Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-19633 | VVoIP 5525 (LAN) | SV-21774r1_rule | ECSC-1 | Medium |
Description |
---|
VLAN and IP address segmentation enables access and traffic control for the VVoIP system components. Only the required protocols are to reach a given VVoIP device, thereby protecting it from non-essential protocols. This protection is afforded on the LAN by implementing ACLs based on VLAN/subnet, protocol and, in some instances, specific IP addresses. While a firewall placed between the core equipment and the endpoint VLANs might provide better protection for the core equipment as a whole, a router is best suited to control the varying traffic patterns between the various devices. |
STIG | Date |
---|---|
Voice/Video over Internet Protocol STIG | 2014-04-07 |
Check Text ( C-23959r1_chk ) |
---|
Inspect the configurations of the LAN devices supporting VVoIP endpoints or their traffic to determine compliance with the following requirement: In the event the device supports VVoIP endpoints directly or indirectly, ensure the following VLANs are established and configured on this device: > Hardware endpoints: multiple VLANs, generally in parallel with the data LAN VLANs, the number of which is dependent on the size of the LAN and on the reduction of broadcast domains required by good LAN design. For small networks there will be a minimum of one. > Software endpoints on workstations: multiple VLANs, as with hardware endpoints. NOTE: In the event there are no software-based endpoints on workstations, the associated VLAN is not required. |
Fix Text (F-20337r1_fix) |
---|
In the event the device supports VVoIP endpoints directly or indirectly, ensure the following VLANs are established and configured on this device: > Hardware endpoints: multiple VLANs, generally in parallel with the data LAN VLANs, the number of which is dependent on the size of the LAN and on the reduction of broadcast domains required by good LAN design. For small networks there will be a minimum of one. > Software endpoints on workstations: multiple VLANs, as with hardware endpoints. NOTE: In the event there are no software-based endpoints on workstations, the associated VLAN is not required. |
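The check text above can be automated against a saved device configuration. The script below is an added example, not part of the STIG; it assumes a Cisco-IOS-style `vlan N` / `name X` stanza format and a VLAN naming convention (`VVOIP-HW-*` for hardware-endpoint VLANs, `VVOIP-SW-*` for software-endpoint VLANs), and it applies the NOTE by only requiring a software-endpoint VLAN when software endpoints exist on the LAN.

```python
"""Audit a switch configuration for the VVoIP endpoint VLANs required by V-19633."""
import re

# Constructed sample running-config (not from the STIG); IOS-like syntax is an assumption.
SAMPLE_CONFIG = """\
vlan 10
 name DATA-USERS
vlan 110
 name VVOIP-HW-PHONES
vlan 210
 name VVOIP-SW-CLIENTS
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport voice vlan 110
"""

# Assumed site naming convention for the two VVoIP endpoint VLAN classes.
HW_PATTERN = re.compile(r"VVOIP-HW", re.I)
SW_PATTERN = re.compile(r"VVOIP-SW", re.I)


def parse_vlans(config):
    """Return {vlan_id: name} from top-level 'vlan N' stanzas and their ' name X' lines."""
    vlans, current = {}, None
    for line in config.splitlines():
        stanza = re.match(r"^vlan (\d+)\s*$", line)
        if stanza:
            current = int(stanza.group(1))
            vlans[current] = ""
            continue
        name = re.match(r"^\s+name (\S+)\s*$", line)
        if name and current is not None:
            vlans[current] = name.group(1)
    return vlans


def audit_vvoip_vlans(config, has_software_endpoints):
    """Apply the V-19633 check; returns the VLANs found and any findings."""
    vlans = parse_vlans(config)
    hw = sorted(v for v, n in vlans.items() if HW_PATTERN.search(n))
    sw = sorted(v for v, n in vlans.items() if SW_PATTERN.search(n))
    # Voice VLANs actually bound to access ports (a defined but unused VLAN segments nothing).
    in_use = {int(v) for v in re.findall(r"switchport voice vlan (\d+)", config)}
    findings = []
    if not hw:
        findings.append("no hardware-endpoint VVoIP VLAN defined (minimum of one required)")
    elif not in_use.intersection(hw):
        findings.append("hardware-endpoint VVoIP VLAN defined but not assigned to any port")
    if has_software_endpoints and not sw:
        findings.append("software endpoints present but no software-endpoint VVoIP VLAN defined")
    return {"hardware_vlans": hw, "software_vlans": sw, "findings": findings, "compliant": not findings}
```

Run it against an exported configuration per device; `has_software_endpoints` comes from the site's inventory, since the NOTE makes the software-endpoint VLAN conditional on endpoints the configuration alone cannot reveal.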