
V-243213

CAT II (Medium)

DoD Components providing guest WLAN access (internet access only) must use separate WLAN or logical segmentation of the enterprise WLAN (e.g., separate service set identifier [SSID] and virtual LAN) or DoD network.

Rule ID

SV-243213r720094_rule

STIG

Network WLAN AP-IG Platform Security Technical Implementation Guide

Version

V7R3

CCIs

CCI-000366

Discussion

The purpose of the Guest WLAN network is to provide WLAN services to authorized site guests. Guests, by definition, are not authorized access to the enterprise network. If the guest WLAN is not installed correctly, unauthorized access to the enterprise wireless and/or wired network could be obtained.

Check Content

Have the SA show how the guest WLAN is physically connected to the firewall or supporting switch and how it is logically connected through firewall or switch configuration settings.

Verify the equipment is connected via a separate WLAN or logical segmentation of the host WLAN (e.g., separate service set identifier [SSID] and virtual LAN).

Verify the guest WLAN only provides internet access.

If a guest WLAN is not set up as a separate WLAN from the DoD network or is not set up as a logical segmentation from the DoD network or DoD WLAN, this is a finding.

If the guest WLAN does not provide only internet access, this is a finding.

Fix Text

Reconfigure physical and logical connections as needed so the internet-only guest WLAN infrastructure resides in a dedicated subnet off the perimeter firewall or is installed as a completely separate internet-connection-only WLAN system with no access to the enterprise network.
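The two conditions in the check (segmentation from the enterprise network, and internet-only access) can be tested against an exported configuration. The following is an added example, not part of the STIG or any DISA tooling. The data model, SSID names, VLAN IDs and addresses are constructed assumptions, and the firewall is assumed to evaluate rules first-match with an implicit deny.

```python
from ipaddress import ip_network

def audit_guest_wlan(ssids, enterprise_nets, rules):
    """Return findings for guest SSIDs (hypothetical, vendor-neutral model).

    ssids: {name: {"vlan": int, "subnet": CIDR str, "guest": bool}}
    enterprise_nets: CIDR strings covering the DoD/enterprise network
    rules: ordered (action, src, dst) tuples; first match wins, implicit deny
    """
    findings = []
    ent = [ip_network(n) for n in enterprise_nets]
    corp_vlans = {s["vlan"] for s in ssids.values() if not s["guest"]}
    for name, s in ssids.items():
        if not s["guest"]:
            continue
        guest = ip_network(s["subnet"])
        # Logical segmentation: the guest SSID needs its own VLAN and subnet.
        if s["vlan"] in corp_vlans:
            findings.append(f"{name}: shares VLAN {s['vlan']} with an enterprise SSID")
        if any(guest.overlaps(e) for e in ent):
            findings.append(f"{name}: subnet {guest} overlaps the enterprise network")
        # Internet only: no rule may let guest traffic reach an enterprise net.
        for e in ent:
            for action, src, dst in rules:
                src, dst = ip_network(src), ip_network(dst)
                if not src.overlaps(guest):
                    continue
                if action == "permit" and dst.overlaps(e):
                    findings.append(f"{name}: permit {src} -> {dst} reaches {e}")
                    break
                # A deny settles it only if it fully covers both ranges.
                if action == "deny" and src.supernet_of(guest) and dst.supernet_of(e):
                    break
    return findings

# Constructed sample data (not taken from any real site).
ENTERPRISE = ["10.0.0.0/8"]
GOOD_SSIDS = {"CORP": {"vlan": 10, "subnet": "10.10.0.0/16", "guest": False},
              "GUEST": {"vlan": 99, "subnet": "192.168.99.0/24", "guest": True}}
BAD_SSIDS = {"CORP": GOOD_SSIDS["CORP"],
             "GUEST": {"vlan": 10, "subnet": "10.10.50.0/24", "guest": True}}
GOOD_RULES = [("deny", "192.168.99.0/24", "10.0.0.0/8"),
              ("permit", "192.168.99.0/24", "0.0.0.0/0")]
BAD_RULES = [("permit", "192.168.99.0/24", "0.0.0.0/0")]  # no deny ahead of permit-any

if __name__ == "__main__":
    for finding in audit_guest_wlan(GOOD_SSIDS, ENTERPRISE, BAD_RULES):
        print("FINDING:", finding)
```

An empty result does not replace the physical-connection review the check requires; it only covers the logical configuration supplied to it.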