STIGQter: STIG Summary: Voice Video Services Policy Security Technical Implementation Guide Version: 3 Release: 17 Benchmark Date: 25 Oct 2019

A hardware-based VVoIP or VTC endpoint possesses or provides a “PC Port” but does not maintain the required VLAN separation through the implementation of an Ethernet switch (not a hub).

DISA Rule

SV-8801r1_rule

Vulnerability Number

V-8306

Group Title

Deficient design: EI “PC port” switch VLAN suppt

Rule Version

VVoIP 5700 (LAN)

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Ensure a VVoIP or VTC hardware endpoint possessing a “PC Port” contains an Ethernet switch such that VLAN separation can be maintained and that it does not contain an Ethernet hub OR ensure the “PC Port” is physically disabled.

Check Contents

In the event the endpoints do not support VLAN separation or cannot/do not tag their traffic with the appropriate VLAN ID (802.1Q tag), physically inspect a random sampling of VVoIP or VTC endpoints to determine if the PC port is physically disabled or blocked from use. If not, plug a PC into the PC port and determine if it has access to the LAN or to the configuration of, or communications traffic from, the phone. This is a finding if this condition is true and the PC port is not physically disabled or blocked, or the PC has access to the LAN or the phone.

Vulnerability Number

V-8306

Documentable

False

Rule Version

VVoIP 5700 (LAN)

Mitigations

VVoIP 5700

Severity Override Guidance

In the event the endpoints do not support VLAN separation or cannot/do not tag their traffic with the appropriate VLAN ID (802.1Q tag), physically inspect a random sampling of VVoIP or VTC endpoints to determine if the PC port is physically disabled or blocked from use. If not, plug a PC into the PC port and determine if it has access to the LAN or to the configuration of, or communications traffic from, the phone. This is a finding if this condition is true and the PC port is not physically disabled or blocked, or the PC has access to the LAN or the phone.

Check Content Reference

M

Potential Impact

Denial of Service and/or unauthorized access to network or voice system resources or services and the information they contain. Loss of confidentiality. Degradation of the data and VoIP network segregation and associated problems.

Mitigation Control

Physically disable or incapacitate the PC port so that it cannot be activated and used.

Responsibility

Information Assurance Officer

Target Key

594

Comments