Free DISA STIG and SRG Library | Vaulted

Harris SecNet 11 / 54 Security Technical Implementation Guide (STIG)

Version 6 Release 107
2017-01-272014-04-25
U_Network_Harris_SecNet_11_54_V6R109_Manual-xccdf.xml
This STIG contains the technical security controls for the operation of the Harris SecNet 11 or 54 classified WLAN devices in the DoD environment.

Compare Summary

Compare V6R10 to V6R7
  • All
  • Updated 12
  • Added 0
  • Removed 1

Vulnerabilities (13)

Removed

V-72525

Only supported versions of the Harris SecNet 11/54 should be used.

Finding ID
WIR2017
Rule ID
SV-87149r1_rule
Severity
Cat I
CCE
(None)
Group Title
WIR2017
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

If an unsupported version of the Harris SecNet wireless router is being used, the device is not being updated with security patches and may contain vulnerabilities that may expose classified data to unauthorized people. The SecNet 11 and 54 support old and obsolete wireless technologies and are no longer being supported by Harris.

Fix Text

Remove all versions of the Harris SecNet 11 or 54 wireless routers from service and properly dispose of the devices.

Check Content

Determine the model numbers of a site’s classified wireless routers. If the Harris SecNet 11 or 54 wireless routers are being used, this is a finding.

Responsibility

System Administrator

A device’s wired network interfaces (e.g., Ethernet) must be disconnected or otherwise disabled when wireless connections are in use.

Finding ID
WIR0170
Rule ID
SV-14613r2_rule
Severity
Cat II
CCE
(None)
Group Title
Simultaneous use of wired and wireless interfaces
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

If a client device supports simultaneous use of wireless and wired connections, then this increases the probability that an adversary who can access the device using its wireless interface can then route traffic through the device’s wired interface to attack devices on the wired network or obtain sensitive DoD information.

Fix Text

Ensure the wired network interfaces on a WLAN client are disconnected or otherwise disabled when wireless network connections are in use.

Check Content

Review client devices and verify that there is some technical procedure to disable the wireless network interface when the wired network interface is active (e.g., connected to a network via an Ethernet cable). Examples of compliant implementations: - Client side connection management software products have configuration settings that disable wireless connections when a wired connection is active. - Microsoft Windows hardware profiles can be created that disable assigned wireless network interfaces when the Ethernet connection is active. To check compliance, select a sample of devices (3-4), and establish a network connection using the wireless interface. Test that the wireless interface is active using a command line utility such as ifconfig (UNIX/Linux), or ipconfig (Windows), or management tools such as Network Connections within the Windows Control Panel. Then plug the device into an active Ethernet port (or other wired network). Repeat the process used to check that the connection was active to verify it is now disabled. Mark as a finding if one or more of the tested devices do not disable the wireless interface upon connection to a wired network. Also mark as finding if the device does not have the capability to disable the wireless interface when the wired interface is active.

Responsibility

InformationSystem Assurance OfficerAdministrator

IA Controls

ECWN-1

WLAN SSIDs must be changed from the manufacturer’s default to a pseudo random word that does not identify the unit, base, organization, etc.

Finding ID
WIR0105
Rule ID
SV-15614r1_rule
Severity
Cat III
CCE
(None)
Group Title
Change WLAN SSID default
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

An SSID identifying the unit, site or purpose of the WLAN or is set to the manufacturer default may cause an OPSEC vulnerability.

Fix Text

Change the SSID to a pseudo random word that does not identify the unit, base, or organization.

Check Content

Review device configuration. 1. Obtain the SSID using a wireless scanner or the AP or WLAN controller management software. 2. Verify the name is not meaningful (e.g., site name, product name, room number, etc.) or set to the manufacturer's default value. Mark as a finding if the SSID does not meet the requirement listed above.

Responsibility

System Administrator

IA Controls

ECSC-1, ECWN-1

Wireless access points and bridges must be placed in dedicated subnets outside the enclave’s perimeter.

Finding ID
WIR0135
Rule ID
SV-15654r2_rule
Severity
Cat II
CCE
(None)
Group Title
WLAN infrastructure network placement
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

If an adversary is able to compromise an access point or controller that is directly connected to an enclave network, then the adversary can easily surveil and attack other devices from that beachhead. A defense-in-depth approach requires an additional layer of protection exist between the WLAN and the enclave network. This is particularly important for wireless networks, which may be vulnerable to attack from outside physical perimeter of the facility or base given the inherent nature of radio communications to penetrate walls, fences, and other physical boundaries.

Fix Text

Remove wireless network devices with direct connections to an enclave network. If feasible, reconfigure network connections to isolate the WLAN infrastructure from the enclave network, separating them with a firewall or equivalent protection.

Check Content

Detailed policy requirements: Wireless access points and bridges must not be directly connected to the enclave network. A network device must separate wireless access from other elements of the enclave network. Sites must also comply with the Network Infrastructure STIG configuration requirements for DMZ, VLAN, and VPN configurations, as applicable. Examples of acceptable architectures include placing access points or controllers in a screened subnet (e.g. DMZ separating intranet and wireless network) or dedicated virtual LAN (VLAN) with ACLs. Check Procedures: Review network architecture with the network administrator. 1. Verify compliance by inspecting the site network topology diagrams. 2. Since many network diagrams are not kept up-to-date, walk through the connections with the network administrator using network management tools or diagnostic commands to verify the diagrams are current. If the site’s wireless infrastructure, such as access points and bridges, is not isolated from the enclave network, this is a finding.

Responsibility

System Administrator

IA Controls

ECSC-1, ECTM-2, ECWN-1

Any wireless technology used to transmit classified information must be an NSA Type 1 product.

Finding ID
WIR0205
Rule ID
SV-16085r1_rule
Severity
Cat I
CCE
(None)
Group Title
Classified WLAN uses NSA Type 1 products
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

NSA Type 1 certification provides the level of assurance required for transmission of classified data. Systems without this certification are more likely to be compromised by a determined and resourceful adversary.

Fix Text

Immediately remove the uncertified device from the network. Install and operate a Type 1 product if wireless functionality is still required.

Check Content

Visually verify the site is using a Harris Corporation SecNet 11 or SecNet 54 or L3 KOV-26 Talon (version 1.1.04 or later) for the classified WLAN.

Responsibility

InformationSystem Assurance OfficerAdministrator

IA Controls

ECWM-1

A Secure WLAN (SWLAN) connected to the SIPRNet must have a SIPRNet connection approval package must be on file with the Classified Connection Approval Office (CCAO).

Finding ID
WIR0215
Rule ID
SV-20126r1_rule
Severity
Cat I
CCE
(None)
Group Title
SWLAN CCAO Approval
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The CCAO approval process provides assurance that the SWLAN use is appropriate and does not introduce unmitigated risks into the SIPRNET.

Fix Text

Disable or remove the non-compliant SWLAN until the site has all required approvals for operation.

Check Content

Review documentation. - Verify the SWLAN system SCAO approval documentation exists and has been approved and has a SIPRNet or NIPRNet Interim Approval to Operate (IATO) or Approval to Operate (ATO) in GIAP database. - Verify the SWLAN system is included in the SSAA/SSP and is signed by the DAA. Mark as a finding if requirements are not met.

IA Controls

ECWN-1

Before a Secure WLAN (SWLAN) becomes operational and is connected to the SIPRNet the Certified TEMPEST Technical Authority (CTTA) must be notified.

Finding ID
WIR0220
Rule ID
SV-20127r1_rule
Severity
Cat II
CCE
(None)
Group Title
SWLAN CTTA review
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Wireless signals are extremely vulnerable to both detection and interception, which can provide an adversary with the location and intensity of particular DoD activities and potentially reveal classified DoD information. TEMPEST reviews provide assurance that unacceptable risks have been identified and mitigated.

Fix Text

Notify the CTTA of the need to review the SWLAN.

Check Content

Review documentation. Verify the local CTTA has been notified of the site’s intent to install and operate a SWLAN. Mark as a finding if the local CTTA has not been notified.

Responsibility

DesignatedInformation ApprovingAssurance AuthorityOfficer

IA Controls

ECWN-1

Physical security controls must be implemented for SWLAN access points.

Finding ID
WIR0225
Rule ID
SV-20128r1_rule
Severity
Cat II
CCE
(None)
Group Title
SWLAN physical security controls
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

If an adversary is able to gain physical access to a SWLAN device, it may be able to compromise the device in a variety of ways, some of which could enable the adversary to obtain classified data. Physical security controls greatly mitigate this risk.

Fix Text

Implement required physical security controls for the SWLAN.

Check Content

Detailed Policy Requirements: The following physical security controls must be implemented for SWLAN access points: - Secure WLAN access points shall be physically secured, and methods shall exist to facilitate the detection of tampering. WLAN APs are part of a communications system and shall have controlled physical security, in accordance with DoDD 5200.08-R. SWLAN access points not within a location that provides limited access shall have controlled physical security with either fencing or inspection. - Either physical inventories or electronic inventories shall be conducted daily by viewing or polling the serial number or MAC address. Access points not stored in a COMSEC-approved security container shall be physically inventoried. Check Procedures: It is recommended the Traditional Reviewer assist with this check. Review the physical security controls of the SWLAN access points. - Verify site SWLAN access points are physically secured - -- Verify there is some method for alerting site security if the access point has been tampered with. - Determine if site SWLAN access points are in locations that provide limited access to only authorized personnel who are approved to access the access points. - Determine how the site conducts a daily physical inventory of SWLAN access points. Verify that required inventory methods are used, depending on if the access points are stored in a COMSEC container. - Mark as a finding if any requirement has not been met.

Responsibility

InformationSystem Assurance OfficerAdministrator

IA Controls

ECTM-2, ECWN-1

SWLAN access points must implement MAC filtering.

Finding ID
WIR0226
Rule ID
SV-40014r1_rule
Severity
Cat III
CCE
(None)
Group Title
SWLAN MAC Filtering
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Medium access control (MAC) filtering is a mechanism for ensuring that only authorized devices connect to the WLAN. While there are other methods to achieve similar protection with greater assurance, MAC filtering can be employed as a defense-in-depth measure.

Fix Text

Implement MAC filtering on the SWLAN access point.

Check Content

Detailed Policy Requirements: MAC filtering must be implemented to enable the SWLAN AP to perform client device access control. Check Procedures: Verify MAC address filtering has been implemented on site SWLAN access points. Have the system administrator log into a sample of site SWLAN access points (2-3 devices) and show MAC address filtering has been enabled. Mark as a finding if MAC filtering has not been enabled.

Responsibility

InformationSystem Assurance OfficerAdministrator

IA Controls

ECWN-1

SWLAN must be rekeyed at least every 90 days.

Finding ID
WIR0231
Rule ID
SV-40029r1_rule
Severity
Cat I
CCE
(None)
Group Title
SWLAN rekeying
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The longer a key remains in use, the more likely it will be compromised. If an adversary can compromise an SWLAN key, then it can obtain classified information.

Fix Text

Write and implement rekeying procedures that specify the keys must be changed at least every 90 days.

Check Content

Detailed Policy Requirements: SWLAN system will be rekeyed at least every 90 days. Check Procedures: Interview IAO and obtain the site’s procedures for rekeying the WLAN. Mark a finding if the procedures do not exist or they do not include a requirement to rekey at least every 90 days.

IA Controls

ECWN-1

NSA Type1 products and required procedures must be used to protect classified data at rest (DAR) on wireless devices used on a classified WLAN or WMAN.

Finding ID
WIR0235
Rule ID
SV-3512r1_rule
Severity
Cat I
CCE
(None)
Group Title
Classified wireless Type 1 DAR encryption
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

NSA Type 1 products provide a high level of assurance that cryptography is implemented correctly and meets the standards for storage of classified information. Use of cryptography that is not Type 1 certified violates policy and increases the risk that classified data will be compromised.

Fix Text

Immediately discontinue use of the non-compliant device.

Check Content

Detailed Policy requirements: Type 1 products and required procedures must be used to protect classified data-at-rest on wireless computers that are used on a classified WLAN or WMAN. If NSA Type1 certified DAR encryption is not available, the following requirements apply: - The storage media shall be physically removed from the computer and stored within a COMSEC-approved security container when the computer is not being used. - The entire computer shall be placed within a COMSEC-approved security container, if the computer has embedded storage media that cannot be removed. Check Procedures: Interview the IAO to determine if devices with wireless functionality (e.g., laptops or PDAs with embedded radios) are used to store classified data. If yes, verify the device is an NSA Type 1 certified product. Mark as a finding if a Type 1 product is not used, or if the storage media or device is not stored in a COMSEC-approved security container when not in use.

Responsibility

Information Assurance Officer

IA Controls

ECWN-1

A Secure WLAN (SWLAN) must conform to an approved network architecture.

Finding ID
WIR0210
Rule ID
SV-4636r1_rule
Severity
Cat I
CCE
(None)
Group Title
SWLAN architecture
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Approved network architectures have been assessed for IA risk. Non-approved architectures provide less assurance than approved architectures because they have not undergone the same level of evaluation.

Fix Text

Disable or remove the non-compliant SWLAN or reconfigure it to conform to one of the approved architectures.

Check Content

Detailed Policy Requirements: The SWLAN architecture conforms to one of the approved configurations: LAN Extension: This architecture provides wireless access to the wired infrastructure using a Harris SecNet 11/ 54 or L3 KOV-26 Talon. In this architecture, the boundary is controlled either with fencing or inspection. See Figure 2.2 in the DISA FSO Wireless Overview for an example of the LAN Extension architecture. Wireless Bridging: This architecture provides point-to-point bridging using Harris SecNet 11/ 54 or Talon. In this architecture, the boundary is controlled either with fencing or inspection. See Figure 2.3 in the DISA FSO Wireless Overview for an example of the Wireless Bridging architecture. Wireless Peer-to-Peer: This architecture provides point-to-point communications between wireless clients using Harris SecNet 11/ 54 or Talon. In this architecture, the boundary is controlled either with fencing or inspection. See Figure 3.2 in the DISA FSO Wireless Overview for an example of the Wireless Peer-to-Peer architecture. Check Procedures: Interview the SA or IAO to obtain SWLAN network diagrams. Review the SWLAN architecture and ensure it conforms to one of the approved use cases.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1, ECWN-1

The site must have written procedures for the protection, handling, accounting, and use of NSA Type 1 products.

Finding ID
WIR0230
Rule ID
SV-7459r1_rule
Severity
Cat III
CCE
(None)
Group Title
Procedures for Type 1 SWLANs
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Written procedures provide assurance that personnel take the required steps to prevent loss of keys or other breaches of system security.

Fix Text

Document procedures for the protection, handling, accounting, and use of NSA Type 1 certified WLAN products and keys.

Check Content

Interview IAO. Verify written operating procedures exist for the protection, handling, accounting, and use of NSA Type 1 certified WLAN products and keys in a SWLAN operational environment.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1