WLAN Client Security Technical Implementation Guide (STIG)

  • Version/Release: V6R8
  • Published: 2014-03-18
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This STIG contains the technical security controls for the operation of a WLAN client in the DoD environment.
b
WLAN-capable devices must not use wireless peer-to-peer networks to connect to other devices.
Medium - V-3503 - SV-3503r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR0165
Vuln IDs
  • V-3503
Rule IDs
  • SV-3503r1_rule
WLANs may be configured into a peer-to-peer (also known as ad hoc) network that permits devices to communicate directly rather than through an access point. It is difficult to ensure required IA mechanisms are in place for such networks, because they inherently are not subject to centralized management. Consequently, there is a significant risk an adversary will defeat or circumvent authentication or encryption controls (if they even exist) on a peer-to-peer or ad hoc WLANs.Information Assurance OfficerECSC-1, ECWN-1
Checks: C-4002r1_chk

1. Use the site’s WIDS capability or any WLAN capable device to identify available WLAN connections. If the scan reveals there are devices supporting anything other than infrastructure connections (i.e., connections using peer-to-peer services rather via an access point), then record the advertised network names of these devices. Work with the SA or IAO to determine if any of these devices is associated with the site. 2. Check a sample (3-4) of WLAN client devices at the site. In the WLAN client management software, verify that the WLAN interfaces are configured to support WLAN infrastructure connections only. This may be indicated by check boxes stating “Infrastructure mode only” or “Connect to access point only” or “Disable peer-to-peer networking”. 3. Mark as a finding if: - If there are any WLAN clients advertising their availability for ad hoc WLAN connections. - If there are WLAN clients that have not configured WLAN interfaces to support infrastructure connections only (and thus prohibiting peer-to-peer or ad hoc connections). 4. Notify the IAM or IAO if there devices unaffiliated with the site advertising their availability for WLAN connections. This is not a finding because such devices are not under the site’s control, but they nonetheless pose an IA risk to the site of which IA and other personnel should be aware.

Fix: F-4561r1_fix

Configure WLAN client interfaces to support infrastructure connections only. Procure WLAN software and devices that have the capability to turn off or otherwise disable peer-to-peer WLAN communications.

b
The WLAN must use AES-CCMP to protect data-in-transit.
Medium - V-3515 - SV-3515r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR0125-01
Vuln IDs
  • V-3515
Rule IDs
  • SV-3515r2_rule
AES-CCMP provides all required WLAN security services for data in transit. The other encryption protocol available for IEEE 802.11i compliant robust security networks and WPA2 certified solutions is the Temporal Key Integrity Protocol (TKIP). TKIP relies on the RC4 cipher, which has known vulnerabilities. Some WLANs also rely on Wireless Equivalent Privacy (WEP), which also uses RC4, and is easily cracked in minutes on active WLANs. Use of protocols other than AES-CCMP places DoD WLANs at greater risk of security breaches than other available approaches.Information Assurance OfficerECSC-1, ECWN-1
Checks: C-22364r1_chk

Detailed Policy requirements: Encryption requirements for data in transit: - The WLAN infrastructure (e.g., access point, bridge, or WLAN controller) and WLAN client device must be configured to use the AES-CCMP encryption protocol. Check procedures: - Interview IAO and review WLAN system documentation. - Determine if the WLAN network and client components encryption setting has been configured to use the AES-CCMP encryption protocol and no others. - Mark as a finding if the WLAN is configured to support any encryption protocol other than AES-CCMP, even if AES-CCMP is one of several supported options.

Fix: F-3446r1_fix

Implement AES-CCMP to protect data in transit. Deactivate encryption protocols other than AES-CCMP.

b
WLAN must use EAP-TLS.
Medium - V-3692 - SV-3692r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR0115-01
Vuln IDs
  • V-3692
Rule IDs
  • SV-3692r2_rule
EAP-TLS provides strong cryptographic mutual authentication and key distribution services not found in other EAP methods, and thus provides significantly more protection against attacks than other methods. Additionally, EAP-TLS supports two-factor user authentication on the WLAN client, which provides significantly more protection than methods that rely on a password or certificate alone. EAP-TLS also can leverage DoD CAC in its authentication services, providing additional security and convenience.System AdministratorInformation Assurance OfficerECSC-1, ECWN-1
Checks: C-16042r3_chk

NOTE: If the equipment is WPA2 certified, then it is capable of supporting this requirement. Review the WLAN equipment configuration to check EAP-TLS is actively used and no other methods are enabled. Mark as a finding if either EAP-TLS is not used or if the WLAN system allows users to connect with other methods. Note: DoDI 8420.01 provides the capability for the DAA to grant limited exceptions to this requirement.

Fix: F-34114r1_fix

Change the WLAN configuration so it supports EAP-TLS, implementing supporting PKI and AAA infrastructure as necessary. If the WLAN equipment is not capable of supporting EAP-TLS, procure new equipment capable of such support.

b
Laptops with WLAN interfaces must have the WLAN card radio set to OFF as the default setting.
Medium - V-4632 - SV-4632r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR0180
Vuln IDs
  • V-4632
Rule IDs
  • SV-4632r1_rule
Laptop computers with wireless interfaces particularly susceptible to the Windows XP wireless vulnerabilities. If a user has an active wireless interface with security disabled, a hacker could connect to the laptop without the user being aware of the connection. Most laptop vendors provide a software utility to manage WLAN connections for the embedded wireless interfaces. The utility usually provides a feature that allows a laptop user to turn off the WLAN radio. Information Assurance OfficerECSC-1
Checks: C-16040r1_chk

NOTE: This requirement does not apply to tactical WLAN systems where the WLAN client is configured to connect to only specific tactical access point(s). Have the SA or IAO demonstrate the configuration of the WLAN interface in the interface's management utility. 1. Observe that the interface is set to off by default upon boot-up of the WLAN client device. 2. Verify this is standard practice by checking a sample of WLAN laptops/PDAs (at least 2-3 should be checked). Laptops can be checked by verifying the status of the wireless interface upon boot-up in each profile used on the laptop. 3. Verify users have been trained on this requirement by reviewing the site training records and the signed User Agreement. 4. Mark as a finding any of the following is found: - The WLAN radio functionality (transmit/receive setting) is enabled upon system boot. - If the WLAN interface management utility does not provide the ability to set the radio to OFF by default. - Users have not received required training on how to disable a wireless interface.

Fix: F-6765r1_fix

Change the default setting on each WLAN interface to OFF and train users on how to disable wireless interfaces after they are no longer in use.

a
WLAN clients must not be configured to connect to other WLAN devices without the user initiating a request to establish such a connection.
Low - V-7072 - SV-7456r1_rule
RMF Control
Severity
Low
CCI
Version
WIR0185
Vuln IDs
  • V-7072
Rule IDs
  • SV-7456r1_rule
Many WLAN clients have the capability to automatically connect to particular WLANs when they are available. This behavior means the user may not know to which WLAN they are connected or even be aware that a WLAN connection is active. This increases the probability that these open connections may be used for nefarious purposes, especially if an adversary is able to set up WLAN infrastructure to masquerade as the user’s preferred WLAN. Once the WLAN client is breached, the adversary may be able to obtain DoD sensitive information or use the client device to attack other systems.System AdministratorInformation Assurance OfficerECSC-1
Checks: C-16041r1_chk

NOTE: This requirement does not apply to tactical wireless systems where the client is configured to connect only specified tactical access point(s). Detailed Requirement: - The wireless client must not automatically connect to any wireless network, whether preferred or non-preferred. Check Procedures: Review the configuration settings of the WLAN client on a sample of wireless clients (3-4) and verify it is not configured so that the wireless client automatically connects to any preferred or non-preferred network. In some wireless client management software, there is a list of preferred or known networks. There may also be a configuration option such as “Connect when this network is in range”. These options should be disabled or not selected. Mark as a finding if the wireless client is configured to automatically connect to a wireless network.

Fix: F-15751r1_fix

Disable all auto-connect preferences in wireless client devices.

b
A device’s wired network interfaces (e.g., Ethernet) must be disconnected or otherwise disabled when wireless connections are in use.
Medium - V-14002 - SV-14613r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR0170
Vuln IDs
  • V-14002
Rule IDs
  • SV-14613r2_rule
If a client device supports simultaneous use of wireless and wired connections, then this increases the probability that an adversary who can access the device using its wireless interface can then route traffic through the device’s wired interface to attack devices on the wired network or obtain sensitive DoD information.System AdministratorInformation Assurance OfficerECWN-1
Checks: C-11465r3_chk

Review client devices and verify that there is some technical procedure to disable the wireless network interface when the wired network interface is active (e.g., connected to a network via an Ethernet cable). Examples of compliant implementations: - Client side connection management software products have configuration settings that disable wireless connections when a wired connection is active. - Microsoft Windows hardware profiles can be created that disable assigned wireless network interfaces when the Ethernet connection is active. To check compliance, select a sample of devices (3-4), and establish a network connection using the wireless interface. Test that the wireless interface is active using a command line utility such as ifconfig (UNIX/Linux), or ipconfig (Windows), or management tools such as Network Connections within the Windows Control Panel. Then plug the device into an active Ethernet port (or other wired network). Repeat the process used to check that the connection was active to verify it is now disabled. Mark as a finding if one or more of the tested devices do not disable the wireless interface upon connection to a wired network. Also mark as finding if the device does not have the capability to disable the wireless interface when the wired interface is active.

Fix: F-13489r1_fix

Ensure the wired network interfaces on a WLAN client are disconnected or otherwise disabled when wireless network connections are in use.

a
WLAN equipment obtained through acquisition programs must be JITC interoperability certified.
Low - V-14004 - SV-14615r2_rule
RMF Control
Severity
Low
CCI
Version
WIR0130
Vuln IDs
  • V-14004
Rule IDs
  • SV-14615r2_rule
Interoperability certification assures that warfighters can communicate effectively in joint, combined, coalition, and interagency environments. There is some degree of risk that systems without JITC certification will fail to interoperate. WLAN equipment is also required to be WPA2 certified (verified in another check procedure), which also provides significant interoperability assurance. The Wi-Fi Alliance WPA2 certification is not granted unless the product also has a radio subsystem compliant with the IEEE 802.11a, b, g, or n specifications. Products are tested with many other products to ensure interoperability. Information Assurance OfficerECWN-1
Checks: C-11469r1_chk

Detailed policy Requirements: All systems obtained through an acquisition program must be JTIC certified before they are fielded. Fielded systems must be recertified every four years or after any changes that may affect interoperability. Check Procedures: - Verify the WLAN system has been certified by the JITC as meeting end-to-end interoperability. - Mark as a finding if the WLAN was implemented as part of an acquisition program and does not have JITC certification.

Fix: F-13491r1_fix

Acquire JITC-certified WLAN equipment.

b
FIPS 140-2 validated encryption modules must be used to encrypt unclassified sensitive data at rest on the wireless device (e.g., laptop, PDA, smartphone).
Medium - V-14202 - SV-14813r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR0190
Vuln IDs
  • V-14202
Rule IDs
  • SV-14813r2_rule
If a wireless device is lost or stolen without DAR encryption, sensitive DoD data could be compromised. Most known security breaches of cryptography result from improper implementation, not flaws in the cryptographic algorithms themselves. FIPS 140-2 validation provides assurance that cryptography is implemented correctly, and is required for Federal Government uses of cryptography in non-classified applications.System AdministratorInformation Assurance OfficerECWN-1
Checks: C-11537r2_chk

Detailed Policy Requirements: FIPS 140-2 validated encryption modules must be used to encrypt unclassified sensitive data at rest on the wireless device (e.g., laptop, PDA, smartphone). This requirement applies to any wireless device or non-wireless PDA storing sensitive information, as defined by Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer Memorandum, “Encryption of Sensitive Unclassified Data at Rest on Mobile Computing Devices and Removable Storage,” July 3, 2007. This requirement also applies to removable memory cards (e.g., MicroSD) used in the PDA except when the PDA is connected to a Windows PC for the purpose of provisioning or transferring data. Check Procedures: Interview IAO and review documentation. 1. Determine if the wireless device is used to store sensitive data. Data approved for public release is not sensitive. Other unclassified data may also qualify as sensitive. Any device that stores any sensitive data must meet the requirements in this check. 2. Check a sample of wireless laptops, PDAs, smartphones, and other wireless devices used at the site (2-3 of each type). 3. Obtain the product’s FIPS certificate to confirm FIPS 140-2 validation for each model examined. The certificate may be obtained from the product documentation or the NIST web site. 4. Work with the IAO to determine if encryption is enabled on the wireless client device uses AES or 3DES. 5. Verify temp files with sensitive information are also protected with encryption. 6. Mark as a finding if encryption is not used or is not FIPS 140-2 validated.

Fix: F-34090r1_fix

Employ FIPS 140-2 validated encryption modules for sensitive DoD data at rest.

b
The WLAN implementation of AES-CCMP must be FIPS 140-2 validated.
Medium - V-19894 - SV-22064r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR0125-02
Vuln IDs
  • V-19894
Rule IDs
  • SV-22064r2_rule
Most known security breaches of cryptography result from improper implementation of the cryptography, not flaws in the cryptographic algorithms themselves. FIPS 140-2 validation provides assurance that cryptography is implemented correctly, and is required for Federal Government uses of cryptography in non-classified applications.System AdministratorInformation Assurance OfficerECCT-1, ECSC-1, ECWN-1
Checks: C-25502r1_chk

Check Procedures: Review the WLAN system product documentation (specification sheet, administration manual, etc.), which should include the FIPS 140-2 certificate for the WLAN system. Verify the certificate specifically covers the implementation of AES-CCMP. If there are any concerns about the currency or veracity of the certificate in the product documentation, the reviewer should check the NIST Internet web site (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm) and find the certificate.

Fix: F-34065r1_fix

Procure WLAN equipment whose implementation of AES-CCMP has been FIPS 140-2 validated.

b
The WLAN implementation of EAP-TLS must be FIPS 140-2 validated.
Medium - V-19900 - SV-22070r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR0115-02
Vuln IDs
  • V-19900
Rule IDs
  • SV-22070r1_rule
Most known security breaches of cryptography result from improper implementation of the cryptography, not flaws in the cryptographic algorithms themselves. FIPS 140-2 validation provides assurance that cryptography is implemented correctly, and is required for Federal Government uses of cryptography in non-classified applications.System AdministratorInformation Assurance OfficerECSC-1, ECWN-1
Checks: C-25550r1_chk

Review the WLAN system product documentation (specification sheet, administration manual, etc.), which should include the FIPS 140-2 certificate for the WLAN system. Verify the certificate specifically covers the implementation of TLS. If there are any concerns about the currency or veracity of the certificate in the product documentation, the reviewer should check the NIST Internet web site (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm) and find the certificate.

Fix: F-34115r1_fix

Procure WLAN equipment whose implementation of TLS has been FIPS 140-2 validated.

b
The WLAN must be WPA2-Enterprise certified.
Medium - V-30255 - SV-39891r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR0114
Vuln IDs
  • V-30255
Rule IDs
  • SV-39891r1_rule
The Wi-Fi Alliance WPA2-Enterprise certification means the WLAN equipment can support DoD requirements, most notably EAP-TLS and AES-CCMP. If the equipment has not been WPA-Enterprise certified, then the equipment may not have the required security functionality to protect DoD networks and information.Information Assurance OfficerECSC-1, ECWN-1
Checks: C-38911r1_chk

Check Procedures: Review the WLAN system product documentation (specification sheet, administration manual, etc.). Verify the system is WPA2-Enterprise certified. Mark as a finding if not WPA2-Enterprise certified. Note that WPA is the precursor certification to WPA2 and is not sufficient.

Fix: F-34048r1_fix

Procure WPA2-Enterprise certified WLAN equipment.

b
WLAN EAP-TLS implementation must use certificate-based PKI authentication to connect to DoD networks.
Medium - V-30257 - SV-39895r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR0116
Vuln IDs
  • V-30257
Rule IDs
  • SV-39895r2_rule
DoD certificate-based PKI authentication is strong, two-factor authentication that relies on carefully evaluated cryptographic modules. Implementations of EAP-TLS that are not integrated with certificate-based PKI could have security vulnerabilities. For example, an implementation that uses a client certificate on laptop without a second factor could enable an adversary with access to the laptop to connect to the WLAN without a PIN or password. Systems that do not use the certificate-based PKI are also much more likely to be vulnerable to weaknesses in the underlying public key infrastructure (PKI) that supports EAP-TLS.System AdministratorInformation Assurance OfficerECSC-1, ECWN-1
Checks: C-38915r3_chk

Detailed Policy Requirements: Certificate-based PKI authentication must be used to connect WLAN client devices to DoD networks. The certificate-based PKI authentication should directly support the WLAN EAP-TLS implementation. At least one layer of user authentication must enforce network authentication requirements found in JTF-GNO CTO 07-15Rev1 (e.g., CAC authentication) before the user is able to access DoD information resources. Check Procedures: Interview the site IAO and SA. Determine if the site’s network is configured to require certificate-based PKI authentication before a WLAN user is connected to the network. Mark as a finding if certificate-based PKI authentication is not required prior to a DoD WLAN user accessing the DoD network.

Fix: F-34052r2_fix

Integrate certificate-based PKI authentication into the WLAN authentication process.