Secure protocols are not used for CODEC remote control and management

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-17701	RTS-VTC 3120.00	SV-18875r1_rule	DCBP-1 ECSC-1	Medium

Description
Many VTC Endpoints are remotely accessed across a LAN via non-secure IP protocols such as telnet, FTP, and HTTP. This poses another confidentiality issue since these protocols do not meet DoD requirements for password encryption while in transit per DoDI 8500.2 IA control IAIA-1 and IAIA-2, nor do they meet the encryption requirements for sensitive information in transit as required by IA controls ECCT-1 and ECNK-1. Therefore, if possible, non-secure protocols should not be used. Some devices provide the option to select the secure versions of these protocols such as HTTPS, FTPS, and TelnetS, and/or SSH for remote access. Secure protocols are required over non-secure protocols if available. Of additional concern is that remote control/management/configuration is performed in-band. In other words, it is performed using the same Ethernet port as the VTC traffic utilizes. If non-secure protocols must be utilized, the VTC production and CODEC remote access traffic must be segregated on the LAN from the normal data traffic. This is so that the confidentiality of the remote access password and sensitive management/configuration information is protected to the greatest extent possible by limiting access to it. Segregation requirements are discussed later under the LAN configuration section. Note: During APL testing, this is a finding in the event encryption protocols are not supported by the VTC\VTU\CODEC.

Description

Many VTC Endpoints are remotely accessed across a LAN via non-secure IP protocols such as telnet, FTP, and HTTP. This poses another confidentiality issue since these protocols do not meet DoD requirements for password encryption while in transit per DoDI 8500.2 IA control IAIA-1 and IAIA-2, nor do they meet the encryption requirements for sensitive information in transit as required by IA controls ECCT-1 and ECNK-1. Therefore, if possible, non-secure protocols should not be used. Some devices provide the option to select the secure versions of these protocols such as HTTPS, FTPS, and TelnetS, and/or SSH for remote access. Secure protocols are required over non-secure protocols if available. Of additional concern is that remote control/management/configuration is performed in-band. In other words, it is performed using the same Ethernet port as the VTC traffic utilizes. If non-secure protocols must be utilized, the VTC production and CODEC remote access traffic must be segregated on the LAN from the normal data traffic. This is so that the confidentiality of the remote access password and sensitive management/configuration information is protected to the greatest extent possible by limiting access to it. Segregation requirements are discussed later under the LAN configuration section. Note: During APL testing, this is a finding in the event encryption protocols are not supported by the VTC\VTU\CODEC.

STIG	Date
Video Teleconference STIG	2014-02-11

Details

Check Text ( C-18971r1_chk )
[IP]; Interview the IAO and validate compliance with the following requirement: Ensure secure (encrypted) remote access protocols are used for CODEC “Remote Control/Management/Configuration” (e.g., HTTPS, FTPS, TelnetS, or SSH) Determine what protocols are in use for device management and configuration. This is a finding if the protocols used are not encrypted. Note: This is not a finding if unencrypted management protocols are passed through an encrypted VPN between the managing PC/workstation/server and the managed device. Note: During APL testing, this is a finding if the device does not support encrypted management protocols (e.g., HTTPS, FTPS, TelnetS, or SSH) OR an encrypted VPN between the managing PC/workstation/server and the managed device.

Check Text ( C-18971r1_chk )

[IP]; Interview the IAO and validate compliance with the following requirement:

Ensure secure (encrypted) remote access protocols are used for CODEC “Remote Control/Management/Configuration” (e.g., HTTPS, FTPS, TelnetS, or SSH)

Determine what protocols are in use for device management and configuration. This is a finding if the protocols used are not encrypted.

Note: This is not a finding if unencrypted management protocols are passed through an encrypted VPN between the managing PC/workstation/server and the managed device.

Note: During APL testing, this is a finding if the device does not support encrypted management protocols (e.g., HTTPS, FTPS, TelnetS, or SSH) OR an encrypted VPN between the managing PC/workstation/server and the managed device.

Fix Text (F-17598r1_fix)
[IP]; Perform the following tasks: Purchase and implement VTC CODECs and other VTC devices that support encryption of “Remote Control/Management/Configuration” protocols via the use of encrypted protocols or encrypted VPN tunnels between the managing PC/workstation and the managed device. AND Configure VTC CODECs and other VTC devices to use encrypted “Remote Control/Management/Configuration” protocols or an encrypted VPN tunnel between the managing PC/workstation/server and the managed device.

Fix Text (F-17598r1_fix)

[IP]; Perform the following tasks:
Purchase and implement VTC CODECs and other VTC devices that support encryption of “Remote Control/Management/Configuration” protocols via the use of encrypted protocols or encrypted VPN tunnels between the managing PC/workstation and the managed device.
AND
Configure VTC CODECs and other VTC devices to use encrypted “Remote Control/Management/Configuration” protocols or an encrypted VPN tunnel between the managing PC/workstation/server and the managed device.