NIAP: View Technical Decision Details
NIAP/CCEVS
TD0806:  Corrections to FAU_SAA.1 and FMT_SMF.1.1/WIDS

Publication Date
2023.12.19

Protection Profiles
MOD_WIDS_V1.0

Other References
FAU_SAA.1, FAU_SAA.1.2, FMT_SMF.1.1/WIDS, MOD_WIDS_V1.0-SD

Issue Description

An ACE work unit assessment uncovered issues with how FAU_SAA.1.2 and FMT_SMF.1/WIDS show assignment completions and refinements.

“Wi-Fi Protected Setup” (WPS) authentication is not a feature of enterprise-class wireless access points, and several evaluation activities do not delineate between an alert and an audit event.

FAU_SAA.1.2 in MOD_WIDS_V1.0 has several issues:

  • Item a. is "Accumulation or combination of [assignment: subset of defined auditable events] known to indicate a potential security violation". It is not clear how a device is intended to satisfy rule a., since no application note provides additional information and there is no corresponding test.
  • Item i. is "Detection of traffic with excessive transmit power level". It is not possible to determine the transmit power level of a detected EUD/AP.
  • While FAU_INV_EXT.3.1 states "The TSF shall detect the physical location of APs and EUDs to within [assignment: value equal or less than 25] feet of their actual location.", the corresponding item ab. in FAU_SAA.1.2 is "Detection of the physical location of an identified WLAN threat by using triangulation". This item has a corresponding Test 27 in the MOD_WIDS_V1.0-SD with a different distance measurement:

Test 27: Detection of the physical location of an identified WLAN threat by using triangulation:

  • Step 1: Deploy a non-allowlisted AP or EUD within range of the TSF.
  • Step 2: Verify that the TSF can track and locate the AP or EUD to within 5 meters.

Resolution

This TD consolidates changes made in TDs 0558, 0750, and 0799, which are now archived.

FAU_SAA.1.2 in MOD_WIDS_V1.0 is updated as follows (the original page shows additions as green-highlighted underlines and deletions as red-highlighted strikethroughs; in this text rendering additions are marked {+...+} and deletions [-...-]):

FAU_SAA.1.2

The TSF shall enforce the following rules for monitoring wireless traffic:

a. Accumulation or combination of {+[selection: +}[assignment: subset of defined auditable events]{+, no defined auditable events]+} known to indicate a potential security violation,
b. [Detection of non-allowlisted AP,
c. Detection of non-allowlisted EUD,
d. Detection of authorized EUD establishing peer-to-peer connection with any other EUD,
e. Detection of EUD bridging two network interfaces,
f. Detection of unauthorized point-to-point wireless bridges by allowlisted APs,
g. Alert generated by violation of user defined signature,
h. Detection of ICS connection,
[-i. Detection of traffic with excessive transmit power level,-]
{+i+}[-j-]. Detection of MAC spoofing,
{+j+}[-k-]. Detection of unauthorized AP broadcasting authorized SSIDs,
{+k+}[-l-]. Detection of authorized AP broadcasting an unauthorized SSID,
{+l+}[-m-]. Detection of allowlisted EUD connected to unauthorized SSID,
{+m+}[-n-]. Detection of NULL SSID associations,
{+n+}[-o-]. Detection of active probing,
{+o+}[-p-]. Detection of packet flooding/DoS/DDoS,
{+p+}[-q-]. Detection of RF-based denial of service,
{+q+}[-r-]. Detection of deauthentication flooding,
{+r+}[-s-]. Detection of disassociation flooding,
{+s+}[-t-]. Detection of request-to-send/clear-to-send abuse,
{+t+}[-u-]. Detection of unauthorized authentication scheme use,
{+u+}[-v-]. Detection of unauthorized encryption scheme use,
{+v+}[-w-]. Detection of unencrypted traffic,
{+w+}[-x-]. Detection of allowlisted EUD or AP that is using weak/outdated WLAN protocols and protocol implementations,
{+x+}[-y-]. Detection of extremely high numbers of client devices using a particular allowlisted AP,
{+y+}[-z-]. Detection of a high number of failed attempts to join the WLAN in a short period of time,
{+z+}[-aa-]. Detection of the use of active WLAN scanners (e.g. wardriving tools) to generate WLAN traffic, such as Probes, Auths, and Assoc frames,
{+aa+}[-ab-]. Detection of the physical location of an identified WLAN threat by using triangulation,
{+ab+}[-ac-]. Detection of an SSID using weak/unsupported/disallowed encryption options,
{+ac+}[-ad-]. Detection of AP SSID larger than 32 bytes,
[-ae. Detection of excessive WPS negotiations,-]
{+ad+}[-af-]. [assignment: any other rules]].

Application Note: These rules are used to detect a potential security violation. A malicious actor who has gained unauthorized access to the TSF possesses the ability to alter its configuration and overall security posture. Maintenance of the rule set by adding, modifying or deleting rules is handled by FMT_SMF.1/WIDS.

There is no expectation that the TOE classify or categorize audit records related to TSF configuration changes as malicious activity. If a potential security violation is detected, the alert generated for the Administrator is handled by FAU_ARP.1.

 
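The monitoring rules above are stated as requirements, not as mechanisms. As an added illustration that is not part of this TD or of MOD_WIDS_V1.0, the Python below applies a handful of them (non-allowlisted AP and EUD, unauthorized AP broadcasting an authorized SSID, authorized AP broadcasting an unauthorized SSID, an SSID larger than 32 bytes, and deauthentication flooding) to constructed summaries of 802.11 management frames. The allowlists and thresholds stand in for the inventory and rules an Administrator defines under FMT_SMF.1/WIDS; the frame records, MAC addresses, threshold values and rule names are all assumptions made for the example.

```python
"""Toy WIDS rule evaluator for a subset of the FAU_SAA.1.2 monitoring rules.

Added example, not code from the TD or MOD_WIDS_V1.0: the frame records,
MAC addresses, thresholds and rule names below are constructed for
illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Frame:
    """Summary of one observed 802.11 management frame (constructed)."""
    t: float              # observation time, seconds
    kind: str             # "beacon", "assoc" or "deauth"
    src: str              # transmitter MAC address
    ssid: bytes = b""     # SSID element carried by beacon frames


@dataclass
class Policy:
    """Administrator-defined inventory and thresholds (cf. FMT_SMF.1/WIDS)."""
    authorized_aps: set
    authorized_euds: set
    authorized_ssids: set
    deauth_threshold: int = 20    # frames per window; assumed value
    window_seconds: float = 10.0  # sliding window length; assumed value


def evaluate(frames, policy):
    """Return a sorted list of (rule, subject MAC) alerts, one per pair."""
    alerts = set()
    deauth_times = defaultdict(list)
    for f in frames:
        if f.kind == "beacon":
            ap_ok = f.src in policy.authorized_aps
            ssid_ok = f.ssid in policy.authorized_ssids
            if not ap_ok:                       # non-allowlisted AP
                alerts.add(("non-allowlisted AP", f.src))
            if len(f.ssid) > 32:                # SSID element exceeds 802.11 maximum
                alerts.add(("SSID larger than 32 bytes", f.src))
            if not ap_ok and ssid_ok:           # rogue AP impersonating our network
                alerts.add(("unauthorized AP broadcasting authorized SSID", f.src))
            if ap_ok and not ssid_ok:           # our AP misconfigured or compromised
                alerts.add(("authorized AP broadcasting unauthorized SSID", f.src))
        elif f.kind == "assoc":
            if f.src not in policy.authorized_euds:   # non-allowlisted EUD
                alerts.add(("non-allowlisted EUD", f.src))
        elif f.kind == "deauth":
            deauth_times[f.src].append(f.t)
    # Deauthentication flooding: a source exceeds the threshold number of
    # deauthentication frames inside any sliding window of window_seconds.
    for src, times in deauth_times.items():
        times.sort()
        start = 0
        for end, t_end in enumerate(times):
            while t_end - times[start] > policy.window_seconds:
                start += 1
            if end - start + 1 > policy.deauth_threshold:
                alerts.add(("deauthentication flooding", src))
                break
    return sorted(alerts)


# Constructed sample: one authorized AP, one authorized EUD, one SSID.
AP_OK, EUD_OK = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:01"
SAMPLE_POLICY = Policy({AP_OK}, {EUD_OK}, {b"CORP"})
SAMPLE_FRAMES = (
    [Frame(0.0, "beacon", AP_OK, b"CORP"),                  # benign
     Frame(0.5, "beacon", "ee:ee:ee:00:00:99", b"CORP"),    # rogue AP, our SSID
     Frame(1.0, "beacon", AP_OK, b"GUEST"),                 # our AP, foreign SSID
     Frame(1.5, "beacon", "ee:ee:ee:00:00:98", b"A" * 40),  # oversized SSID
     Frame(2.0, "assoc", "bb:bb:bb:00:00:02"),              # unknown client
     Frame(2.5, "assoc", EUD_OK)]                           # benign
    + [Frame(0.1 * i, "deauth", "ee:ee:ee:00:00:97") for i in range(25)]
    + [Frame(3.0 + i, "deauth", EUD_OK) for i in range(5)]  # under threshold
)


def demo():
    """Evaluate the constructed sample; returns the alert list."""
    return evaluate(SAMPLE_FRAMES, SAMPLE_POLICY)


if __name__ == "__main__":
    for rule, subject in demo():
        print(f"{rule}: {subject}")
```

Each (rule, subject) pair is reported once, so a flooding source produces a single alert however many frames it sends; what the TOE then does with the alert (FAU_ARP.1) is outside the example.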

FMT_SMF.1/WIDS is updated as follows; the additions (shown on the original page as green underlined highlighting) are the bolding of "for WIDS functionality" and the italicizing of the first six bullets:

 

FMT_SMF.1.1/WIDS

The TSF shall be capable of performing the following management functions for WIDS functionality[

- Define an inventory of authorized APs based on [selection: MAC addresses, [assignment: other unique device identifier]],

- Define an inventory of authorized EUDs based on MAC addresses,

- Define rules for monitoring and alerting on the wireless traffic,

- Define authorized SSID(s),

- Define authorized WLAN authentication schemes,

- Define authorized WLAN encryption schemes,

...

]].

 

The guidance activity and Tests 8, 27, and 30 for FAU_SAA.1 in MOD_WIDS_V1.0-SD are modified as follows (the original page shows additions as green-highlighted underlines and deletions as red-highlighted strikethroughs; in this text rendering additions are marked {+...+} and deletions [-...-]):

Guidance

If the ability of the TSF to detect the different potential security violations is configurable, the evaluator shall verify that the operational guidance provides instructions on how to configure the TOE. The TSF should generate an alert or audit event for all potential violations contained within the rules set forth in FAU_SAA.1.

 

[-Test 8: Detection of traffic with excessive transmit power level:

  • Step 1: Configure a source of network traffic that can exceed the maximum transmit power levels of 100mW on 2.4GHz and 200mW on 5GHz.
  • Step 2: Configure a user-defined signature to detect traffic with transmit power levels that exceed the maximum.
  • Step 3: Commence with the transmission of network traffic at excessive power levels.
  • Step 4: Collect wireless traffic within range of the TSF.
  • Step 5: Verify that the TSF detects wireless traffic that exceeds 100mW on 2.4GHz and 200mW on 5GHz.-]

Test 27: Detection of the physical location of an identified WLAN threat by using triangulation:

  • Step 1: Deploy a non-allowlisted AP or EUD within range of the TSF.
  • Step 2: Verify that the TSF can track and locate the AP or EUD to within [-5 meters-]{+25 feet+}.

[-Test 30: Detection of excessive WPS negotiations:

  • Step 1: Deploy an allowlisted AP and permit WPS authentication.
  • Step 2: Configure a threshold amount of WPS connections that are allowed in a specific amount of time on the AP.
  • Step 3: Verify that the TSF detects when the AP's WPS connection threshold has been exceeded.-]

 

 

Justification

See Issue Description.
