Harris SecNet 11 / 54 Security Technical Implementation Guide (STIG)
Version 6 Release 7
2014-04-25
U_Network_Harris_SecNet_11_54_V6R9_Manual-xccdf.xml
This STIG contains the technical security controls for the operation of the Harris SecNet 11 or 54 classified WLAN devices in the DoD environment.
Vulnerabilities (12)
NSA Type 1 products and required procedures must be used to protect classified data at rest (DAR) on wireless devices used on a classified WLAN or WMAN.
Discussion
NSA Type 1 products provide a high level of assurance that cryptography is implemented correctly and meets the standards for storage of classified information. Use of cryptography that is not Type 1 certified violates policy and increases the risk that classified data will be compromised.
Fix Text
Immediately discontinue use of the non-compliant device.
Check Content
Detailed Policy Requirements: Type 1 products and required procedures must be used to protect classified data-at-rest on wireless computers that are used on a classified WLAN or WMAN. If NSA Type 1 certified DAR encryption is not available, the following requirements apply:
- The storage media shall be physically removed from the computer and stored within a COMSEC-approved security container when the computer is not being used.
- The entire computer shall be placed within a COMSEC-approved security container, if the computer has embedded storage media that cannot be removed.
Check Procedures: Interview the IAO to determine if devices with wireless functionality (e.g., laptops or PDAs with embedded radios) are used to store classified data. If yes, verify the device is an NSA Type 1 certified product. Mark as a finding if a Type 1 product is not used, or if the storage media or device is not stored in a COMSEC-approved security container when not in use.
Responsibility
Information Assurance Officer
IA Controls
ECWN-1
A Secure WLAN (SWLAN) must conform to an approved network architecture.
Discussion
Approved network architectures have been assessed for IA risk. Non-approved architectures provide less assurance than approved architectures because they have not undergone the same level of evaluation.
Fix Text
Disable or remove the non-compliant SWLAN or reconfigure it to conform to one of the approved architectures.
Check Content
Detailed Policy Requirements: The SWLAN architecture conforms to one of the approved configurations:
- LAN Extension: This architecture provides wireless access to the wired infrastructure using a Harris SecNet 11/54 or L3 KOV-26 Talon. In this architecture, the boundary is controlled either with fencing or inspection. See Figure 2.2 in the DISA FSO Wireless Overview for an example of the LAN Extension architecture.
- Wireless Bridging: This architecture provides point-to-point bridging using Harris SecNet 11/54 or Talon. In this architecture, the boundary is controlled either with fencing or inspection. See Figure 2.3 in the DISA FSO Wireless Overview for an example of the Wireless Bridging architecture.
- Wireless Peer-to-Peer: This architecture provides point-to-point communications between wireless clients using Harris SecNet 11/54 or Talon. In this architecture, the boundary is controlled either with fencing or inspection. See Figure 3.2 in the DISA FSO Wireless Overview for an example of the Wireless Peer-to-Peer architecture.
Check Procedures: Interview the SA or IAO to obtain SWLAN network diagrams. Review the SWLAN architecture and ensure it conforms to one of the approved use cases.
Responsibility
Information Assurance Officer
IA Controls
ECSC-1, ECWN-1
The site must have written procedures for the protection, handling, accounting, and use of NSA Type 1 products.
Discussion
Written procedures provide assurance that personnel take the required steps to prevent loss of keys or other breaches of system security.
Fix Text
Document procedures for the protection, handling, accounting, and use of NSA Type 1 certified WLAN products and keys.
Check Content
Interview IAO. Verify written operating procedures exist for the protection, handling, accounting, and use of NSA Type 1 certified WLAN products and keys in a SWLAN operational environment.
Responsibility
Information Assurance Officer
IA Controls
ECSC-1
A device’s wired network interfaces (e.g., Ethernet) must be disconnected or otherwise disabled when wireless connections are in use.
Discussion
If a client device supports simultaneous use of wireless and wired connections, then this increases the probability that an adversary who can access the device using its wireless interface can then route traffic through the device’s wired interface to attack devices on the wired network or obtain sensitive DoD information.
Fix Text
Ensure the wired network interfaces on a WLAN client are disconnected or otherwise disabled when wireless network connections are in use.
Check Content
Review client devices and verify that there is some technical procedure to disable the wireless network interface when the wired network interface is active (e.g., connected to a network via an Ethernet cable).
Examples of compliant implementations:
- Client side connection management software products have configuration settings that disable wireless connections when a wired connection is active.
- Microsoft Windows hardware profiles can be created that disable assigned wireless network interfaces when the Ethernet connection is active.
To check compliance, select a sample of devices (3-4), and establish a network connection using the wireless interface. Test that the wireless interface is active using a command line utility such as ifconfig (UNIX/Linux), or ipconfig (Windows), or management tools such as Network Connections within the Windows Control Panel. Then plug the device into an active Ethernet port (or other wired network). Repeat the process used to check that the connection was active to verify it is now disabled.
Mark as a finding if one or more of the tested devices do not disable the wireless interface upon connection to a wired network. Also mark as a finding if the device does not have the capability to disable the wireless interface when the wired interface is active.
Responsibility
System Administrator
IA Controls
ECWN-1
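The dual-connection condition this check tests for, as an added example that is not part of the STIG: a POSIX shell function that reports a finding when a wired and a wireless interface are operationally up at the same time. It assumes a Linux client that exposes interface state under /sys/class/net; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag hosts where a wired and a wireless interface are both up.
# Reads a Linux sysfs-style tree (assumed default: /sys/class/net). The root is
# a parameter so the check can also be exercised on a constructed tree.

# is_wireless DIR -> 0 if the interface directory belongs to a WLAN adapter
is_wireless() {
    [ -d "$1/wireless" ] || [ -e "$1/phy80211" ]
}

# is_up DIR -> 0 if the kernel reports the link as operationally up
is_up() {
    [ "$(cat "$1/operstate" 2>/dev/null)" = "up" ]
}

# active_ifaces ROOT KIND -> names of "up" physical interfaces of KIND
# (KIND is "wired" or "wireless"). Only ARPHRD_ETHER (type 1) devices
# backed by hardware (a "device" entry) are considered.
active_ifaces() {
    for d in "$1"/*; do
        [ -e "$d/device" ] || continue            # skip lo, bridges, veth
        [ "$(cat "$d/type" 2>/dev/null)" = "1" ] || continue
        is_up "$d" || continue
        if is_wireless "$d"; then k=wireless; else k=wired; fi
        [ "$k" = "$2" ] && basename "$d"
    done
    return 0
}

# check_dual_homed [ROOT] -> prints the result; returns 1 (finding) when a
# wired and a wireless interface are up at the same time, otherwise 0.
check_dual_homed() {
    root=${1:-/sys/class/net}
    wired=$(active_ifaces "$root" wired | tr '\n' ' ')
    wlan=$(active_ifaces "$root" wireless | tr '\n' ' ')
    if [ -n "$wired" ] && [ -n "$wlan" ]; then
        echo "FINDING: wired [$wired] and wireless [$wlan] both up"
        return 1
    fi
    echo "OK: wired [$wired] wireless [$wlan]"
    return 0
}
```

After sourcing the file, run `check_dual_homed` on a sampled client once on wireless only and again after plugging in the Ethernet cable; a non-zero status on the second run corresponds to the finding described in the check.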
WLAN SSIDs must be changed from the manufacturer’s default to a pseudo random word that does not identify the unit, base, organization, etc.
Discussion
An SSID that identifies the unit, site, or purpose of the WLAN, or that is set to the manufacturer default, may cause an OPSEC vulnerability.
Fix Text
Change the SSID to a pseudo random word that does not identify the unit, base, or organization.
Check Content
Review device configuration.
1. Obtain the SSID using a wireless scanner or the AP or WLAN controller management software.
2. Verify the name is not meaningful (e.g., site name, product name, room number, etc.) or set to the manufacturer's default value.
Mark as a finding if the SSID does not meet the requirement listed above.
Responsibility
System Administrator
IA Controls
ECSC-1, ECWN-1
Wireless access points and bridges must be placed in dedicated subnets outside the enclave’s perimeter.
Discussion
If an adversary is able to compromise an access point or controller that is directly connected to an enclave network, then the adversary can easily surveil and attack other devices from that beachhead. A defense-in-depth approach requires that an additional layer of protection exist between the WLAN and the enclave network. This is particularly important for wireless networks, which may be vulnerable to attack from outside the physical perimeter of the facility or base given the inherent nature of radio communications to penetrate walls, fences, and other physical boundaries.
Fix Text
Remove wireless network devices with direct connections to an enclave network. If feasible, reconfigure network connections to isolate the WLAN infrastructure from the enclave network, separating them with a firewall or equivalent protection.
Check Content
Detailed Policy Requirements: Wireless access points and bridges must not be directly connected to the enclave network. A network device must separate wireless access from other elements of the enclave network. Sites must also comply with the Network Infrastructure STIG configuration requirements for DMZ, VLAN, and VPN configurations, as applicable. Examples of acceptable architectures include placing access points or controllers in a screened subnet (e.g., DMZ separating intranet and wireless network) or dedicated virtual LAN (VLAN) with ACLs.
Check Procedures: Review network architecture with the network administrator.
1. Verify compliance by inspecting the site network topology diagrams.
2. Since many network diagrams are not kept up-to-date, walk through the connections with the network administrator using network management tools or diagnostic commands to verify the diagrams are current.
If the site’s wireless infrastructure, such as access points and bridges, is not isolated from the enclave network, this is a finding.
Responsibility
System Administrator
IA Controls
ECSC-1, ECTM-2, ECWN-1
Any wireless technology used to transmit classified information must be an NSA Type 1 product.
Discussion
NSA Type 1 certification provides the level of assurance required for transmission of classified data. Systems without this certification are more likely to be compromised by a determined and resourceful adversary.
Fix Text
Immediately remove the uncertified device from the network. Install and operate a Type 1 product if wireless functionality is still required.
Check Content
Visually verify the site is using a Harris Corporation SecNet 11 or SecNet 54 or L3 KOV-26 Talon (version 1.1.04 or later) for the classified WLAN.
Responsibility
System Administrator
IA Controls
ECWM-1
A Secure WLAN (SWLAN) connected to the SIPRNet must have a SIPRNet connection approval package on file with the Classified Connection Approval Office (CCAO).
Discussion
The CCAO approval process provides assurance that the SWLAN use is appropriate and does not introduce unmitigated risks into the SIPRNET.
Fix Text
Disable or remove the non-compliant SWLAN until the site has all required approvals for operation.
Check Content
Review documentation.
- Verify the SWLAN system SCAO approval documentation exists and has been approved and has a SIPRNet or NIPRNet Interim Approval to Operate (IATO) or Approval to Operate (ATO) in GIAP database.
- Verify the SWLAN system is included in the SSAA/SSP and is signed by the DAA.
Mark as a finding if requirements are not met.
IA Controls
ECWN-1
Before a Secure WLAN (SWLAN) becomes operational and is connected to the SIPRNet the Certified TEMPEST Technical Authority (CTTA) must be notified.
Discussion
Wireless signals are extremely vulnerable to both detection and interception, which can provide an adversary with the location and intensity of particular DoD activities and potentially reveal classified DoD information. TEMPEST reviews provide assurance that unacceptable risks have been identified and mitigated.
Fix Text
Notify the CTTA of the need to review the SWLAN.
Check Content
Review documentation. Verify the local CTTA has been notified of the site’s intent to install and operate a SWLAN. Mark as a finding if the local CTTA has not been notified.
Responsibility
Information Assurance Officer
IA Controls
ECWN-1
Physical security controls must be implemented for SWLAN access points.
Discussion
If an adversary is able to gain physical access to a SWLAN device, it may be able to compromise the device in a variety of ways, some of which could enable the adversary to obtain classified data. Physical security controls greatly mitigate this risk.
Fix Text
Implement required physical security controls for the SWLAN.
Check Content
Detailed Policy Requirements: The following physical security controls must be implemented for SWLAN access points:
- Secure WLAN access points shall be physically secured, and methods shall exist to facilitate the detection of tampering. WLAN APs are part of a communications system and shall have controlled physical security, in accordance with DoDD 5200.08-R. SWLAN access points not within a location that provides limited access shall have controlled physical security with either fencing or inspection.
- Either physical inventories or electronic inventories shall be conducted daily by viewing or polling the serial number or MAC address. Access points not stored in a COMSEC-approved security container shall be physically inventoried.
Check Procedures: It is recommended the Traditional Reviewer assist with this check. Review the physical security controls of the SWLAN access points.
- Verify site SWLAN access points are physically secured.
  - Verify there is some method for alerting site security if the access point has been tampered with.
- Determine if site SWLAN access points are in locations that provide limited access to only authorized personnel who are approved to access the access points.
- Determine how the site conducts a daily physical inventory of SWLAN access points. Verify that required inventory methods are used, depending on if the access points are stored in a COMSEC container.
- Mark as a finding if any requirement has not been met.
Responsibility
System Administrator
IA Controls
ECTM-2, ECWN-1
SWLAN access points must implement MAC filtering.
Discussion
Medium access control (MAC) filtering is a mechanism for ensuring that only authorized devices connect to the WLAN. While there are other methods to achieve similar protection with greater assurance, MAC filtering can be employed as a defense-in-depth measure.
Fix Text
Implement MAC filtering on the SWLAN access point.
Check Content
Detailed Policy Requirements: MAC filtering must be implemented to enable the SWLAN AP to perform client device access control.
Check Procedures: Verify MAC address filtering has been implemented on site SWLAN access points. Have the system administrator log into a sample of site SWLAN access points (2-3 devices) and show MAC address filtering has been enabled. Mark as a finding if MAC filtering has not been enabled.
Responsibility
System Administrator
IA Controls
ECWN-1
SWLAN must be rekeyed at least every 90 days.
Discussion
The longer a key remains in use, the more likely it will be compromised. If an adversary can compromise an SWLAN key, then it can obtain classified information.
Fix Text
Write and implement rekeying procedures that specify the keys must be changed at least every 90 days.
Check Content
Detailed Policy Requirements: SWLAN system will be rekeyed at least every 90 days.
Check Procedures: Interview IAO and obtain the site’s procedures for rekeying the WLAN. Mark a finding if the procedures do not exist or they do not include a requirement to rekey at least every 90 days.
IA Controls
ECWN-1