| V-266557 | | AOS must use Transport Layer Security (TLS) 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access. | Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that explo... |
| V-266559 | | AOS must protect wireless access to the network using authentication of users and/or devices. | Allowing devices and users to connect to the system without first authenticating them allows untrusted access and can lead to a compromise or attack. ... |
| V-266560 | | The network element must protect wireless access to the system using Federal Information Processing Standard (FIPS)-validated Advanced Encryption Standard (AES) block cipher algorithms with an approved confidentiality mode. | Allowing devices and users to connect to the system without first authenticating them allows untrusted access and can lead to a compromise or attack. ... |
| V-266577 | | AOS must be configured to disable nonessential capabilities. | It is detrimental for network elements to provide, or enable by default, functionality exceeding requirements or mission objectives. These unnecessary... |
| V-266591 | | AOS must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks. | A network element experiencing a DoS attack will not be able to handle production traffic load. The high utilization and CPU caused by a DoS attack wi... |
| V-266627 | | AOS must require devices to reauthenticate in organization-defined circumstances or situations requiring reauthentication. | Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity on the network. In additi... |
| V-266632 | | The network element must authenticate all network-connected endpoint devices before establishing any connection. | Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. For distributed architect... |
| V-266639 | | AOS must use cryptographic algorithms approved by the National Security Agency (NSA) to protect national security systems (NSS) when transporting classified traffic across an unclassified network. | Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. National Institute of Standards and Techno... |
| V-266644 | | AOS, in conjunction with a remote device, must prevent the device from simultaneously establishing nonremote connections with the system and communicating via some other connection to resources in external networks. | Split tunneling would in effect allow unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizati... |
| V-266703 | | When AOS is used as a wireless local area network (WLAN) controller, WLAN Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) implementation must use certificate-based public key infrastructure (PKI) authentication to connect to DOD networks. | DOD certificate-based PKI authentication is strong, two-factor authentication that relies on carefully evaluated cryptographic modules. Implementation... |
| V-266704 | | The site must conduct continuous wireless Intrusion Detection System (IDS) scanning. | DOD networks are at risk and DOD data could be compromised if wireless scanning is not conducted to identify unauthorized wireless local area network ... |
| V-266705 | | AOS, when configured as a WLAN bridge, must not be configured to have any feature enabled that calls home to the vendor. | Call-home services will routinely send data such as configuration and diagnostic information to the vendor for routine or emergency analysis and troub... |
| V-266707 | | AOS, when used as a WLAN bridge or controller, must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface. | The OOBM access switch will connect to the management interface of the managed network elements. The management interface can be a true OOBM interface... |
| V-266708 | | AOS wireless local area network (WLAN) service set identifiers (SSIDs) must be changed from the manufacturer's default to a pseudo random word that does not identify the unit, base, organization, etc. | An SSID that identifies the unit, site, or purpose of the WLAN or is set to the manufacturer default may cause an operational security vulnerability.... |