10.3 Wireless security




NIST held a workshop on 802.11 Wireless LAN Security in Falls Church, Virginia, in December 2002. The workshop comprised approximately 30 individuals from the U.S. federal government, the WiFi industry, and the security and academic communities. Participants included individuals from NIST, the NSA, the National Communication System (NCS), U.S. Secret Service (USSS), Boeing Corporation, Cisco Systems, Microsoft Corporation, Intel Corporation, TruSecure, Agere Systems, Booz-Allen-Hamilton, Vigil Security, Virginia Polytechnic Institute, the University of Maryland, and the Burton Group. At the conclusion of the second day, the broad-based group of cross-industry and government attendees developed a high-level strategy for the industry that included the following:

  • Analyze thoroughly and holistically the short-term solution, WiFi Protected Access (WPA), and develop implementation guidance to help consumers properly use it securely (NIST SP800-48).

  • Launch an education campaign to encourage consumers to transition from the use of equipment based on the current Wired Equivalent Privacy (WEP) protocol and to inform them that the vision for the industry is the ubiquitous deployment of the more secure solution, Robust Security Networks (RSN).

  • Develop better communications and interactions (perhaps through the use of a formal liaison relationship) between groups within the IEEE and the Internet Engineering Task Force (IETF) that are involved in developing security mechanisms for WiFi.

  • Analyze the RSN solution to ensure that nothing in the architecture and codified in the IEEE specifications will preclude equipment embodying the technology from ultimately gaining Federal Information Processing Standard (FIPS) 140-2 validation.

  • Perform several activities related to the RSN solution, including (1) comprehensively analyzing all aspects of the security protocol, algorithms, and features, (2) identifying extant vulnerabilities based on the WiFi threat model, and (3) developing the necessary security improvements and driving these through the established IEEE standardization process.

  • Locate financial resources to fund work, such as security review and security mechanism development, within several working groups involved in the standardization of back-end security protocols, equipment provisioning, and securely roaming.

The process developed by the Defense Information Systems Agency (DISA) for securing wireless devices will apply in some form to all private-sector organizations in which employees use government systems. Table 10.1 summarizes the DISA general standards for securing wireless devices.

Table 10.1: General Standards for Securing Wireless Devices

  • Ensure that all wireless systems are approved before the system is installed or used to transfer, receive, store, or process information. This applies to wireless local area network (WLAN) devices (access points, routers, bridges, switches, IDSs, firewalls, and laptops), wireless cellular and satellite telephones, PDAs, SMS devices, two-way pagers, and two-way e-mail devices.

  • Ensure that multifunctional wireless devices meet the security requirements for all functions. For example, both the cellular phone and PDA sections apply to devices combining the cellular phone and PDA functions. If there are conflicts between security requirements for each function, the most stringent requirement will be used. Multifunctional devices combined with cameras are also evaluated using the PDA section guidance.

  • Ensure that wireless devices that connect directly or indirectly (hotsync) to the network are added to site system security authorization agreements (SSAAs).

  • Ensure that all wireless devices, particularly laptops, comply with applicable operating system STIGs. (As of spring 2003 there were no STIGs available for either the Palm or the Windows Pocket PC operating systems.)

  • Ensure that vendor-supported, approved, antivirus software is installed and configured in accordance with the Desktop Application STIG on all wireless devices, particularly laptops and PDAs, and kept up-to-date with the most recent virus definition tables. This applies to all wireless, handheld, or mobile devices.

  • Ensure that WLAN systems are compliant with overall network security architecture and appropriate enclave security requirements before they are installed.

  • Ensure that wireless devices that do not meet all wireless security requirements are not used to transfer, receive, store, or process information.

  • Ensure that password-protection mechanisms such as encryption will be placed on folders and files on all 802.11-enabled devices, if available.

  • Ensure that approved personal firewalls and IDSs will be implemented on each wireless client.

  • Ensure that infrared WLAN receivers and transmitters are turned off when not in use.

  • Ensure that WLAN network interface cards (NICs) that do not have the capability to disable peer-to-peer WLAN communications are not used.

  • Ensure that the SSID broadcast mode is disabled. WLAN access points that do not allow the SSID broadcast mode to be disabled will not be used.

  • Ensure that MAC address filtering is enabled at each access point.

  • Ensure that WLAN devices are not used to transfer, receive, store, or process classified information categorized as sensitive compartmented information (SCI) and top secret (TS).

  • Ensure that WLAN devices are not permitted in any sensitive compartmented information facility (SCIF), regardless of the classification or sensitivity level of the device.

  • Ensure that computers with embedded WLAN systems that cannot be removed by the user will not be used to transfer, receive, store, or process classified information.

  • For WLANs approved for processing secret or confidential information, ensure that the SecNet 11 or other NSA-approved Type 1 network interface card is used.

  • For WLANs approved for processing secret or confidential information, ensure that high-assurance PKI certificates will be used for authentication in compliance with policy. (SecNet 11 does not provide user identification and authentication.)

  • For WLANs approved for processing secret or confidential information, ensure that filesystem encryption is used on all WLAN client devices with an NSA-approved Type 1 encryption software or technique.

  • Ensure that if the WLAN provides seamless roaming between access points (session persistence), the WLAN provides a session time-out capability. The session time-out will be set for 15 minutes or less, depending on local security policy.

  • Ensure that the WLAN access point is set to the lowest possible transmit power setting that will meet the required signal strength of the area serviced by the access point.

  • Ensure that a FIPS 140-1/2 compliant VPN (with 3DES or AES) will be used to secure the WLAN system.

  • Ensure that PKI certificates are used for identification and authentication of the user on unclassified WLAN systems.

  • Ensure that if a WLAN device is used to access a network via the Internet through a public WLAN/Internet gateway (e.g., airport or hotel 'hotspot'), the device must comply with requirements for PDA remote Internet access listed in the wireless checklist.

  • For internal enclave WLANs, the information assurance officer (IAO) will ensure that access points are logically placed in a screened subnetwork (DMZ) or virtual LAN (VLAN) and separated from the wired internal network.

  • Ensure that an IDS will be used to monitor the wireless network. An optional firewall may be used to filter WLAN communications, implement local access-control policies, or to enable remote management of the access point.

  • Ensure that HTTP, SNMP, and other management interfaces will be turned off after initial configuration.

  • Ensure that password access to the access point is enabled.

  • For sites with WLAN systems supporting joint operations, ensure that IPSec technology will be used to meet the FIPS 140-1/2 compliance requirement.

  • Ensure that only NSA-approved Type 1 cellular or satellite telephones will be used for classified voice or classified data wireless telephone transmissions. The classification level of information transmitted over the phone will not exceed the classification level approved for the phone.
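Several of the Table 10.1 access-point controls (SSID broadcast off, MAC filtering on, management interfaces disabled, administrative password set, session time-out of 15 minutes or less, a 3DES/AES VPN, and placement on a DMZ or VLAN) can be checked mechanically from an exported configuration. The script below is an added example, not part of the book or of DISA's checklist. The key/value configuration dump it reads, and the key names such as `ssid-broadcast` and `wlan-segment`, are constructed for this example and do not correspond to any vendor's real syntax; the transmit-power item is only flagged for manual review, since "lowest setting meeting required signal strength" cannot be judged without a site survey.

```python
"""Audit an access-point configuration export against the machine-checkable
items of the DISA wireless standards summarized in Table 10.1.

The configuration format is constructed for this example (hypothetical;
it is not any vendor's real syntax).
"""
from dataclasses import dataclass

# Constructed sample dump of one access point (hypothetical format, not real output).
SAMPLE_AP_CONFIG = """\
# corp-ap-01, exported before review
ssid             corp-wlan
ssid-broadcast   enable
mac-filter       disable
mgmt-http        enable
mgmt-snmp        disable
admin-password   set
session-timeout  30
tx-power         100
vpn-cipher       AES
wlan-segment     dmz
"""


@dataclass(frozen=True)
class Finding:
    control: str   # which Table 10.1 item the finding maps to
    severity: str  # "high", "medium", or "review" (manual check needed)
    detail: str


def parse_config(text: str) -> dict[str, str]:
    """Parse 'key value' lines into a dict; blank lines and '#' comments are skipped."""
    cfg: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        cfg[key.lower()] = value.strip().lower()
    return cfg


def audit(cfg: dict[str, str]) -> list[Finding]:
    """Return one Finding per Table 10.1 control the configuration fails."""
    findings: list[Finding] = []

    # SSID broadcast mode must be disabled.
    if cfg.get("ssid-broadcast") != "disable":
        findings.append(Finding("ssid-broadcast", "high", "SSID broadcast mode is not disabled"))

    # MAC address filtering must be enabled at each access point.
    if cfg.get("mac-filter") != "enable":
        findings.append(Finding("mac-filter", "medium", "MAC address filtering is not enabled"))

    # HTTP, SNMP, and other management interfaces must be off after initial configuration.
    for key, value in cfg.items():
        if key.startswith("mgmt-") and value == "enable":
            findings.append(Finding(key, "high", f"management interface {key[5:]} is still enabled"))

    # Password access to the access point must be enabled.
    if cfg.get("admin-password") != "set":
        findings.append(Finding("admin-password", "high", "no administrative password is set"))

    # Session time-out for seamless roaming: 15 minutes or less.
    timeout = cfg.get("session-timeout", "")
    if not timeout.isdigit() or int(timeout) > 15:
        findings.append(Finding("session-timeout", "medium",
                                f"session time-out is '{timeout or 'unset'}', must be 15 minutes or less"))

    # The VPN securing the WLAN must be FIPS 140-1/2 compliant with 3DES or AES.
    if cfg.get("vpn-cipher") not in ("3des", "aes"):
        findings.append(Finding("vpn-cipher", "high", "WLAN VPN is not using 3DES or AES"))

    # Access points must sit in a screened subnet (DMZ) or VLAN separated from the wired LAN.
    if cfg.get("wlan-segment") not in ("dmz", "vlan"):
        findings.append(Finding("wlan-segment", "high", "access point is not on a DMZ or separate VLAN"))

    # Transmit power: lowest setting meeting required coverage. Maximum power cannot be
    # judged automatically, so it is flagged for manual review rather than failed.
    if cfg.get("tx-power") == "100":
        findings.append(Finding("tx-power", "review", "transmit power at maximum; confirm against site survey"))

    return findings


def audit_text(text: str) -> list[Finding]:
    """Convenience wrapper: parse a configuration export and audit it."""
    return audit(parse_config(text))


def failing_controls(text: str) -> set[str]:
    """Controls that fail outright (high or medium), excluding manual-review items."""
    return {f.control for f in audit_text(text) if f.severity != "review"}


if __name__ == "__main__":
    for f in audit_text(SAMPLE_AP_CONFIG):
        print(f"[{f.severity:6}] {f.control}: {f.detail}")
```

Run against the constructed sample, the audit reports the enabled SSID broadcast, the disabled MAC filter, the live HTTP management interface, and the 30-minute session time-out as failures, and lists the transmit power for review; the remaining Table 10.1 items (device approval, STIG compliance, classification handling, PKI use) are procedural and stay on the manual checklist.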






Implementing Homeland Security for Enterprise IT
ISBN: 1555583121
Year: 2003
Pages: 248