Separate the wireless access points and bridges from the wired network through use of a firewall.

UCF ID: 04588
Control Type: Process or Activity
Status: Live

Supporting and supported controls

This control directly supports:

    Establish and maintain a firewall standard for an overarching placement of all types of firewalls. [UCF Control ID 00546]

There are no supporting controls.

Authority documents complied with:

DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2, § 3.1 (WIR0290), § 4.4 (WIR0391); Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48, Revision 1, § 6.3.4; Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007, Table 8-2 Item 13; The Center for Internet Security Wireless Networking Benchmark, Version 1.0 April 2005, § 2.2 (2.2.160)

NIST Guidance

Client devices should be logically separated from the wired networks by installing a firewall between the WLAN and the wired network. [§ 6.3.4, Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48, Revision 1]

Access point connections to the wired network should be made through a dedicated Virtual LAN (VLAN). [Table 8-2 Item 13, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007]

Other Configuration Guidance

All wireless access points and Free Space Optic (FSO) bridges should be separated from the wired network via a wireless VPN concentrator or wireless gateway, or placed in a demilitarized zone (DMZ) or virtual LAN (VLAN).
Examine the network architecture by inspecting the network diagrams and firewall interface configurations to ensure WLAN network devices and FSO bridges are isolated from the wired network.
Walk through the connections with the Network Administrator to verify that the network diagrams are up to date.
[§ 3.1 (WIR0290), § 4.4 (WIR0391), DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2]

A DMZ or VLAN should be used to separate the wireless network from the wired network. [§ 2.2 (2.2.160), The Center for Internet Security Wireless Networking Benchmark, Version 1.0 April 2005]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.