UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

An inventory of authorized instruments must be documented and maintained in support of the detection of unauthorized instruments connected to the Enterprise Voice, Video, and Messaging system.


Overview

Finding ID Version Rule ID IA Controls Severity
V-259903 SRG-VOIP-000230 SV-259903r948747_rule Medium
Description
Traditional telephone systems require physical wiring and/or switch configuration changes to add an instrument to the system. This makes it difficult for someone to add unauthorized digital instruments to the system. However, this could be done more easily with older analog systems by tapping an existing analog line. With Enterprise Voice, Video, and Messaging, this is no longer the case. Most IPT/VoIP systems employ an automatic means of detecting and registering a new instrument on the network with the call management server and then downloading its configuration to the instrument. This presents a vulnerability whereby unauthorized instruments could be added to the system or instruments could be moved without authorization. Such activity can happen anywhere there is an active network port or outlet. This is not only a configuration management problem. It could also allow theft of services or some other malicious attack. It is recognized however, that auto-registration is necessary during large deployments of VoIP terminals, and for a short time thereafter, to facilitate additions and troubleshooting. This applies to initial system setup and any subsequent large redeployments or additions. Normal, day-to-day moves, adds, and changes will require manual registration. Because it may be possible for an unauthorized VoIP terminal to be added to the system easily during auto-registration, the registration logs must be compared to the authorized terminal inventory. Alternately, the system could have a method of automatically registering only preauthorized terminals. This feature would support VoIP terminals that are AO approved for connection from multiple local or remote locations. It is critical to the security of the system that all IPT/VoIP end instruments be authorized to connect to and use the system. Only authorized instruments should be configured in the system controller and therefore allowed to operate. Unauthorized instruments could lead to system compromise or abuse. A manual inventory of authorized end instruments will aid in the detection of unauthorized instruments registered to the system, particularly during the period when autodetection/registration is permitted. This will also aid in certification and accreditation efforts.
STIG Date
Enterprise Voice, Video, and Messaging Policy Security Requirements Guide 2024-03-12

Details

Check Text ( C-63634r946628_chk )
Verify that an inventory of authorized instruments is documented and maintained.

Inspect the authorized instrument inventory.

NOTE: This inventory will be separate from the inventory created within the Local Session Controller (LSC) from the listing of registered instruments. Authorized instruments must be added to this inventory before configuration in the LSC and instrument registration. The inventory may be offline or online on a separate server or workstation from the LSC (for example, the LSC management workstation).

If the inventory does not exist or does not appear to be up to date, this is a finding.

Ask how this inventory is generated and where it is stored. If it is located on the LSC, this is a finding.
Fix Text (F-63541r946629_fix)
Ensure that an inventory of authorized instruments is documented and maintained.

NOTE: This inventory will be separate from the inventory created within the LSC from the listing of registered instruments. Authorized instruments must be added to this inventory before configuration in the LSC and instrument registration. The inventory may be offline or online on a separate server or workstation from the LSC (for example, the LSC management workstation).

Prepare and maintain an inventory/database of authorized VoIP instruments. Generate and store the inventory on a separate workstation or server from the LSC (for example, the LSC management workstation).

Recommendation: Create the inventory in a format that can easily be compared through automation to the report of registered instruments from the LSC (if available). This will facilitate regular review of the inventory to detect unauthorized instruments and will make the IA review easier.