
The hardware Voice Video Endpoint must apply 802.1Q VLAN tags to signaling and media traffic.


Overview

Finding ID: V-66701
Version: SRG-NET-000520-VVEP-00010
Rule ID: SV-81191r1_rule
IA Controls:
Severity: Medium

Description
When Voice Video Endpoints do not dynamically assign 802.1Q VLAN tags as data is created and combined, it is possible the VLAN tags will not correctly reflect the data type with which they are associated. VLAN tags are used as security attributes in this context and used as abstractions representing basic properties of an active entity with respect to safeguarding information. These attributes are typically associated with signaling and media streams within the application and are used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy. Security labels for packets may include traffic flow information (e.g., source, destination, protocol combination); traffic classification based on QoS markings for preferred treatment; and VLAN identification. When signaling or media streams are created or combined, the security attributes must be dynamically applied to reflect the appropriate sensitivity and characteristics. Assignment to the correct VLAN, application of precedence, and responding to preemption are all ways voice video signaling and media streams must be dynamically controlled.

STIG: Voice Video Endpoint Security Requirements Guide
Date: 2017-04-06

Details

Check Text (C-67327r1_chk)
If the Voice Video Endpoint is not a hardware endpoint, this check procedure is Not Applicable.

Verify the hardware Voice Video Endpoint applies 802.1Q VLAN tags to signaling and media traffic.

If the hardware Voice Video Endpoint does not apply 802.1Q VLAN tags to signaling and media traffic, this is a finding.
Fix Text (F-72777r1_fix)
Configure the hardware Voice Video Endpoint to apply 802.1Q VLAN tags to signaling and media traffic.
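
One way to carry out the check above against frames captured on the endpoint's switch port, as an added example that is not part of the STIG: it parses raw Ethernet frames and reports signaling or media frames that are untagged or tagged with the wrong VLAN. The voice VLAN ID (110), SIP on UDP 5060, the RTP port range and the sample frames are assumptions constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100               # EtherType value that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
SIP_PORT = 5060                   # assumption: signaling is SIP over UDP 5060
RTP_PORTS = range(16384, 32768)   # assumption: the site's RTP media port range

def inspect_frame(frame: bytes):
    """Return (kind, vlan_id, pcp) for a voice UDP/IPv4 frame, else None.
    vlan_id and pcp are None when the frame carries no 802.1Q tag."""
    if len(frame) < 18:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan_id = pcp = None
    offset = 14
    if ethertype == TPID_8021Q:
        # TCI = 3-bit priority (PCP), 1-bit DEI, 12-bit VLAN ID
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vlan_id = tci >> 13, tci & 0x0FFF
        offset = 18
    if ethertype != ETHERTYPE_IPV4 or len(frame) < offset + 20:
        return None
    ihl = (frame[offset] & 0x0F) * 4
    if frame[offset + 9] != 17 or len(frame) < offset + ihl + 4:  # 17 = UDP
        return None
    sport, dport = struct.unpack("!HH", frame[offset + ihl:offset + ihl + 4])
    if SIP_PORT in (sport, dport):
        return "signaling", vlan_id, pcp
    if sport in RTP_PORTS or dport in RTP_PORTS:
        return "media", vlan_id, pcp
    return None

def find_violations(frames, expected_vlan):
    """List (index, kind, vlan_id) for voice frames not tagged with expected_vlan."""
    results = [(i, inspect_frame(f)) for i, f in enumerate(frames)]
    return [(i, r[0], r[1]) for i, r in results if r and r[1] != expected_vlan]

def build_sample(vlan, sport, dport):
    """Constructed test frame (zeroed MACs and checksums), not a real capture."""
    tag = struct.pack("!HH", TPID_8021Q, (5 << 13) | vlan) if vlan is not None else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    return bytes(12) + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp

SAMPLE = [build_sample(110, 5060, 5060),     # signaling, tagged VLAN 110
          build_sample(110, 16500, 16502),   # media, tagged VLAN 110
          build_sample(None, 16500, 16502),  # media, untagged: a finding
          build_sample(20, 5060, 5060)]      # signaling on the wrong VLAN

if __name__ == "__main__":
    for idx, kind, vlan in find_violations(SAMPLE, expected_vlan=110):
        print(f"frame {idx}: {kind} traffic has VLAN {vlan}, expected 110")
```

The capture must be taken where tags are still present, such as a mirror port or tap on the endpoint's access link, because many capture hosts and NIC drivers strip 802.1Q headers before the frame reaches the capture tool.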