A VVoIP or VTC endpoint that provides a PC data Port is not configured to disable the PC port (or the port is not physically blocked from use) if a PC or other device is not normally attached

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-19660	VVoIP 5715 (LAN)	SV-21801r1_rule	ECSC-1	Low

Description
Many IP hardware phones provide a separate data port for the connection of a PC to the phone so that only a single cable is required to provide data and voice connectivity to the end users desktop. Additionally, some IP hardware phones are only capable of providing basic layer 2 connectivity, acting like a hub and combining the data and voice network segments. While other IP phones offer enhanced Layer 2 connectivity providing the option to use VLAN technology, to place the phone and the data traffic on two different VLANs. To ensure logical separation of voice and data in order to maintain the security of the VoIP environment, only layer 2 enhanced or VLAN capable phones should be considered for use. Many attacks on DOD computer systems are launched from within the network by dissatisfied or disgruntled employees, therefore, it is imperative that any active IP Phone data ports be disabled the same as unused physical ports on a network switch. If unauthorized personnel gain access to the VoIP or data environment through an unsecured data port, they could cause disruptions, denial of service conditions, or access sensitive information. Disabling data ports on IP Phones prevents this type of unauthorized and unwanted activity. NOTE: It is not typical that the PC port will be used on all endpoints. For example, phones and VTC units in offices typically might be used, while phones in common areas such as a lobby, hallway, or kitchen, etc. will not. Phones and VTC units in conference rooms may or may not, depending upon site policy. In general, these PC ports are the most vulnerable to unauthorized use, and therefore should be disabled until actually required to be used by an authorized LAN user. The specific vulnerability addressed here is unauthorized access to the LAN and/or the endpoints’ configuration and communications traffic.

Description

Many IP hardware phones provide a separate data port for the connection of a PC to the phone so that only a single cable is required to provide data and voice connectivity to the end users desktop. Additionally, some IP hardware phones are only capable of providing basic layer 2 connectivity, acting like a hub and combining the data and voice network segments. While other IP phones offer enhanced Layer 2 connectivity providing the option to use VLAN technology, to place the phone and the data traffic on two different VLANs. To ensure logical separation of voice and data in order to maintain the security of the VoIP environment, only layer 2 enhanced or VLAN capable phones should be considered for use. Many attacks on DOD computer systems are launched from within the network by dissatisfied or disgruntled employees, therefore, it is imperative that any active IP Phone data ports be disabled the same as unused physical ports on a network switch. If unauthorized personnel gain access to the VoIP or data environment through an unsecured data port, they could cause disruptions, denial of service conditions, or access sensitive information. Disabling data ports on IP Phones prevents this type of unauthorized and unwanted activity. NOTE: It is not typical that the PC port will be used on all endpoints. For example, phones and VTC units in offices typically might be used, while phones in common areas such as a lobby, hallway, or kitchen, etc. will not. Phones and VTC units in conference rooms may or may not, depending upon site policy. In general, these PC ports are the most vulnerable to unauthorized use, and therefore should be disabled until actually required to be used by an authorized LAN user. The specific vulnerability addressed here is unauthorized access to the LAN and/or the endpoints’ configuration and communications traffic.

STIG	Date
Voice/Video over Internet Protocol STIG	2015-01-05

Details

Check Text ( C-24020r1_chk )
Interview the IAO to determine if the VVoIP or VTC endpoints provide a PC Port. Further determine the following: Is the port is regularly used on most endpoints? Which endpoints and PC ports are NOT used? NOTE: It is not typical that the PC port will be used on all endpoints. For example, phones and VTC units in offices typically might be used, while phones in common areas such as a lobby, hallway, or kitchen, etc. will not. Phones and VTC units in conference rooms may or may not, depending upon site policy. In general, though, these PC ports are the most vulnerable to unauthorized use and therefore should be disabled until actually required to be used by an authorized LAN user. Ensure all VVoIP or VTC endpoints that provide a PC Port are configured to disable the PC data port if a PC or other device is not normally attached.

Check Text ( C-24020r1_chk )

Interview the IAO to determine if the VVoIP or VTC endpoints provide a PC Port. Further determine the following:
Is the port is regularly used on most endpoints?
Which endpoints and PC ports are NOT used?

NOTE: It is not typical that the PC port will be used on all endpoints. For example, phones and VTC units in offices typically might be used, while phones in common areas such as a lobby, hallway, or kitchen, etc. will not. Phones and VTC units in conference rooms may or may not, depending upon site policy. In general, though, these PC ports are the most vulnerable to unauthorized use and therefore should be disabled until actually required to be used by an authorized LAN user.

Ensure all VVoIP or VTC endpoints that provide a PC Port are configured to disable the PC data port if a PC or other device is not normally attached.

Fix Text (F-20364r1_fix)
Ensure all VVoIP or VTC endpoints that provide a PC Port are configured to disable the PC data port if a PC or other device is not normally attached. NOTE: A partial mitigation to the vulnerability addressed here is to configure the LAN access switch ports for MAC based port security and configuring it to only accept connections from the specific MAN address of the connected approved endpoint