Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-17683 | RTS-VTC 1220.00 | SV-18857r2_rule | ECCT-1 ECNK-1 ECSC-1 | Medium |
Description |
---|
Early VTC CODECs did not support confidentiality of the media or signaling streams directly. As security and conference confidentiality have become an IA concern, VTU vendors have standardized on DES and AES encryption standards for VTC media streams. H.235 has been developed to help to secure the signaling protocols used in the H.323 suite of protocols. Most VTC media traffic is considered to be sensitive information requiring protection. Minimally all endpoints and MCUs must employ FIPS-validated or NSA-approved cryptography for data in transit, including both media and signaling. Much of the legacy VTC gear used today either supports DES or has no encryption. Newer CODECs support FIPS 140-2 encryption for media and signaling and typically have three encryption options on, off or automatic/negotiate. The preferred setting is ON and used when the other VTUs that a VTU needs to communicate with support encryption. Auto/negotiate is the preferred setting when this is not known. |
STIG | Date |
---|---|
Video Services Policy STIG | 2020-02-25 |
Check Text ( C-18953r2_chk ) |
---|
If a VTU under review is connected to classified IP networks and the conference information owners provide is written confirmation that encryption is not required within the classified enclave, this requirement is not applicable. If the VTC systems, endpoints, and MCUs under review are on a physically separate network from the enclave’s LAN and use dedicated point-to-point circuits outside the enclave to interconnect to MCUs and other endpoints, this requirement is not applicable. If the VTC systems, endpoints, and MCUs under review are on a logically separate network on the enclave’s LAN using a dedicated and closed VTC VLAN, and protected on the WAN using an encrypted VPN between endpoints and the MCU, this requirement is not applicable. Review the VTC system architecture and ensure the VTC data in transit is encrypted. If the VTC data in transit is not encrypted, this is a finding. Ensure the strongest encryption algorithm is used for VTC media streams as supported by all communicating VTUs and associated MCUs. |
Fix Text (F-17580r2_fix) |
---|
Configure the VTC system architecture to require all data in transit be encrypted, with a preference for FIPS-validated or NSA-approved cryptography over legacy encryption. |