Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
Interview the site ISSO. Determine if the scanning by a WIDS is being conducted and if it is continuous or periodic. If a continuous scanning WIDS is used, there is no finding. If periodic scanning is used, verify the exception to policy is documented and signed by the AO. Verify the exception meets one of the required criteria. If periodic scanning is being performed but requirements have not been met, this is a finding. If no WIDS scanning is being performed at the site, this is a finding.
Perform required WIDS scanning.
Review device configuration. 1. Obtain the SSID using a wireless scanner or the AP or WLAN controller management software. 2. Verify the name is not meaningful (e.g., site name, product name, room number, etc.) and is not set to the manufacturer's default value. If the SSID does not meet the requirement listed above, this is a finding.
Change the SSID to a pseudo random word that does not identify the unit, base, or organization.
1. Review the relevant configuration screen of the WLAN controller or access point. 2. Verify the inactive/idle session timeout setting is set for 30 minutes or less. If the inactive/idle session timeout is not set to 30 minutes or less for the entire WLAN, or the WLAN does not have the capability to enable the session timeout feature, this is a finding.
Set the WLAN inactive/idle session timeout to 30 minutes or less.
Review the WLAN equipment specification and verify it is Wi-Fi Alliance certified with either the older WPA2 certification or the newer WPA3 certification. WPA3 is preferred but not required at this time. If the WLAN equipment is not Wi-Fi Alliance certified with WPA2 or WPA3, this is a finding.
Use WLAN equipment that is Wi-Fi Alliance certified with WPA2 or WPA3.
Note: If the equipment is WPA2/WPA3 certified by the Wi-Fi Alliance, it is capable of supporting this requirement. Review the WLAN equipment configuration to verify that EAP-TLS is actively used and no other methods are enabled. If EAP-TLS is not used or if the WLAN system allows users to connect with other methods, this is a finding.
Change the WLAN configuration so it supports EAP-TLS, implementing supporting PKI and AAA infrastructure as necessary. If the WLAN equipment is not capable of supporting EAP-TLS, procure new equipment capable of such support.
Review the WLAN equipment specification and verify it is FIPS 140-2/3 (CMVP) certified for data in transit, including authentication credentials. Verify the component is configured to operate in FIPS mode. If the WLAN equipment is not is FIPS 140-2/3 (CMVP) certified or is not configured to operate in FIPS mode, this is a finding.
Use WLAN equipment that is FIPS 140-2/3 (CMVP) certified. Configure the component to operate in FIPS mode.
Interview the site ISSO and SA. Determine if the site's network is configured to require certificate-based PKI authentication before a WLAN user is connected to the network. If certificate-based PKI authentication is not required prior to a DoD WLAN user accessing the DoD network, this is a finding. Note: This check does not apply to medical devices. Medical devices are permitted to connect to the WLAN using pre-shared keys.
Integrate certificate-based PKI authentication into the WLAN authentication process.
Review documentation and inspect access point locations. 1. Review documentation showing signal strength analysis from site survey activities, if available. 2. Use testing equipment or WLAN clients to determine if the signal strength is, in the reviewer's judgment, excessively outside the required area (e.g., strong signal in the parking area, public areas, or uncontrolled spaces). 3. Lower-end access points will not have this setting available. In this case, verify the access points are located away from exterior walls to achieve compliance with this requirement. If any of the following is found, this is a finding: - Visual inspection of equipment shows obvious improper placement of access points where they will emanate into uncontrolled spaces (e.g., next to external walls, windows, or doors; uncontrolled areas; or public areas). - Building walk-through testing shows signals of sufficient quality and strength to allow wireless access to exist in areas not authorized for WLAN access.
Move access points to areas in which signals do not emanate in a way that makes them usable outside the areas authorized for WLAN access. Alternatively, replace omni-directional antennae with directional antennae if this will solve the problem. If these solutions are not effective, adjust the transmission power settings on the access point to reduce the usability of signals in unauthorized areas. If the WLAN equipment does not allow the transmission power to be adjusted, and the access points are placed in a location where the ISSO determines there is significant risk that an adversary could be present where signals may be intercepted, the site should procure WLAN equipment that permits power adjustment.
Review network architecture with the network administrator. 1. Verify compliance by inspecting the site network topology diagrams. 2. Since many network diagrams are not kept up to date, walk through the connections with the network administrator using network management tools or diagnostic commands to verify the diagrams are current. If the site's wireless infrastructure, such as access points and bridges, is not isolated from the enclave network, this is a finding.
Remove wireless network devices with direct connections to an enclave network. If feasible, reconfigure network connections to isolate the WLAN infrastructure from the enclave network, separating them with a firewall or equivalent protection.
Review the device configuration to determine if the OOB management interface is assigned an appropriate IP address from the authorized OOB management network. If an IP address assigned to the interface is not from an authorized OOB management network, this is a finding.
Configure the network device so that only management traffic that ingresses and egresses the OOBM interface is permitted.
Review the device configuration to determine if the call home service or feature is disabled on the device. If the call home service is enabled on the device, this is a finding. Note: This feature can be enabled if the communication is only to a server residing in the local area network or enclave.
Configure the network device to disable the call home service or feature. Note: This feature can be enabled if the communication is only to a server residing in the local area network or enclave.