| V-30255 | Medium | The WLAN must be WPA2-Enterprise certified. | The Wi-Fi Alliance WPA2-Enterprise certification means the WLAN equipment can support DoD requirements, most notably EAP-TLS and AES-CCMP. If the equipment has not been WPA-Enterprise certified,... |
| V-3503 | Medium | WLAN-capable devices must not use wireless peer-to-peer networks to connect to other devices. | WLANs may be configured into a peer-to-peer (also known as ad hoc) network that permits devices to communicate directly rather than through an access point. It is difficult to ensure required IA... |
| V-3692 | Medium | WLAN must use EAP-TLS. | EAP-TLS provides strong cryptographic mutual authentication and key distribution services not found in other EAP methods, and thus provides significantly more protection against attacks than other... |
| V-14202 | Medium | FIPS 140-2 validated encryption modules must be used to encrypt unclassified sensitive data at rest on the wireless device (e.g., laptop, PDA, smartphone). | If a wireless device is lost or stolen without DAR encryption, sensitive DoD data could be compromised. Most known security breaches of cryptography result from improper implementation, not flaws... |
| V-19900 | Medium | The WLAN implementation of EAP-TLS must be FIPS 140-2 validated. | Most known security breaches of cryptography result from improper implementation of the cryptography, not flaws in the cryptographic algorithms themselves. FIPS 140-2 validation provides assurance... |
| V-3515 | Medium | The WLAN must use AES-CCMP to protect data-in-transit. | AES-CCMP provides all required WLAN security services for data in transit. The other encryption protocol available for IEEE 802.11i compliant robust security networks and WPA2 certified solutions... |
| V-30257 | Medium | WLAN EAP-TLS implementation must use certificate-based PKI authentication to connect to DoD networks. | DoD certificate-based PKI authentication is strong, two-factor authentication that relies on carefully evaluated cryptographic modules. Implementations of EAP-TLS that are not integrated with... |
| V-14002 | Medium | A device’s wired network interfaces (e.g., Ethernet) must be disconnected or otherwise disabled when wireless connections are in use. | If a client device supports simultaneous use of wireless and wired connections, then this increases the probability that an adversary who can access the device using its wireless interface can... |
| V-4632 | Medium | Laptops with WLAN interfaces must have the WLAN card radio set to OFF as the default setting. | Laptop computers with wireless interfaces particularly susceptible to the Windows XP wireless vulnerabilities. If a user has an active wireless interface with security disabled, a hacker could... |
| V-19894 | Medium | The WLAN implementation of AES-CCMP must be FIPS 140-2 validated. | Most known security breaches of cryptography result from improper implementation of the cryptography, not flaws in the cryptographic algorithms themselves. FIPS 140-2 validation provides assurance... |
| V-14004 | Low | WLAN equipment obtained through acquisition programs must be JITC interoperability certified. | Interoperability certification assures that warfighters can communicate effectively in joint, combined, coalition, and interagency environments. There is some degree of risk that systems without... |
| V-7072 | Low | WLAN clients must not be configured to connect to other WLAN devices without the user initiating a request to establish such a connection. | Many WLAN clients have the capability to automatically connect to particular WLANs when they are available. This behavior means the user may not know to which WLAN they are connected or even be... |
