review the WLAN equipment specification and verify it is Wi-Fi Alliance certified with either the older WPA2 certification or the newer WPA3 certification. WPA3 is preferred but not required at this time.\n\nIf the WLAN equipment is not Wi-Fi Alliance certified with WPA2 or WPA3, this is a finding.",
"description": "Wi-Fi Alliance certification ensures compliance with DoD interoperability requirements between various WLAN products.",
"fixid": "F-46451r720111_fix",
"fixtext": "Use WLAN equipment that is Wi-Fi Alliance certified with WPA2 or WPA3.",
"iacontrols": null,
"id": "V-243219",
"ruleID": "SV-243219r720112_rule",
"severity": "medium",
"title": "WLAN components must be Wi-Fi Alliance certified with WPA2 or WPA3.",
"version": "WLAN-NW-000400"
},
"V-243220": {
"checkid": "C-46495r720113_chk",
"checktext": "Note: If the equipment is WPA2/WPA3 certified by the Wi-Fi Alliance, it is capable of supporting this requirement.\n\nReview the WLAN equipment configuration to verify that EAP-TLS is actively used and no other methods are enabled.\n\nIf EAP-TLS is not used or if the WLAN system allows users to connect with other methods, this is a finding.",
"description": "EAP-TLS provides strong cryptographic mutual authentication and key distribution services not found in other EAP methods, and thus provides significantly more protection against attacks than other methods. \n\nAdditionally, EAP-TLS supports two-factor user authentication on the WLAN client, which provides significantly more protection than methods that rely on a password or certificate alone. EAP-TLS also can leverage the DoD Common Access Card (CAC) in its authentication services, providing additional security and convenience.",
"fixid": "F-46452r720114_fix",
"fixtext": "Change the WLAN configuration so it supports EAP-TLS, implementing supporting PKI and AAA infrastructure as necessary. If the WLAN equipment is not capable of supporting EAP-TLS, procure new equipment capable of such support.",
"iacontrols": null,
"id": "V-243220",
"ruleID": "SV-243220r720115_rule",
"severity": "medium",
"title": "WLAN must use EAP-TLS.",
"version": "WLAN-NW-000500"
},
"V-243221": {
"checkid": "C-46496r720116_chk",
"checktext": "Review the WLAN equipment specification and verify it is FIPS 140-2/3 (CMVP) certified for data in transit, including authentication credentials.\n\nIf the WLAN equipment is not FIPS 140-2/3 (CMVP) certified, this is a finding.",
"description": "If the DoD WLAN components (WLAN AP, controller, or client) are not NIST FIPS 140-2/FIPS 140-3 (Cryptographic Module Validation Program, CMVP) certified, the WLAN system may not adequately protect sensitive unclassified DoD data from compromise during transmission.",
"fixid": "F-46453r720117_fix",
"fixtext": "Use WLAN equipment that is FIPS 140-2/3 (CMVP) certified.",
"iacontrols": null,
"id": "V-243221",
"ruleID": "SV-243221r720118_rule",
"severity": "medium",
"title": "WLAN components must be FIPS 140-2 or FIPS 140-3 certified.",
"version": "WLAN-NW-000600"
},
"V-243222": {
"checkid": "C-46497r720119_chk",
"checktext": "Interview the site ISSO and SA. Determine if the site's network is configured to require certificate-based PKI authentication before a WLAN user is connected to the network. \n\nIf certificate-based PKI authentication is not required prior to a DoD WLAN user accessing the DoD network, this is a finding.\n\nNote: This check does not apply to medical devices. Medical devices are permitted to connect to the WLAN using pre-shared keys.",
"description": "DoD certificate-based PKI authentication is strong, two-factor authentication that relies on carefully evaluated cryptographic modules. Implementations of EAP-TLS that are not integrated with certificate-based PKI could have security vulnerabilities. \n\nFor example, an implementation that uses a client certificate on a laptop without a second factor could enable an adversary with access to the laptop to connect to the WLAN without a PIN or password. Systems that do not use the certificate-based PKI are also much more likely to be vulnerable to weaknesses in the underlying public key infrastructure (PKI) that supports EAP-TLS.\n\nCertificate-based PKI authentication must be used to connect WLAN client devices to DoD networks. The certificate-based PKI authentication should directly support the WLAN EAP-TLS implementation. \n\nAt least one layer of user authentication must enforce network authentication requirements (e.g., CAC authentication) before the user is able to access DoD information resources.",
"fixid": "F-46454r720120_fix",
"fixtext": "Integrate certificate-based PKI authentication into the WLAN authentication process.",
"iacontrols": null,
"id": "V-243222",
"ruleID": "SV-243222r720121_rule",
"severity": "medium",
"title": "WLAN EAP-TLS implementation must use certificate-based PKI authentication to connect to DoD networks.",
"version": "WLAN-NW-000700"
},
"V-243223": {
"checkid": "C-46498r720122_chk",
"checktext": "Review documentation and inspect access point locations.\n\n1. Review documentation showing signal strength analysis from site survey activities, if available.\n2. Use testing equipment or WLAN clients to determine if the signal strength is, in the reviewer's judgment, excessively outside the required area (e.g., strong signal in the parking area, public areas, or uncontrolled spaces).\n3. Lower-end access points will not have this setting available. In this case, verify the access points are located away from exterior walls to achieve compliance with this requirement.\n\nIf any of the following is found, this is a finding:\n- Visual inspection of equipment shows obvious improper placement of access points where they will emanate into uncontrolled spaces (e.g., next to external walls, windows, or doors; uncontrolled areas; or public areas).\n- Building walk-through testing shows signals of sufficient quality and strength to allow wireless access to exist in areas not authorized for WLAN access.",
"description": "Most commercially available WLAN equipment is preconfigured for signal power appropriate to most applications of the WLAN equipment. In some cases, this may permit the signals to be received outside the physical areas for which they are intended. This can occur when the intended area is relatively small, such as a conference room, or when the access point is placed near a window or wall, thereby allowing signals to be received in neighboring areas. \n\nIn such cases, an adversary may be able to compromise the site's posture by measuring the presence of the signal and the quantity of data transmitted to obtain information about when personnel are active and what they are doing. If the signal is not appropriately protected through defense-in-depth mechanisms, the adversary could possibly use the connection to access DoD networks and sensitive information.",
"fixid": "F-46455r720123_fix",
"fixtext": "Move access points to areas in which signals do not emanate in a way that makes them usable outside the areas authorized for WLAN access.\n\nAlternatively, replace omni-directional antennae with directional antennae if this will solve the problem.\n\nIf these solutions are not effective, adjust the transmission power settings on the access point to reduce the usability of signals in unauthorized areas.\n\nIf the WLAN equipment does not allow the transmission power to be adjusted, and the access points are placed in a location where the ISSO determines there is significant risk that an adversary could be present where signals may be intercepted, the site should procure WLAN equipment that permits power adjustment.",
"iacontrols": null,
"id": "V-243223",
"ruleID": "SV-243223r720124_rule",
"severity": "low",
"title": "WLAN signals must not be intercepted outside areas authorized for WLAN access.",
"version": "WLAN-NW-000800"
},
"V-243224": {
"checkid": "C-46499r720125_chk",
"checktext": "Review network architecture with the network administrator.\n\n1. Verify compliance by inspecting the site network topology diagrams.\n2. Since many network diagrams are not kept up to date, walk through the connections with the network administrator using network management tools or diagnostic commands to verify the diagrams are current.\n\nIf the site's wireless infrastructure, such as access points and bridges, is not isolated from the enclave network, this is a finding.",
"description": "If an adversary is able to compromise an access point or controller that is directly connected to an enclave network, the adversary can easily surveil and attack other devices from that beachhead. A defense-in-depth approach requires an additional layer of protection between the WLAN and the enclave network. This is particularly important for wireless networks, which may be vulnerable to attack from outside the physical perimeter of the facility or base given the inherent nature of radio communications to penetrate walls, fences, and other physical boundaries.\n\nWireless access points and bridges must not be directly connected to the enclave network. A network device must separate wireless access from other elements of the enclave network. Sites must also comply with the Network Infrastructure STIG configuration requirements for DMZ, VLAN, and VPN configurations, as applicable.\n\nExamples of acceptable architectures include placing access points or controllers in a screened subnet (e.g., DMZ separating intranet and wireless network) or dedicated virtual LAN (VLAN) with ACLs.",
"fixid": "F-46456r720126_fix",
"fixtext": "Remove wireless network devices with direct connections to an enclave network. If feasible, reconfigure network connections to isolate the WLAN infrastructure from the enclave network, separating them with a firewall or equivalent protection.",
"iacontrols": null,
"id": "V-243224",
"ruleID": "SV-243224r720127_rule",
"severity": "medium",
"title": "Wireless access points and bridges must be placed in dedicated subnets outside the enclave's perimeter.",
"version": "WLAN-NW-001100"
},
"V-243225": {
"checkid": "C-46500r720128_chk",
"checktext": "Review the device configuration to determine if the OOB management interface is assigned an appropriate IP address from the authorized OOB management network.\n\nIf an IP address assigned to the interface is not from an authorized OOB management network, this is a finding.",
"description": "The OOBM access switch will connect to the management interface of the managed network elements. The management interface can be a true OOBM interface or a standard interface functioning as the management interface. In either case, the management interface of the managed network element will be directly connected to the OOBM network. (See SRG-NET-000205-RTR-000012.)\n\nNetwork boundaries, also known as managed interfaces, include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis, and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs). Methods used for prohibiting interfaces within organizational information systems include, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses.",
"fixid": "F-46457r720129_fix",
"fixtext": "Configure the network device so that only management traffic that ingresses and egresses the OOBM interface is permitted.",
"iacontrols": null,
"id": "V-243225",
"ruleID": "SV-243225r720130_rule",
"severity": "medium",
"title": "The network device must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface.",
"version": "WLAN-NW-001200"
},
"V-243226": {
"checkid": "C-46501r720131_chk",
"checktext": "Review the device configuration to determine if the call home service or feature is disabled on the device. \n\nIf the call home service is enabled on the device, this is a finding.\n\nNote: This feature can be enabled if the communication is only to a server residing in the local area network or enclave.",
"description": "Call-home services will routinely send data such as configuration and diagnostic information to the vendor for routine or emergency analysis and troubleshooting. There is a risk that transmission of sensitive data sent to unauthorized persons could result in data loss or downtime due to an attack. (See SRG-NET-000131-RTR-000083.)",
"fixid": "F-46458r720132_fix",
"fixtext": "Configure the network device to disable the call home service or feature.\n\nNote: This feature can be enabled if the communication is only to a server residing in the local area network or enclave.",
"iacontrols": null,
"id": "V-243226",
"ruleID": "SV-243226r720133_rule",
"severity": "medium",
"title": "The network device must not be configured to have any feature enabled that calls home to the vendor.",
"version": "WLAN-NW-001300"
}
},
"profiles": {
"MAC-1_Classified": {
"description": "",
"findings": {
"V-243216": "true",
"V-243217": "true",
"V-243218": "true",
"V-243219": "true",
"V-243220": "true",
"V-243221": "true",
"V-243222": "true",
"V-243223": "true",
"V-243224": "true",
"V-243225": "true",
"V-243226": "true"
},
"id": "MAC-1_Classified",
"title": "I - Mission Critical Classified"
},
"MAC-1_Public": {
"description": "",
"findings": {
"V-243216": "true",
"V-243217": "true",
"V-243218": "true",
"V-243219": "true",
"V-243220": "true",
"V-243221": "true",
"V-243222": "true",
"V-243223": "true",
"V-243224": "true",
"V-243225": "true",
"V-243226": "true"
},
"id": "MAC-1_Public",
"title": "I - Mission Critical Public"
},
"MAC-1_Sensitive": {
"description": "",
"findings": {
"V-243216": "true",
"V-243217": "true",
"V-243218": "true",
"V-243219": "true",
"V-243220": "true",
"V-243221": "true",
"V-243222": "true",
"V-243223": "true",
"V-243224": "true",
"V-243225": "true",
"V-243226": "true"
},
"id": "MAC-1_Sensitive",
"title": "I - Mission Critical Sensitive"
},
"MAC-2_Classified": {
"description": "",
"findings": {
"V-243216": "true",
"V-243217": "true",
"V-243218": "true",
"V-243219": "true",
"V-243220": "true",
"V-243221": "true",
"V-243222": "true",
"V-243223": "true",
"V-243224": "true",
"V-243225": "true",
"V-243226": "true"
},
"id": "MAC-2_Classified",
"title": "II - Mission Support Classified"
},
"MAC-2_Public": {
"description": "",
"findings": {
"V-243216": "true",
"V-243217": "true",
"V-243218": "true",
"V-243219": "true",
"V-243220": "true",
"V-243221": "true",
"V-243222": "true",
"V-243223": "true",
"V-243224": "true",
"V-243225": "true",
"V-243226": "true"
},
"id": "MAC-2_Public",
"title": "II - Mission Support Public"
},
"MAC-2_Sensitive": {
"description": "",
"findings": {
"V-243216": "true",
"V-243217": "true",
"V-243218": "true",
"V-243219": "true",
"V-243220": "true",
"V-243221": "true",
"V-243222": "true",
"V-243223": "true",
"V-243224": "true",
"V-243225": "true",
"V-243226": "true"
},
"id": "MAC-2_Sensitive",
"title": "II - Mission Support Sensitive"
},
"MAC-3_Classified": {
"description": "",
"findings": {
"V-243216": "true",
"V-243217": "true",
"V-243218": "true",
"V-243219": "true",
"V-243220": "true",
"V-243221": "true",
"V-243222": "true",
"V-243223": "true",
"V-243224": "true",
"V-243225": "true",
"V-243226": "true"
},
"id": "MAC-3_Classified",
"title": "III - Administrative Classified"
},
"MAC-3_Public": {
"description": "",
"findings": {
"V-243216": "true",
"V-243217": "true",
"V-243218": "true",
"V-243219": "true",
"V-243220": "true",
"V-243221": "true",
"V-243222": "true",
"V-243223": "true",
"V-243224": "true",
"V-243225": "true",
"V-243226": "true"
},
"id": "MAC-3_Public",
"title": "III - Administrative Public"
},
"MAC-3_Sensitive": {
"description": "",
"findings": {
"V-243216": "true",
"V-243217": "true",
"V-243218": "true",
"V-243219": "true",
"V-243220": "true",
"V-243221": "true",
"V-243222": "true",
"V-243223": "true",
"V-243224": "true",
"V-243225": "true",
"V-243226": "true"
},
"id": "MAC-3_Sensitive",
"title": "III - Administrative Sensitive"
}
},
"slug": "network_wlan_ap-nipr_platform",
"title": "Network WLAN AP-NIPR Platform Security Technical Implementation Guide",
"version": "7"
}
}