STIGQter STIGQter: STIG Summary:

WLAN Bridge Security Technical Implementation Guide (STIG)

Version: 6

Release: 15 Benchmark Date: 26 Apr 2019

SV-3012r4_ruleNetwork devices must be password protected.
SV-3013r5_ruleNetwork devices must display the DoD-approved logon banner warning.
SV-3014r4_ruleThe network devices must timeout management connections for administrative access after 10 minutes or less of inactivity.
SV-3043r4_ruleThe network device must use different SNMP community names or groups for various levels of read and write access.
SV-3056r7_ruleGroup accounts must not be configured for use on the network device.
SV-3057r6_ruleAuthorized accounts must be assigned the least privilege level necessary to perform assigned duties.
SV-3058r5_ruleUnauthorized accounts must not be configured for access to the network device.
SV-3069r5_ruleManagement connections to a network device must be established using secure protocols with FIPS 140-2 validated cryptographic modules.
SV-3070r4_ruleNetwork devices must log all attempts to establish a management connection for administrative access.
SV-3143r4_ruleNetwork devices must not have any default manufacturer passwords.
SV-3160r4_ruleNetwork devices must be running a current and supported operating system with all IAVMs addressed.
SV-3175r5_ruleThe network device must require authentication prior to establishing a management connection for administrative access.
SV-3196r4_ruleThe network device must use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography for any SNMP agent configured on the device.
SV-3210r4_ruleThe network device must not use the default or well-known SNMP community strings public and private.
SV-3966r6_ruleIn the event the authentication server is unavailable, the network device must have a single local account of last resort defined.
SV-3967r4_ruleThe network devices must time out access to the console port at 10 minutes or less of inactivity.
SV-3969r5_ruleNetwork devices must only allow SNMP read-only access.
SV-4582r5_ruleThe network device must require authentication for console access.
SV-5611r5_ruleThe network devices must only allow management connections for administrative access from hosts residing in the management network.
SV-5612r4_ruleThe network devices must be configured to timeout after 60 seconds or less for incomplete or broken SSH sessions.
SV-5613r4_ruleThe network device must be configured for a maximum number of unsuccessful SSH logon attempts set at 3 before resetting the interface.
SV-7365r4_ruleThe auxiliary port must be disabled unless it is connected to a secured modem providing encryption and authentication.
SV-15327r6_ruleNetwork devices must authenticate all NTP messages received from NTP servers and peers.
SV-15459r4_ruleThe network device must not allow SSH Version 1 to be used for administrative access.
SV-15614r1_ruleWLAN SSIDs must be changed from the manufacturer’s default to a pseudo random word that does not identify the unit, base, organization, etc.
SV-15654r2_ruleWireless access points and bridges must be placed in dedicated subnets outside the enclave’s perimeter.
SV-16259r4_ruleNetwork devices must use two or more authentication servers for the purpose of granting administrative access.
SV-16261r5_ruleThe emergency administration account must be set to an appropriate authorization level to perform necessary administrative functions when the authentication server is not online.
SV-19075r4_ruleThe network devices OOBM interface must be configured with an OOBM network address.
SV-19076r4_ruleThe network devices management interface must be configured with both an ingress and egress ACL.
SV-28651r4_ruleNetwork devices must use at least two NTP servers to synchronize time.
SV-36774r5_ruleA service or feature that calls home to the vendor must be disabled.
SV-102339r1_ruleWLAN components must be FIPS 140-2 certified.
SV-102341r1_ruleWLAN components must be Wi-Fi Alliance certified with WPA2 or WPA3.