
VVoIP endpoints receive improper IP address assignment/configuration information or receive it from a DHCP server that is NOT dedicated to the VVoIP system


Overview

Finding ID: V-19630
Version: VVoIP 5235 (LAN)
Rule ID: SV-21771r2_rule
IA Controls: ECSC-1
Severity: Medium
Description
When using Dynamic Host Configuration Protocol (DHCP) for address assignment and host configuration, different DHCP scopes (different address space, subnets, and VLANs) must be used for voice components and data components. Ideally this means there is a DHCP server dedicated to providing IP address and configuration information to the VVoIP endpoints, separate from the one providing IP address and configuration information to data hosts (workstations, etc.). That is, a DHCP server serving VVoIP devices needs to be in the V_VUC domain, i.e., the same address space and VLAN(s). This removes the need to route DHCP requests into the data environment on the LAN, which would degrade the separation of the VVoIP environment and the data environment.

NOTE: The best practice is to manually assign addresses when authorizing the instrument by generating its configuration file.

In the event a dedicated DHCP server for VVoIP endpoints is not implemented, the network (i.e., the router controlling access to and from the VVoIP endpoint VLANs) must route VVoIP endpoint DHCP requests directly to the DHCP server in such a manner that prevents traffic from flowing between the VVoIP and data VLANs. Additionally, the DHCP server must prevent such traffic flows while providing the VVoIP endpoints with proper VVoIP addresses and other information within the VVoIP address/subnet range (scope).
STIG: VOICE and VIDEO over INTERNET PROTOCOL (VVoIP) POLICY SECURITY TECHNICAL IMPLEMENTATION GUIDE
Date: 2010-08-17

Details

Check Text (C-23953r2_chk)
Interview the IAO to confirm compliance with the following requirement:

In the event the VVoIP system is designed to use DHCP for VVoIP initial endpoint address assignment/configuration, ensure the following:
> The DHCP server provides addresses from the segregated VVoIP address space and associated configuration information to VVoIP endpoints exclusively.
> In the event the DHCP server is not dedicated to VVoIP, ensure it does not provide data addresses and configuration information to the VVoIP endpoints and, conversely, does not provide VVoIP addresses and configuration information to the data endpoints (hosts or workstations).
> In the event the DHCP server is not dedicated to VVoIP, ensure the DHCP server and associated network routing prevent traffic from flowing between the VVoIP VLANs and data VLANs.

Inspect the configuration of all DHCP servers within the enclave to determine their address scope(s) and their placement within the network with respect to the VVoIP, data, or other VLANs.

This is a finding in the event the DHCP server that provides address and network configuration information to data components/hosts also provides this information to VVoIP endpoints or other system components.

Conversely, this is a finding in the event the DHCP server that provides address and network configuration information to VVoIP endpoints can also provide VVoIP addresses and information to data components/hosts or other non-VVoIP system components.

NOTE: Dedicated hardware IP-VTC endpoints that are integrated with the VVoIP system (i.e., they establish calls/sessions by signaling with the VVoIP LSC) may utilize the services of the VVoIP DHCP server because they may reside in the VVoIP system of VLANs. Dedicated hardware IP-VTC endpoints that are not associated with the LSC are required to reside in their own system of VLANs and therefore should have their own DHCP server or, better yet, be statically addressed.
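The check above (and the Description's scope-separation requirement) reduces to reading each DHCP server's scope declarations and deciding which VLAN address space each scope belongs to. The following audit script is an added example, not part of the STIG or of any STIG viewer tooling: it parses ISC dhcpd-style `subnet`/`range` declarations, classifies each scope against an inventory of voice, data and independent IP-VTC address spaces (the 10.10.0.0/16, 10.20.0.0/16 and 10.30.0.0/16 assignments are assumptions for the example), and reports a finding when one server hands out scopes from more than one role, when a range reaches outside its declared subnet (which would hand an endpoint an address from another VLAN's space), or when a scope matches no inventoried VLAN at all. Both dhcpd.conf samples are constructed for the example.

```python
"""Audit DHCP scope declarations against the VVoIP/data/VTC separation rule.

Added example (not from the STIG): parses ISC dhcpd-style 'subnet ... { range ...; }'
declarations and flags servers whose scopes span more than one of the voice, data
and independent IP-VTC address spaces, or whose ranges leak outside their subnet.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Assumed inventory of which address space each VLAN role owns (constructed, site-specific).
VLAN_ROLES: Dict[str, ipaddress.IPv4Network] = {
    "data": ipaddress.ip_network("10.10.0.0/16"),
    "voice": ipaddress.ip_network("10.20.0.0/16"),
    "vtc": ipaddress.ip_network("10.30.0.0/16"),
}

# Flat subnet blocks only; nested pool { } blocks are not handled by this minimal parser.
SUBNET_RE = re.compile(r"subnet\s+([\d.]+)\s+netmask\s+([\d.]+)\s*\{(.*?)\}", re.S)
RANGE_RE = re.compile(r"range\s+([\d.]+)(?:\s+([\d.]+))?\s*;")


def parse_scopes(conf: str) -> List[Dict]:
    """Return one dict per subnet declaration with its network and (low, high) ranges."""
    scopes = []
    for m in SUBNET_RE.finditer(conf):
        net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        ranges: List[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]] = []
        for r in RANGE_RE.finditer(m.group(3)):
            lo = ipaddress.ip_address(r.group(1))
            hi = ipaddress.ip_address(r.group(2) or r.group(1))  # single-address range
            ranges.append((lo, hi))
        scopes.append({"network": net, "ranges": ranges})
    return scopes


def role_of(net: ipaddress.IPv4Network) -> str:
    """Map a scope's network to the VLAN role whose address space contains it."""
    for role, space in VLAN_ROLES.items():
        if net.subnet_of(space):
            return role
    return "unknown"


def audit_server(name: str, conf: str) -> List[str]:
    """Apply the STIG check to one DHCP server's configuration; return finding strings."""
    findings = []
    roles_served = set()
    for scope in parse_scopes(conf):
        net = scope["network"]
        role = role_of(net)
        if role == "unknown":
            findings.append(f"{name}: scope {net} lies outside every inventoried VLAN address space")
        else:
            roles_served.add(role)
        for lo, hi in scope["ranges"]:
            # A range outside its subnet would hand endpoints addresses from another VLAN's space.
            if lo not in net or hi not in net or lo > hi:
                findings.append(f"{name}: range {lo}-{hi} is not within declared subnet {net}")
    if len(roles_served) > 1:
        findings.append(
            f"{name}: serves {sorted(roles_served)} scopes from one server; "
            "VVoIP, data and independent IP-VTC endpoints each require a dedicated DHCP server"
        )
    return findings


# Constructed sample: one server carrying both a data scope and a voice scope (a finding).
SHARED_DHCPD_CONF = """
subnet 10.10.5.0 netmask 255.255.255.0 {
  option routers 10.10.5.1;
  range 10.10.5.50 10.10.5.200;
}
subnet 10.20.5.0 netmask 255.255.255.0 {
  option routers 10.20.5.1;
  range 10.20.5.50 10.20.5.200;
}
"""

# Constructed sample: a server dedicated to the voice VLANs (no finding).
VOICE_DHCPD_CONF = """
subnet 10.20.5.0 netmask 255.255.255.0 {
  option routers 10.20.5.1;
  range 10.20.5.50 10.20.5.200;
}
subnet 10.20.6.0 netmask 255.255.255.0 {
  option routers 10.20.6.1;
  range 10.20.6.50 10.20.6.200;
}
"""

if __name__ == "__main__":
    for server, conf in (("shared-dhcp", SHARED_DHCPD_CONF), ("voice-dhcp", VOICE_DHCPD_CONF)):
        for line in audit_server(server, conf) or [f"{server}: no findings"]:
            print(line)
```

The script treats any server whose scopes span two roles as a finding, which is what the check text says; it does not evaluate the Fix Text's fallback (a shared server behind routing that still blocks VVoIP-to-data traffic), because that depends on the router's relay and ACL configuration, which must be reviewed separately.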


Fix Text (F-20334r2_fix)
When using DHCP for VVoIP endpoint configuration or address assignment, ensure different DHCP scopes are used for VVoIP components, data components, and independent IP-VTC endpoints. Additionally, ensure these servers reside in their respective voice, VTC, or data address space and VLANs, and that the VVoIP endpoints (or independent IP-VTC endpoints) only receive address/configuration information from the DHCP server dedicated to them.

Alternately, if a dedicated DHCP server is not implemented, ensure the DHCP server provides addresses from the segregated VVoIP address space and associated configuration information to VVoIP endpoints exclusively; ensure it does not provide data addresses and configuration information to the VVoIP endpoints and, conversely, does not provide VVoIP addresses and configuration information to the data endpoints (hosts or workstations); and ensure the DHCP server and associated network routing prevent traffic from flowing between the VVoIP VLANs and data VLANs.


NOTE: Dedicated hardware IP-VTC endpoints that are integrated with the VVoIP system (i.e., they establish calls/sessions by signaling with the VVoIP LSC) may utilize the services of the VVoIP DHCP server because they may reside in the VVoIP system of VLANs. Dedicated hardware IP-VTC endpoints that are not associated with the LSC are required to reside in their own system of VLANs and therefore should have their own DHCP server or, better yet, be statically addressed.