1. Use the site’s WIDS capability or any WLAN-capable device to identify available WLAN connections. If the scan reveals there are devices supporting anything other than infrastructure connections (i.e., connections using peer-to-peer services rather than via an access point), then record the advertised network names of these devices. Work with the SA or IAO to determine if any of these devices is associated with the site.
2. Check a sample (3-4) of WLAN client devices at the site. In the WLAN client management software, verify that the WLAN interfaces are configured to support WLAN infrastructure connections only. This may be indicated by check boxes stating “Infrastructure mode only”, “Connect to access point only”, or “Disable peer-to-peer networking”.
3. Mark as a finding if:
- There are any WLAN clients advertising their availability for ad hoc WLAN connections.
- There are WLAN clients whose WLAN interfaces have not been configured to support infrastructure connections only (and thus prohibit peer-to-peer or ad hoc connections).
4. Notify the IAM or IAO if there are devices unaffiliated with the site advertising their availability for WLAN connections. This is not a finding because such devices are not under the site’s control, but they nonetheless pose an IA risk to the site of which IA and other personnel should be aware.
Configure WLAN client interfaces to support infrastructure connections only. Procure WLAN software and devices that have the capability to turn off or otherwise disable peer-to-peer WLAN communications.
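The first step of the check above (identify advertised ad hoc networks from a scan) can be scripted against the output of the scanning tools a client already has. The following is an added example, not part of the STIG text: it parses the text printed by `netsh wlan show networks mode=bssid` (Windows) and `iw dev <interface> scan` (Linux) and lists the SSIDs whose capability is ad hoc/IBSS rather than infrastructure. Both sample outputs are constructed for this example; the SSIDs and BSSIDs in them are not real.

```python
"""Flag scanned WLANs that advertise ad hoc (peer-to-peer / IBSS) operation.

Added example for the STIG check above, not part of the STIG text.
The two scan samples below are constructed; feed real tool output to
parse_netsh() / parse_iw() in practice.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ScannedNetwork:
    ssid: str
    adhoc: bool  # True when the BSS advertises IBSS / "Adhoc" rather than ESS


# Constructed sample in the layout netsh uses (one block per SSID).
NETSH_SAMPLE = """\
Interface name : Wi-Fi
There are 2 networks currently visible.

SSID 1 : CorpWLAN
    Network type            : Infrastructure
    Authentication          : WPA2-Enterprise
    Encryption              : CCMP

SSID 2 : FreeShare
    Network type            : Adhoc
    Authentication          : Open
    Encryption              : None
"""

# Constructed sample in the layout "iw dev wlan0 scan" uses (one BSS block each).
IW_SAMPLE = """\
BSS 00:11:22:33:44:55(on wlan0)
\tcapability: ESS Privacy (0x0011)
\tSSID: CorpWLAN
BSS 66:77:88:99:aa:bb(on wlan0)
\tcapability: IBSS (0x0002)
\tSSID: FreeShare
"""


def parse_netsh(text):
    """Pair each 'SSID n : <name>' line with the following 'Network type' line."""
    nets, ssid = [], None
    for line in text.splitlines():
        m = re.match(r"\s*SSID \d+ : (.*)", line)
        if m:
            ssid = m.group(1).strip()
            continue
        m = re.match(r"\s*Network type\s*:\s*(\S+)", line)
        if m and ssid is not None:
            nets.append(ScannedNetwork(ssid, m.group(1).lower() == "adhoc"))
            ssid = None
    return nets


def parse_iw(text):
    """Read the capability flags of each BSS block; IBSS marks an ad hoc network."""
    nets, adhoc = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("BSS "):
            adhoc = None
        elif line.startswith("capability:"):
            # Flags are the words before the hex value in parentheses.
            adhoc = "IBSS" in line.split("(")[0].split()
        elif line.startswith("SSID:") and adhoc is not None:
            nets.append(ScannedNetwork(line[len("SSID:"):].strip(), adhoc))
    return nets


def adhoc_networks(nets):
    """SSIDs to record and reconcile with the SA/IAO (step 1 of the check)."""
    return sorted({n.ssid for n in nets if n.adhoc})


if __name__ == "__main__":
    for label, nets in (("netsh", parse_netsh(NETSH_SAMPLE)), ("iw", parse_iw(IW_SAMPLE))):
        print(f"{label}: ad hoc networks seen = {adhoc_networks(nets)}")
```

The parsers only read the scan text; whether a listed ad hoc SSID belongs to a site device still has to be settled with the SA or IAO, as the check requires, before deciding whether it is a finding or merely a notification to the IAM/IAO.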
Detailed Policy requirements: Type 1 products and required procedures must be used to protect classified data-at-rest on wireless computers that are used on a classified WLAN or WMAN. If NSA Type 1 certified DAR encryption is not available, the following requirements apply:
- The storage media shall be physically removed from the computer and stored within a COMSEC-approved security container when the computer is not being used.
- The entire computer shall be placed within a COMSEC-approved security container if the computer has embedded storage media that cannot be removed.
Check Procedures: Interview the IAO to determine if devices with wireless functionality (e.g., laptops or PDAs with embedded radios) are used to store classified data. If yes, verify the device is an NSA Type 1 certified product. Mark as a finding if a Type 1 product is not used, or if the storage media or device is not stored in a COMSEC-approved security container when not in use.
Immediately discontinue use of the non-compliant device.
Detailed Policy requirements: Encryption requirements for data in transit:
- The WLAN infrastructure (e.g., access point, bridge, or WLAN controller) and WLAN client device must be configured to use the AES-CCMP encryption protocol.
Check procedures:
- Interview the IAO and review WLAN system documentation.
- Determine if the encryption setting of the WLAN network and client components has been configured to use the AES-CCMP encryption protocol and no others.
- Mark as a finding if the WLAN is configured to support any encryption protocol other than AES-CCMP, even if AES-CCMP is one of several supported options.
Implement AES-CCMP to protect data in transit. Deactivate encryption protocols other than AES-CCMP.
NOTE: If the equipment is WPA2 certified, then it is capable of supporting this requirement. Review the WLAN equipment configuration to check that EAP-TLS is actively used and no other methods are enabled. Mark as a finding if either EAP-TLS is not used or the WLAN system allows users to connect with other methods. Note: DoDI 8420.01 provides the capability for the DAA to grant limited exceptions to this requirement.
Change the WLAN configuration so it supports EAP-TLS, implementing supporting PKI and AAA infrastructure as necessary. If the WLAN equipment is not capable of supporting EAP-TLS, procure new equipment capable of such support.
NOTE: This requirement does not apply to tactical WLAN systems where the WLAN client is configured to connect to only specific tactical access point(s). Have the SA or IAO demonstrate the configuration of the WLAN interface in the interface's management utility.
1. Observe that the interface is set to off by default upon boot-up of the WLAN client device.
2. Verify this is standard practice by checking a sample of WLAN laptops/PDAs (at least 2-3 should be checked). Laptops can be checked by verifying the status of the wireless interface upon boot-up in each profile used on the laptop.
3. Verify users have been trained on this requirement by reviewing the site training records and the signed User Agreement.
4. Mark as a finding if any of the following is found:
- The WLAN radio functionality (transmit/receive setting) is enabled upon system boot.
- The WLAN interface management utility does not provide the ability to set the radio to OFF by default.
- Users have not received required training on how to disable a wireless interface.
Change the default setting on each WLAN interface to OFF and train users on how to disable wireless interfaces after they are no longer in use.
NOTE: This requirement does not apply to tactical wireless systems where the client is configured to connect to only specified tactical access point(s).
Detailed Requirement:
- The wireless client must not automatically connect to any wireless network, whether preferred or non-preferred.
Check Procedures: Review the configuration settings of the WLAN client on a sample of wireless clients (3-4) and verify it is not configured so that the wireless client automatically connects to any preferred or non-preferred network. In some wireless client management software, there is a list of preferred or known networks. There may also be a configuration option such as “Connect when this network is in range”. These options should be disabled or not selected. Mark as a finding if the wireless client is configured to automatically connect to a wireless network.
Disable all auto-connect preferences in wireless client devices.
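Several of the client-side checks above (infrastructure-only operation, AES-CCMP encryption, EAP-TLS as the only authentication method, and no automatic connection) can be read directly from a Windows WLAN profile, which `netsh wlan export profile` writes as XML. The following is an added example, not STIG text and not a Microsoft tool: it audits a profile document against those four settings using the element names of the WLAN profile schema (`connectionType` ESS vs. IBSS, `connectionMode` manual vs. auto, `authentication`/`encryption`, and the outer EAP method type, where 13 is EAP-TLS). The two profiles embedded below are constructed for the example; the SSIDs are not real.

```python
"""Audit a Windows WLAN profile XML against the client-side STIG checks above.

Added example, not part of the STIG text. Obtain real profiles with
"netsh wlan export profile" and pass the file contents to audit_profile().
The two profiles below are constructed for this example.
"""
import xml.etree.ElementTree as ET

# Namespaces used by the Windows WLAN profile schema and its EAP sub-documents.
NS = {
    "p": "http://www.microsoft.com/networking/WLAN/profile/v1",
    "ox": "http://www.microsoft.com/networking/OneX/v1",
    "eh": "http://www.microsoft.com/provisioning/EapHostConfig",
    "ec": "http://www.microsoft.com/provisioning/EapCommon",
}
EAP_TLS = "13"  # IANA EAP method type for EAP-TLS

# Constructed compliant profile: infrastructure, manual, WPA2-Enterprise/AES, EAP-TLS.
COMPLIANT = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWLAN</name>
  <SSIDConfig><SSID><name>CorpWLAN</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>manual</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication>
      <encryption>AES</encryption>
      <useOneX>true</useOneX>
    </authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <EAPConfig>
        <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
          <EapMethod>
            <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
          </EapMethod>
        </EapHostConfig>
      </EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>
"""

# Constructed non-compliant profile: ad hoc, auto-connect, WPA2-PSK/TKIP, no 802.1X.
NONCOMPLIANT = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>FreeShare</name>
  <SSIDConfig><SSID><name>FreeShare</name></SSID></SSIDConfig>
  <connectionType>IBSS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2PSK</authentication>
      <encryption>TKIP</encryption>
      <useOneX>false</useOneX>
    </authEncryption>
  </security></MSM>
</WLANProfile>
"""


def audit_profile(xml_text):
    """Return (profile name, list of findings). An empty list means compliant."""
    root = ET.fromstring(xml_text)

    def text(path):
        el = root.find(path, NS)
        return (el.text or "").strip() if el is not None else ""

    findings = []
    if text("p:connectionType") != "ESS":
        findings.append("connectionType is not ESS: ad hoc/peer-to-peer allowed")
    if text("p:connectionMode") == "auto":
        findings.append("connectionMode is auto: client auto-connects to this network")
    if text("p:MSM/p:security/p:authEncryption/p:authentication") != "WPA2":
        findings.append("authentication is not WPA2 (802.1X enterprise)")
    if text("p:MSM/p:security/p:authEncryption/p:encryption") != "AES":
        findings.append("encryption is not AES-CCMP")
    eap = text("p:MSM/p:security/ox:OneX/ox:EAPConfig/eh:EapHostConfig/eh:EapMethod/ec:Type")
    if eap != EAP_TLS:
        findings.append(f"outer EAP method is {eap or 'unset'}, not EAP-TLS (13)")
    return text("p:name"), findings


if __name__ == "__main__":
    for doc in (COMPLIANT, NONCOMPLIANT):
        name, findings = audit_profile(doc)
        print(name, "OK" if not findings else findings)
```

A profile is a per-network record, so the audit has to be run over every exported profile on each sampled client; the STIG's "no other methods" condition is only met when none of them fails the EAP-TLS or encryption test.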
Review client devices and verify that there is some technical procedure to disable the wireless network interface when the wired network interface is active (e.g., connected to a network via an Ethernet cable). Examples of compliant implementations:
- Client-side connection management software products have configuration settings that disable wireless connections when a wired connection is active.
- Microsoft Windows hardware profiles can be created that disable assigned wireless network interfaces when the Ethernet connection is active.
To check compliance, select a sample of devices (3-4), and establish a network connection using the wireless interface. Test that the wireless interface is active using a command line utility such as ifconfig (UNIX/Linux) or ipconfig (Windows), or management tools such as Network Connections within the Windows Control Panel. Then plug the device into an active Ethernet port (or other wired network). Repeat the process used to check that the connection was active to verify it is now disabled. Mark as a finding if one or more of the tested devices do not disable the wireless interface upon connection to a wired network. Also mark as a finding if the device does not have the capability to disable the wireless interface when the wired interface is active.
Ensure the wired network interfaces on a WLAN client are disconnected or otherwise disabled when wireless network connections are in use.
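The before/after test in the check above (wireless active, plug in Ethernet, confirm wireless is now down) can be recorded and evaluated mechanically. The following is an added example, not STIG text: on Linux it reads each physical interface's state from sysfs (`/sys/class/net/<if>/operstate`, and the presence of the `wireless` subdirectory to tell radios from wired NICs), and `evaluate()` applies the STIG's finding condition to a before and an after snapshot. The snapshots used in the test are constructed; on Windows the same snapshots would be taken from ipconfig or Network Connections as the check describes.

```python
"""Evaluate the 'wireless disabled when wired is active' check from two snapshots.

Added example, not part of the STIG text. interface_states() is Linux-specific
(sysfs); the sample snapshots below are constructed.
"""
import os
from pathlib import Path


def interface_states(sys_net="/sys/class/net"):
    """Return {iface: (is_wireless, operstate)} for physical interfaces only.

    Virtual interfaces (lo, bridges, veth pairs) have no 'device' symlink and
    are skipped so a docker0 bridge is not mistaken for an active wired NIC.
    """
    states = {}
    for iface in sorted(os.listdir(sys_net)):
        d = Path(sys_net) / iface
        if not (d / "device").exists():
            continue
        try:
            operstate = (d / "operstate").read_text().strip()
        except OSError:
            continue
        states[iface] = ((d / "wireless").is_dir(), operstate)
    return states


def active(states, wireless):
    """Interfaces of the requested kind whose operstate is 'up'."""
    return sorted(i for i, (w, s) in states.items() if w == wireless and s == "up")


def evaluate(before, after):
    """Apply the STIG condition to two snapshots taken around plugging in Ethernet.

    Returns a list of findings; an empty list means the device behaved correctly.
    """
    findings = []
    if not active(before, wireless=True):
        findings.append("test invalid: no wireless interface was up before wiring")
    if not active(after, wireless=False):
        findings.append("test invalid: wired interface did not come up after plug-in")
    still_up = active(after, wireless=True)
    if active(after, wireless=False) and still_up:
        findings.append(f"wireless still up with wired active: {still_up}")
    return findings


# Constructed snapshots: (is_wireless, operstate) per physical interface.
BEFORE = {"eth0": (False, "down"), "wlan0": (True, "up")}
AFTER_COMPLIANT = {"eth0": (False, "up"), "wlan0": (True, "down")}
AFTER_FINDING = {"eth0": (False, "up"), "wlan0": (True, "up")}


if __name__ == "__main__":
    print("compliant device:", evaluate(BEFORE, AFTER_COMPLIANT))
    print("non-compliant device:", evaluate(BEFORE, AFTER_FINDING))
    # On a real Linux client: snapshot = interface_states(); plug in; snapshot again.
```

The two "test invalid" findings matter as much as the real one: if the wired link never came up, or nothing was on wireless to begin with, the test proved nothing and must be repeated rather than recorded as a pass.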
Detailed Policy Requirements: FIPS 140-2 validated encryption modules must be used to encrypt unclassified sensitive data at rest on the wireless device (e.g., laptop, PDA, smartphone). This requirement applies to any wireless device or non-wireless PDA storing sensitive information, as defined by Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer Memorandum, “Encryption of Sensitive Unclassified Data at Rest on Mobile Computing Devices and Removable Storage,” July 3, 2007. This requirement also applies to removable memory cards (e.g., MicroSD) used in the PDA except when the PDA is connected to a Windows PC for the purpose of provisioning or transferring data.
Check Procedures: Interview the IAO and review documentation.
1. Determine if the wireless device is used to store sensitive data. Data approved for public release is not sensitive. Other unclassified data may also qualify as sensitive. Any device that stores any sensitive data must meet the requirements in this check.
2. Check a sample of wireless laptops, PDAs, smartphones, and other wireless devices used at the site (2-3 of each type).
3. Obtain the product’s FIPS certificate to confirm FIPS 140-2 validation for each model examined. The certificate may be obtained from the product documentation or the NIST web site.
4. Work with the IAO to determine if encryption is enabled on the wireless client device and whether it uses AES or 3DES.
5. Verify temp files with sensitive information are also protected with encryption.
6. Mark as a finding if encryption is not used or is not FIPS 140-2 validated.
Employ FIPS 140-2 validated encryption modules for sensitive DoD data at rest.
Detailed Policy Requirements: Certificate-based PKI authentication must be used to connect WLAN client devices to DoD networks. The certificate-based PKI authentication should directly support the WLAN EAP-TLS implementation. At least one layer of user authentication must enforce network authentication requirements found in JTF-GNO CTO 07-15Rev1 (e.g., CAC authentication) before the user is able to access DoD information resources.
Check Procedures: Interview the site IAO and SA. Determine if the site’s network is configured to require certificate-based PKI authentication before a WLAN user is connected to the network. Mark as a finding if certificate-based PKI authentication is not required prior to a DoD WLAN user accessing the DoD network.
Integrate certificate-based PKI authentication into the WLAN authentication process.