
Configure Wireless Access Points in accordance with organizational standards.


CONTROL ID
12477
CONTROL TYPE
Configuration
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system hardening procedures., CC ID: 12001

This Control has the following implementation support Control(s):
  • Enable MAC address filtering for Wireless Access Points., CC ID: 04592
  • Disable Service Set Identifier broadcast., CC ID: 04590
  • Configure Service Set Identifiers in accordance with organizational standards., CC ID: 16447
  • Configure the Wireless Access Point transmit power setting to the lowest level possible., CC ID: 04593
  • Use Wireless Local Area Network Network Interface Cards that turn off or disable Peer-To-Peer Wireless Local Area Network communications., CC ID: 04594
  • Enable two-factor authentication for identifying and authenticating Wireless Local Area Network users., CC ID: 04595
  • Verify wired network interface cards and Wireless Network Interface Cards are not simultaneously active for network devices other than a Wireless Access Point., CC ID: 04596
  • Enable an authorized version of Wi-Fi Protected Access., CC ID: 04832
  • Synchronize the Wireless Access Points' clocks., CC ID: 04834
  • Disable unnecessary applications, ports, and protocols on Wireless Access Points., CC ID: 04835
  • Enable or disable all BIOS wireless devices, as appropriate., CC ID: 05754
  • Enable or disable all wireless interfaces, as necessary., CC ID: 05755
  • Include or exclude device drivers for wireless devices from the kernel, as appropriate., CC ID: 05756
  • Reset wireless access points, as necessary., CC ID: 14317


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Appropriately configuring and securing remote access devices (Critical components of information security 25) iii.c., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The SSID of a non-public wireless network is not readily associated with an organisation, the location of their premises or the functionality of the wireless network. (Security Control: 1317; Revision: 2, Australian Government Information Security Manual, March 2021)
  • Wireless access points enable the use of the 802.11w amendment to protect management frames. (Control: ISM-1335; Revision: 1, Australian Government Information Security Manual, June 2023)
  • SSID broadcasting is not disabled on wireless access points. (Control: ISM-1318; Revision: 3, Australian Government Information Security Manual, June 2023)
  • 802.1X authentication with EAP-TLS, using X.509 certificates, is used for mutual authentication; with all other EAP methods disabled on supplicants and authentication servers. (Control: ISM-1321; Revision: 2, Australian Government Information Security Manual, June 2023)
  • Wireless access points enable the use of the 802.11w amendment to protect management frames. (Control: ISM-1335; Revision: 1, Australian Government Information Security Manual, September 2023)
  • SSID broadcasting is not disabled on wireless access points. (Control: ISM-1318; Revision: 3, Australian Government Information Security Manual, September 2023)
  • 802.1X authentication with EAP-TLS, using X.509 certificates, is used for mutual authentication; with all other EAP methods disabled on supplicants and authentication servers. (Control: ISM-1321; Revision: 2, Australian Government Information Security Manual, September 2023)
  • Wireless client isolation should be enabled to ensure wireless clients cannot communicate with each other, unless there is a specific business requirement. (§ 2.3.1 (2.3.1.120), The Center for Internet Security Wireless Networking Benchmark, 1)
  • Wireless client isolation should be enabled for all access points to restrict client-to-client traffic. (§ 1.2 (2.3.1.120), The Center for Internet Security Wireless Networking Benchmark, Cisco Addendum, 1)
  • Wireless client isolation should be enabled for all access points to restrict client-to-client traffic. (§ 1.2 (2.3.1.120), The Center for Internet Security Wireless Networking Benchmark, Linksys Addendum, 1)
  • Authorized and unauthorized wireless access points are managed as follows: (11.2.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Authorized and unauthorized wireless access points are managed as follows: (11.2.1, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Authorized and unauthorized wireless access points are managed as follows: (11.2.1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Authorized and unauthorized wireless access points are managed as follows: (11.2.1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Wireless Access Points should be configured and managed centrally (e.g., in a Network Operations Center or security operations center). (CF.09.06.03c, The Standard of Good Practice for Information Security)
  • Wireless Access Points should be configured and managed centrally (e.g., in a Network Operations Center or security operations center). (CF.09.06.03c, The Standard of Good Practice for Information Security, 2013)
  • For wireless devices, the organization must implement intrusion detection agents on the wireless side of the firewall. (CSR 10.10.5(9), Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Wireless devices should be configured according to the applicable operating system security technical implementation guide (STIG). RFID systems that connect to a DoD network or computers that process, transmit, or store DoD information should meet the appropriate network and operating system STIG re… (§ 3.2 (WIR0040), § 4.2 (WIR0040), § 4.3 (WIR0495), DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2, Version 5, Release 2.2)
  • Ensure all management access and authentication occurs via FIPS compliant secure protocols (e.g. SFTP, HTTPS, SNMP over TLS, etc.). Disable non-FIPS compliant secure access to the management interface. (§ 5.13.1.1 ¶ 2(13), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Examples of wireless communication technologies include, but are not limited to: 802.11, cellular, Bluetooth, satellite, microwave, and land mobile radio (LMR). Wireless technologies require at least the minimum security applied to wired technology and, based upon the specific technology or implemen… (§ 5.13.1 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Agencies shall implement the following controls for all agency-managed wireless access points with access to an agency's network that processes unencrypted CJI: (§ 5.13.1.1 ¶ 2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Change the default service set identifier (SSID) in the APs. Disable the broadcast SSID feature so that the client SSID must match that of the AP. Validate that the SSID character string does not contain any agency identifiable information (division, department, street, etc.) or services. (§ 5.13.1.1 ¶ 2(8), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Ensure the hotspot SSID does not identify the device make/model or agency ownership (§ 5.13.1.4 ¶ 2(2)(a), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Only allow connections from agency controlled devices (§ 5.13.1.4 ¶ 2(5), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Agencies shall implement the following controls for all agency-managed wireless access points with access to an agency's network that processes unencrypted CJI: (§ 5.13.1.1 ¶ 2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Ensure the reset function on APs is used only when needed and is only invoked by authorized personnel. Restore the APs to the latest security settings, when the reset functions are used, to ensure the factory default settings are not utilized. (§ 5.13.1.1 ¶ 2 7., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Enable all security features of the wireless product, including the cryptographic authentication, firewall, and other available privacy features. (§ 5.13.1.1 ¶ 2 9., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Have the default security settings for the Wireless Local Area Network access points, wireless routers, and wireless bridges been appropriately configured? (IT - WLANS Q 9, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • When the access point is reset, the security settings typically are reset to the default settings. The organization should ensure all security settings are reconfigured after a system reset occurs on an access point. (Table 8-5 Item 53, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007)
  • Wireless access points should be configured to have a unique service set identifier (SSID), disable SSID broadcast, and enable MAC filtering at a minimum. (§ 6.2.1.5 ICS-specific Recommendations and Guidance ¶ 1 Bullet 4, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The wireless access points and data servers for wireless worker devices should be located on an isolated network with documented and minimal (single if possible) connections to the ICS network. (§ 6.2.1.5 ICS-specific Recommendations and Guidance ¶ 1 Bullet 3, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • "Beacon frames" are transmitted from APs to announce their existence to client stations. The AP should be configured to maximize the beacon interval. The maximum value is approximately every 67 seconds. (§ 6.3.3.2 (Maximizing the beacon interval), Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48, Revision 1)
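The implementation support controls listed under this Control and the ISM, CIS and NIST items cited above map directly onto hostapd.conf directives. The following is an added example, not part of the UCF page and not hostapd's own tooling: a Python script that holds a constructed default-style hostapd.conf beside a hardened one and audits either against the listed items (authorised WPA version, EAP-only key management, 802.11w, 802.1X relay, client isolation, SSID naming, beacon interval, MAC allow-list). The hostapd directive names are real; the organisation-identifier word list, the beacon-interval threshold, the RADIUS address, the SSID and the shared secret are placeholders chosen for the example.

```python
"""Audit a hostapd.conf against the wireless AP hardening items on this page.

Added example; the directive names are real hostapd.conf keys, while the word
list, thresholds, addresses and secrets below are assumptions for illustration.
"""

# Constructed sample: a default-style AP with several of the listed weaknesses
# (WPA2-PSK, no 802.11w, SSID naming the organisation, no client isolation,
# default beacon interval, no MAC allow-list).
WEAK_CONF = """
interface=wlan0
driver=nl80211
ssid=AcmeBank-HQ-Corp
hw_mode=a
channel=36
beacon_int=100
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=changeme123
rsn_pairwise=CCMP
ignore_broadcast_ssid=0
ieee80211w=0
"""

# Constructed sample: the same AP after hardening. The RADIUS address,
# NAS identifier, SSID and shared secret are placeholders.
HARDENED_CONF = """
interface=wlan0
driver=nl80211
ssid=rsn-7c2a
hw_mode=a
channel=36
beacon_int=1000
wpa=2
wpa_key_mgmt=WPA-EAP-SHA256
rsn_pairwise=CCMP
ieee80211w=2
group_mgmt_cipher=AES-128-CMAC
ieee8021x=1
eapol_version=2
auth_server_addr=10.0.0.5
auth_server_port=1812
auth_server_shared_secret=REPLACE_WITH_LONG_RANDOM_SECRET
nas_identifier=ap01.corp.example
ap_isolate=1
ignore_broadcast_ssid=0
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept
"""

# Words that would tie an SSID to the organisation, its premises or the
# network's function (ISM-1317, CJIS 5.13.1.1(8)). Assumed list for the example.
ORG_IDENTIFIERS = ("acme", "bank", "hq", "corp", "guest", "pos", "scada")

# Assumed threshold in time units (1 TU = 1.024 ms); hostapd allows up to 65535.
MIN_BEACON_INT = 1000

# 802.1X key management AKMs accepted by hostapd; anything else (PSK, SAE, OWE)
# fails the EAP-TLS requirement.
EAP_AKMS = {"WPA-EAP", "WPA-EAP-SHA256", "WPA-EAP-SUITE-B-192"}


def parse_hostapd(text: str) -> dict:
    """Parse key=value lines; hostapd ignores blank lines and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit(conf: dict) -> list:
    """Return (control, finding) tuples; an empty list means every check passed."""
    findings = []
    if conf.get("wpa") != "2":
        findings.append(("CC 04832", "wpa must be 2 (RSN); WPA1/TKIP is not an authorised version"))
    akms = set(conf.get("wpa_key_mgmt", "").split())
    if not akms or not akms <= EAP_AKMS:
        findings.append(("ISM-1321", f"wpa_key_mgmt={sorted(akms)}: use 802.1X/EAP key management only"))
    if "wpa_passphrase" in conf or "wpa_psk" in conf or "wpa_psk_file" in conf:
        findings.append(("ISM-1321", "pre-shared key present; EAP-TLS with X.509 certificates is required"))
    if conf.get("ieee80211w") != "2":
        findings.append(("ISM-1335", "ieee80211w must be 2 so management frame protection is required"))
    if conf.get("ieee8021x") != "1":
        findings.append(("CC 04595", "ieee8021x=1 is needed for the AP to relay EAP to the RADIUS server"))
    if conf.get("ap_isolate") != "1":
        findings.append(("CIS 2.3.1.120", "ap_isolate=1 blocks client-to-client traffic through the AP"))
    ssid = conf.get("ssid", "")
    if any(word in ssid.lower() for word in ORG_IDENTIFIERS):
        findings.append(("ISM-1317", f"ssid {ssid!r} names the organisation, site or function"))
    if int(conf.get("beacon_int", "100")) < MIN_BEACON_INT:
        findings.append(("SP 800-48r1", f"beacon_int below {MIN_BEACON_INT} TU; raise it (max 65535 TU, about 67 s)"))
    if conf.get("macaddr_acl") != "1" or "accept_mac_file" not in conf:
        findings.append(("CC 04592", "macaddr_acl=1 with accept_mac_file enables the MAC allow-list"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for control, finding in audit(parse_hostapd(text)) or [("-", "no findings")]:
            print(f"{name:8} {control:14} {finding}")
```

Three items are deliberately left outside the script. SSID broadcast is left to the organisational standard: CC ID 04590 and CJIS 5.13.1.1(8) say to disable it, while ISM-1318 says not to, the reason being that a hidden SSID makes every client probe for the network name wherever it roams, so the name leaks from the client side instead. Transmit power (CC ID 04593) is not a hostapd.conf directive; on Linux it is set per interface with iw (for example `iw dev wlan0 set txpower fixed <mBm>`). Restricting EAP to EAP-TLS (ISM-1321) is enforced on the RADIUS server and on the supplicants; hostapd only relays EAP, so the script checks that key management is EAP-based and that no pre-shared key is configured. Raising the beacon interval is a trade-off, since clients discover and synchronise with the AP through beacons, so very long intervals slow association and roaming.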