Cyber Trackr - Free Compliance Library
Cyber Trackr
The Free Compliance Library

L3 KOV-26 Talon (Wireless Role) Security Technical Implementation Guide (STIG)

  • Version/Release: V6R7
  • Published: 2014-04-07
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This STIG contains the technical security controls for the operation of a L3 KOV-26 Talon (Wireless Role) encryptor in the DoD environment.
c
NSA Type1 products and required procedures must be used to protect classified data at rest (DAR) on wireless devices used on a classified WLAN or WMAN.
High - V-3512 - SV-3512r1_rule
RMF Control
Severity
High
CCI
Version
WIR0235
Vuln IDs
  • V-3512
Rule IDs
  • SV-3512r1_rule
NSA Type 1 products provide a high level of assurance that cryptography is implemented correctly and meets the standards for storage of classified information. Use of cryptography that is not Type 1 certified violates policy and increases the risk that classified data will be compromised. Information Assurance OfficerECWN-1
Checks: C-4027r1_chk

Detailed Policy requirements: Type 1 products and required procedures must be used to protect classified data-at-rest on wireless computers that are used on a classified WLAN or WMAN. If NSA Type1 certified DAR encryption is not available, the following requirements apply: - The storage media shall be physically removed from the computer and stored within a COMSEC-approved security container when the computer is not being used. - The entire computer shall be placed within a COMSEC-approved security container, if the computer has embedded storage media that cannot be removed. Check Procedures: Interview the IAO to determine if devices with wireless functionality (e.g., laptops or PDAs with embedded radios) are used to store classified data. If yes, verify the device is an NSA Type 1 certified product. Mark as a finding if a Type 1 product is not used, or if the storage media or device is not stored in a COMSEC-approved security container when not in use.

Fix: F-34121r1_fix

Immediately discontinue use of the non-compliant device.

c
A Secure WLAN (SWLAN) must conform to an approved network architecture.
High - V-4636 - SV-4636r1_rule
RMF Control
Severity
High
CCI
Version
WIR0210
Vuln IDs
  • V-4636
Rule IDs
  • SV-4636r1_rule
Approved network architectures have been assessed for IA risk. Non-approved architectures provide less assurance than approved architectures because they have not undergone the same level of evaluation.Information Assurance OfficerECSC-1, ECWN-1
Checks: C-16036r1_chk

Detailed Policy Requirements: The SWLAN architecture conforms to one of the approved configurations: LAN Extension: This architecture provides wireless access to the wired infrastructure using a Harris SecNet 11/ 54 or L3 KOV-26 Talon. In this architecture, the boundary is controlled either with fencing or inspection. See Figure 2.2 in the DISA FSO Wireless Overview for an example of the LAN Extension architecture. Wireless Bridging: This architecture provides point-to-point bridging using Harris SecNet 11/ 54 or Talon. In this architecture, the boundary is controlled either with fencing or inspection. See Figure 2.3 in the DISA FSO Wireless Overview for an example of the Wireless Bridging architecture. Wireless Peer-to-Peer: This architecture provides point-to-point communications between wireless clients using Harris SecNet 11/ 54 or Talon. In this architecture, the boundary is controlled either with fencing or inspection. See Figure 3.2 in the DISA FSO Wireless Overview for an example of the Wireless Peer-to-Peer architecture. Check Procedures: Interview the SA or IAO to obtain SWLAN network diagrams. Review the SWLAN architecture and ensure it conforms to one of the approved use cases.

Fix: F-34117r1_fix

Disable or remove the non-compliant SWLAN or reconfigure it to conform to one of the approved architectures.

a
The site must have written procedures for the protection, handling, accounting, and use of NSA Type 1 products.
Low - V-7075 - SV-7459r1_rule
RMF Control
Severity
Low
CCI
Version
WIR0230
Vuln IDs
  • V-7075
Rule IDs
  • SV-7459r1_rule
Written procedures provide assurance that personnel take the required steps to prevent loss of keys or other breaches of system security.Information Assurance OfficerECSC-1
Checks: C-4017r1_chk

Interview IAO. Verify written operating procedures exist for the protection, handling, accounting, and use of NSA Type 1 certified WLAN products and keys in a SWLAN operational environment.

Fix: F-6771r1_fix

Document procedures for the protection, handling, accounting, and use of NSA Type 1 certified WLAN products and keys.

b
A device’s wired network interfaces (e.g., Ethernet) must be disconnected or otherwise disabled when wireless connections are in use.
Medium - V-14002 - SV-14613r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR0170
Vuln IDs
  • V-14002
Rule IDs
  • SV-14613r2_rule
If a client device supports simultaneous use of wireless and wired connections, then this increases the probability that an adversary who can access the device using its wireless interface can then route traffic through the device’s wired interface to attack devices on the wired network or obtain sensitive DoD information.System AdministratorInformation Assurance OfficerECWN-1
Checks: C-11465r3_chk

Review client devices and verify that there is some technical procedure to disable the wireless network interface when the wired network interface is active (e.g., connected to a network via an Ethernet cable). Examples of compliant implementations: - Client side connection management software products have configuration settings that disable wireless connections when a wired connection is active. - Microsoft Windows hardware profiles can be created that disable assigned wireless network interfaces when the Ethernet connection is active. To check compliance, select a sample of devices (3-4), and establish a network connection using the wireless interface. Test that the wireless interface is active using a command line utility such as ifconfig (UNIX/Linux), or ipconfig (Windows), or management tools such as Network Connections within the Windows Control Panel. Then plug the device into an active Ethernet port (or other wired network). Repeat the process used to check that the connection was active to verify it is now disabled. Mark as a finding if one or more of the tested devices do not disable the wireless interface upon connection to a wired network. Also mark as finding if the device does not have the capability to disable the wireless interface when the wired interface is active.

Fix: F-13489r1_fix

Ensure the wired network interfaces on a WLAN client are disconnected or otherwise disabled when wireless network connections are in use.

a
WLAN SSIDs must be changed from the manufacturer’s default to a pseudo random word that does not identify the unit, base, organization, etc.
Low - V-14846 - SV-15614r1_rule
RMF Control
Severity
Low
CCI
Version
WIR0105
Vuln IDs
  • V-14846
Rule IDs
  • SV-15614r1_rule
An SSID identifying the unit, site or purpose of the WLAN or is set to the manufacturer default may cause an OPSEC vulnerability.System AdministratorECSC-1, ECWN-1
Checks: C-13276r1_chk

Review device configuration. 1. Obtain the SSID using a wireless scanner or the AP or WLAN controller management software. 2. Verify the name is not meaningful (e.g., site name, product name, room number, etc.) or set to the manufacturer's default value. Mark as a finding if the SSID does not meet the requirement listed above.

Fix: F-34142r1_fix

Change the SSID to a pseudo random word that does not identify the unit, base, or organization.

c
Any wireless technology used to transmit classified information must be an NSA Type 1 product.
High - V-15300 - SV-16085r1_rule
RMF Control
Severity
High
CCI
Version
WIR0205
Vuln IDs
  • V-15300
Rule IDs
  • SV-16085r1_rule
NSA Type 1 certification provides the level of assurance required for transmission of classified data. Systems without this certification are more likely to be compromised by a determined and resourceful adversary.System AdministratorInformation Assurance OfficerECWM-1
Checks: C-13709r1_chk

Visually verify the site is using a Harris Corporation SecNet 11 or SecNet 54 or L3 KOV-26 Talon (version 1.1.04 or later) for the classified WLAN.

Fix: F-6728r1_fix

Immediately remove the uncertified device from the network. Install and operate a Type 1 product if wireless functionality is still required.

c
A Secure WLAN (SWLAN) connected to the SIPRNet must have a SIPRNet connection approval package must be on file with the Classified Connection Approval Office (CCAO).
High - V-18582 - SV-20126r1_rule
RMF Control
Severity
High
CCI
Version
WIR0215
Vuln IDs
  • V-18582
Rule IDs
  • SV-20126r1_rule
The CCAO approval process provides assurance that the SWLAN use is appropriate and does not introduce unmitigated risks into the SIPRNET.ECWN-1
Checks: C-22005r1_chk

Review documentation. - Verify the SWLAN system SCAO approval documentation exists and has been approved and has a SIPRNet or NIPRNet Interim Approval to Operate (IATO) or Approval to Operate (ATO) in GIAP database. - Verify the SWLAN system is included in the SSAA/SSP and is signed by the DAA. Mark as a finding if requirements are not met.

Fix: F-34118r1_fix

Disable or remove the non-compliant SWLAN until the site has all required approvals for operation.

b
Before a Secure WLAN (SWLAN) becomes operational and is connected to the SIPRNet the Certified TEMPEST Technical Authority (CTTA) must be notified.
Medium - V-18583 - SV-20127r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR0220
Vuln IDs
  • V-18583
Rule IDs
  • SV-20127r1_rule
Wireless signals are extremely vulnerable to both detection and interception, which can provide an adversary with the location and intensity of particular DoD activities and potentially reveal classified DoD information. TEMPEST reviews provide assurance that unacceptable risks have been identified and mitigated.Information Assurance OfficerDesignated Approving AuthorityECWN-1
Checks: C-22006r1_chk

Review documentation. Verify the local CTTA has been notified of the site’s intent to install and operate a SWLAN. Mark as a finding if the local CTTA has not been notified.

Fix: F-34119r1_fix

Notify the CTTA of the need to review the SWLAN.

b
Physical security controls must be implemented for SWLAN access points.
Medium - V-18584 - SV-20128r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR0225
Vuln IDs
  • V-18584
Rule IDs
  • SV-20128r1_rule
If an adversary is able to gain physical access to a SWLAN device, it may be able to compromise the device in a variety of ways, some of which could enable the adversary to obtain classified data. Physical security controls greatly mitigate this risk.System AdministratorInformation Assurance OfficerECTM-2, ECWN-1
Checks: C-22007r1_chk

Detailed Policy Requirements: The following physical security controls must be implemented for SWLAN access points: - Secure WLAN access points shall be physically secured, and methods shall exist to facilitate the detection of tampering. WLAN APs are part of a communications system and shall have controlled physical security, in accordance with DoDD 5200.08-R. SWLAN access points not within a location that provides limited access shall have controlled physical security with either fencing or inspection. - Either physical inventories or electronic inventories shall be conducted daily by viewing or polling the serial number or MAC address. Access points not stored in a COMSEC-approved security container shall be physically inventoried. Check Procedures: It is recommended the Traditional Reviewer assist with this check. Review the physical security controls of the SWLAN access points. - Verify site SWLAN access points are physically secured - -- Verify there is some method for alerting site security if the access point has been tampered with. - Determine if site SWLAN access points are in locations that provide limited access to only authorized personnel who are approved to access the access points. - Determine how the site conducts a daily physical inventory of SWLAN access points. Verify that required inventory methods are used, depending on if the access points are stored in a COMSEC container. - Mark as a finding if any requirement has not been met.

Fix: F-34120r1_fix

Implement required physical security controls for the SWLAN.

a
SWLAN access points must implement MAC filtering.
Low - V-30359 - SV-40014r1_rule
RMF Control
Severity
Low
CCI
Version
WIR0226
Vuln IDs
  • V-30359
Rule IDs
  • SV-40014r1_rule
Medium access control (MAC) filtering is a mechanism for ensuring that only authorized devices connect to the WLAN. While there are other methods to achieve similar protection with greater assurance, MAC filtering can be employed as a defense-in-depth measure. System AdministratorInformation Assurance OfficerECWN-1
Checks: C-39028r1_chk

Detailed Policy Requirements: MAC filtering must be implemented to enable the SWLAN AP to perform client device access control. Check Procedures: Verify MAC address filtering has been implemented on site SWLAN access points. Have the system administrator log into a sample of site SWLAN access points (2-3 devices) and show MAC address filtering has been enabled. Mark as a finding if MAC filtering has not been enabled.

Fix: F-34123r1_fix

Implement MAC filtering on the SWLAN access point.

c
SWLAN must be rekeyed at least every 90 days.
High - V-30369 - SV-40029r1_rule
RMF Control
Severity
High
CCI
Version
WIR0231
Vuln IDs
  • V-30369
Rule IDs
  • SV-40029r1_rule
The longer a key remains in use, the more likely it will be compromised. If an adversary can compromise an SWLAN key, then it can obtain classified information. ECWN-1
Checks: C-39044r1_chk

Detailed Policy Requirements: SWLAN system will be rekeyed at least every 90 days. Check Procedures: Interview IAO and obtain the site’s procedures for rekeying the WLAN. Mark a finding if the procedures do not exist or they do not include a requirement to rekey at least every 90 days.

Fix: F-34145r1_fix

Write and implement rekeying procedures that specify the keys must be changed at least every 90 days.