DISA STIGS Viewer

Network WLAN Controller Platform Security Technical Implementation Guide

Overview

Version: 7
Date: 2023-02-13
Finding Count (6): CAT I (High): 0; CAT II (Medium): 6; CAT III (Low): 0
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings - All

Finding ID / Severity / Title / Description

V-243238 (Medium): The network device must not be configured to have any feature enabled that calls home to the vendor.
Call-home services will routinely send data such as configuration and diagnostic information to the vendor for routine or emergency analysis and troubleshooting. There is a risk that transmission of sensitive data sent to unauthorized persons could result in data loss or downtime due to an attack. (See SRG-NET-000131-RTR-000083.)

V-243237 (Medium): The network device must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface.
The OOBM access switch will connect to the management interface of the managed network elements. The management interface can be a true OOBM interface or a standard interface functioning as the management interface. In either case, the management interface of the managed network element will be directly connected to the...

V-243236 (Medium): WLAN EAP-TLS implementation must use certificate-based PKI authentication to connect to DoD networks.
DoD certificate-based PKI authentication is strong, two-factor authentication that relies on carefully evaluated cryptographic modules. Implementations of EAP-TLS that are not integrated with certificate-based PKI could have security vulnerabilities. For example, an implementation that uses a client certificate on a laptop without a second factor could enable an adversary with access...

V-243235 (Medium): WLAN components must be FIPS 140-2 or FIPS 140-3 certified and configured to operate in FIPS mode.
If the DoD WLAN components (WLAN AP, controller, or client) are not NIST FIPS 140-2/FIPS 140-3 (Cryptographic Module Validation Program, CMVP) certified, the WLAN system may not adequately protect sensitive unclassified DoD data from compromise during transmission.

V-243234 (Medium): WLAN must use EAP-TLS.
EAP-TLS provides strong cryptographic mutual authentication and key distribution services not found in other EAP methods, and thus provides significantly more protection against attacks than other methods. Additionally, EAP-TLS supports two-factor user authentication on the WLAN client, which provides significantly more protection than methods that rely on a password or...

V-243233 (Medium): The WLAN inactive/idle session timeout must be set for 30 minutes or less.
A WLAN session that never terminates due to inactivity may allow an opening for an adversary to hijack the session to obtain access to the network.