Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-3515 | WIR0125-01 | SV-3515r2_rule | ECSC-1 ECWN-1 | Medium |
Description |
---|
AES-CCMP provides all required WLAN security services for data in transit. The other encryption protocol available for IEEE 802.11i compliant robust security networks and WPA2 certified solutions is the Temporal Key Integrity Protocol (TKIP). TKIP relies on the RC4 cipher, which has known vulnerabilities. Some WLANs also rely on Wireless Equivalent Privacy (WEP), which also uses RC4, and is easily cracked in minutes on active WLANs. Use of protocols other than AES-CCMP places DoD WLANs at greater risk of security breaches than other available approaches. |
STIG | Date |
---|---|
WLAN Access Point (Enclave-NIPRNet Connected) Security Technical Implementation Guide (STIG) | 2016-01-07 |
Check Text ( C-22364r1_chk ) |
---|
Detailed Policy requirements: Encryption requirements for data in transit: - The WLAN infrastructure (e.g., access point, bridge, or WLAN controller) and WLAN client device must be configured to use the AES-CCMP encryption protocol. Check procedures: - Interview IAO and review WLAN system documentation. - Determine if the WLAN network and client components encryption setting has been configured to use the AES-CCMP encryption protocol and no others. - Mark as a finding if the WLAN is configured to support any encryption protocol other than AES-CCMP, even if AES-CCMP is one of several supported options. |
Fix Text (F-3446r1_fix) |
---|
Implement AES-CCMP to protect data in transit. Deactivate encryption protocols other than AES-CCMP. |