
WLAN access points and supporting authentication servers used for Internet-only connections must reside in a dedicated subnet off of the perimeter firewall.


Overview

Finding ID: V-25319
Version: WIR0123
Rule ID: SV-31432r2_rule
IA Controls: ECWN-1
Severity: Medium
Description
If the access point or its supporting authentication server is placed in front of the perimeter firewall, then it has no firewall protection against an attack. If the access point or its supporting authentication server is placed behind the perimeter firewall (on the internal network), then any breach of these devices could lead to attacks on other DoD information systems.
STIG: WLAN Access Point (Internet Gateway Only Connection) Security Technical Implementation Guide
Date: 2011-10-07

Details

Check Text (C-31754r2_chk)
Have the SA show how the access point and authentication server (if used) are physically connected to the firewall or supporting switch and how they are logically connected through firewall or switch configuration settings. Verify the equipment is connected to a subnet off of the perimeter firewall and that the subnet contains only devices that support wireless connectivity to the Internet (WLAN Access Point, WLAN Authentication Server, etc.).

Mark as a finding if:
- Any WLAN infrastructure device supporting Internet-only access is located somewhere other than a dedicated subnet off the perimeter firewall;
- Any device not supporting the Internet-only WLAN resides in the subnet dedicated to the Internet-only WLAN.
Fix Text (F-28238r2_fix)
Reconfigure physical and logical connections as needed so the Internet-only WLAN infrastructure resides in a dedicated subnet off the perimeter firewall.
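
The two "mark as a finding" conditions from the check text can be applied to an address inventory as follows. This is an added example, not part of the STIG; the inventory field names, host names and addresses are constructed assumptions, and it covers only logical addressing, not the physical connection or firewall placement the SA must still demonstrate.

```python
import ipaddress


def wlan_subnet_findings(inventory, dedicated_subnet):
    """Apply the two finding conditions to an address inventory.

    inventory: iterable of dicts with 'host', 'ip' and 'internet_only_wlan'
    (True when the device supports the Internet-only WLAN). These field
    names are assumptions made for this example.
    """
    subnet = ipaddress.ip_network(dedicated_subnet)
    findings = []
    for dev in inventory:
        try:
            addr = ipaddress.ip_address(dev["ip"])
        except ValueError:
            # A bad record cannot be placed in or out of the subnet.
            findings.append((dev["host"], "address unparseable; verify manually"))
            continue
        in_subnet = addr in subnet
        if dev["internet_only_wlan"] and not in_subnet:
            # Condition 1: WLAN infrastructure outside the dedicated subnet.
            findings.append((dev["host"], "WLAN device outside dedicated subnet"))
        elif in_subnet and not dev["internet_only_wlan"]:
            # Condition 2: unrelated device inside the dedicated subnet.
            findings.append((dev["host"], "non-WLAN device inside dedicated subnet"))
    return findings


# Constructed sample data (documentation and private address ranges).
SAMPLE_SUBNET = "192.0.2.0/28"
SAMPLE_INVENTORY = [
    {"host": "ap-guest-01", "ip": "192.0.2.10", "internet_only_wlan": True},
    {"host": "radius-guest", "ip": "192.0.2.11", "internet_only_wlan": True},
    {"host": "ap-guest-02", "ip": "10.20.0.5", "internet_only_wlan": True},
    {"host": "print-srv", "ip": "192.0.2.12", "internet_only_wlan": False},
    {"host": "fileserver", "ip": "10.20.0.9", "internet_only_wlan": False},
    {"host": "ap-guest-03", "ip": "192.0.2.300", "internet_only_wlan": True},
]

if __name__ == "__main__":
    for host, reason in wlan_subnet_findings(SAMPLE_INVENTORY, SAMPLE_SUBNET):
        print(f"FINDING {host}: {reason}")
```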