Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Resources
Documents
Publishers
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
Network WLAN AP-IG Platform Security Technical Implementation Guide
Network WLAN AP-IG Platform Security Technical Implementation Guide
An XCCDF Benchmark
Details
Profiles
Items
Prose
File Metadata
9 rules organized in 9 groups
SRG-NET-000514
1 Rule
The WLAN inactive/idle session timeout must be set for 30 minutes or less.
Medium Severity
A WLAN session that never terminates due to inactivity may allow an opening for an adversary to highjack the session to obtain access to the network.
SRG-NET-000063
1 Rule
WLAN components must be Wi-Fi Alliance certified with WPA2 or WPA3.
Medium Severity
Wi-Fi Alliance certification ensures compliance with DoD interoperability requirements between various WLAN products.
SRG-NET-000151
1 Rule
WLAN components must be FIPS 140-2 or FIPS 140-3 certified and configured to operate in FIPS mode.
Medium Severity
If the DoD WLAN components (WLAN AP, controller, or client) are not NIST FIPS 140-2/FIPS 140-3 (Cryptographic Module Validation Program, CMVP) certified, the WLAN system may not adequately protect sensitive unclassified DoD data from compromise during transmission.
SRG-NET-000384
1 Rule
WLAN signals must not be intercepted outside areas authorized for WLAN access.
Low Severity
Most commercially available WLAN equipment is preconfigured for signal power appropriate to most applications of the WLAN equipment. In some cases, this may permit the signals to be received outside the physical areas for which they are intended. This can occur when the intended area is relatively small, such as a conference room, or when the access point is placed near or window or wall, thereby allowing signals to be received in neighboring areas. In such cases, an adversary may be able to compromise the site's posture by measuring the presence of the signal and the quantity of data transmitted to obtain information about when personnel are active and what they are doing. If the signal is not appropriately protected through defense-in-depth mechanisms, the adversary could possibly use the connection to access DoD networks and sensitive information.
SRG-NET-000063
1 Rule
The WLAN access point must be configured for Wi-Fi Alliance WPA2 or WPA3 security.
Medium Severity
The Wi-Fi Alliance's WPA2/WPA3 certification provides assurance that the device has adequate security functionality and can implement the IEEE 802.11i standard for robust security networks. The previous version of the Wi-Fi Alliance certification, WPA, did not require AES encryption, which must be supported for DoD WLAN implementations. Devices without any WPA certification likely do not support required security functionality and could be vulnerable to a wide range of attacks.
SRG-NET-000512
1 Rule
DoD Components providing guest WLAN access (internet access only) must use separate WLAN or logical segmentation of the enterprise WLAN (e.g., separate service set identifier [SSID] and virtual LAN) or DoD network.
Medium Severity
The purpose of the Guest WLAN network is to provide WLAN services to authorized site guests. Guests, by definition, are not authorized access to the enterprise network. If the guest WLAN is not installed correctly, unauthorized access to the enterprise wireless and/or wired network could be obtained.
SRG-NET-000205
1 Rule
The network device must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface.
Medium Severity
The OOBM access switch will connect to the management interface of the managed network elements. The management interface can be a true OOBM interface or a standard interface functioning as the management interface. In either case, the management interface of the managed network element will be directly connected to the OOBM network. (See SRG-NET-000205-RTR-000012.) Network boundaries, also known as managed interfaces, include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis, and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs). Methods used for prohibiting interfaces within organizational information systems include, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses.
SRG-NET-000131
1 Rule
The network device must not be configured to have any feature enabled that calls home to the vendor.
Medium Severity
Call-home services will routinely send data such as configuration and diagnostic information to the vendor for routine or emergency analysis and troubleshooting. There is a risk that transmission of sensitive data sent to unauthorized persons could result in data loss or downtime due to an attack. (See SRG-NET-000131-RTR-000083.)
SRG-NET-000512
1 Rule
WLAN SSIDs must be changed from the manufacturer's default to a pseudo random word that does not identify the unit, base, organization, etc.
Low Severity
An SSID identifying the unit, site, or purpose of the WLAN or that is set to the manufacturer default may cause an OPSEC vulnerability.