UCF STIG Viewer Logo

DoD Components providing Internet-only guest access must use separate WLAN or logical segmentation of the host WLAN (e.g., separate service set identifier (SSID) and virtual LAN) or DoD network.


Overview

Finding ID Version Rule ID IA Controls Severity
V-25319 WIR0123 SV-31432r4_rule Medium
Description
If the access point or its supporting authentication server is placed in front of the perimeter firewall, then it has no firewall protection against an attack. If the access point or its supporting authentication server is placed behind the perimeter firewall (on the internal network), then any breach of these devices could lead to attacks on other DoD information systems.
STIG Date
Network Infrastructure Policy Security Technical Implementation Guide 2016-12-22

Details

Check Text ( C-31754r3_chk )
Have the SA show how the guest WLAN is physically connected to the firewall or supporting switch and how it is logically connected through firewall or switch configuration settings. Verify the equipment is connected via a separate WLAN or logical segmentation of the host WLAN (e.g., separate service set identifier (SSID) and virtual LAN).

If a guest WLAN is set up as a separate WLAN from the DoD network or not set up as a logical segmentation from the DoD network or DoD WLAN, this is a finding.
Fix Text (F-28238r1_fix)
Reconfigure physical and logical connections as needed so the Internet-only WLAN infrastructure resides in a dedicated subnet off the perimeter firewall.