Threat LS.L.VSPSH-P.3

URI: LS.L.VSPSH-P.3

Package: Virtualisation

Description: Access to virtual subnet LogicalSubnet via physical network PhysicalSubnet: if an attacker has access to physical subnet PhysicalSubnet, they connect to virtual subnet LogicalSubnet routed over PhysicalSubnet, unless prevented by security measures.

Threat Type: Primary Threat

Matching Pattern:

LS.L.VSPSH-P.3
MP-VSPSH-P

Finds a Virtual Subnet with no controlling Process, provided by a gateway host using a Physical Subnet to route at least one host-host connection, and optionally the manager of the Gateway.

CSG-DisableSubnet

Indicates provision of network LogicalSubnet is disabled at device Gateway, meaning the subnet is not available to potential attackers. This strategy does not represent a contingency plan, but a permanent restriction introduced by design or in accordance with an operational policy or user preference. It also triggers threats representing side effects that would be caused by such a restriction. The most common situation where provision of a subnet is possible but would not be used in practice is where a mobile device provides a WiFi hotspot, which it could do in any location, but the user will keep the hotspot functionality switched off in some locations.

CSG-NetworkEAP-AAA

Control access to subnet LogicalSubnet using a (usually remote) AAA service that verifies keys provisioned in SIM cards to authorised supplicants. You should also specify that SIM cards are used by supplicant devices, or they will be unable to connect.

CSG-NetworkEAP-PSK

Control access to subnet LogicalSubnet using a pre-shared key. This is installed at the device Gateway providing the network, which also verifies that supplicants have the same key, preventing unauthorised access. You should also specify shared keys for supplicant devices or they will be unable to connect.

CSG-NetworkEAP-TLS

Control access to subnet LogicalSubnet using authentication via X509 or otherwise trusted public-private key pairs. The gateway device Gateway providing the network has an (X509 certified) key, and a means to verify (X509 certified) keys registered by authorised supplicants. You should also specify that supplicant devices have (X509 certified) key pairs or they will be unable to connect.