{"stig":{"title":"Network WLAN Controller Platform Security Technical Implementation Guide","version":"7","release":"3"},"checks":[{"vulnId":"V-243233","ruleId":"SV-243233r817090_rule","severity":"medium","ruleTitle":"The WLAN inactive/idle session timeout must be set for 30 minutes or less.","description":"A WLAN session that never terminates due to inactivity may allow an opening for an adversary to highjack the session to obtain access to the network.","checkContent":"1. Review the relevant configuration screen of the WLAN controller or access point.\n2. Verify the inactive/idle session timeout setting is set for 30 minutes or less. \n\nIf the inactive/idle session timeout is not set to 30 minutes or less for the entire WLAN, or the WLAN does not have the capability to enable the session timeout feature, this is a finding.","fixText":"Set the WLAN inactive/idle session timeout to 30 minutes or less.","ccis":["CCI-000057"]},{"vulnId":"V-243234","ruleId":"SV-243234r720157_rule","severity":"medium","ruleTitle":"WLAN must use EAP-TLS.","description":"EAP-TLS provides strong cryptographic mutual authentication and key distribution services not found in other EAP methods, and thus provides significantly more protection against attacks than other methods. \n\nAdditionally, EAP-TLS supports two-factor user authentication on the WLAN client, which provides significantly more protection than methods that rely on a password or certificate alone. EAP-TLS also can leverage the DoD Common Access Card (CAC) in its authentication services, providing additional security and convenience.","checkContent":"Note: If the equipment is WPA2/WPA3 certified by the Wi-Fi Alliance, it is capable of supporting this requirement.\n\nReview the WLAN equipment configuration to verify that EAP-TLS is actively used and no other methods are enabled.\n\nIf EAP-TLS is not used or if the WLAN system allows users to connect with other methods, this is a finding.","fixText":"Change the WLAN configuration so it supports EAP-TLS, implementing supporting PKI and AAA infrastructure as necessary. If the WLAN equipment is not capable of supporting EAP-TLS, procure new equipment capable of such support.","ccis":["CCI-001444"]},{"vulnId":"V-243235","ruleId":"SV-243235r891326_rule","severity":"medium","ruleTitle":"WLAN components must be FIPS 140-2 or FIPS 140-3 certified and configured to operate in FIPS mode.","description":"If the DoD WLAN components (WLAN AP, controller, or client) are not NIST FIPS 140-2/FIPS 140-3 (Cryptographic Module Validation Program, CMVP) certified, the WLAN system may not adequately protect sensitive unclassified DoD data from compromise during transmission.","checkContent":"Review the WLAN equipment specification and verify it is FIPS 140-2/3 (CMVP) certified for data in transit, including authentication credentials. Verify the component is configured to operate in FIPS mode.\n\nIf the WLAN equipment is not is FIPS 140-2/3 (CMVP) certified or is not configured to operate in FIPS mode, this is a finding.","fixText":"Use WLAN equipment that is FIPS 140-2/3 (CMVP) certified. Configure the component to operate in FIPS mode.","ccis":["CCI-001967"]},{"vulnId":"V-243236","ruleId":"SV-243236r720163_rule","severity":"medium","ruleTitle":"WLAN EAP-TLS implementation must use certificate-based PKI authentication to connect to DoD networks.","description":"DoD certificate-based PKI authentication is strong, two-factor authentication that relies on carefully evaluated cryptographic modules. Implementations of EAP-TLS that are not integrated with certificate-based PKI could have security vulnerabilities. \n\nFor example, an implementation that uses a client certificate on laptop without a second factor could enable an adversary with access to the laptop to connect to the WLAN without a PIN or password. Systems that do not use the certificate-based PKI are also much more likely to be vulnerable to weaknesses in the underlying public key infrastructure (PKI) that supports EAP-TLS.\n\nCertificate-based PKI authentication must be used to connect WLAN client devices to DoD networks. The certificate-based PKI authentication should directly support the WLAN EAP-TLS implementation. \n\nAt least one layer of user authentication must enforce network authentication requirements (e.g., CAC authentication) before the user is able to access DoD information resources.","checkContent":"Interview the site ISSO and SA. Determine if the site's network is configured to require certificate-based PKI authentication before a WLAN user is connected to the network. \n\nIf certificate-based PKI authentication is not required prior to a DoD WLAN user accessing the DoD network, this is a finding.\n\nNote: This check does not apply to medical devices. Medical devices are permitted to connect to the WLAN using pre-shared keys.","fixText":"Integrate certificate-based PKI authentication into the WLAN authentication process.","ccis":["CCI-001444"]},{"vulnId":"V-243237","ruleId":"SV-243237r720166_rule","severity":"medium","ruleTitle":"The network device must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface.","description":"The OOBM access switch will connect to the management interface of the managed network elements. The management interface can be a true OOBM interface or a standard interface functioning as the management interface. In either case, the management interface of the managed network element will be directly connected to the OOBM network. (See SRG-NET-000205-RTR-000012.)\n\nNetwork boundaries, also known as managed interfaces, include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis, and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs). Methods used for prohibiting interfaces within organizational information systems include, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses.","checkContent":"Review the device configuration to determine if the OOB management interface is assigned an appropriate IP address from the authorized OOB management network.\n\nIf an IP address assigned to the interface is not from an authorized OOB management network, this is a finding.","fixText":"Configure the network device so that only management traffic that ingresses and egresses the OOBM interface is permitted.","ccis":["CCI-001097"]},{"vulnId":"V-243238","ruleId":"SV-243238r856613_rule","severity":"medium","ruleTitle":"The network device must not be configured to have any feature enabled that calls home to the vendor.","description":"Call-home services will routinely send data such as configuration and diagnostic information to the vendor for routine or emergency analysis and troubleshooting. There is a risk that transmission of sensitive data sent to unauthorized persons could result in data loss or downtime due to an attack. (See SRG-NET-000131-RTR-000083.)","checkContent":"Review the device configuration to determine if the call home service or feature is disabled on the device. \n\nIf the call home service is enabled on the device, this is a finding.\n\nNote: This feature can be enabled if the communication is only to a server residing in the local area network or enclave.","fixText":"Configure the network device to disable the call home service or feature.\n\nNote: This feature can be enabled if the communication is only to a server residing in the local area network or enclave.","ccis":["CCI-002403"]}]}