WLAN Client Security Technical Implementation Guide (STIG)

This STIG contains the technical security controls for the operation of a WLAN client in the DoD environment.


Version / Release: V6R9

Published: 2014-08-26

Updated At: 2018-09-23 13:38:23


Requirements (Vuln ID, Rule Version, Severity, Title, Description)

SV-3503r1_rule | WIR0165 | MEDIUM
Title: WLAN-capable devices must not use wireless peer-to-peer networks to connect to other devices.
Description: WLANs may be configured into a peer-to-peer (also known as ad hoc) network that permits devices to communicate directly rather than through an access point. It is difficult to ensure required IA mechanisms are in place for such networks, because they inh

SV-67727r1_rule | WIR0235 | HIGH
Title: NSA Type 1 products and required procedures must be used to protect classified data at rest (DAR) on wireless devices used on a classified WLAN or WMAN.
Description: NSA Type 1 products provide a high level of assurance that cryptography is implemented correctly and meets the standards for storage of classified information. Use of cryptography that is not Type 1 certified violates policy and increases the risk that c

SV-3515r2_rule | WIR0125-01 | MEDIUM
Title: The WLAN must use AES-CCMP to protect data-in-transit.
Description: AES-CCMP provides all required WLAN security services for data in transit. The other encryption protocol available for IEEE 802.11i compliant robust security networks and WPA2 certified solutions is the Temporal Key Integrity Protocol (TKIP). TKIP relies

SV-3692r2_rule | WIR0115-01 | MEDIUM
Title: The WLAN must use EAP-TLS.
Description: EAP-TLS provides strong cryptographic mutual authentication and key distribution services not found in other EAP methods, and thus provides significantly more protection against attacks than other methods. Additionally, EAP-TLS supports two-factor user au

SV-4632r1_rule | WIR0180 | MEDIUM
Title: Laptops with WLAN interfaces must have the WLAN card radio set to OFF as the default setting.
Description: Laptop computers with wireless interfaces are particularly susceptible to the Windows XP wireless vulnerabilities. If a user has an active wireless interface with security disabled, a hacker could connect to the laptop without the user being aware of the con

SV-7456r1_rule | WIR0185 | LOW
Title: WLAN clients must not be configured to connect to other WLAN devices without the user initiating a request to establish such a connection.
Description: Many WLAN clients have the capability to automatically connect to particular WLANs when they are available. This behavior means the user may not know to which WLAN they are connected, or even be aware that a WLAN connection is active. This increases the

SV-14613r2_rule | WIR0170 | MEDIUM
Title: A device's wired network interfaces (e.g., Ethernet) must be disconnected or otherwise disabled when wireless connections are in use.
Description: If a client device supports simultaneous use of wireless and wired connections, then this increases the probability that an adversary who can access the device using its wireless interface can then route traffic through the device's wired interface to a

SV-14813r2_rule | WIR0190 | MEDIUM
Title: FIPS 140-2 validated encryption modules must be used to encrypt unclassified sensitive data at rest on the wireless device (e.g., laptop, PDA, smartphone).
Description: If a wireless device is lost or stolen without DAR encryption, sensitive DoD data could be compromised. Most known security breaches of cryptography result from improper implementation, not flaws in the cryptographic algorithms themselves. FIPS 140-2 v

SV-39895r2_rule | WIR0116 | MEDIUM
Title: The WLAN EAP-TLS implementation must use certificate-based PKI authentication to connect to DoD networks.
Description: DoD certificate-based PKI authentication is strong, two-factor authentication that relies on carefully evaluated cryptographic modules. Implementations of EAP-TLS that are not integrated with certificate-based PKI could have security vulnerabilities. Fo
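Four of the rules above (WIR0165, WIR0185, WIR0125-01 and WIR0115-01) are settings that live in a Windows WLAN profile and can be checked from the text that `netsh wlan show profile name="<SSID>"` prints. The script below is an added example for this page, not STIG or DISA tooling: it parses that output and reports the rule IDs a profile fails. The field names (Network type, Connection mode, Cipher, Authentication, 802.1X, EAP type) follow netsh's layout, and Windows labels EAP-TLS as "Smart Card or other certificate"; the two profile texts, the function names and the severities copied from the table are constructed for the example. WIR0170 and WIR0180 describe runtime device state (radio off by default, wired interface disconnected while wireless is up), not a profile setting, so they are not covered here.

```python
"""Check exported Windows WLAN profiles against the client-side WLAN STIG rules.

Added example, not part of the STIG. It parses the text printed by
`netsh wlan show profile name="<SSID>"` and maps the fields onto WIR0165
(no ad hoc), WIR0185 (no automatic connection), WIR0125-01 (AES-CCMP only)
and WIR0115-01 (EAP-TLS). Both profile texts below are constructed.
"""
import re
from typing import Dict, List, Tuple

# netsh prints "<field> : <value>"; Authentication and Cipher may repeat
# (one line per supported pair), so every field keeps a list of values.
FIELD_RE = re.compile(r"^\s*([A-Za-z0-9 .]+?)\s*:\s*(.*?)\s*$")

# Windows' name for its EAP-TLS method.
EAP_TLS = "smart card or other certificate"

# Severities as listed in the STIG table above.
SEVERITY = {"WIR0165": "MEDIUM", "WIR0185": "LOW",
            "WIR0125-01": "MEDIUM", "WIR0115-01": "MEDIUM"}


def parse_profile(text: str) -> Dict[str, List[str]]:
    """Collect every 'name : value' line of a netsh profile dump."""
    fields: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields.setdefault(m.group(1), []).append(m.group(2))
    return fields


def evaluate(fields: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Return (rule, severity, detail) for each rule the profile violates."""
    def values(name: str) -> List[str]:
        return [v.lower() for v in fields.get(name, [])]

    findings: List[Tuple[str, str, str]] = []

    def flag(rule: str, detail: str) -> None:
        findings.append((rule, SEVERITY[rule], detail))

    # WIR0165: peer-to-peer (ad hoc) profiles are prohibited outright.
    if any("ad hoc" in v for v in values("Network type")):
        flag("WIR0165", "profile is an ad hoc (peer-to-peer) network")

    # WIR0185: the user must initiate the connection.
    if any("automatically" in v for v in values("Connection mode")):
        flag("WIR0185", "profile connects automatically")

    # WIR0125-01: every negotiable cipher must be AES-CCMP. TKIP, WEP and
    # "None" are findings; GCMP (WPA3) is reported too because the rule text
    # names CCMP, so treat that case as a reviewer judgement call.
    ciphers = values("Cipher")
    bad = [c for c in ciphers if c != "ccmp"]
    if not ciphers or bad:
        flag("WIR0125-01", "cipher(s) other than AES-CCMP: %s" % (bad or "none listed"))

    # WIR0115-01: 802.1X must be enabled and the method must be EAP-TLS.
    # A PSK profile (WPA2-Personal) or PEAP/EAP-MSCHAPv2 is a finding.
    enterprise = all("enterprise" in a for a in values("Authentication"))
    dot1x_on = "enabled" in values("802.1X")
    eap_tls = any(EAP_TLS in e for e in values("EAP type"))
    if not (enterprise and dot1x_on and eap_tls):
        flag("WIR0115-01", "authentication is not EAP-TLS: auth=%s eap=%s"
             % (values("Authentication"), values("EAP type")))
    return findings


def audit(profile_text: str) -> List[str]:
    """Rule IDs the profile fails, in evaluation order."""
    return [rule for rule, _, _ in evaluate(parse_profile(profile_text))]


# Constructed netsh output for a compliant enterprise profile.
GOOD_PROFILE = """
Profile DOD-WLAN on interface Wi-Fi:
=======================================================================

Applied: All User Profile

Profile information
-------------------
    Version                : 1
    Type                   : Wireless LAN
    Name                   : DOD-WLAN
    Control options        :
        Connection mode    : Connect manually
        Network broadcast  : Connect only if this network is broadcasting
        AutoSwitch         : Do not switch to other networks

Connectivity settings
---------------------
    Number of SSIDs        : 1
    SSID name              : "DOD-WLAN"
    Network type           : Infrastructure
    Radio type             : [ Any Radio Type ]

Security settings
-----------------
    Authentication         : WPA2-Enterprise
    Cipher                 : CCMP
    Security key           : Absent
    802.1X                 : Enabled
    EAP type               : Microsoft: Smart Card or other certificate
    802.1X auth credential : Certificate
"""

# Constructed profile that breaks all four rules: ad hoc, auto-connect,
# TKIP, and a pre-shared key instead of EAP-TLS.
BAD_PROFILE = """
Profile information
-------------------
    Name                   : FieldTeam-adhoc
    Control options        :
        Connection mode    : Connect automatically

Connectivity settings
---------------------
    SSID name              : "FieldTeam-adhoc"
    Network type           : Ad hoc

Security settings
-----------------
    Authentication         : WPA2-Personal
    Cipher                 : TKIP
    Security key           : Present
    802.1X                 : Disabled
"""

if __name__ == "__main__":
    for name, text in (("DOD-WLAN", GOOD_PROFILE), ("FieldTeam-adhoc", BAD_PROFILE)):
        for rule, sev, detail in evaluate(parse_profile(text)):
            print("%-16s %-10s %-6s %s" % (name, rule, sev, detail))
```

To run it against a real client, redirect `netsh wlan show profile name="<SSID>"` to a file for each profile listed by `netsh wlan show profiles` and feed the file contents to `audit()`. The check is deliberately strict: a profile that lists CCMP alongside any other cipher is still a WIR0125-01 finding, because the client could negotiate the weaker one.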