{
"stig": {
"date": "2013-03-14",
"description": "This STIG contains the technical security controls for the operation of a WLAN IDS Sensor and Server in the DoD environment.",
"findings": {
"V-14887": {
"checkid": "C-13413r1_chk",
"checktext": "Detailed policy requirements:\n\nDoDD 8100.2 requires ALL DoD networks use a wireless IDS to scan for unauthorized wireless devices.\n\nThe WIDS sensor and server must meet the following requirements:\n\n-For a continuous Wireless IDS (WIDS) scanning system: \n--System is server-based, whereby sensor scanning results are consolidated and evaluated by a WIDS server.\n--The WIDS will scan continuously 24 hours/day, 7 days/week to detect authorized and unauthorized activity. \n--The WIDS will include a location sensing protection scheme for authorized and unauthorized wireless devices that will provide information enabling designated site personnel to take appropriate actions.\n\nNOTE: While not recommended, WLAN access points that also provide WIDS scanning capability are acceptable as \"continuous scanning\" WIDS sensors. \n\n- For a periodic WIDS scanning system:\n--The DAA will determine how often WIDS scanning will be conducted based on the results of the wireless risk assessment. (DISA recommends at least every 90 days.)\n--Periodic scanning will be conducted by using handheld or laptop WIDS scanners during a walk-through assessment of the network environment.\n\nNOTE: The WIDS must cover all WLAN frequencies transmitted by the WLAN equipment. The WLAN frequency band can vary by country and the WIDS must cover all channels being used in a country the equipment is being used in. For example, the allowed WLAN channels are different in the U.S., Japan, and many European countries.\n\nCheck procedures:\n\nInterview the site IAO. Determine if the scanning by a Wireless Intrusion Detection System (WIDS) is continuous or periodic. See Check V0018596 (NET-WIDS-001 / WIR0050). Verify the site\u2019s WIDS scanning system meets the following requirements:\n\n-For Continuous WIDS scanning:\n--Verify the site has installed a continuous-scanning WIDS system (e.g., AirDefense, Airmagnet, etc.).\n--Verify the WIDS is set up to scan continuously 24 hours/day, 7 days/week to detect authorized and unauthorized activity.\n--Verify the WIDS includes a location sensing protection scheme for authorized and unauthorized wireless devices.\n--Mark as a finding if any of these requirements have not been met.\n\n-For Periodic WIDS scanning:\n--Verify the DAA has determined the frequency of the scans. Review the DAA approved wireless risk assessment.\n--Mark as a finding if any of these requirements have not been met.",
"description": "Unauthorized WLAN devices threaten DoD networks in a variety of ways. If someone installs an access point on a DoD network, then people may use that access point to access network resources without any perimeter security controls, which significantly degrades the IA posture of that network. If someone installs an unauthorized access point in the site\u2019s vicinity, even if not connected to a DoD network, then site users may unknowingly or inadvertently connect to it. Once this connection occurs, the user\u2019s traffic may be diverted to spoofed web sites and other servers to capture the user\u2019s authentication credentials and sensitive DoD data. Finally, if an unauthorized WLAN client is operating inside or near the site, it may improperly connect to the site\u2019s WLAN infrastructure or other network devices that improperly have left open active Wi-Fi interfaces. WIDS can help counter all of these threats. ",
"fixid": "F-34071r1_fix",
"fixtext": "Install and operate WIDS on a continuous or periodic basis in a manner consistent with policy requirements.",
"iacontrols": [
"ECWN-1"
],
"id": "V-14887",
"ruleID": "SV-15655r1_rule",
"severity": "medium",
"title": "The site must scan the radio frequency spectrum for unauthorized WLAN devices.",
"version": "WIR0145-01"
},
"V-19896": {
"checkid": "C-25505r1_chk",
"checktext": "Detailed policy requirements:\n\nThe results of WIDS scans (logs and scan results) shall be maintained by the site for at least one year.\n\nCheck procedures:\n\nInterview the site IAO. Verify the site has saved its scan results for at least one year, viewing one of the older logs to validate the practice. Mark as a finding if the site is not saving the logs/results or is saving them for less than one year. ",
"description": "DoDD 8100.2 requires ALL DoD networks use a wireless IDS to scan for unauthorized wireless\ndevices. If sites do not maintain scan logs, it cannot be determined if IDS findings are isolated and harmless events or a more sustained, methodical attack on the system.",
"fixid": "F-34073r1_fix",
"fixtext": "IAO must ensure WIDS and operating procedures maintain WLAN scan results for at least one year.",
"iacontrols": [
"ECWN-1"
],
"id": "V-19896",
"ruleID": "SV-22066r1_rule",
"severity": "low",
"title": "WIDS sensor scan results must be saved for at least one year.",
"version": "WIR0145-02"
}
},
"profiles": {
"MAC-1_Classified": {
"description": "",
"findings": {
"V-14887": "true",
"V-19896": "true"
},
"id": "MAC-1_Classified",
"title": "I - Mission Critial Classified"
},
"MAC-1_Public": {
"description": "",
"findings": {
"V-14887": "true",
"V-19896": "true"
},
"id": "MAC-1_Public",
"title": "I - Mission Critial Public"
},
"MAC-1_Sensitive": {
"description": "",
"findings": {
"V-14887": "true",
"V-19896": "true"
},
"id": "MAC-1_Sensitive",
"title": "I - Mission Critial Sensitive"
},
"MAC-2_Classified": {
"description": "",
"findings": {
"V-14887": "true",
"V-19896": "true"
},
"id": "MAC-2_Classified",
"title": "II - Mission Support Classified"
},
"MAC-2_Public": {
"description": "",
"findings": {
"V-14887": "true",
"V-19896": "true"
},
"id": "MAC-2_Public",
"title": "II - Mission Support Public"
},
"MAC-2_Sensitive": {
"description": "",
"findings": {
"V-14887": "true",
"V-19896": "true"
},
"id": "MAC-2_Sensitive",
"title": "II - Mission Support Sensitive"
},
"MAC-3_Classified": {
"description": "",
"findings": {
"V-14887": "true",
"V-19896": "true"
},
"id": "MAC-3_Classified",
"title": "III - Administrative Classified"
},
"MAC-3_Public": {
"description": "",
"findings": {
"V-14887": "true",
"V-19896": "true"
},
"id": "MAC-3_Public",
"title": "III - Administrative Public"
},
"MAC-3_Sensitive": {
"description": "",
"findings": {
"V-14887": "true",
"V-19896": "true"
},
"id": "MAC-3_Sensitive",
"title": "III - Administrative Sensitive"
}
},
"slug": "wlan_ids_sensorserver",
"title": "WLAN IDS Sensor/Server Security Technical Implementation Guide (STIG)",
"version": "6"
}
}