{ "name": "stig_harris_secnet_11_54", "date": "2016-11-14", "description": "This STIG contains the technical security controls for the operation of the Harris SecNet 11 or 54 classified WLAN devices in the DoD environment.", "title": "Harris SecNet 11 / 54 Security Technical Implementation Guide (STIG)", "version": "6", "item_syntax": "^\\w-\\d+$", "section_separator": null, "items": [ { "id": "V-14002", "title": "A device’s wired network interfaces (e.g., Ethernet) must be disconnected or otherwise disabled when wireless connections are in use.", "description": "If a client device supports simultaneous use of wireless and wired connections, then this increases the probability that an adversary who can access the device using its wireless interface can then route traffic through the device’s wired interface to attack devices on the wired network or obtain sensitive DoD information.", "severity": "medium" }, { "id": "V-14846", "title": "WLAN SSIDs must be changed from the manufacturer’s default to a pseudo random word that does not identify the unit, base, organization, etc. ", "description": "An SSID that identifies the unit, site, or purpose of the WLAN, or that is set to the manufacturer default, may cause an OPSEC vulnerability.", "severity": "low" }, { "id": "V-14886", "title": "Wireless access points and bridges must be placed in dedicated subnets outside the enclave’s perimeter.", "description": "If an adversary is able to compromise an access point or controller that is directly connected to an enclave network, then the adversary can easily surveil and attack other devices from that beachhead. A defense-in-depth approach requires that an additional layer of protection exist between the WLAN and the enclave network. \nThis is particularly important for wireless networks, which may be vulnerable to attack from outside the physical perimeter of the facility or base given the inherent nature of radio communications to penetrate walls, fences, and other physical boundaries.", "severity": "medium" }, { "id": "V-15300", "title": "Any wireless technology used to transmit classified information must be an NSA Type 1 product. ", "description": "NSA Type 1 certification provides the level of assurance required for transmission of classified data. Systems without this certification are more likely to be compromised by a determined and resourceful adversary.", "severity": "high" }, { "id": "V-18582", "title": "A Secure WLAN (SWLAN) connected to the SIPRNet must have a SIPRNet connection approval package on file with the Classified Connection Approval Office (CCAO). ", "description": "The CCAO approval process provides assurance that the SWLAN use is appropriate and does not introduce unmitigated risks into the SIPRNet.", "severity": "high" }, { "id": "V-18583", "title": "Before a Secure WLAN (SWLAN) becomes operational and is connected to the SIPRNet, the Certified TEMPEST Technical Authority (CTTA) must be notified.", "description": "Wireless signals are extremely vulnerable to both detection and interception, which can provide an adversary with the location and intensity of particular DoD activities and potentially reveal classified DoD information. TEMPEST reviews provide assurance that unacceptable risks have been identified and mitigated.", "severity": "medium" }, { "id": "V-18584", "title": "Physical security controls must be implemented for SWLAN access points. ", "description": "If an adversary is able to gain physical access to a SWLAN device, it may be able to compromise the device in a variety of ways, some of which could enable the adversary to obtain classified data. \nPhysical security controls greatly mitigate this risk.", "severity": "medium" }, { "id": "V-30359", "title": "SWLAN access points must implement MAC filtering. ", "description": "Medium access control (MAC) filtering is a mechanism for ensuring that only authorized devices connect to the WLAN. While there are other methods to achieve similar protection with greater assurance, MAC filtering can be employed as a defense-in-depth measure. ", "severity": "low" }, { "id": "V-30369", "title": "SWLAN must be rekeyed at least every 90 days. ", "description": "The longer a key remains in use, the more likely it will be compromised. If an adversary can compromise an SWLAN key, then it can obtain classified information. ", "severity": "high" }, { "id": "V-3512", "title": "NSA Type 1 products and required procedures must be used to protect classified data at rest (DAR) on wireless devices used on a classified WLAN or WMAN. ", "description": "NSA Type 1 products provide a high level of assurance that cryptography is implemented correctly and meets the standards for storage of classified information. Use of cryptography that is not Type 1 certified violates policy and increases the risk that classified data will be compromised. ", "severity": "high" }, { "id": "V-4636", "title": "A Secure WLAN (SWLAN) must conform to an approved network architecture.", "description": "Approved network architectures have been assessed for IA risk. \nNon-approved architectures provide less assurance than approved architectures because they have not undergone the same level of evaluation.", "severity": "high" }, { "id": "V-7075", "title": "The site must have written procedures for the protection, handling, accounting, and use of NSA Type 1 products.", "description": "Written procedures provide assurance that personnel take the required steps to prevent loss of keys or other breaches of system security.", "severity": "low" }, { "id": "V-72525", "title": "Only supported versions of the Harris SecNet 11/54 should be used.", "description": "If an unsupported version of the Harris SecNet wireless router is being used, the device is not being updated with security patches and may contain vulnerabilities that may expose classified data to unauthorized people. The SecNet 11 and 54 support old and obsolete wireless technologies and are no longer being supported by Harris.", "severity": "high" } ] }