Check: WIR0125-01
WLAN Client STIG (version v6 r9)
Title
The WLAN must use AES-CCMP to protect data-in-transit. (Cat II impact)
Discussion
AES-CCMP provides all required WLAN security services (confidentiality, integrity, and replay protection) for data in transit. The other encryption protocol available for IEEE 802.11i compliant robust security networks and WPA2 certified solutions is the Temporal Key Integrity Protocol (TKIP). TKIP relies on the RC4 cipher, which has known vulnerabilities. Some WLANs also rely on Wired Equivalent Privacy (WEP), which also uses RC4 and is easily cracked in minutes on active WLANs. Use of protocols other than AES-CCMP places DoD WLANs at greater risk of security breaches than other available approaches.
Check Content
Detailed Policy requirements:
Encryption requirements for data in transit:
- The WLAN infrastructure (e.g., access point, bridge, or WLAN controller) and WLAN client device must be configured to use the AES-CCMP encryption protocol.
Check procedures:
- Interview the IAO and review WLAN system documentation.
- Determine whether the encryption settings of the WLAN network and client components have been configured to use the AES-CCMP encryption protocol and no others.
- Mark as a finding if the WLAN is configured to support any encryption protocol other than AES-CCMP, even if AES-CCMP is one of several supported options.
Fix Text
Implement AES-CCMP to protect data in transit. Deactivate encryption protocols other than AES-CCMP.
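The check above hinges on a detail that is easy to miss when reviewing configuration files: a WLAN that supports TKIP or WEP alongside AES-CCMP is still a finding, and on the common open-source daemons an omitted cipher setting does not mean "CCMP only", because hostapd defaults wpa_pairwise to TKIP and wpa_supplicant defaults pairwise to "CCMP TKIP" and group to "CCMP TKIP WEP104 WEP40". The following audit script is an added example, not part of the STIG and not DISA or hostapd project code; it assumes hostapd.conf (access point) and wpa_supplicant.conf (client) syntax, and the sample configurations embedded in it are constructed for illustration.

```python
"""Audit hostapd (AP) and wpa_supplicant (client) configs against WIR0125-01:
any cipher other than AES-CCMP that is enabled, even next to CCMP, is a finding."""

ALLOWED = {"CCMP"}

# Values the daemons use when a key is omitted, per the reference hostapd.conf
# and wpa_supplicant.conf. An absent key is therefore NOT "CCMP only".
HOSTAPD_WPA_PAIRWISE_DEFAULT = "TKIP"          # rsn_pairwise falls back to wpa_pairwise
SUPPLICANT_PAIRWISE_DEFAULT = "CCMP TKIP"
SUPPLICANT_GROUP_DEFAULT = "CCMP TKIP WEP104 WEP40"


def parse_conf(text):
    """Return (global_settings, network_blocks) for hostapd/wpa_supplicant syntax.
    '#' starts a comment (simplification: inline '#' is also treated as one);
    each network={ ... } block becomes its own dict."""
    settings, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            blocks.append(current)
            current = None
        elif "=" in line:
            key, value = line.split("=", 1)
            target = settings if current is None else current
            target[key.strip()] = value.strip().strip('"')
    return settings, blocks


def _non_ccmp(cipher_list):
    """Ciphers in a space-separated list that are not AES-CCMP, sorted."""
    return sorted(set(cipher_list.split()) - ALLOWED)


def audit_hostapd(text):
    """Findings for an access point config; an empty list means compliant."""
    conf, _ = parse_conf(text)
    findings = []
    mode = int(conf.get("wpa", "0"))           # bit 0 = WPA (v1), bit 1 = RSN/WPA2
    if mode == 0:
        findings.append("wpa=0: no WPA/RSN protection configured")
    wpa_pairwise = conf.get("wpa_pairwise", HOSTAPD_WPA_PAIRWISE_DEFAULT)
    rsn_pairwise = conf.get("rsn_pairwise", wpa_pairwise)
    enabled = set()
    if mode & 1:
        enabled.update(wpa_pairwise.split())
    if mode & 2:
        enabled.update(rsn_pairwise.split())
    bad = sorted(enabled - ALLOWED)
    if bad:
        findings.append("pairwise ciphers other than CCMP enabled: " + " ".join(bad))
    if any(k.startswith("wep_key") for k in conf):
        findings.append("WEP keys configured")
    return findings


def audit_wpa_supplicant(text):
    """Findings for a client config, one entry per offending setting per network."""
    _, blocks = parse_conf(text)
    findings = []
    for net in blocks:
        ssid = net.get("ssid", "?")
        for key, default in (("pairwise", SUPPLICANT_PAIRWISE_DEFAULT),
                             ("group", SUPPLICANT_GROUP_DEFAULT)):
            bad = _non_ccmp(net.get(key, default))
            if bad:
                findings.append(f"{ssid}: {key} allows {' '.join(bad)}")
        if any(k.startswith("wep_key") for k in net):
            findings.append(f"{ssid}: WEP keys configured")
    return findings


# Constructed sample configs (not taken from any real system) covering the edge cases.
HOSTAPD_BAD = """
interface=wlan0
ssid=CORP-WLAN
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP TKIP   # rsn_pairwise unset, so WPA2 inherits TKIP as well
"""
HOSTAPD_GOOD = """
interface=wlan0
ssid=CORP-WLAN
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
"""
SUPPLICANT_BAD = """
network={
    ssid="CORP-WLAN"
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP        # group omitted: the default includes TKIP and WEP
}
network={
    ssid="LEGACY"
    key_mgmt=NONE
    wep_key0=0102030405
}
"""
SUPPLICANT_GOOD = """
network={
    ssid="CORP-WLAN"
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    group=CCMP
}
"""

if __name__ == "__main__":
    for name, fn, cfg in (("hostapd bad", audit_hostapd, HOSTAPD_BAD),
                          ("hostapd good", audit_hostapd, HOSTAPD_GOOD),
                          ("supplicant bad", audit_wpa_supplicant, SUPPLICANT_BAD),
                          ("supplicant good", audit_wpa_supplicant, SUPPLICANT_GOOD)):
        print(name, "->", fn(cfg) or "compliant")
```

Run it against the real /etc/hostapd/hostapd.conf or /etc/wpa_supplicant/wpa_supplicant.conf with `audit_hostapd(open(path).read())`; a non-empty list is a finding under this check. The two "bad" samples show the cases the check text calls out: CCMP listed next to TKIP (still a finding) and a setting that looks CCMP-only but inherits TKIP or WEP from a daemon default. Controller-based or vendor WLAN gear needs the equivalent review of its cipher-suite setting, which this script does not cover.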
Additional Identifiers
Rule ID: SV-3515r2_rule
Vulnerability ID: V-3515
Group Title: Transmitted WLAN AES-CCMP
Expert Comments
CCIs
No CCIs are assigned to this check.
Controls
No controls are assigned to this check.