UCF STIG Viewer Logo

WLAN Access Point (Enclave-NIPRNet Connected) Security Technical Implementation Guide (STIG)



Findings (MAC I - Mission Critial Public)

Finding ID Severity Title
V-4582 High The network device must require authentication for console access.
V-3056 High Group accounts must not be configured or used for administrative access.
V-3143 High The network element must not have any default manufacturer passwords.
V-3210 High The network element must not use the default or well-known SNMP community strings public and private.
V-3175 High The network device must require authentication prior to establishing a management connection for administrative access.
V-3069 Medium The network element must only allow management connections for administrative access using FIPS 140-2 validated encryption algorithms or protocols.
V-14671 Medium The network element must authenticate all NTP messages received from NTP servers and peers.
V-14717 Medium The network element must not allow SSH Version 1 to be used for administrative access.
V-30255 Medium The WLAN must be WPA2-Enterprise certified.
V-30257 Medium WLAN EAP-TLS implementation must use certificate-based PKI authentication to connect to DoD networks.
V-3057 Medium The network element must have all user accounts assigned to the lowest privilege level that allows each administrator to perform his or her duties.
V-19900 Medium The WLAN implementation of EAP-TLS must be FIPS 140-2 validated.
V-3014 Medium The network element must timeout management connections for administrative access after 10 minutes or less of inactivity.
V-14886 Medium Wireless access points and bridges must be placed in dedicated subnets outside the enclave’s perimeter.
V-28784 Medium A service or feature that calls home to the vendor must be disabled.
V-3967 Medium The network element must time out access to the console port after 10 minutes or less of inactivity.
V-17821 Medium The network element’s OOBM interface must be configured with an OOBM network address.
V-17822 Medium The network elements management interface must be configured with both an ingress and egress ACL.
V-14888 Medium The WLAN inactive session timeout must be set for 30 minutes or less.
V-19894 Medium The WLAN implementation of AES-CCMP must be FIPS 140-2 validated.
V-3692 Medium WLAN must use EAP-TLS.
V-3515 Medium The WLAN must use AES-CCMP to protect data-in-transit.
V-5613 Medium The network element must be configured for a maximum number of unsuccessful SSH login attempts set at 3 before resetting the interface.
V-5612 Medium The network element must be configured to timeout after 60 seconds or less for incomplete or broken SSH sessions.
V-5611 Medium The network element must only allow management connections for administrative access from hosts residing in the management network.
V-14004 Low WLAN equipment obtained through acquisition programs must be JITC interoperability certified.
V-23747 Low The network element must use two or more NTP servers to synchronize time.
V-14846 Low WLAN SSIDs must be changed from the manufacturer’s default to a pseudo random word that does not identify the unit, base, organization, etc.
V-14844 Low The relevant U.S. Forces Command (USFORSCOM) or host nation must approve the use of wireless equipment prior to operation of such equipment outside the United States and Its Possessions (US&P).
V-7011 Low The network element’s auxiliary port must be disabled unless it is connected to a secured modem providing encryption and authentication.
V-3070 Low The network element must log all attempts to establish a management connection for administrative access.
V-14889 Low WLAN signals must not be intercepted outside areas authorized for WLAN access.