Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-19652 | VVoIP 5300 (LAN) | SV-21793r1_rule | ECSC-1 | Medium |
Description |
---|
The Network Infrastructure (NI) STIG provides DoD policy for the use of “port security” or LAN access control on LAN access switchports. One of these methods is MAC based port security, which limits the number of devices that can be connected to a LAN drop and LAN access switchport, thereby protecting the LAN by providing a measure of access control. Allowing too many MAC addresses on a switchport could allow a mini-hub or switch to be added to the voice VLAN port or PC/data port on a VVoIP or VTC endpoint, to which additional unauthorized devices or workstations could then be connected. Thus the entire VVoIP or VTC system, or the LAN itself, may be compromised.

This requirement works in association with the NI STIG requirements on MAC based port security. In some cases this requirement might conflict with or modify the requirements contained therein, because the focus of the NI STIG is data networks, where typically only one data device is authorized to connect to any given LAN drop. This follows through for VVoIP or VTC endpoints provided the workspace in which they are to be installed is provisioned with enough LAN drops to support the number of devices to be used there, and each LAN drop that is to be used is connected to a LAN access switchport. In such a scenario, it is best practice to limit the devices permitted to connect to any given LAN drop/switchport combination to one. There are two methods for effecting this limitation. The first is to statically map the MAC address of a pre-authorized device into the configuration of the LAN access switchport. The second is called sticky (MAC based) port security, in which the MAC address of the first device to connect to the switchport is learned and added to the configuration; this becomes the authorized device. Sticky port security requires that care be exercised regarding what device is connected to a port for the first time. In both cases an alarm will be generated if an unauthorized device is connected.

Many VVoIP or VTC endpoints provide an extra Ethernet port, called a PC port, that permits the endpoint and a PC (or other device) to share the same LAN drop. This has several advantages. First, a VVoIP or VTC endpoint can be added to a LAN that heretofore only supported PCs without having to run additional cable or activate additional LAN drops. This provides a cost savings in both initial installation and operating costs for the LAN infrastructure, because it reduces the number of active LAN access switchports and thereby the energy consumed. This reduction lowers not only the energy needed to operate the LAN equipment but also the energy required to cool it, providing another reduction (or lack of increase) in energy usage and operating cost. Sharing LAN drops is green. Other devices, such as access control devices, can also share a LAN drop. It is possible to share a single LAN drop among a VVoIP endpoint, a desktop VTC endpoint, and a PC.

The following limitations for MAC based port security are to be implemented to support VVoIP or VTC endpoints in various scenarios:

- A single authorized VVoIP or VTC endpoint on a LAN drop/switchport requires one MAC to be statically configured, or the learned maximum set to one, whether it provides a PC port or not. In this case the PC port is disabled. Connecting a device to the PC port will cause an alarm.
- A single VVoIP or VTC endpoint on a LAN drop/switchport that provides a PC port to which a PC will be connected requires two statically mapped MAC addresses or a maximum of three dynamically learned addresses. While only two authorized devices are permitted to connect, the endpoint address may be learned twice, once in association with the data VLAN and once with the VVoIP or VTC VLAN.
- In the event a VVoIP endpoint, a VTC endpoint, and a PC are to be daisy chained on one LAN drop and switchport, the switchport will need to be configured for 3 statically mapped addresses or a maximum of 5 dynamically learned MAC addresses. This is because both the VVoIP and VTC endpoints will typically be assigned to the VVoIP VLAN due to switchport mode configuration limitations, and both endpoints may be learned twice, in association with the data VLAN and the VVoIP or VTC VLAN.

NOTE: Another green initiative in which a single LAN drop is shared among several devices is called "hot desking", which is related to conservation of office space and teleworking. Hot desking is where several people are assigned to work at the same desk at different times, each with their own laptop PC. In this case, a different MAC address needs to be permitted for each laptop that is supposed to connect to the LAN drop in the workspace. Additionally, this workspace could contain a single phone (and possibly a desktop VTC endpoint) used by all assignees, and the PC port on it might be the connection for their laptops. In this case it is best not to use sticky port security but to use a static mapping of pre-authorized devices or implement 802.1x.
STIG | Date |
---|---|
Voice/Video over Internet Protocol STIG | 2015-01-05 |
Check Text (C-24001r1_chk) |
---|
If sticky MAC based port security is used, where MAC addresses are learned, inspect the LAN access switchport configuration settings to confirm compliance as follows:

- A LAN switchport supporting a single authorized VVoIP or VTC endpoint is configured for a learned maximum of one, whether the endpoint provides a PC port or not. In this case the PC port is disabled. Connecting a device to the PC port will cause an alarm.
- A LAN switchport supporting a single authorized VVoIP or VTC endpoint that provides a PC port to which a PC will be connected is configured for a maximum of three dynamically learned addresses. While only two authorized devices are permitted to connect, the endpoint address may be learned twice, once in association with the data VLAN and once with the VVoIP or VTC VLAN.
- If a VVoIP endpoint, a VTC endpoint, and a PC are to be daisy chained on one LAN drop and switchport, the switchport is configured for a maximum of five dynamically learned addresses. This is because both the VVoIP and VTC endpoints will typically be assigned to the VVoIP VLAN due to switchport mode configuration limitations, and both endpoints may be learned twice, in association with the data VLAN and the VVoIP or VTC VLAN.

If the switchport supports a third VLAN in access mode, additional MAC addresses may be learned by the multiple VLANs, requiring the maximum to be set higher, but only if absolutely necessary.
Fix Text (F-20356r1_fix) |
---|
Configure LAN access switchport security in compliance with the following requirement: in the event MAC based port security is implemented as the required LAN access control method, ensure only those MAC addresses required to support the devices pre-authorized to connect to the switchport are configured on it. Additionally, if sticky or dynamic MAC based port security is implemented, ensure the maximum number of MAC addresses that can be dynamically configured (learned) on a given switchport is limited to that which is required to support the connection of authorized devices (i.e., 1, 3, or in some special cases more).

NOTE: The following conditions and numbers of MACs apply:

- A single authorized VVoIP or VTC endpoint requires one MAC to be statically configured, or the learned maximum set to one, whether it provides a PC port or not. In this case the PC port is disabled. Connecting a device to the PC port will cause an alarm.
- A VVoIP or VTC endpoint that provides a PC port to which a PC will be connected requires two statically mapped MAC addresses or a maximum of three dynamically learned addresses. While only two authorized devices are permitted to connect, the endpoint address may be learned twice, once in association with the data VLAN and once with the VVoIP or VTC VLAN.
- In the event a VVoIP endpoint, a VTC endpoint, and a PC are to be daisy chained on one LAN drop and switchport, the switchport will need to be configured for 3 statically mapped addresses or a maximum of 5 dynamically learned MAC addresses. This is because both the VVoIP and VTC endpoints will typically be assigned to the VVoIP VLAN due to switchport mode configuration limitations, and both endpoints may be learned twice, in association with the data VLAN and the VVoIP or VTC VLAN.
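The following is an added example, not part of the STIG, of automating the Check Text inspection and the Fix Text limits above: it reads port-security settings out of a switch configuration and compares each port's static MAC count or learned maximum against the three scenarios (1, 3 or 5 learned; 1, 2 or 3 static). The STIG names no vendor, so Cisco IOS command syntax, the interface names, the MAC address and the port-to-scenario inventory are all assumptions constructed for the sample.

```python
import re

SCENARIO_LIMITS = {  # (statically mapped MACs, dynamic/sticky maximum) per STIG scenario
    "endpoint": (1, 1),      # one VVoIP/VTC endpoint, PC port disabled
    "endpoint+pc": (2, 3),   # endpoint plus a PC on its PC port
    "vvoip+vtc+pc": (3, 5),  # VVoIP endpoint, VTC endpoint and PC daisy chained
}

def parse_interfaces(config):
    # Collect port-security settings per interface; Cisco IOS syntax is assumed
    ports, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            # IOS default once port security is enabled: maximum 1, nothing pinned
            cur = ports.setdefault(m.group(1), {"max": 1, "sticky": False, "static": 0})
        elif cur is None:
            continue
        elif m := re.match(r"switchport port-security maximum (\d+)$", line):
            cur["max"] = int(m.group(1))
        elif line.startswith("switchport port-security mac-address sticky"):
            cur["sticky"] = True
        elif re.match(r"switchport port-security mac-address [0-9a-f.]+$", line):
            cur["static"] += 1  # a pre-authorized MAC pinned to the port
    return ports

def check_port(port, scenario):
    # Return findings for one switchport; an empty list means compliant
    static_n, dyn_max = SCENARIO_LIMITS[scenario]
    findings = []
    if port["static"] and not port["sticky"]:
        if port["static"] != static_n:
            findings.append(f"{port['static']} static MACs configured, {static_n} required")
        if port["max"] > port["static"]:  # spare slots would be filled by learned MACs
            findings.append(f"maximum {port['max']} leaves room for unauthorized learned MACs")
    elif port["max"] > dyn_max:
        findings.append(f"learned maximum {port['max']} exceeds limit of {dyn_max}")
    return findings

# Constructed sample config: a pinned single-endpoint port and an over-permissive sticky port
SAMPLE_CONFIG = """
interface GigabitEthernet1/0/1
 switchport port-security
 switchport port-security mac-address 0011.2233.4455
interface GigabitEthernet1/0/2
 switchport port-security
 switchport port-security maximum 8
 switchport port-security mac-address sticky
"""
PORT_SCENARIOS = {"GigabitEthernet1/0/1": "endpoint", "GigabitEthernet1/0/2": "vvoip+vtc+pc"}

def audit(config=SAMPLE_CONFIG, scenarios=PORT_SCENARIOS):
    # Map each inventoried port to its list of findings
    ports = parse_interfaces(config)
    return {name: check_port(ports[name], scn) for name, scn in scenarios.items()}
```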