Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-19651 | VVoIP 5320 (LAN) | SV-21792r1_rule | ECSC-1 | Medium |
Description |
---|
A PC port on a VVoIP or VTC endpoint that is not intended for regular use is required to be disabled. Unused LAN access switchports and LAN drops are also to be disabled per the Network Infrastructure STIG. From the Network Infrastructure Checklist NET1435 vulnerability discussion: “It is possible that a disabled port that is assigned to a user or management VLAN becomes enabled by accident or by an attacker and as a result gains access to that VLAN as a member.” The resulting requirement is: “ensure disabled ports are placed in an unused VLAN (do not use VLAN 1).” Similarly, a PC port on a VVoIP or VTC endpoint that is disabled may become “un-disabled” (activated). If this were to occur, and the switchport is statically assigned to the VVoIP or VTC VLAN, the connected device, PC or otherwise, would have direct access to the VLAN that the VVoIP or VTC endpoint is configured to use, thereby compromising it. This could provide unauthorized access to the VVoIP or VTC traffic, endpoints, and core control devices. |
STIG | Date |
---|---|
Voice/Video over Internet Protocol STIG | 2015-01-05 |
Check Text ( C-24000r1_chk ) |
---|
Inspect LAN access switchport configuration settings to confirm compliance with the following requirement: In the event a LAN access switchport supports a VVoIP or VTC endpoint containing a PC port that is not intended for regular use and is therefore to be disabled under an earlier requirement, ensure the switchport is configured such that the switch’s “unused data” VLAN is assigned as the endpoint’s “default data” VLAN for untagged PC traffic, so that this is where the traffic lands in the event the PC port is activated and used. NOTE: The endpoint LAN access switchport would normally be configured with a VVoIP VLAN for the VVoIP traffic. NOTE: This is IAW, and supports, NI STIG requirement NET1435. |
Fix Text (F-20355r1_fix) |
---|
Configure LAN access switchports that support VVoIP or VTC endpoints whose PC ports are disabled with the switch’s “unused port” VLAN as the endpoint’s “default data” VLAN for untagged PC traffic, as well as with the secondary VVoIP or VTC VLAN, just as would be the case if the PC port were in use. Do not statically assign the switchport to the VVoIP or VTC VLAN. |
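One way to audit switchport configurations against this fix, as an added example that is not part of the STIG: a Python checker over Cisco-IOS-style `switchport access vlan` / `switchport voice vlan` stanzas. The IOS syntax, the VLAN numbers and the sample stanzas are constructed assumptions (the STIG is vendor-neutral); the checker flags a port whose untagged PC-port traffic would land in the VVoIP/VTC VLAN or in VLAN 1, and passes only a port parked in the unused-port VLAN that still carries the VVoIP VLAN as its tagged voice VLAN.

```python
import re

# Constructed values for this example; a real audit takes them from the site's VLAN plan.
VVOIP_VLANS = {200}   # VLAN(s) carrying the VVoIP/VTC traffic
PARKING_VLAN = 999    # the switch's "unused port" VLAN: isolated, no SVI, never VLAN 1

# Constructed Cisco-IOS-style stanzas (assumed syntax; the STIG itself is vendor-neutral).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description phone, PC port disabled, statically in the VVoIP VLAN (non-compliant)
 switchport access vlan 200
 switchport voice vlan 200
!
interface GigabitEthernet1/0/2
 description phone, PC port disabled, parked in the unused-port VLAN (compliant)
 switchport access vlan 999
 switchport voice vlan 200
!
interface GigabitEthernet1/0/3
 description VTC codec, PC port disabled, no access VLAN so IOS defaults to VLAN 1
 switchport voice vlan 200
!
"""

def parse_interfaces(config):
    """Map interface name -> {'access': vlan or None, 'voice': vlan or None}."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            cur = ifaces.setdefault(m.group(1), {"access": None, "voice": None})
            continue
        m = re.match(r"\s*switchport (access|voice) vlan (\d+)", line)
        if m and cur is not None:
            cur[m.group(1)] = int(m.group(2))
    return ifaces

def check_endpoint_port(iface):
    """Findings for one endpoint port; an empty list means compliant with V-19651."""
    findings = []
    access = 1 if iface["access"] is None else iface["access"]  # IOS default access VLAN is 1
    if access in VVOIP_VLANS:
        findings.append("untagged PC traffic would land in the VVoIP/VTC VLAN")
    elif access == 1:
        findings.append("untagged PC traffic would land in VLAN 1")
    elif access != PARKING_VLAN:
        findings.append(f"default data VLAN {access} is not the unused-port VLAN {PARKING_VLAN}")
    if iface["voice"] not in VVOIP_VLANS:
        findings.append("no VVoIP/VTC voice VLAN on the port")
    return findings
```

Run `check_endpoint_port` over each entry of `parse_interfaces(running_config)` to produce the per-port findings; the third stanza shows why a missing `switchport access vlan` line is itself a finding.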