HPE Aruba Networking AOS Wireless Security Technical Implementation Guide

Overview

Version: 1
Date: 2024-10-29
Finding Count: 14 (CAT I (High): 0; CAT II (Medium): 13; CAT III (Low): 1)

STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings - All

Each finding is listed as Finding ID | Severity, followed by its Title and Description.

V-266707 | Medium
Title: AOS, when used as a WLAN bridge or controller, must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface.
Description: The OOBM access switch will connect to the management interface of the managed network elements. The management interface can be a true OOBM interface or a standard interface functioning as the management interface. In either case, the management interface of the managed network element will be directly connected to the...

V-266705 | Medium
Title: AOS, when configured as a WLAN bridge, must not be configured to have any feature enabled that calls home to the vendor.
Description: Call-home services will routinely send data such as configuration and diagnostic information to the vendor for routine or emergency analysis and troubleshooting. There is a risk that transmission of sensitive data sent to unauthorized persons could result in data loss or downtime due to an attack. (Refer to SRG-NET-000131-RTR-000083.)

V-266704 | Medium
Title: The site must conduct continuous wireless Intrusion Detection System (IDS) scanning.
Description: DOD networks are at risk and DOD data could be compromised if wireless scanning is not conducted to identify unauthorized wireless local area network (WLAN) clients and access points connected to or attempting to connect to the network. DOD Components must ensure that a wireless intrusion detection system (WIDS) is...

V-266703 | Medium
Title: When AOS is used as a wireless local area network (WLAN) controller, WLAN Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) implementation must use certificate-based public key infrastructure (PKI) authentication to connect to DOD networks.
Description: DOD certificate-based PKI authentication is strong, two-factor authentication that relies on carefully evaluated cryptographic modules. Implementations of EAP-TLS that are not integrated with certificate-based PKI could have security vulnerabilities. For example, an implementation that uses a client certificate on a laptop without a second factor could enable an adversary with...

V-266644 | Medium
Title: AOS, in conjunction with a remote device, must prevent the device from simultaneously establishing nonremote connections with the system and communicating via some other connection to resources in external networks.
Description: Split tunneling would in effect allow unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information. This requirement applies to virtual private network (VPN) concentrators and clients. It is implemented within remote devices (e.g., notebook computers) through configuration settings to disable split tunneling in...

V-266639 | Medium
Title: AOS must use cryptographic algorithms approved by the National Security Agency (NSA) to protect national security systems (NSS) when transporting classified traffic across an unclassified network.
Description: Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. National Institute of Standards and Technology (NIST) cryptographic algorithms are approved by NSA to protect NSS. Based on an analysis of the impact of quantum computing, cryptographic algorithms specified by CNSSP-15 and approved for...

V-266632 | Medium
Title: The network element must authenticate all network-connected endpoint devices before establishing any connection.
Description: Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. For distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of authentication claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide authentication...

V-266627 | Medium
Title: AOS must require devices to reauthenticate when organization-defined circumstances or situations requiring reauthentication.
Description: Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity on the network. In addition to the reauthentication requirements associated with session locks, organizations may require reauthentication of devices, including (but not limited to), the following other situations: (i) When authenticators change; (ii) When roles change;...

V-266591 | Medium
Title: AOS must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.
Description: A network element experiencing a DoS attack will not be able to handle production traffic load. The high utilization and CPU caused by a DoS attack will also have an effect on control keep-alives and timers used for neighbor peering, resulting in route flapping, and will eventually sinkhole production traffic....

V-266577 | Medium
Title: AOS must be configured to disable nonessential capabilities.
Description: It is detrimental for network elements to provide, or enable by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Network elements are capable of providing a...

V-266560 | Medium
Title: The network element must protect wireless access to the system using Federal Information Processing Standard (FIPS)-validated Advanced Encryption Standard (AES) block cipher algorithms with an approved confidentiality mode.
Description: Allowing devices and users to connect to the system without first authenticating them allows untrusted access and can lead to a compromise or attack. Because wireless communications can be intercepted, encryption must be used to protect the confidentiality of information in transit. Wireless technologies include, for example, microwave, packet radio...

V-266559 | Medium
Title: AOS must protect wireless access to the network using authentication of users and/or devices.
Description: Allowing devices and users to connect to the system without first authenticating them allows untrusted access and can lead to a compromise or attack. The security boundary of a wireless local area network (WLAN) extends from the client device to the network boundary where network access is controlled. This boundary...

V-266557 | Medium
Title: AOS must use Transport Layer Security (TLS) 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
Description: Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. This requirement applies to TLS gateways (also known as Secure Sockets Layer [SSL] gateways). Application protocols such as Hypertext Transfer Protocol Secure (HTTPS), Secure File Transfer...

V-266708 | Low
Title: AOS wireless local area network (WLAN) service set identifiers (SSIDs) must be changed from the manufacturer's default to a pseudo random word that does not identify the unit, base, organization, etc.
Description: An SSID that identifies the unit, site, or purpose of the WLAN or is set to the manufacturer default may cause an operational security vulnerability.