| Vuln ID | | Rule Title | Discussion |
| --- | --- | --- | --- |
| V-243216 | | The site must conduct continuous wireless Intrusion Detection System (IDS) scanning. | DoD networks are at risk and DoD data could be compromised if wireless scanning is not conducted to identify unauthorized WLAN clients and access poin... |
| V-243218 | | The WLAN inactive/idle session timeout must be set for 30 minutes or less. | A WLAN session that never terminates due to inactivity may allow an opening for an adversary to hijack the session to obtain access to the network.... |
| V-243219 | | WLAN components must be Wi-Fi Alliance certified with WPA2 or WPA3. | Wi-Fi Alliance certification ensures compliance with DoD interoperability requirements between various WLAN products.... |
| V-243220 | | WLAN must use EAP-TLS. | EAP-TLS provides strong cryptographic mutual authentication and key distribution services not found in other EAP methods, and thus provides significan... |
| V-243221 | | WLAN components must be FIPS 140-2 or FIPS 140-3 certified and configured to operate in FIPS mode. | If the DoD WLAN components (WLAN AP, controller, or client) are not NIST FIPS 140-2/FIPS 140-3 (Cryptographic Module Validation Program, CMVP) certifi... |
| V-243222 | | WLAN EAP-TLS implementation must use certificate-based PKI authentication to connect to DoD networks. | DoD certificate-based PKI authentication is strong, two-factor authentication that relies on carefully evaluated cryptographic modules. Implementation... |
| V-243224 | | Wireless access points and bridges must be placed in dedicated subnets outside the enclave's perimeter. | If an adversary is able to compromise an access point or controller that is directly connected to an enclave network, the adversary can easily surveil... |
| V-243225 | | The network device must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface. | The OOBM access switch will connect to the management interface of the managed network elements. The management interface can be a true OOBM interface... |
| V-243226 | | The network device must not be configured to have any feature enabled that calls home to the vendor. | Call-home services will routinely send data such as configuration and diagnostic information to the vendor for routine or emergency analysis and troub... |
| V-243217 | | WLAN SSIDs must be changed from the manufacturer's default to a pseudo-random word that does not identify the unit, base, organization, etc. | An SSID identifying the unit, site, or purpose of the WLAN, or one that is set to the manufacturer default, may cause an OPSEC vulnerability.... |
| V-243223 | | WLAN signals must not be intercepted outside areas authorized for WLAN access. | Most commercially available WLAN equipment is preconfigured for signal power appropriate to most applications of the WLAN equipment. In some cases, th... |