STIGQter: STIG Summary:

WLAN Access Point (Internet Gateway Only Connection) Security Technical Implementation Guide (STIG)

Version: 6

Release: 14

Benchmark Date: 27 Apr 2018

SV-3012r4_rule: Network devices must be password protected.
SV-3013r5_rule: Network devices must display the DoD-approved logon banner warning.
SV-3014r4_rule: The network devices must timeout management connections for administrative access after 10 minutes or less of inactivity.
SV-3056r7_rule: Group accounts must not be configured for use on the network device.
SV-3057r6_rule: Authorized accounts must be assigned the least privilege level necessary to perform assigned duties.
SV-3058r5_rule: Unauthorized accounts must not be configured for access to the network device.
SV-3069r5_rule: Management connections to a network device must be established using secure protocols with FIPS 140-2 validated cryptographic modules.
SV-3070r4_rule: Network devices must log all attempts to establish a management connection for administrative access.
SV-3143r4_rule: Network devices must not have any default manufacturer passwords.
SV-3160r4_rule: Network devices must be running a current and supported operating system with all IAVMs addressed.
SV-3175r5_rule: The network device must require authentication prior to establishing a management connection for administrative access.
SV-3196r4_rule: The network device must use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography for any SNMP agent configured on the device.
SV-3210r4_rule: The network device must not use the default or well-known SNMP community strings public and private.
SV-3966r6_rule: In the event the authentication server is unavailable, the network device must have a single local account of last resort defined.
SV-3967r4_rule: The network devices must time out access to the console port at 10 minutes or less of inactivity.
SV-3969r5_rule: Network devices must only allow SNMP read-only access.
SV-4582r5_rule: The network device must require authentication for console access.
SV-5611r5_rule: The network devices must only allow management connections for administrative access from hosts residing in the management network.
SV-5613r4_rule: The network device must be configured for a maximum number of unsuccessful SSH logon attempts set at 3 before resetting the interface.
SV-7365r4_rule: The auxiliary port must be disabled unless it is connected to a secured modem providing encryption and authentication.
SV-15327r6_rule: Network devices must authenticate all NTP messages received from NTP servers and peers.
SV-15459r4_rule: The network device must not allow SSH Version 1 to be used for administrative access.
SV-15614r1_rule: WLAN SSIDs must be changed from the manufacturer’s default to a pseudo-random word that does not identify the unit, base, organization, etc.
SV-15656r1_rule: The WLAN inactive session timeout must be set for 30 minutes or less.
SV-15657r1_rule: WLAN signals must not be intercepted outside areas authorized for WLAN access.
SV-16259r4_rule: Network devices must use two or more authentication servers for the purpose of granting administrative access.
SV-16261r5_rule: The emergency administration account must be set to an appropriate authorization level to perform necessary administrative functions when the authentication server is not online.
SV-19075r4_rule: The network device's OOBM interface must be configured with an OOBM network address.
SV-19076r4_rule: The network device's management interface must be configured with both an ingress and egress ACL.
SV-28651r4_rule: Network devices must use at least two NTP servers to synchronize time.
SV-31426r1_rule: The WLAN access point must be configured for Wi-Fi Alliance WPA2 security.
SV-31427r2_rule: The password configured on the WLAN Access Point for key generation and client access must be set to a 14-character or longer complex password as required by USCYBERCOM CTO 07-15Rev1.
SV-36774r5_rule: A service or feature that calls home to the vendor must be disabled.
SV-102339r1_rule: WLAN components must be FIPS 140-2 certified.
SV-102341r1_rule: WLAN components must be Wi-Fi Alliance certified with WPA2 or WPA3.
SV-102343r1_rule: DoD Components providing guest WLAN access (Internet access only) must use a separate WLAN or logical segmentation of the enterprise WLAN (e.g., separate service set identifier (SSID) and virtual LAN) or DoD network.