wirelesschecklistv3r11.docx
WIRELESS SECURITY CHECKLIST
Version 3, Release 1.1
01 November 2004
Developed by DISA for the DOD
Database Reference Number: __________________ CAT I: _____
Database entered by: ____________________ Date: _______ CAT II: _____
Technical Q/A by: ______________________ Date: _______ CAT III: _____
Final Q/A by: __________________________ Date: _______ CAT IV: _____
TOTAL: _____
Unclassified UNTIL FILLED IN
CIRCLE ONE
FOR OFFICIAL USE ONLY (mark each page)
CONFIDENTIAL and SECRET (mark each page and each finding)
Classification is based on classification of system reviewed:
Unclassified System = FOUO Checklist
Confidential System = CONFIDENTIAL Checklist
Secret System = SECRET Checklist
Top Secret System = SECRET Checklist
TABLE OF CONTENTS
Summary of Changes
Wireless Security Checklist Instructions
SRR Worksheets
Wireless Equipment Inventory Worksheets
1. REQUIREMENTS APPLICABLE TO ALL TECHNOLOGIES
Perform the checks in this section for all wireless technologies.
WIR0010 All wireless systems must have DAA approval.
WIR0011 Personally owned wireless devices will not be used for processing DoD information
WIR0015 Maintain a list of wireless devices
WIR0020 Secure all individual functions of multi-functional devices
WIR0030 Document wireless devices in the SSAA
WIR0040 OS configuration must be STIG compliant
WIR0050 Anti-Virus software must be STIG compliant
2. WLAN AND WPAN TECHNOLOGIES
2.1 Compliance Checks for WLAN and WPAN Devices
WIR0060 WLANs must be compliant with DODD 8100.2
WIR0280 WLAN devices used for remote connection via the Internet must comply with PDA policies
WIR0070 WLANs outside the US must have US Forces and host nation approval
WIR0075 Perform periodic WLAN/WPAN discovery
WIR0290 Install WLAN network devices (AP, bridges) in DMZ or VLAN
WIR0270 Use FIPS 140-2 VPN (layer 2 or 3 with AES or 3DES) to secure WLAN
WIR0300 Use an IDS/IPS to monitor the WLAN
WIR0320 Disable management ports on WLAN network devices when not in use
WIR0230 WLAN must have session timeout capability and must be set to 15 minutes or less
WIR0250 Set WLAN AP transmit power to lowest possible to obtain signal strength required
WIR0330 Password protect WLAN AP and bridges
WIR0080 Use FIPS 140-2 encryption with unclassified Bluetooth WLAN devices
WIR0083 Disable Bluetooth on devices without FIPS 140-2 encryption
WIR0240 Use DoD PKI certificates to protect unclassified WLANs
WIR0090 Password protect folders and files on WLAN devices
WIR0100 802.11-enabled devices must have a DISA compliant personal firewall
WIR0110 Power off WLAN receivers and transmitters when not in use
WIR0125 Enable mutual authentication for peer-to-peer WLANs
WIR0130 For peer-to-peer WLANs, do not use NICs that cannot be disabled
WIR0140 Change default SSID
WIR0150 Disable SSID broadcast mode
WIR0160 Enable MAC address filtering
WIR0163 Disable Windows Zero Configuration (WZC) service on the WLAN client
WIR0164 Use WLAN drivers and management utilities that work without WZC service
WIR0165 Remove WLAN NICs from Windows stations when not in use
WIR0166 Embedded WLAN NICs should not require Windows WZC to operate
WIR0167 Change default setting for WLAN NIC radio to “Off”
2.2 Wireless Keyboards and Mice
WIR0132 Wireless keyboards must comply with all applicable WLAN requirements
2.3 Voice-over-IP
WIR0133 Wireless VoIP systems must comply with applicable requirements
2.4 Mitigating Risks to Classified Information
WIR0170 Do not use WLAN devices to access TS and SCI information
WIR0180 Do not allow WLAN devices in SCIFs
WIR0181 Disable RF and IR on WPAN devices (e.g. Bluetooth) if allowed into SCIFs
WIR0182 Bluetooth devices cannot be used to process classified
WIR0200 Coordinate with CTTA before installing WLAN devices (SecNet-11) for classified
WIR0203 Use NSA Type 1 WLAN devices for transmitting classified
WIR0204 Obtain DSAWG approval for WLAN systems connected to the SIPRNet
WIR0210 Use DoD High Assurance PKI certificates for Secret and Confidential WLANs
WIR0225 Coordinate with CTTA and disable recording for WLANs/WPANs used in classified areas
WIR0190 Do not use clients with embedded wireless NICs that are not removable for classified
WIR0193 Laptops with embedded wireless NICs are connected to SIPRNET
WIR0220 Use NSA Type 1 encryption for Secret and Confidential WLANs
3. WIRELESS REMOTE ACCESS TECHNOLOGIES
3.1 Wireless Cellular and PCS Telephones
WIR0350 Use NSA Type 1 telephones for classified transmission
WIR0356 Do not allow wireless phones with cameras into classified document processing areas
WIR0360 Disable RF and IR on cellular phones when in a SCIF
WIR0370 Coordinate with CTTA and do not hotsync wireless phones in classified processing areas
WIR0371 Wireless phones with cameras must be approved by physical security policies
3.2 Broadband Wireless
3.2.1 Mitigating Risks to Classified Information
WIR0373 Do not use broadband wireless systems for classified
WIR0374 Do not permit broadband wireless in a SCIF
WIR0375 Coordinate with CTTA before using broadband wireless in areas with classified
3.2.2 Compliance Checks for Broadband Wireless Devices
WIR0376 Use DoD PKI certificates for I&A in unclassified broadband wireless
WIR0377 Use a FIPS 140-2 VPN (AES or 3DES) to secure broadband wireless systems
WIR0378 Broadband wireless must comply with policies of the Secure Remote Computing STIG
WIR0379 Use a personal firewall and IDS to protect the broadband wireless station
3.3 Personal Digital Assistants (PDAs)
3.3.1 Compliance Checks for PDAs
WIR0450 Configure password protection IAW DISA requirements
WIR0460 Use encryption to protect data and files on the PDA
WIR0465 Do not download mobile code from non-DoD sources
WIR0470 Disable IR port on the PDA when not in use
WIR0480 PDA hotsyncing of unclassified data must comply with DISA requirements
WIR0490 For PDA access via Internet, use encryption, PKI and turn off modem when not in use
3.3.2 Mitigating Risks to Classified Information
WIR0380 Use NSA Type 1 end-to-end encryption for classified PDAs
WIR0390 Disable RF and IR on PDAs if permitted in SCIFs
WIR0400 For PDAs used where classified is processed, coordinate with CTTA and disable recording
WIR0410 Do not connect PDA directly to classified workstations or in classified areas
WIR0420 Do not hotsync to or install PDA synchronization software on workstations in a SCIF
WIR0425 Encrypt classified data on PDA using NSA approved encryption
4. WIRELESS TWO-WAY MESSAGING AND E-MAIL TECHNOLOGIES
4.1 Mitigating Risks to Classified Information
WIR0500 Do not use wireless messaging devices to process classified
WIR0510 Disable RF and IR for wireless messaging devices if permitted in a SCIF
WIR0520 Coordinate with CTTA for SMS/pagers before entering areas where classified is processed
WIR0530 Do not install synchronization software on systems processing classified information
4.2 Compliance Checks for Wireless Messaging Devices
WIR0540 Use SMS and two-way pagers for routine administrative information only
WIR0550 Use messaging services that provide link encryption for SMS and two-way pagers
WIR0580 Configure password protection IAW DISA requirements
4.2.1 BlackBerry Email Devices
WIR0590 Use only BlackBerry enterprise server email redirectors
WIR0600 Encrypt data and files on the BlackBerry device
WIR0605 Download mobile code from DoD sources only
WIR0610 Disable BlackBerry IR port when it is not in use; exchange data with trusted devices only
WIR0620 Deactivate BlackBerry devices at the server when reported lost or stolen
WIR0630 BlackBerry password protection must comply with DISA policy
Appendix A. CRITICAL LEVEL 1 CHECKS
Appendix B DISABLING WINDOWS WIRELESS ZERO CONFIGURATION (WZC)
Appendix C Wireless Products Lists
Summary of Changes
GENERAL CHANGES:
- The previous release was Version 2, Release 1.1, dated 30 July 2003
- Updated and added wireless inventory worksheets
- Added PDI numbers and description to Table of Contents to help user better navigate checklist
- Wireless Security Checklist Procedures added giving instructions for using the checklist
- Added introductory paragraphs to sections and subsections as needed.
- FIPS 140-1/2 changed to FIPS 140-2 throughout
SECTION CHANGES
SECTION 1. REQUIREMENTS APPLICABLE TO ALL TECHNOLOGIES
- WIR0010 – Updated Procedure and References
- WIR0011 – Personally owned devices. Changed from WIR0560, renumbered and moved from Section 4
- WIR0015 – Updated PDI and added more detail to procedure
- WIR0030 – Deleted PDI
- WIR0050 – Updated to remove “if available”. Updated with note regarding automatic CAT IV for SMS
SECTION 2. WLAN AND WPAN TECHNOLOGIES
- Added WPAN to section title
- WIR0070 – Deleted and number reused with requirement for host nation approval
- WIR0075 – Added
- WIR0080 – Reworded to make the requirement applicable to all WPANs rather than specific to Bluetooth
- WIR0083 – Added required disabling of Bluetooth on devices without FIPS 140-2 encryption
- WIR0090 – Deleted phrase “if available”
- WIR0100 – Deleted phrase “if available”
- WIR0110 – Updated with CSA CTTA requirement
- WIR0120 – Regarding Common Criteria peer-to-peer protection profile deleted
- WIR0125 – Added. Requires enabling of mutual authentication for peer-to-peer WLANs
- WIR0136 – Added
- WIR0137 – Added
- WIR0160 – Changed should to will
- WIR0166 – Reworded
- WIR0167 – Added
- WIR182, WIR0181 and WIR0225 – Added. Regardin