STIGQter: STIG Summary: WLAN Bridge Security Technical Implementation Guide (STIG) Version: 6 Release: 15 Benchmark Date: 26 Apr 2019: Wireless access points and bridges must be placed in dedicated subnets outside the enclave’s perimeter.

DISA Rule

SV-15654r2_rule

Vulnerability Number

V-14886

Group Title

WLAN infrastructure network placement

Rule Version

WIR0135

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Remove wireless network devices with direct connections to an enclave network. If feasible, reconfigure network connections to isolate the WLAN infrastructure from the enclave network, separating them with a firewall or equivalent protection.

Check Contents

Detailed policy requirements:

Wireless access points and bridges must not be directly connected to the enclave network. A network device must separate wireless access from other elements of the enclave network. Sites must also comply with the Network Infrastructure STIG configuration requirements for DMZ, VLAN, and VPN configurations, as applicable.

Examples of acceptable architectures include placing access points or controllers in a screened subnet (e.g., a DMZ separating the intranet from the wireless network) or in a dedicated virtual LAN (VLAN) with ACLs.

Check Procedures:

Review network architecture with the network administrator.
1. Verify compliance by inspecting the site network topology diagrams.
2. Since many network diagrams are not kept up to date, walk through the connections with the network administrator using network management tools or diagnostic commands to verify that the diagrams are current.

If the site’s wireless infrastructure, such as access points and bridges, is not isolated from the enclave network, this is a finding.
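The two conditions the check above reduces to, no enclave host sharing a VLAN or subnet with a wireless device and a firewall or ACL between the wireless VLAN and every enclave VLAN, can be scripted against a site inventory. The following is an added example, not part of the STIG or of STIGQter; the device roles, VLAN numbers, addresses and the `filtered_pairs` notion of "a filtering device sits between these two VLANs" are all constructed for illustration.

```python
"""Automated placement check for wireless infrastructure (WIR0135-style)."""
from dataclasses import dataclass
from ipaddress import ip_interface

@dataclass
class Device:
    name: str
    role: str        # "ap", "bridge", "controller" (wireless) or "host" (enclave)
    interface: str   # address with prefix length, e.g. "10.50.0.10/24"
    vlan: int

@dataclass
class Finding:
    device: str
    reason: str

WIRELESS_ROLES = {"ap", "bridge", "controller"}

def subnet_of(dev: Device):
    return ip_interface(dev.interface).network

def check_wlan_placement(devices, filtered_pairs):
    """Return one Finding per wireless device that is not isolated.

    filtered_pairs: set of frozenset({vlan_a, vlan_b}) naming VLAN pairs whose
    traffic crosses a firewall or ACL (constructed representation of the
    'network device must separate wireless access' requirement)."""
    findings = []
    enclave = [d for d in devices if d.role == "host"]
    enclave_vlans = {d.vlan for d in enclave}
    for w in (d for d in devices if d.role in WIRELESS_ROLES):
        wnet = subnet_of(w)
        # Condition 1: direct connection -> shares a VLAN or subnet with enclave hosts.
        shared = [h.name for h in enclave if h.vlan == w.vlan or subnet_of(h) == wnet]
        if shared:
            findings.append(Finding(w.name, f"shares VLAN {w.vlan}/subnet {wnet} with enclave hosts: {', '.join(shared)}"))
            continue
        # Condition 2: every enclave VLAN must be reachable only through a filtering device.
        unfiltered = sorted(v for v in enclave_vlans if frozenset({w.vlan, v}) not in filtered_pairs)
        if unfiltered:
            findings.append(Finding(w.name, f"no firewall/ACL between VLAN {w.vlan} and enclave VLAN(s) {unfiltered}"))
    return findings

# Constructed sample inventory: one compliant AP, one bridge patched straight
# into an enclave VLAN, and one AP whose VLAN is only partially filtered.
SAMPLE_DEVICES = [
    Device("ap-lobby", "ap", "10.50.0.10/24", 50),
    Device("bridge-warehouse", "bridge", "10.20.0.40/24", 20),
    Device("ap-annex", "ap", "10.60.0.10/24", 60),
    Device("fileserver", "host", "10.20.0.5/24", 20),
    Device("workstation-1", "host", "10.30.0.21/24", 30),
]
SAMPLE_FILTERED = {frozenset({50, 20}), frozenset({50, 30}), frozenset({60, 20})}

if __name__ == "__main__":
    for f in check_wlan_placement(SAMPLE_DEVICES, SAMPLE_FILTERED):
        print(f"FINDING {f.device}: {f.reason}")
```

The inventory and filtering data would come from the topology diagrams and the walk-through with the network administrator; the script only makes the two isolation conditions explicit and repeatable.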

Vulnerability Number

V-14886

Documentable

False

Rule Version

WIR0135

Severity Override Guidance


Check Content Reference

M

Responsibility

System Administrator

Target Key

1535

Comments