| V-243238 | Medium | The network device must not be configured to have any feature enabled that calls home to the vendor. | Call-home services will routinely send data such as configuration and diagnostic information to the vendor for routine or emergency analysis and troubleshooting. There is a risk that transmission... |
| V-243237 | Medium | The network device must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface. | The OOBM access switch will connect to the management interface of the managed network elements. The management interface can be a true OOBM interface or a standard interface functioning as the... |
| V-243236 | Medium | WLAN EAP-TLS implementation must use certificate-based PKI authentication to connect to DoD networks. | DoD certificate-based PKI authentication is strong, two-factor authentication that relies on carefully evaluated cryptographic modules. Implementations of EAP-TLS that are not integrated with... |
| V-243235 | Medium | WLAN components must be FIPS 140-2 or FIPS 140-3 certified. | If the DoD WLAN components (WLAN AP, controller, or client) are not NIST FIPS 140-2/FIPS 140-3 (Cryptographic Module Validation Program, CMVP) certified, the WLAN system may not adequately protect... |
| V-243234 | Medium | WLAN must use EAP-TLS. | EAP-TLS provides strong cryptographic mutual authentication and key distribution services not found in other EAP methods, and thus provides significantly more protection against attacks than other... |
| V-243233 | Medium | The WLAN inactive/idle session timeout must be set for 30 minutes or less. | A WLAN session that never terminates due to inactivity may allow an opening for an adversary to highjack the session to obtain access to the network. |
