Detailed Policy Requirements: Type 1 products and required procedures must be used to protect classified data-at-rest on wireless computers that are used on a classified WLAN or WMAN. If NSA Type 1 certified DAR encryption is not available, the following requirements apply:
- The storage media shall be physically removed from the computer and stored within a COMSEC-approved security container when the computer is not being used.
- The entire computer shall be placed within a COMSEC-approved security container if the computer has embedded storage media that cannot be removed.
Check Procedures: Interview the IAO to determine if devices with wireless functionality (e.g., laptops or PDAs with embedded radios) are used to store classified data. If yes, verify the device is an NSA Type 1 certified product. Mark as a finding if a Type 1 product is not used, or if the storage media or device is not stored in a COMSEC-approved security container when not in use.
Immediately discontinue use of the non-compliant device.
Detailed Policy Requirements: The SWLAN architecture conforms to one of the approved configurations:
- LAN Extension: This architecture provides wireless access to the wired infrastructure using a Harris SecNet 11/54 or L3 KOV-26 Talon. In this architecture, the boundary is controlled either with fencing or inspection. See Figure 2.2 in the DISA FSO Wireless Overview for an example of the LAN Extension architecture.
- Wireless Bridging: This architecture provides point-to-point bridging using Harris SecNet 11/54 or Talon. In this architecture, the boundary is controlled either with fencing or inspection. See Figure 2.3 in the DISA FSO Wireless Overview for an example of the Wireless Bridging architecture.
- Wireless Peer-to-Peer: This architecture provides point-to-point communications between wireless clients using Harris SecNet 11/54 or Talon. In this architecture, the boundary is controlled either with fencing or inspection. See Figure 3.2 in the DISA FSO Wireless Overview for an example of the Wireless Peer-to-Peer architecture.
Check Procedures: Interview the SA or IAO to obtain SWLAN network diagrams. Review the SWLAN architecture and ensure it conforms to one of the approved use cases.
Disable or remove the non-compliant SWLAN or reconfigure it to conform to one of the approved architectures.
Interview IAO. Verify written operating procedures exist for the protection, handling, accounting, and use of NSA Type 1 certified WLAN products and keys in a SWLAN operational environment.
Document procedures for the protection, handling, accounting, and use of NSA Type 1 certified WLAN products and keys.
Review client devices and verify that there is some technical procedure to disable the wireless network interface when the wired network interface is active (e.g., connected to a network via an Ethernet cable). Examples of compliant implementations:
- Client-side connection management software products have configuration settings that disable wireless connections when a wired connection is active.
- Microsoft Windows hardware profiles can be created that disable assigned wireless network interfaces when the Ethernet connection is active.
To check compliance, select a sample of devices (3-4) and establish a network connection using the wireless interface. Test that the wireless interface is active using a command line utility such as ifconfig (UNIX/Linux) or ipconfig (Windows), or management tools such as Network Connections within the Windows Control Panel. Then plug the device into an active Ethernet port (or other wired network). Repeat the process used to check that the connection was active to verify it is now disabled. Mark as a finding if one or more of the tested devices do not disable the wireless interface upon connection to a wired network. Also mark as a finding if the device does not have the capability to disable the wireless interface when the wired interface is active.
Ensure the wired network interfaces on a WLAN client are disconnected or otherwise disabled when wireless network connections are in use.
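The two-snapshot test above (wireless active, plug in Ethernet, re-check) can be scored automatically when the reviewer saves the interface state before and after. The following is an added example written for this page, not STIG or vendor tooling: it parses `ip -o link` style output (the Linux equivalent of the ifconfig check), assumes that wireless and wired interfaces can be told apart by common Linux name prefixes (wlan*/wlp*/wlx* versus eth*/en*; this prefix rule is an assumption, not something the STIG states), and reports a finding when a wireless interface still has link while a wired interface is connected. The sample outputs embedded below are constructed, not captured from a real device.

```python
import re
from typing import Dict, List, Set

# ASSUMPTION: common Linux interface-name prefixes. Adjust for site hardware.
WIRELESS_PREFIXES = ("wlan", "wlp", "wlx")
WIRED_PREFIXES = ("eth", "enp", "eno", "ens", "enx")

# Matches the start of an `ip -o link` line: "<idx>: <name>[@parent]: <FLAGS> ..."
LINE_RE = re.compile(r"^\d+:\s+(?P<name>[^:@\s]+)(?:@\S+)?:\s+<(?P<flags>[^>]*)>")


def parse_ip_link(output: str) -> Dict[str, Set[str]]:
    """Turn `ip -o link` output into {interface name: set of link flags}."""
    ifaces: Dict[str, Set[str]] = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ifaces[m.group("name")] = {f for f in m.group("flags").split(",") if f}
    return ifaces


def classify(name: str) -> str:
    """Label an interface as wireless, wired, or other by its name prefix."""
    if name.startswith(WIRELESS_PREFIXES):
        return "wireless"
    if name.startswith(WIRED_PREFIXES):
        return "wired"
    return "other"


def is_active(flags: Set[str]) -> bool:
    # UP = administratively enabled; LOWER_UP = physical link/carrier present.
    return "UP" in flags and "LOWER_UP" in flags


def active_of_kind(ifaces: Dict[str, Set[str]], kind: str) -> List[str]:
    return sorted(n for n, f in ifaces.items() if classify(n) == kind and is_active(f))


def assess_device(before: str, after: str) -> dict:
    """Score one sampled device.

    before: `ip -o link` output taken while connected over wireless only.
    after:  the same output taken after plugging in the Ethernet cable.
    The test is only meaningful if wireless was active before and a wired
    link is present after; the result records that precondition separately.
    """
    b, a = parse_ip_link(before), parse_ip_link(after)
    wireless_before = active_of_kind(b, "wireless")
    wired_after = active_of_kind(a, "wired")
    wireless_after = active_of_kind(a, "wireless")
    precondition_ok = bool(wireless_before) and bool(wired_after)
    return {
        "precondition_ok": precondition_ok,
        "finding": precondition_ok and bool(wireless_after),
        "wireless_still_active": wireless_after,
    }


# Constructed sample snapshots (not real captures).
BEFORE = """1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP"""

AFTER_COMPLIANT = """1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN"""

AFTER_NONCOMPLIANT = """1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP"""

if __name__ == "__main__":
    for label, after in (("device-A", AFTER_COMPLIANT), ("device-B", AFTER_NONCOMPLIANT)):
        result = assess_device(BEFORE, after)
        status = "FINDING" if result["finding"] else "compliant"
        print(f"{label}: {status} {result}")
```

The script only scores the behavioural half of the check; whether a device lacks the capability to disable wireless at all (the second finding condition in the procedure) still has to be established by reviewing the connection manager or hardware profile configuration. A snapshot pair with `precondition_ok` false means the test was not set up correctly (wireless was not up beforehand, or the cable gave no link) and should be repeated rather than recorded as compliant.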
Review device configuration.
1. Obtain the SSID using a wireless scanner or the AP or WLAN controller management software.
2. Verify the name is not meaningful (e.g., site name, product name, room number, etc.) or set to the manufacturer's default value.
Mark as a finding if the SSID does not meet the requirement listed above.
Change the SSID to a pseudo-random word that does not identify the unit, base, or organization.
Detailed Policy Requirements: Wireless access points and bridges must not be directly connected to the enclave network. A network device must separate wireless access from other elements of the enclave network. Sites must also comply with the Network Infrastructure STIG configuration requirements for DMZ, VLAN, and VPN configurations, as applicable. Examples of acceptable architectures include placing access points or controllers in a screened subnet (e.g., DMZ separating intranet and wireless network) or a dedicated virtual LAN (VLAN) with ACLs.
Check Procedures: Review network architecture with the network administrator.
1. Verify compliance by inspecting the site network topology diagrams.
2. Since many network diagrams are not kept up-to-date, walk through the connections with the network administrator using network management tools or diagnostic commands to verify the diagrams are current.
If the site’s wireless infrastructure, such as access points and bridges, is not isolated from the enclave network, this is a finding.
Remove wireless network devices with direct connections to an enclave network. If feasible, reconfigure network connections to isolate the WLAN infrastructure from the enclave network, separating them with a firewall or equivalent protection.
Visually verify the site is using a Harris Corporation SecNet 11 or SecNet 54 or L3 KOV-26 Talon (version 1.1.04 or later) for the classified WLAN.
Immediately remove the uncertified device from the network. Install and operate a Type 1 product if wireless functionality is still required.
Review documentation.
- Verify the SWLAN system SCAO approval documentation exists and has been approved, and that the system has a SIPRNet or NIPRNet Interim Approval to Operate (IATO) or Approval to Operate (ATO) in the GIAP database.
- Verify the SWLAN system is included in the SSAA/SSP and is signed by the DAA.
Mark as a finding if requirements are not met.
Disable or remove the non-compliant SWLAN until the site has all required approvals for operation.
Review documentation. Verify the local CTTA has been notified of the site’s intent to install and operate a SWLAN. Mark as a finding if the local CTTA has not been notified.
Notify the CTTA of the need to review the SWLAN.
Detailed Policy Requirements: The following physical security controls must be implemented for SWLAN access points:
- Secure WLAN access points shall be physically secured, and methods shall exist to facilitate the detection of tampering. WLAN APs are part of a communications system and shall have controlled physical security, in accordance with DoDD 5200.08-R. SWLAN access points not within a location that provides limited access shall have controlled physical security with either fencing or inspection.
- Either physical inventories or electronic inventories shall be conducted daily by viewing or polling the serial number or MAC address. Access points not stored in a COMSEC-approved security container shall be physically inventoried.
Check Procedures: It is recommended the Traditional Reviewer assist with this check. Review the physical security controls of the SWLAN access points.
- Verify site SWLAN access points are physically secured.
- Verify there is some method for alerting site security if the access point has been tampered with.
- Determine if site SWLAN access points are in locations that provide limited access to only authorized personnel who are approved to access the access points.
- Determine how the site conducts a daily physical inventory of SWLAN access points. Verify that the required inventory methods are used, depending on whether the access points are stored in a COMSEC container.
Mark as a finding if any requirement has not been met.
Implement required physical security controls for the SWLAN.
Detailed Policy Requirements: MAC filtering must be implemented to enable the SWLAN AP to perform client device access control. Check Procedures: Verify MAC address filtering has been implemented on site SWLAN access points. Have the system administrator log into a sample of site SWLAN access points (2-3 devices) and show MAC address filtering has been enabled. Mark as a finding if MAC filtering has not been enabled.
Implement MAC filtering on the SWLAN access point.
Detailed Policy Requirements: The SWLAN system will be rekeyed at least every 90 days. Check Procedures: Interview the IAO and obtain the site’s procedures for rekeying the WLAN. Mark as a finding if the procedures do not exist or they do not include a requirement to rekey at least every 90 days.
Write and implement rekeying procedures that specify the keys must be changed at least every 90 days.
Determine the model numbers of a site’s classified wireless routers. If the Harris SecNet 11 or 54 wireless routers are being used, this is a finding.
Remove all versions of the Harris SecNet 11 or 54 wireless routers from service and properly dispose of the devices.