Hardware based VVoIP or VTC endpoint web browser capabilities that permit the endpoint to browse the internet or intranet are NOT disabled.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-21514	VVoIP/VTC 1610 (GENERAL)	SV-23723r1_rule	ECSC-1	Medium

Description
Permitting hardware based VVoIP or VTC endpoints to browse the internet or enterprise intranet freely opens the endpoint to the possibility of inadvertently downloading malicious code to the endpoint for which it may have no protection. VVoIP and VTC endpoints cannot typically support host based intrusion detection or anti-virus software. While the downloaded malicious code might not effect the endpoint itself, the endpoint could be used by the malicious code as a launching pad into the network and attached workstations or servers.

Description

Permitting hardware based VVoIP or VTC endpoints to browse the internet or enterprise intranet freely opens the endpoint to the possibility of inadvertently downloading malicious code to the endpoint for which it may have no protection. VVoIP and VTC endpoints cannot typically support host based intrusion detection or anti-virus software. While the downloaded malicious code might not effect the endpoint itself, the endpoint could be used by the malicious code as a launching pad into the network and attached workstations or servers.

STIG	Date
Video Teleconference STIG	2015-01-05

Details

Check Text ( C-25756r1_chk )
Interview the IAO to validate compliance with the following requirement: Ensure hardware based VVoIP or VTC endpoint web browser capabilities that permit the endpoint to browse the internet or intranet are disabled unless such capabilities are specifically required for the proper function of the endpoint or to access specific external applications. Determine the web browsing capabilities of the hardware based VVoIP or VTC endpoints. This is a finding in the event the endpoint can access general web pages on the Internet or enterprise intranet other than approved external applications. NOTE: This requirement does not apply to limited web browsing capabilities required to access external applications and services that have been approved for accessibility on the endpoint and implemented by the enterprise.

Check Text ( C-25756r1_chk )

Interview the IAO to validate compliance with the following requirement:

Ensure hardware based VVoIP or VTC endpoint web browser capabilities that permit the endpoint to browse the internet or intranet are disabled unless such capabilities are specifically required for the proper function of the endpoint or to access specific external applications.

Determine the web browsing capabilities of the hardware based VVoIP or VTC endpoints. This is a finding in the event the endpoint can access general web pages on the Internet or enterprise intranet other than approved external applications.

NOTE: This requirement does not apply to limited web browsing capabilities required to access external applications and services that have been approved for accessibility on the endpoint and implemented by the enterprise.

Fix Text (F-22304r1_fix)
Ensure hardware based VVoIP or VTC endpoint web browser capabilities that permit the endpoint to browse the internet or intranet are disabled unless such capabilities are specifically required for the proper function of the endpoint or to access specific external applications.