| V-4582 | High | The network device must require authentication for console access. | Network devices with no password for administrative access via the console provide the opportunity for anyone with physical access to the device to make configuration changes enabling them to... |
| V-3056 | High | Group accounts must not be configured or used for administrative access.
| Group accounts on any device are strictly prohibited. If these group accounts are not changed when someone leaves the group, that person could possibly gain control of the network device. Having... |
| V-3143 | High | The network element must not have any default manufacturer passwords. | Network elements not protected with strong password schemes provide the opportunity for anyone to crack the password thus gaining access to the device and causing network outage or denial of... |
| V-3210 | High | The network element must not use the default or well-known SNMP community strings public and private. | Network elements may be distributed by the vendor pre-configured with an SNMP agent using the well known SNMP community strings public for read only and private for read and write authorization. ... |
| V-18604 | High | A WMAN system transmitting classified data must implement required data encryption controls. | If not compliant, classified data could be compromised. |
| V-3175 | High | The network device must require authentication prior to establishing a management connection for administrative access. | Network devices with no password for administrative access via a management connection provide the opportunity for anyone with network access to the device to make configuration changes enabling... |
| V-14207 | Medium | WMAN systems must require strong authentication from the user or WMAN subscriber device to WMAN network.
| Broadband systems not compliant with authentication requirements could allow a hacker to gain access to the DoD network. |
| V-3069 | Medium | The network element must only allow management connections for administrative access using FIPS 140-2 validated encryption algorithms or protocols. | Remote administration using non-FIPS 140-2 validated encryption is inherently dangerous because anyone with a sniffer and access to the right LAN segment can acquire the device's account and... |
| V-14671 | Medium | The network element must authenticate all NTP messages received from NTP servers and peers. | Since NTP is used to ensure accurate log file timestamp information, NTP could pose a security risk if a malicious user were able to falsify NTP information. To launch an attack on the NTP... |
| V-19903 | Medium | Site WMAN systems must implement strong authentication from the user or WMAN subscriber device to WMAN network. | Broadband systems not compliant with authentication requirements could allow a hacker to gain
access to the DoD network. |
| V-14717 | Medium | The network element must not allow SSH Version 1 to be used for administrative access. | SSH Version 1 is a protocol that has never been defined in a standard. Since SSH-1 has inherent design flaws which make it vulnerable to attacks, e.g., man-in-the-middle attacks, it is now... |
| V-19904 | Medium | Site WMAN systems must implement strong authentication from the user or WMAN subscriber device to WMAN network. | Broadband systems not compliant with authentication requirements could allow a hacker to gain
access to the DoD network. |
| V-3057 | Medium | The network element must have all user accounts assigned to the lowest privilege level that allows each administrator to perform his or her duties.
| By not restricting administrators and operations personnel to their proper privilege levels, access to restricted functions may be allowed before they are trained or experienced enough to use... |
| V-3014 | Medium | The network element must timeout management connections for administrative access after 10 minutes or less of inactivity. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled between the managed network... |
| V-14886 | Medium | Wireless access points and bridges must be placed in dedicated subnets outside the enclave’s perimeter. | If an adversary is able to compromise an access point or controller that is directly connected to an enclave network, then the adversary can easily surveil and attack other devices from that... |
| V-28784 | Medium | A service or feature that calls home to the vendor must be disabled.
| Call home services or features will routinely send data such as configuration and diagnostic information to the vendor for routine or emergency analysis and troubleshooting. The risk that... |
| V-3967 | Medium | The network element must time out access to the console port after 10 minutes or less of inactivity. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port... |
| V-17821 | Medium | The network element’s OOBM interface must be configured with an OOBM network address. | The OOBM access switch will connect to the management interface of the managed network elements. The management interface of the managed network element will be directly connected to the OOBM... |
| V-17822 | Medium | The network elements management interface must be configured with both an ingress and egress ACL. | The OOBM access switch will connect to the management interface of the managed network elements. The management interface can be a true OOBM interface or a standard interface functioning as the... |
| V-18605 | Medium | The WMAN site must perform periodic wireless IDS screening in all areas where WMAN coverage exists to prevent unauthorized access, jamming, or electromagnetic interference. | WMAN systems could be at risk of wireless hacker attack if periodic wireless IDS screening is not performed. |
| V-18603 | Medium | Site WMAN systems that transmit unclassified data must implement required data encryption controls.
| Sensitive DoD data could be exposed to a hacker. |
| V-18602 | Medium | When a WMAN system is implemented, the network enclave must enforce strong authentication from user to DoD enclave (wired network). For “User to Enclave” authentication, the enclave must enforce network authentication requirements found in USCYBERCOM CTO 07-15Rev1 (or subsequent updates) (e.g. CAC authentication).
Note: User authentication to the enclave must be a separate process from authentication to the WMAN system. If the WMAN vendor implements CAC authentication for the User or WMAN subscriber device to WMAN network, the user may only need to enter their PIN once to authenticate to both the WMAN system and the enclave.
| Without strong user authentication to the network a hacker may be able to gain access. |
| V-5613 | Medium | The network element must be configured for a maximum number of unsuccessful SSH login attempts set at 3 before resetting the interface. | An attacker may attempt to connect to the device using SSH by guessing the authentication method and authentication key or shared secret. Setting the authentication retry to 3 or less strengthens... |
| V-5612 | Medium | The network element must be configured to timeout after 60 seconds or less for incomplete or broken SSH sessions. | An attacker may attempt to connect to the device using SSH by guessing the authentication method, encryption algorithm, and keys. Limiting the amount of time allowed for authenticating and... |
| V-5611 | Medium | The network element must only allow management connections for administrative access from hosts residing in the management network. | Remote administration is inherently dangerous because anyone with a sniffer and access to the right LAN segment, could acquire the device account and password information. With this intercepted... |
| V-23747 | Low | The network element must use two or more NTP servers to synchronize time. | Without synchronized time, accurately correlating information between devices becomes difficult, if not impossible. If logs cannot be successfully compared between each of the routers, switches,... |
| V-18598 | Low | The WMAN system must not operate in the 3.30-3.65 GHz frequency band. | DoD RADAR systems operate in the 3.30-3.65 GHz frequency band. If the WMAN system operates in the same band, it could potentially interfere with RADAR operations and undermine the mission the... |
| V-18617 | Low | A site must use a WMAN system in compliance with Committee on National Security Systems Policy (CNSSP) 300: the Department or Agency Certified TEMPEST Technical Authority (CTTA) has evaluated the system to determine its TEMPEST vulnerability and provided this information to the DAA. | Sensitive or classified information could be compromised via a TEMPEST vulnerability. |
| V-14844 | Low | The relevant U.S. Forces Command (USFORSCOM) or host nation must approve the use of wireless equipment prior to operation of such equipment outside the United States and Its Possessions (US&P). | When using a wireless system outside of the US&P, host nation wireless spectrum regulations must be followed. Otherwise the system could interfere with or be disrupted by host nation... |
| V-7011 | Low | The network element’s auxiliary port must be disabled unless it is connected to a secured modem providing encryption and authentication. | The use of POTS lines to modems connecting to network devices provides clear text of authentication traffic over commercial circuits that could be captured and used to compromise the network. ... |
| V-3070 | Low | The network element must log all attempts to establish a management connection for administrative access. | Audit logs are necessary to provide a trail of evidence in case the network is compromised. Without an audit trail that provides a when, where, who and how set of information, repeat offenders... |
| V-18606 | Low | The WMAN site must implement required procedures for reporting the results of WMAN intrusion scans.
| If scan results are not properly reported and acted on, then the site could be vulnerable to wireless attack. |
| V-18601 | Low | An appropriate WMAN coverage area must be reasonably sized and constrained to the areas intended for WMAN signals. | Wireless signals could be intercepted more easily by an adversary if the coverage area is not appropriately sized. If an adversary is able to intercept wireless signals, it is possible to obtain... |
| V-18600 | Low | If the WMAN system is a tactical system or a commercial system operated in a tactical environment, the site WMAN system DIACAP must include a Transmission Security (TRANSEC) vulnerability analysis. | If the TRANSEC analysis has not been completed, the system may not be designed or configured correctly to mitigate exposure of DoD data or may be vulnerable to a wireless attack. |
