UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

WMAN Access Point Security Technical Implementation Guide (STIG)


Overview


Findings (MAC II - Mission Support Public)

Finding ID Severity Title
V-4582 High The network device must require authentication for console access.
V-3056 High Group accounts must not be configured for use on the network device.
V-3143 High The network element must not have any default manufacturer passwords.
V-3210 High The network element must not use the default or well-known SNMP community strings public and private.
V-18604 High A WMAN system transmitting classified data must implement required data encryption controls.
V-3175 High The network device must require authentication prior to establishing a management connection for administrative access.
V-14207 Medium WMAN systems must require strong authentication from the user or WMAN subscriber device to WMAN network.
V-3069 Medium Management connections to a network device must be established using secure protocols with FIPS 140-2 validated cryptographic modules.
V-14671 Medium The network element must authenticate all NTP messages received from NTP servers and peers.
V-19903 Medium Site WMAN systems must implement strong authentication from the user or WMAN subscriber device to WMAN network.
V-14717 Medium The network element must not allow SSH Version 1 to be used for administrative access.
V-19904 Medium Site WMAN systems must implement strong authentication from the user or WMAN subscriber device to WMAN network.
V-3057 Medium Authorized accounts must be assigned the least privilege level necessary to perform assigned duties.
V-3014 Medium The network element must timeout management connections for administrative access after 10 minutes or less of inactivity.
V-14886 Medium Wireless access points and bridges must be placed in dedicated subnets outside the enclave’s perimeter.
V-28784 Medium A service or feature that calls home to the vendor must be disabled.
V-3967 Medium The network element must time out access to the console port after 10 minutes or less of inactivity.
V-17821 Medium The network element’s OOBM interface must be configured with an OOBM network address.
V-17822 Medium The network elements management interface must be configured with both an ingress and egress ACL.
V-18605 Medium The WMAN site must perform periodic wireless IDS screening in all areas where WMAN coverage exists to prevent unauthorized access, jamming, or electromagnetic interference.
V-18603 Medium Site WMAN systems that transmit unclassified data must implement required data encryption controls.
V-18602 Medium When a WMAN system is implemented, the network enclave must enforce strong authentication from user to DoD enclave (wired network). For “User to Enclave” authentication, the enclave must enforce network authentication requirements found in USCYBERCOM CTO 07-15Rev1 (or subsequent updates) (e.g. CAC authentication). Note: User authentication to the enclave must be a separate process from authentication to the WMAN system. If the WMAN vendor implements CAC authentication for the User or WMAN subscriber device to WMAN network, the user may only need to enter their PIN once to authenticate to both the WMAN system and the enclave.
V-5613 Medium The network element must be configured for a maximum number of unsuccessful SSH login attempts set at 3 before resetting the interface.
V-5612 Medium The network element must be configured to timeout after 60 seconds or less for incomplete or broken SSH sessions.
V-5611 Medium The network element must only allow management connections for administrative access from hosts residing in the management network.
V-23747 Low The network element must use two or more NTP servers to synchronize time.
V-18598 Low The WMAN system must not operate in the 3.30-3.65 GHz frequency band.
V-18617 Low A site must use a WMAN system in compliance with Committee on National Security Systems Policy (CNSSP) 300: the Department or Agency Certified TEMPEST Technical Authority (CTTA) has evaluated the system to determine its TEMPEST vulnerability and provided this information to the DAA.
V-14844 Low The relevant U.S. Forces Command (USFORSCOM) or host nation must approve the use of wireless equipment prior to operation of such equipment outside the United States and Its Possessions (US&P).
V-7011 Low The network element’s auxiliary port must be disabled unless it is connected to a secured modem providing encryption and authentication.
V-3070 Low The network element must log all attempts to establish a management connection for administrative access.
V-18606 Low The WMAN site must implement required procedures for reporting the results of WMAN intrusion scans.
V-18601 Low An appropriate WMAN coverage area must be reasonably sized and constrained to the areas intended for WMAN signals.