V-3512 | High | NSA Type 1 products and required procedures must be used to protect classified data at rest (DAR) on wireless devices used on a classified WLAN or WMAN. | NSA Type 1 products provide a high level of assurance that cryptography is implemented correctly and meets the standards for storage of classified information. Use of cryptography that is not... |
V-3503 | Medium | WLAN-capable devices must not use wireless peer-to-peer networks to connect to other devices. | WLANs may be configured into a peer-to-peer (also known as ad hoc) network that permits devices to communicate directly rather than through an access point. It is difficult to ensure required IA... |
V-3692 | Medium | WLAN must use EAP-TLS. | EAP-TLS provides strong cryptographic mutual authentication and key distribution services not found in other EAP methods, and thus provides significantly more protection against attacks than other... |
V-14202 | Medium | FIPS 140-2 validated encryption modules must be used to encrypt unclassified sensitive data at rest on the wireless device (e.g., laptop, PDA, smartphone). | If a wireless device is lost or stolen without DAR encryption, sensitive DoD data could be compromised. Most known security breaches of cryptography result from improper implementation, not flaws... |
V-3515 | Medium | The WLAN must use AES-CCMP to protect data-in-transit. | AES-CCMP provides all required WLAN security services for data in transit. The other encryption protocol available for IEEE 802.11i compliant robust security networks and WPA2 certified solutions... |
V-30257 | Medium | WLAN EAP-TLS implementation must use certificate-based PKI authentication to connect to DoD networks. | DoD certificate-based PKI authentication is strong, two-factor authentication that relies on carefully evaluated cryptographic modules. Implementations of EAP-TLS that are not integrated with... |
V-14002 | Medium | A device’s wired network interfaces (e.g., Ethernet) must be disconnected or otherwise disabled when wireless connections are in use. | If a client device supports simultaneous use of wireless and wired connections, then this increases the probability that an adversary who can access the device using its wireless interface can... |
V-4632 | Medium | Laptops with WLAN interfaces must have the WLAN card radio set to OFF as the default setting. | Laptop computers with wireless interfaces are particularly susceptible to the Windows XP wireless vulnerabilities. If a user has an active wireless interface with security disabled, a hacker could... |
V-7072 | Low | WLAN clients must not be configured to connect to other WLAN devices without the user initiating a request to establish such a connection. | Many WLAN clients have the capability to automatically connect to particular WLANs when they are available. This behavior means the user may not know to which WLAN they are connected or even be... |