LAN access switchport supporting a VVoIP or VTC endpoint that does not, or is not configured to, apply 802.1Q VLAN tags to its traffic is NOT statically assigned to the appropriate local VVoIP or VTC VLAN.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-19649	VVoIP 5550 (LAN)	SV-21790r1_rule		Medium

Description
VVoIP or VTC endpoints that are not configured to or cannot provide a 802.1Q VLAN tag to its VVoIP traffic have no control over what VLAN their traffic ends up in, if any. Therefore the responsibility of placing VVoIP or VTC traffic in an appropriate VLAN for the type of traffic falls to the LAN switch. As such each switchport on a LAN NE that supports a VVoIP or VTC endpoint must place the traffic in the correct VLAN. This means that, in lieu of any other means to sort the traffic, each switchport must be statically assigned to the appropriate VLAN. NOTE: In some cases a LAN NE can use some other endpoint or traffic characteristic other than 802.1Q tagging to assign the traffic to the correct VLAN.

Description

VVoIP or VTC endpoints that are not configured to or cannot provide a 802.1Q VLAN tag to its VVoIP traffic have no control over what VLAN their traffic ends up in, if any. Therefore the responsibility of placing VVoIP or VTC traffic in an appropriate VLAN for the type of traffic falls to the LAN switch. As such each switchport on a LAN NE that supports a VVoIP or VTC endpoint must place the traffic in the correct VLAN. This means that, in lieu of any other means to sort the traffic, each switchport must be statically assigned to the appropriate VLAN. NOTE: In some cases a LAN NE can use some other endpoint or traffic characteristic other than 802.1Q tagging to assign the traffic to the correct VLAN.

STIG	Date
VOICE and VIDEO over INTERNET PROTOCOL (VVoIP) POLICY SECURITY TECHNICAL IMPLEMENTATION GUIDE	2010-08-17

Details

Check Text ( C-23998r1_chk )
Inspect LAN access switchport configuration settings to confirm compliance with the following requirement: In the event a VVoIP or VTC endpoint does not, or is not configured to, apply 802.1Q VLAN tags to its VVoIP or VTC traffic, ensure the supporting LAN access switchport is statically assigned to the appropriate local VVoIP or VTC VLAN. This is not a finding in the event the LAN NE is configured to place the VVoIP or VTC traffic in the correct VLAN by some other method (e.g., MAC based). This is a finding in the event static VLAN assignment of the LAN access switchport is not configured to place the VVoIP VTC traffic in the correct VLAN in lieu of another method being configured. NOTE: While some LAN NEs have the capability of sorting traffic into VLANs based upon the protocol type, this method does not meet the intent of this requirement (i.e., the separation of VVoIP or VTC traffic to limit access to it and protect the system) since a PC could use similar protocols to those used by VVoIP or VTC endpoints for applications that are not associated with the VVoIP or VTC system which should therefore be kept separate. Using this method, the separation and resulting protection of the VVoIP or VTC system is diminished and a malicious user might be capable of using this to compromise the system.

Check Text ( C-23998r1_chk )

Inspect LAN access switchport configuration settings to confirm compliance with the following requirement:
In the event a VVoIP or VTC endpoint does not, or is not configured to, apply 802.1Q VLAN tags to its VVoIP or VTC traffic, ensure the supporting LAN access switchport is statically assigned to the appropriate local VVoIP or VTC VLAN.

This is not a finding in the event the LAN NE is configured to place the VVoIP or VTC traffic in the correct VLAN by some other method (e.g., MAC based).

This is a finding in the event static VLAN assignment of the LAN access switchport is not configured to place the VVoIP VTC traffic in the correct VLAN in lieu of another method being configured.

NOTE: While some LAN NEs have the capability of sorting traffic into VLANs based upon the protocol type, this method does not meet the intent of this requirement (i.e., the separation of VVoIP or VTC traffic to limit access to it and protect the system) since a PC could use similar protocols to those used by VVoIP or VTC endpoints for applications that are not associated with the VVoIP or VTC system which should therefore be kept separate. Using this method, the separation and resulting protection of the VVoIP or VTC system is diminished and a malicious user might be capable of using this to compromise the system.

Fix Text (F-20353r1_fix)
In the event the VVoIP or VTC endpoint does not, or is not configured to, apply 802.1Q VLAN tags to its VVoIP traffic; and the switchport is not configured to place the VVoIP or VTC traffic in the correct VLAN by some other method (other than by protocol type) ensure the supporting LAN access switchport is statically assigned to the appropriate local VVoIP or VTC VLAN.