Check: WIR0135
WMAN Access Point STIG (STIG):
WIR0135
(in versions v6 r13 through v6 r11)
Title
Wireless access points and bridges must be placed in dedicated subnets outside the enclave’s perimeter. (Cat II impact)
Discussion
If an adversary is able to compromise an access point or controller that is directly connected to an enclave network, then the adversary can easily surveil and attack other devices from that beachhead. A defense-in-depth approach requires an additional layer of protection exist between the WLAN and the enclave network. This is particularly important for wireless networks, which may be vulnerable to attack from outside physical perimeter of the facility or base given the inherent nature of radio communications to penetrate walls, fences, and other physical boundaries.
Check Content
Detailed policy requirements: Wireless access points and bridges must not be directly connected to the enclave network. A network device must separate wireless access from other elements of the enclave network. Sites must also comply with the Network Infrastructure STIG configuration requirements for DMZ, VLAN, and VPN configurations, as applicable. Examples of acceptable architectures include placing access points or controllers in a screened subnet (e.g. DMZ separating intranet and wireless network) or dedicated virtual LAN (VLAN) with ACLs. Check Procedures: Review network architecture with the network administrator. 1. Verify compliance by inspecting the site network topology diagrams. 2. Since many network diagrams are not kept up-to-date, walk through the connections with the network administrator using network management tools or diagnostic commands to verify the diagrams are current. If the site’s wireless infrastructure, such as access points and bridges, is not isolated from the enclave network, this is a finding.
Fix Text
Remove wireless network devices with direct connections to an enclave network. If feasible, reconfigure network connections to isolate the WLAN infrastructure from the enclave network, separating them with a firewall or equivalent protection.
Additional Identifiers
Rule ID: SV-15654r2_rule
Vulnerability ID: V-14886
Group Title: WLAN infrastructure network placement
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |