
VTC endpoints simultaneously connect to a wired LAN and a wireless LAN.


Overview

Finding ID: V-17715
Version: RTS-VTC 4320.00
Rule ID: SV-18889r1_rule
IA Controls: ECWN-1
Severity: Medium
Description
A consideration regarding wireless LAN capabilities in VTC endpoints is that, with some implementations, a VTU could be connected to a wired LAN while also maintaining a wireless connection in either ad hoc or infrastructure mode. Activating wireless capabilities on a VTU while it is connected to a wired LAN can provide an attack vector into that LAN. If the VTU connects in infrastructure mode to a non-DoD WLAN in its vicinity, a bridge could be formed between the two LANs, compromising the DoD wired LAN as well as any conference sessions in which the VTU participates. If the VTU connects via an ad hoc connection, the same vulnerabilities exist for the conference, since the other connected device may or may not itself be connected to another LAN. Either way, this has the potential to create a back door into the DoD wired LAN, a vulnerability that must be mitigated by preventing this dual connectivity. The Wireless STIG describes security requirements for both ad hoc and infrastructure mode wireless connections. The following requirement parallels the Wireless STIG requirement WIR0161 for Personal Computers (PCs) and Personal Electronic Devices (PEDs).
STIG: Video Teleconference STIG
Date: 2014-02-11

Details

Check Text (C-18985r1_chk)
[IP]; Interview the IAO and validate compliance with the following requirement:

Ensure VTC endpoints do not simultaneously connect to a wired LAN and a wireless LAN if traffic can pass between the two LANs (e.g., acts as a LAN bridge or IP router).

Note: This is not a finding if it is proven that the VTU cannot pass network traffic from the wired LAN to the wireless LAN when dual connected and vice versa.

Note: During APL testing, this is a finding in the event the VTU provides a bridge (passes traffic) between the wired and wireless LAN connections.

If the VTU supports an active 802.11 wireless LAN connection and is also connected to a wired LAN, determine whether the VTU can pass traffic between the wireless LAN connection and the wired LAN connection in either direction.
Fix Text (F-17612r1_fix)
[IP]; Perform the following tasks:
Purchase and install only those VTUs that do not provide, or can be configured not to provide, a bridge between a wireless and a wired LAN connection, or VTUs that do not support wireless LAN connectivity at all.
OR
Configure the VTU so that it does not provide a bridge (pass traffic) between its wired and wireless LAN ports.
OR
Use only one connection method. That is, use either a wired LAN connection or, only if absolutely required, a wireless LAN connection that complies with the Wireless STIG.
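The check above asks the reviewer to decide three things: is the VTU dual connected, can frames or packets actually cross between the two LANs, and, if not, does the exemption in the first note apply. The following Python is an added example, not STIG tooling or any vendor's code, that models that decision over constructed state snapshots. It assumes a hypothetical Linux-based VTU whose administrator can collect interface state, the net.ipv4.ip_forward sysctl, bridge membership and the default policy of the netfilter FORWARD chain; the interface names, addresses and snapshots below are all constructed for illustration.

```python
# Added example: models the RTS-VTC 4320.00 dual-connectivity check over
# constructed interface snapshots from a hypothetical Linux-based VTU.
# Not STIG tooling and not vendor code.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Iface:
    name: str
    kind: str                 # "wired", "wireless" or "bridge"
    up: bool                  # carrier present, or associated to an AP / ad hoc peer
    addrs: List[str] = field(default_factory=list)   # IPv4 addresses; bridge members have none


@dataclass
class Snapshot:
    ifaces: List[Iface]
    ip_forward: int                     # value of net.ipv4.ip_forward (0 or 1)
    bridges: Dict[str, List[str]]       # bridge name -> member interface names
    forward_policy: str                 # default policy of the netfilter FORWARD chain


def _active(snap: Snapshot, kind: str) -> List[Iface]:
    return [i for i in snap.ifaces if i.kind == kind and i.up]


def dual_connected(snap: Snapshot) -> bool:
    """True when a wired and a wireless link are both up at the same time."""
    return bool(_active(snap, "wired")) and bool(_active(snap, "wireless"))


def bridging_pair(snap: Snapshot) -> Optional[str]:
    """Layer 2 path: name of a bridge that enslaves both a wired and a wireless port."""
    kind_of = {i.name: i.kind for i in snap.ifaces}
    for br, members in snap.bridges.items():
        if {"wired", "wireless"} <= {kind_of.get(m) for m in members}:
            return br
    return None


def routing_between(snap: Snapshot) -> bool:
    """Layer 3 path: forwarding enabled, FORWARD chain permissive, both sides addressed."""
    wired_addressed = any(i.addrs for i in _active(snap, "wired"))
    wireless_addressed = any(i.addrs for i in _active(snap, "wireless"))
    return (snap.ip_forward == 1
            and snap.forward_policy.upper() == "ACCEPT"
            and wired_addressed and wireless_addressed)


def evaluate(snap: Snapshot) -> Tuple[str, str]:
    """Return (status, reason) in the STIG's terms: finding / not a finding / not applicable."""
    if not dual_connected(snap):
        return ("not applicable", "only one LAN connection is active")
    br = bridging_pair(snap)
    if br:
        return ("finding", f"bridge {br} passes frames between the wired and wireless ports")
    if routing_between(snap):
        return ("finding", "ip_forward=1 with an ACCEPT FORWARD policy routes between the LANs")
    # Dual connected, but no kernel path between the LANs: the exemption in the first note.
    return ("not a finding", "dual connected, but no bridge or forwarding path was found")


# Constructed snapshots (not captured from a real device).
BRIDGED = Snapshot(
    ifaces=[Iface("eth0", "wired", True), Iface("wlan0", "wireless", True),
            Iface("br0", "bridge", True, ["10.1.20.15"])],
    ip_forward=0, bridges={"br0": ["eth0", "wlan0"]}, forward_policy="ACCEPT")

ROUTED = Snapshot(
    ifaces=[Iface("eth0", "wired", True, ["10.1.20.15"]),
            Iface("wlan0", "wireless", True, ["192.168.4.7"])],
    ip_forward=1, bridges={}, forward_policy="ACCEPT")

ISOLATED = Snapshot(
    ifaces=[Iface("eth0", "wired", True, ["10.1.20.15"]),
            Iface("wlan0", "wireless", True, ["192.168.4.7"])],
    ip_forward=0, bridges={}, forward_policy="DROP")

WIRED_ONLY = Snapshot(
    ifaces=[Iface("eth0", "wired", True, ["10.1.20.15"]),
            Iface("wlan0", "wireless", False)],
    ip_forward=0, bridges={}, forward_policy="DROP")

if __name__ == "__main__":
    for label, snap in [("bridged", BRIDGED), ("routed", ROUTED),
                        ("isolated", ISOLATED), ("wired only", WIRED_ONLY)]:
        status, why = evaluate(snap)
        print(f"{label:11} -> {status}: {why}")
```

The two "finding" paths correspond to the two ways a VTU can become a back door: a Layer 2 bridge enslaving both ports, and Layer 3 forwarding between addressed interfaces. The ISOLATED snapshot is the case the first note exempts (dual connected, but no path), and the fix text's "configure the VTU to not provide a bridge" amounts to moving a device from the BRIDGED or ROUTED state into that one. The model only sees kernel bridging and routing; a userspace relay on the VTU would not show up in it, which is why the APL note still requires proving by test that traffic does not pass.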