WMAN Access Point Security Technical Implementation Guide

Findings (MAC III - Administrative Sensitive)

Finding ID | Severity | Title
V-4582 | High | The IAO will ensure that all OOB management connections to the device require authentication.
V-3056 | High | The IAO/NSO will ensure each user accessing the device locally have their own account with username and password.
V-3143 | High | The IAO/NSO will ensure all default manufacturer passwords are changed.
V-3210 | High | The IAO/NSO will ensure that all SNMP community strings are changed from the default values.
V-18604 | High | A WMAN system transmitting classified data must implement required data encryption controls.
V-3175 | High | The IAO will ensure that all in-band management connections to the device require authentication.
V-14207 | Medium | WMAN systems must require strong authentication from the user or WMAN subscriber device to WMAN network.
V-3069 | Medium | The system administrator will ensure in-band management access to the device is secured using FIPS 140-2 approved encryption or hash algorithms such as AES, 3DES, SSH, or TLS / SSL.
V-14671 | Medium | The IAO will ensure all NTP-enabled devices authenticate received NTP messages.
V-19903 | Medium | Site WMAN systems must implement strong authentication from the user or WMAN subscriber device to WMAN network.
V-14717 | Medium | The system administrator will ensure SSH version 2 is implemented.
V-19904 | Medium | Site WMAN systems must implement strong authentication from the user or WMAN subscriber device to WMAN network.
V-3057 | Medium | The IAO/NSO will ensure all user accounts are assigned the lowest privilege level that allows them to perform their duties.
V-3014 | Medium | The system administrator will ensure the timeout for administrative access is set for no longer than 10 minutes.
V-14886 | Medium | Wireless access points and bridges must be placed in dedicated subnets outside the enclave’s perimeter.
V-28784 | Medium | A service or feature that calls home to the vendor must be disabled.
V-3967 | Medium | The system administrator will ensure the console port is configured to time out after 10 minutes or less of inactivity.
V-17821 | Medium | Managed NE OOBM interface is not configured with an OOBM network address.
V-17822 | Medium | The management interface is not configured with both an ingress and egress ACL.
V-18605 | Medium | The WMAN site must perform periodic wireless IDS screening in all areas where WMAN coverage exists to prevent unauthorized access, jamming, or electromagnetic interference.
V-18603 | Medium | Site WMAN systems that transmit unclassified data must implement required data encryption controls.
V-18602 | Medium | When a WMAN system is implemented, the network enclave must enforce strong authentication from user to DoD enclave (wired network). For “User to Enclave” authentication, the enclave must enforce network authentication requirements found in USCYBERCOM CTO 07-15Rev1 (or subsequent updates) (e.g. CAC authentication). Note: User authentication to the enclave must be a separate process from authentication to the WMAN system. If the WMAN vendor implements CAC authentication for the User or WMAN subscriber device to WMAN network, the user may only need to enter their PIN once to authenticate to both the WMAN system and the enclave.
V-5613 | Medium | The system administrator will ensure the maximum number of unsuccessful SSH login attempts is set to three, locking access to the network device.
V-5612 | Medium | The system administrator will ensure SSH timeout value is set to 60 seconds or less, causing incomplete SSH connections to shut down after 60 seconds or less.
V-5611 | Medium | The system administrator will ensure that the device only allows in-band management sessions from authorized IP addresses from the internal network.
V-23747 | Low | The IAO/NSO will ensure all managed network elements are configured to use two or more NTP servers to synchronize time.
V-18598 | Low | The WMAN system must not operate in the 3.30-3.65 GHz frequency band.
V-18617 | Low | A site must use a WMAN system in compliance with Committee on National Security Systems Policy (CNSSP) 300: the Department or Agency Certified TEMPEST Technical Authority (CTTA) has evaluated the system to determine its TEMPEST vulnerability and provided this information to the DAA.
V-14844 | Low | The relevant U.S. Forces Command (USFORSCOM) or host nation must approve the use of wireless equipment prior to operation of such equipment outside the United States and Its Possessions (US&P).
V-7011 | Low | The system administrator will ensure that the device auxiliary port is disabled if a secured modem providing encryption and authentication is not connected.
V-3070 | Low | The system administrator will configure the ACL that is bound to the inband interface to log permitted and denied access attempts.
V-18606 | Low | The WMAN site must implement required procedures for reporting the results of WMAN intrusion scans.
V-18601 | Low | An appropriate WMAN coverage area must be reasonably sized and constrained to the areas intended for WMAN signals.
V-18600 | Low | If the WMAN system is a tactical system or a commercial system operated in a tactical environment, the site WMAN system DIACAP must include a Transmission Security (TRANSEC) vulnerability analysis.