Network WLAN Controller Platform Security Technical Implementation Guide
Overview
| Version | Date | Finding Count (6) | Downloads |
|---|---|---|---|
| 7 | 2023-02-13 | CAT I (High): 0; CAT II (Medium): 6; CAT III (Low): 0 | |
| STIG Description |
|---|
| This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. |
Findings - All
| Finding ID | Severity | Title | Description |
|---|---|---|---|
| V-243233 | CAT II (Medium) | The WLAN inactive/idle session timeout must be set for 30 minutes or less. | A WLAN session that never terminates due to inactivity may allow an opening for an adversary to hijack the session to obtain access to the network.... |
| V-243234 | CAT II (Medium) | WLAN must use EAP-TLS. | EAP-TLS provides strong cryptographic mutual authentication and key distribution services not found in other EAP methods, and thus provides significan... |
| V-243235 | CAT II (Medium) | WLAN components must be FIPS 140-2 or FIPS 140-3 certified and configured to operate in FIPS mode. | If the DoD WLAN components (WLAN AP, controller, or client) are not NIST FIPS 140-2/FIPS 140-3 (Cryptographic Module Validation Program, CMVP) certifi... |
| V-243236 | CAT II (Medium) | WLAN EAP-TLS implementation must use certificate-based PKI authentication to connect to DoD networks. | DoD certificate-based PKI authentication is strong, two-factor authentication that relies on carefully evaluated cryptographic modules. Implementation... |
| V-243237 | CAT II (Medium) | The network device must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface. | The OOBM access switch will connect to the management interface of the managed network elements. The management interface can be a true OOBM interface... |
| V-243238 | CAT II (Medium) | The network device must not be configured to have any feature enabled that calls home to the vendor. | Call-home services will routinely send data such as configuration and diagnostic information to the vendor for routine or emergency analysis and troub... |