WLAN Access Point (Enclave-NIPRNet Connected) Security Technical Implementation Guide (STIG)



Findings (MAC I - Mission Critical Sensitive)

Finding ID Severity Title
V-4582 High The network device must require authentication for console access.
V-3056 High Group accounts must not be configured for use on the network device.
V-15434 High The emergency administration account must be set to an appropriate authorization level to perform necessary administrative functions when the authentication server is not online.
V-3012 High Network devices must be password protected.
V-3210 High The network device must not use the default or well-known SNMP community strings public and private.
V-3143 High Network devices must not have any default manufacturer passwords.
V-3175 High The network device must require authentication prior to establishing a management connection for administrative access.
V-3196 High The network device must use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography for any SNMP agent configured on the device.
V-3069 Medium Management connections to a network device must be established using secure protocols with FIPS 140-2 validated cryptographic modules.
V-14671 Medium Network devices must authenticate all NTP messages received from NTP servers and peers.
V-14717 Medium The network device must not allow SSH Version 1 to be used for administrative access.
V-30257 Medium WLAN EAP-TLS implementation must use certificate-based PKI authentication to connect to DoD networks.
V-3057 Medium Authorized accounts must be assigned the least privilege level necessary to perform assigned duties.
V-3160 Medium Network devices must be running a current and supported operating system with all IAVMs addressed.
V-15432 Medium Network devices must use two or more authentication servers for the purpose of granting administrative access.
V-3013 Medium Network devices must display the DoD-approved logon banner warning.
V-3014 Medium Network devices must time out management connections for administrative access after 10 minutes or less of inactivity.
V-14886 Medium Wireless access points and bridges must be placed in dedicated subnets outside the enclave’s perimeter.
V-3969 Medium Network devices must only allow SNMP read-only access.
V-28784 Medium A service or feature that calls home to the vendor must be disabled.
V-5611 Medium The network devices must only allow management connections for administrative access from hosts residing in the management network.
V-3967 Medium Network devices must time out access to the console port after 10 minutes or less of inactivity.
V-3966 Medium In the event the authentication server is unavailable, the network device must have a single local account of last resort defined.
V-17821 Medium The network device's OOBM interface must be configured with an OOBM network address.
V-17822 Medium The network device's management interface must be configured with both an ingress and an egress ACL.
V-14888 Medium The WLAN inactive session timeout must be set for 30 minutes or less.
V-3692 Medium WLAN must use EAP-TLS.
V-3515 Medium The WLAN must use AES-CCMP to protect data-in-transit.
V-5613 Medium The network device must be configured for a maximum number of unsuccessful SSH logon attempts set at 3 before resetting the interface.
V-5612 Medium Network devices must be configured to time out after 60 seconds or less for incomplete or broken SSH sessions.
V-3058 Medium Unauthorized accounts must not be configured for access to the network device.
V-23747 Low Network devices must use at least two NTP servers to synchronize time.
V-14846 Low WLAN SSIDs must be changed from the manufacturer's default to a pseudo-random word that does not identify the unit, base, organization, etc.
V-14889 Low WLAN signals must not be interceptable outside the areas authorized for WLAN access.
V-3070 Low Network devices must log all attempts to establish a management connection for administrative access.
V-7011 Low The auxiliary port must be disabled unless it is connected to a secured modem providing encryption and authentication.
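Many of the findings above are settings that can be verified directly from a device's running configuration. The following Python script is an added example, not part of the STIG or of the UCF STIG Viewer page: it audits a constructed Cisco IOS / autonomous-AP style running-config for a subset of the findings (SNMP community strings and SNMPv3, SSH version, retries and time-out, NTP authentication and server count, redundant RADIUS servers, logon banner, call-home, AES-CCMP, and the console/VTY exec timeouts) and returns the finding IDs that fail. The sample configs, the hostname, addresses and key strings are all constructed; the command syntax is an assumption for that platform, and the checks are heuristics (for instance, full NTP authentication on IOS also needs `ntp authentication-key` and `ntp trusted-key` lines). Findings such as V-3692 and V-30257 (EAP-TLS) and the FIPS-validation requirements cannot be settled from config text alone, because the EAP method is negotiated between the supplicant and the RADIUS server and the crypto module validation is a property of the firmware build.

```python
"""Heuristic config audit for a subset of the WLAN AP STIG findings above.
Added example, not from the STIG or the UCF STIG Viewer.  Cisco IOS /
autonomous-AP command syntax is assumed; adapt the patterns to your platform."""
import re

# Constructed running-config (not a real device) that fails several checks.
WEAK_CONFIG = """\
hostname ap-lab-01
service call-home
snmp-server community public RO
snmp-server group STIGV3 v3 priv
ip ssh version 2
ip ssh time-out 120
ip ssh authentication-retries 5
ntp authenticate
ntp server 10.1.1.10
ntp server 10.1.1.11 key 1
radius-server host 10.1.2.10 auth-port 1812 key Lab-RADIUS-Key
interface Dot11Radio0
 encryption mode ciphers tkip
line con 0
 exec-timeout 10 0
line vty 0 4
 exec-timeout 30 0
"""

# The same device with each failing item corrected (also constructed).
HARDENED_CONFIG = (
    WEAK_CONFIG
    .replace("service call-home\n", "no service call-home\n")           # V-28784
    .replace("snmp-server community public RO\n", "")                   # V-3210
    .replace("ip ssh time-out 120", "ip ssh time-out 60")               # V-5612
    .replace("authentication-retries 5", "authentication-retries 3")   # V-5613
    .replace("ntp server 10.1.1.10\n", "ntp server 10.1.1.10 key 1\n")  # V-14671
    .replace("key Lab-RADIUS-Key\n", "key Lab-RADIUS-Key\n"
             "radius-server host 10.1.2.11 auth-port 1812 key Lab-RADIUS-Key\n")  # V-15432
    .replace("ciphers tkip", "ciphers aes-ccm")                         # V-3515
    .replace("exec-timeout 30 0", "exec-timeout 10 0")                  # V-3014
    + "banner login ^C<DoD-approved notice and consent text>^C\n"       # V-3013
)


def stanza(config, header):
    """Indented body lines of the first stanza whose header line matches `header`."""
    lines = config.splitlines()
    for i, line in enumerate(lines):
        if re.match(header, line):
            body = []
            for nxt in lines[i + 1:]:
                if not nxt.startswith(" "):
                    break
                body.append(nxt.strip())
            return body
    return []


def exec_timeout_ok(body, limit_min):
    """True only if exec-timeout is explicit and within 1 s..limit; 0 disables it."""
    for line in body:
        m = re.match(r"exec-timeout (\d+)(?: (\d+))?$", line)
        if m:
            secs = int(m.group(1)) * 60 + int(m.group(2) or 0)
            return 0 < secs <= limit_min * 60
    return False  # absent: do not rely on a platform default, flag it


def check_config(config):
    """Return {finding_id: passes} for the checks this script implements."""
    lines = config.splitlines()

    def has(pat):
        return any(re.match(pat, l) for l in lines)

    def first_int(pat):
        for l in lines:
            m = re.match(pat, l)
            if m:
                return int(m.group(1))
        return None

    retries = first_int(r"ip ssh authentication-retries (\d+)")
    ssh_timeout = first_int(r"ip ssh time-out (\d+)")
    ntp_servers = [l for l in lines if l.startswith("ntp server ")]
    aaa_servers = [l for l in lines if re.match(r"(radius|tacacs)-server host ", l)]
    radio = stanza(config, r"interface Dot11Radio")
    return {
        "V-3210": not has(r"snmp-server community (public|private)\b"),
        "V-3196": has(r"snmp-server group \S+ v3 priv\b"),  # authPriv only
        "V-3969": not has(r"snmp-server community \S+ RW\b"),
        "V-14717": has(r"ip ssh version 2$"),
        "V-5613": retries is not None and retries <= 3,
        "V-5612": ssh_timeout is not None and ssh_timeout <= 60,
        "V-14671": has(r"ntp authenticate$") and bool(ntp_servers)
                   and all(" key " in s for s in ntp_servers),
        "V-23747": len(ntp_servers) >= 2,
        "V-15432": len(aaa_servers) >= 2,
        "V-3013": has(r"banner (motd|login|exec) "),
        "V-28784": not has(r"service call-home"),
        "V-3515": any(re.fullmatch(r"encryption (vlan \d+ )?mode ciphers aes-ccm", l)
                      for l in radio),  # AES-CCMP only, no TKIP mix
        "V-3014": exec_timeout_ok(stanza(config, r"line vty "), 10),
        "V-3967": exec_timeout_ok(stanza(config, r"line con "), 10),
    }


def failed_findings(config):
    """Sorted finding IDs whose check fails."""
    return sorted(fid for fid, ok in check_config(config).items() if not ok)


if __name__ == "__main__":
    print("weak:    ", failed_findings(WEAK_CONFIG))
    print("hardened:", failed_findings(HARDENED_CONFIG))
```

Run against the weak sample the script reports nine failures (V-14671, V-15432, V-28784, V-3013, V-3014, V-3210, V-3515, V-5612, V-5613); the hardened variant reports none. An explicit `exec-timeout 0 0` is treated as a failure because it disables the timeout entirely, and an absent exec-timeout is also flagged rather than trusting a platform default.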