| Vuln ID | Severity | Rule Title | Discussion |
|---|---|---|---|
| V-30255 | Medium | The WLAN must be WPA2-Enterprise certified. | The Wi-Fi Alliance WPA2-Enterprise certification means the WLAN equipment can support DoD requirements, most notably EAP-TLS and AES-CCMP. If the equipment has not been WPA-Enterprise certified,... |
| V-3503 | Medium | WLAN-capable devices must not use wireless peer-to-peer networks to connect to other devices. | WLANs may be configured into a peer-to-peer (also known as ad hoc) network that permits devices to communicate directly rather than through an access point. It is difficult to ensure required IA... |
| V-3692 | Medium | WLAN must use EAP-TLS. | EAP-TLS provides strong cryptographic mutual authentication and key distribution services not found in other EAP methods, and thus provides significantly more protection against attacks than other... |
| V-3515 | Medium | The WLAN must use AES-CCMP to protect data-in-transit. | AES-CCMP provides all required WLAN security services for data in transit. The other encryption protocol available for IEEE 802.11i compliant robust security networks and WPA2 certified solutions... |
| V-19900 | Medium | The WLAN implementation of EAP-TLS must be FIPS 140-2 validated. | Most known security breaches of cryptography result from improper implementation of the cryptography, not flaws in the cryptographic algorithms themselves. FIPS 140-2 validation provides assurance... |
| V-14202 | Medium | FIPS 140-2 validated encryption modules must be used to encrypt unclassified sensitive data at rest on the wireless device (e.g., laptop, PDA, smartphone). | If a wireless device is lost or stolen without DAR encryption, sensitive DoD data could be compromised. Most known security breaches of cryptography result from improper implementation, not flaws... |
| V-4632 | Medium | Laptops with WLAN interfaces must have the WLAN card radio set to OFF as the default setting. | Laptop computers with wireless interfaces are particularly susceptible to the Windows XP wireless vulnerabilities. If a user has an active wireless interface with security disabled, a hacker could... |
| V-14274 | Medium | All wireless devices must be configured according to applicable operating system STIGs. | Security risks inherent to the particular client operating systems such as Windows and Linux must be mitigated in addition to wireless security risks to achieve multilayered security. |
| V-18630 | Medium | DoD network users authorized to remotely connect to the DoD network via a home wireless LAN (WLAN) must use a separate WLAN for DoD computers. | Untrusted, residential WLAN systems or home/personally-owned computer equipment that has malware installed on it can lead to attacks on DoD computers connected to the same network as the... |
| V-30257 | Medium | WLAN EAP-TLS implementation must use CAC authentication to connect to DoD networks. | DoD CAC authentication is strong, two-factor authentication that relies on carefully evaluated cryptographic modules. Implementations of EAP-TLS that are not integrated with DoD CAC could have... |
| V-14002 | Medium | A device’s wired network interfaces (e.g., Ethernet) must be disconnected or otherwise disabled when wireless connections are in use. | If a client device supports simultaneous use of wireless and wired connections, then this increases the probability that an adversary who can access the device using its wireless interface can... |
| V-18748 | Medium | DoD network users authorized to remotely connect to the DoD network from a residential WLAN must ensure that the access point uses Network Address Translation (NAT). | An access point routes traffic between a WLAN and a distribution network, typically the Internet for residential WLANs. NAT prevents computers on the distribution network from directly addressing... |
| V-18631 | Medium | DoD network users authorized to remotely connect to a DoD network from a residential WLAN must do so using an access point that is WPA2 certified. | The Wi-Fi Alliance WPA2 certification means that the WLAN equipment can support DoD requirements, most notably AES-CCMP. If the equipment has not been WPA Enterprise certified, then the equipment... |
| V-30358 | Medium | DoD network users authorized to remotely connect to a DoD network from a residential WLAN must configure the access point with a strong pre-shared key (PSK) passcode. | If the passcode is weak, then an adversary is more likely to crack it. Once an adversary obtains the passcode, the adversary can use it to gain access to the WLAN and potentially... |
| V-19894 | Medium | The WLAN implementation of AES-CCMP must be FIPS 140-2 validated. | Most known security breaches of cryptography result from improper implementation of the cryptography, not flaws in the cryptographic algorithms themselves. FIPS 140-2 validation provides assurance... |
| V-18747 | Low | DoD network users authorized to remotely connect to the DoD network from a residential WLAN must change the default SSID to an SSID that does not reveal the WLAN is used to transmit DoD data. | WLANs that can be identified as carrying DoD traffic by the SSID will be targeted for attack by hackers more readily than other WLANs. Similarly, the use of manufacturer default SSIDs can provide... |
| V-14004 | Low | WLAN equipment obtained through acquisition programs must be JITC interoperability certified. | Interoperability certification assures that warfighters can communicate effectively in joint, combined, coalition, and interagency environments. There is some degree of risk that systems without... |
| V-7072 | Low | WLAN clients must not be configured to connect to other WLAN devices without the user initiating a request to establish such a connection. | Many WLAN clients have the capability to automatically connect to particular WLANs when they are available. This behavior means the user may not know to which WLAN they are connected or even be... |
| V-19895 | Low | The Information Assurance component of the WLAN system must be NIAP Common Criteria certified for basic or medium robustness for data in transit. | Common Criteria certification provides a high level of assurance that the manufacturer has properly implemented the product’s security functionality. Products that do not have a Common Criteria... |