
The WLAN must use AES-CCMP to protect data-in-transit.


Overview

Finding ID: V-3515
Version: WIR0125-01
Rule ID: SV-3515r2_rule
IA Controls: ECSC-1, ECWN-1
Severity: Medium
Description
AES-CCMP provides all required WLAN security services for data in transit. The other encryption protocol available for IEEE 802.11i compliant robust security networks and WPA2 certified solutions is the Temporal Key Integrity Protocol (TKIP). TKIP relies on the RC4 cipher, which has known vulnerabilities. Some WLANs also rely on Wireless Equivalent Privacy (WEP), which also uses RC4 and is easily cracked in minutes on active WLANs. Use of protocols other than AES-CCMP places DoD WLANs at greater risk of security breaches than other available approaches.
STIG: WLAN Client Security Technical Implementation Guide (STIG)
Date: 2014-08-26

Details

Check Text (C-22364r1_chk)
Detailed Policy requirements:

Encryption requirements for data in transit:
- The WLAN infrastructure (e.g., access point, bridge, or WLAN controller) and WLAN client device must be configured to use the AES-CCMP encryption protocol.

Check procedures:
- Interview IAO and review WLAN system documentation.
- Determine whether the encryption setting of the WLAN network and client components has been configured to use the AES-CCMP encryption protocol and no other.
- Mark as a finding if the WLAN is configured to support any encryption protocol other than AES-CCMP, even if AES-CCMP is one of several supported options.
Fix Text (F-3446r1_fix)
Implement AES-CCMP to protect data in transit. Deactivate encryption protocols other than AES-CCMP.
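As an added example (not part of the STIG and not DISA tooling), the following Python script applies the check procedure and the fix text above to a Linux WLAN client's wpa_supplicant.conf: it parses each network={...} block and marks a finding whenever the pairwise or group cipher set admits anything besides CCMP, including the case where those keys are absent and wpa_supplicant's documented defaults (CCMP TKIP for pairwise, CCMP TKIP WEP104 WEP40 for group) apply, and whenever a block has WEP keys or no RSN key management at all. The sample configuration is constructed for illustration; the assumption the script rests on is the wpa_supplicant.conf(5) syntax and those default cipher lists.

```python
"""Check wpa_supplicant.conf network blocks against the AES-CCMP-only rule.

Added example; not part of the STIG. Assumes wpa_supplicant.conf(5) syntax:
  network={
      key=value
      ...
  }
"""
import re

# wpa_supplicant's documented defaults when the key is absent (assumption from
# wpa_supplicant.conf(5)). Both admit non-CCMP ciphers, so an omitted key is a
# finding under the rule, not a pass.
DEFAULT_PAIRWISE = "CCMP TKIP"
DEFAULT_GROUP = "CCMP TKIP WEP104 WEP40"
DEFAULT_KEY_MGMT = "WPA-PSK WPA-EAP"

_BLOCK_RE = re.compile(r"network\s*=\s*\{(.*?)\}", re.DOTALL)

# Constructed sample: one compliant block and three that the check marks.
SAMPLE_CONF = """
network={
    ssid="corp-wlan"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    group=CCMP
}
network={
    ssid="legacy-mixed"
    proto=WPA RSN
    key_mgmt=WPA-PSK
    pairwise=CCMP TKIP
    group=TKIP
    psk="placeholder-passphrase"
}
network={
    ssid="old-wep"
    key_mgmt=NONE
    wep_key0=0123456789
    wep_tx_keyidx=0
}
network={
    ssid="defaults-only"
    key_mgmt=WPA-PSK
    psk="placeholder-passphrase"
}
"""

# Constructed result of applying the fix text to "legacy-mixed": deactivate
# every protocol other than AES-CCMP by naming CCMP alone.
FIXED_LEGACY_CONF = """
network={
    ssid="legacy-mixed"
    proto=RSN
    key_mgmt=WPA-PSK
    pairwise=CCMP
    group=CCMP
    psk="placeholder-passphrase"
}
"""


def parse_networks(conf_text):
    """Return one dict (key -> value) per network={...} block, in file order."""
    networks = []
    for body in _BLOCK_RE.findall(conf_text):
        entry = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()  # drop trailing comments
            if "=" not in line:
                continue
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip().strip('"')
        networks.append(entry)
    return networks


def evaluate_network(entry):
    """Return the findings for one block; an empty list means AES-CCMP only."""
    findings = []
    key_mgmt = entry.get("key_mgmt", DEFAULT_KEY_MGMT).upper().split()
    # Open or WEP networks have no RSN cipher negotiation to inspect.
    if "NONE" in key_mgmt or any(k.startswith("wep_key") for k in entry):
        findings.append("no RSN key management: open or WEP (RC4) network")
        return findings
    for key, default in (("pairwise", DEFAULT_PAIRWISE), ("group", DEFAULT_GROUP)):
        ciphers = set(entry.get(key, default).upper().split())
        extra = sorted(ciphers - {"CCMP"})
        if extra:  # any cipher besides CCMP is a finding, even alongside CCMP
            source = "explicit" if key in entry else "implicit default"
            findings.append(f"{key} cipher set permits {', '.join(extra)} ({source})")
    return findings


def check_conf(conf_text):
    """Map each SSID to its list of findings."""
    return {e.get("ssid", "<no ssid>"): evaluate_network(e)
            for e in parse_networks(conf_text)}


def is_compliant(conf_text):
    """True only if every network block is restricted to AES-CCMP."""
    return all(not f for f in check_conf(conf_text).values())


if __name__ == "__main__":
    for ssid, findings in check_conf(SAMPLE_CONF).items():
        status = "PASS" if not findings else "FINDING"
        print(f"{status:8} {ssid}")
        for f in findings:
            print(f"         - {f}")
    print("fixed legacy-mixed compliant:", is_compliant(FIXED_LEGACY_CONF))
```

The script reports per SSID rather than a single verdict so that an assessor can record which block caused the finding; the "implicit default" tag distinguishes a profile that names TKIP from one that merely never restricted the cipher set, since the fix differs (remove a cipher versus add a missing line).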