800-53|AC-18(1)

Title

AUTHENTICATION AND ENCRYPTION

Description

The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption.

Reference Item Details

Related: SC-13,SC-8

Category: ACCESS CONTROL

Parent Title: WIRELESS ACCESS

Family: ACCESS CONTROL

Baseline Impact: MODERATE,HIGH

Audit Items

Name | Plugin | Audit Name
1.2 Ensure intra-zone traffic is not always allowed | FortiGate | CIS Fortigate Level 1 v1.0.0
1.2.1 Ensure 'Permitted IP Addresses' is set to those necessary for device management | Palo_Alto | CIS Palo Alto Firewall 10 v1.0.0 L1
1.2.1 Ensure 'Permitted IP Addresses' is set to those necessary for device management | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L1
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - HTTPS | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L1
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - HTTPS | Palo_Alto | CIS Palo Alto Firewall 10 v1.0.0 L1
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SNMP | Palo_Alto | CIS Palo Alto Firewall 10 v1.0.0 L1
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SNMP | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L1
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SSH | Palo_Alto | CIS Palo Alto Firewall 10 v1.0.0 L1
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SSH | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L1
1.2.3 Ensure HTTP and Telnet options are disabled for the management interface | Palo_Alto | CIS Palo Alto Firewall 10 v1.0.0 L1
1.2.3 Ensure HTTP and Telnet options are disabled for the management interface | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L1
1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles - HTTP | Palo_Alto | CIS Palo Alto Firewall 10 v1.0.0 L1
1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles - HTTP | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L1
1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles - Telnet | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L1
1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles - Telnet | Palo_Alto | CIS Palo Alto Firewall 10 v1.0.0 L1
1.2.5 Ensure valid certificate is set for browser-based administrator interface | Palo_Alto | CIS Palo Alto Firewall 10 v1.0.0 L2
1.2.5 Ensure valid certificate is set for browser-based administrator interface - Authentication Profile | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L2
1.2.5 Ensure valid certificate is set for browser-based administrator interface - Certificate Profiles | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L2
1.2.5 Ensure valid certificate is set for browser-based administrator interface - Certificates | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L2
1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Failed Attempts | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L1
1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Failed Attempts | Palo_Alto | CIS Palo Alto Firewall 10 v1.0.0 L1
1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Lockout Time | Palo_Alto | CIS Palo Alto Firewall 10 v1.0.0 L1
1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Lockout Time | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L1
2.1.1 Ensure 'Pre-Login Banner' is set - enable | FortiGate | CIS Fortigate Level 1 v1.0.0
2.1.1 Ensure 'Pre-Login Banner' is set - warning message | FortiGate | CIS Fortigate Level 1 v1.0.0
2.1.2 Ensure 'Post-Login-Banner' is set - enable | FortiGate | CIS Fortigate Level 1 v1.0.0
2.1.2 Ensure 'Post-Login-Banner' is set - warning message | FortiGate | CIS Fortigate Level 1 v1.0.0
2.1.5 Ensure hostname is set | FortiGate | CIS Fortigate Level 1 v1.0.0
2.2 Ensure that WMI probing is disabled | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L2
2.2 Ensure that WMI probing is disabled | Palo_Alto | CIS Palo Alto Firewall 10 v1.0.0 L2
2.3 Ensure that User-ID is only enabled for internal trusted interfaces | Palo_Alto | CIS Palo Alto Firewall 10 v1.0.0 L1
2.3 Ensure that User-ID is only enabled for internal trusted interfaces | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L1
2.4.4 Ensure idle timeout time is configured | FortiGate | CIS Fortigate Level 1 v1.0.0
2.6 Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled' | microsoft_azure | CIS Microsoft Azure Foundations v1.5.0 L1
3.1 Ensure a fully-synchronized High Availability peer is configured | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L1
3.1 Ensure a fully-synchronized High Availability peer is configured | Palo_Alto | CIS Palo Alto Firewall 10 v1.0.0 L1
3.1 Ensure That the Default Network Does Not Exist in a Project | GCP | CIS Google Cloud Platform v1.3.0 L2
3.1.2 Ensure wireless interfaces are disabled | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
3.1.2 Set 'no ip proxy-arp' | Cisco | CIS Cisco IOS 16 L2 v1.1.2
3.1.3 Set 'no interface tunnel' | Cisco | CIS Cisco IOS 16 L1 v1.1.2
3.1.4 Set 'ip verify unicast source reachable-via' | Cisco | CIS Cisco IOS 16 L1 v1.1.2
3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring - Link Monitoring Failure Condition | Palo_Alto | CIS Palo Alto Firewall 10 v1.0.0 L1
3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring - Link Monitoring Failure Condition | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L1
3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring - Path Monitoring Failure Condition | Palo_Alto | CIS Palo Alto Firewall 10 v1.0.0 L1
3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring - Path Monitoring Failure Condition | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L1
3.2 Ensure access to Configuration utility by clients using TLS version 1.2 or later | F5 | CIS F5 Networks v1.0.0 L1
3.2 Ensure Legacy Networks Do Not Exist for Older Projects | GCP | CIS Google Cloud Platform v1.3.0 L1
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Default deny configured' | Cisco | CIS Cisco IOS 16 L2 v1.1.2
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 0.0.0.0' | Cisco | CIS Cisco IOS 16 L2 v1.1.2
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 10.0.0.0' | Cisco | CIS Cisco IOS 16 L2 v1.1.2