Check: WIR0025
General Wireless Policy: WIR0025 (in versions v1 r7 through v1 r6)
Title
All wireless network devices such as wireless Intrusion Detection System (IDS) and wireless routers, access points, gateways, and controllers must be located in a secure room with limited access or otherwise secured to prevent tampering or theft. (Cat II impact)
Discussion
DoD data and the network could be exposed to attack if wireless network devices are not physically protected. The Network Security Officer (NSO) will ensure all wireless network devices (i.e., IDS, routers, servers, Remote Access System (RAS), firewalls, WLAN access points, etc.), wireless management, and email servers are located in a secure room with limited access or otherwise secured to prevent tampering or theft.
Check Content
Detailed Policy Requirements:

For WLAN Access Points: If the WLAN infrastructure network device (access point, bridge, WLAN switch/gateway/controller, etc.) is used in an unprotected public area, the following security controls are required. (The site Physical Security Officer should make a determination if a WLAN device installation location should be considered to be an unprotected public area.)

One of the following security controls is required:
- The WLAN device must be physically secured by placing it inside a securely mounted, pick-resistant, and lockable enclosure.
- The encryption keys stored on the device must be encrypted on the device using an encryption module validated as meeting FIPS 140-2 Level 2, at a minimum.

Check Procedures:

The NSO will ensure all network devices (i.e., IDS, routers, servers, Remote Access System (RAS), firewalls, WLAN access points, etc.) are located in a secure room with limited access or otherwise secured to prevent tampering or theft.

For WLAN Access Points: Determine if the WLAN network component of the WLAN system (e.g., access point or bridge) is installed in an unprotected public area where unauthorized personnel can get access to the device. The Physical Security Reviewer may be able to assist in this determination. If yes, the following requirements apply.

Note: Access points installed above ceiling tiles in a controlled access area or installed 30 feet above the ground in a controlled access hangar can be considered to be installed in a protected non-public area. The site Physical Security Officer should make a determination if a WLAN device installation location should be considered to be in an unprotected public area.

Determine if the WLAN device has been validated as meeting FIPS 140-2 Level 2, at a minimum, or physically secured by placing it inside a securely mounted, pick-resistant, and lockable enclosure. Mark as a finding if the requirements above are not met.

For SME PED: During SRR walkthrough inspection, visually confirm the SME PED servers and network equipment (such as HAIPE) are installed in secured areas.
Fix Text
Place all network devices (i.e., Intrusion Detection System (IDS), routers, Remote Access System (RAS), firewalls, etc.) in a secure room with limited access or otherwise secured to prevent tampering or theft. WIR0225 provides physical security requirements for classified WLAN systems.
Additional Identifiers
Rule ID: SV-15662r10_rule
Vulnerability ID: V-14894
Group Title:
CCIs
No CCIs are assigned to this check.
Controls
No controls are assigned to this check.