
The site will conduct continuous wireless IDS scanning. Note: This requirement applies to all DoD sites that operate DoD computer networks, including sites that have no authorized WLAN systems.


Overview

Finding ID Version Rule ID IA Controls Severity
V-18596 NET-WIDS-001 SV-20145r4_rule ECWN-1 Medium
Description
DoD networks are at risk and DoD data could be compromised if wireless scanning is not conducted to identify unauthorized WLAN clients and access points connected to or attempting to connect to the network.
STIG Date
WLAN Access Point Policy Security Technical Implementation Guide 2011-10-10

Details

Check Text ( C-22258r3_chk )
Detailed Policy Requirements:

DoD components will ensure that a Wireless Intrusion Detection System (WIDS) is implemented that allows for monitoring of WLAN activity and the detection of WLAN-related policy violations on all unclassified and classified DoD wired and wireless LANs.

The WIDS shall be capable of monitoring IEEE 802.11 transmissions within all DoD LAN environments and detect nearby unauthorized WLAN devices. WIDS shall not be required to monitor non-IEEE 802.11 transmissions.

WIDS Implementation Criteria. The WIDS shall continuously scan for and detect authorized and unauthorized WLAN activities 24 hours a day, 7 days a week.

Note: Exceptions to WIDS implementation criteria may be made by the DAA for DoD wired and wireless LAN operating environments. This exception allows the DAA to implement periodic scanning conducted by designated personnel using handheld scanners during walk-through assessments. Periodic scanning may be conducted as the alternative to the continuous scanning only in special circumstances, where it has been determined on a case-by-case basis that continuous scanning is either infeasible or unwarranted. The DAA exception must be documented.

The "infeasible" criteria include the following use case examples:
- It's not my building - this scenario means that for contractual or other similar reasons, the DoD component is not allowed to install a WIDS.
- There's no power or space is limited - this scenario means that for space, weight, and power (SWAP) reasons, the addition of continuous scanning capabilities cannot be accomplished because it would exceed SWAP availability. Another reason power would affect your decision to waive continuous scanning requirements is if the entire LAN is only in operation periodically (e.g., the wired/wireless LAN is enabled on a vehicle that is only operating when the vehicle is being used for a specific operation).
- The exception for "Minimal Impact WLAN Systems" [systems that: do not provide connectivity to WLAN-enabled PEDs (i.e., backhaul systems); have no available FIPS 140 validated 802.1X EAP-TLS supplicant; support a very small number of users for a specific mission (i.e., 10 or fewer users); are standalone networks; or are highly specialized WLAN systems that are isolated from the GIG (e.g., handheld personal digital assistants (PDAs) used as radio-frequency identification (RFID) readers, a network of WLAN-enabled Voice over Internet Protocol (VoIP) phones)] allows the DAA to waive any of the security requirements in the Instruction. This includes using non-standard/proprietary FIPS validated encryption, using an alternative FIPS validated EAP type, and not having a continuous WIDS.
- The cost of the continuous WIDS capability is more expensive than the total cost of the LAN without a WIDS.

To meet the "unwarranted" exception criteria, the DAA must conduct a wireless threat risk assessment in which it has been shown by analysis that the threat environment is extremely unlikely to non-existent.

Check Procedures:

Interview the site IAO. Determine if the scanning by a WIDS is being conducted and if it is continuous or periodic.

If a continuous scanning WIDS is used, there is no finding.

If periodic scanning is used, verify the exception to policy is documented and signed by the DAA. Verify the exception meets one of the required criteria. Mark as a finding if periodic scanning is being performed but requirements have not been met.

Mark as a finding if no WIDS scanning is being performed at the site.
Fix Text (F-19231r1_fix)
Perform required WIDS scanning