Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-19630 | VVoIP 5235 (LAN) | SV-21771r2_rule | ECSC-1 | Medium |
Description |
---|
When using Dynamic Host Configuration Protocol (DHCP) for address assignment and host configuration, different DHCP scopes (different address space, subnets, and VLANs) must be used for voice components and data components. Optimally, the design would place a DHCP server dedicated to providing IP address and configuration information to the VVoIP endpoints separate from the IP address and configuration information to data hosts (workstations etc.). The DHCP server providing VVoIP devices should be in the V_VUC domain having the same address space and VLAN to prevent DHCP requests routed onto the data environment that degrade the separation of the VVoIP environment and the data environment. With centralized management of DHCP (and other services, such as DNS) this separation is obviously eliminated. DHCP requests and responses for voice must reside on a segregated VLAN. The best practice is to manually assign addresses when authorizing the instrument by generating its configuration file. In the event a dedicated DHCP server for VVoIP endpoints is not implemented, the network (i.e., the router controlling access to and from the VVoIP endpoint VLANs) must route VVoIP endpoint DHCP requests directly to the DHCP server in such a manner that prevents traffic to flow between the VVoIP and data VLANs. Additionally the DHCP server must prevent such traffic flows while providing the VVoIP endpoints with proper VVoIP addresses and other information within the VVoIP address/subnet range (scope). |
STIG | Date |
---|---|
Voice/Video over Internet Protocol (VVoIP) STIG | 2015-07-01 |
Check Text ( C-23954r2_chk ) |
---|
Interview the IAO to confirm compliance with the following requirement: For VVoIP system designed to use DHCP for VVoIP initial endpoint address assignment/configuration, Ensure the following: - The DHCP server provides addresses from the segregated VVoIP address space and associated configuration information to VVoIP endpoints exclusively. - In the event the DHCP server is not dedicated to VVoIP, ensure it does not provide data addresses and configuration information to the VVoIP endpoints and conversely does not provide VVoIP addresses and configuration information to the data endpoints (hosts or workstations). - In the event the DHCP server is not dedicated to VVoIP, ensure the DHCP server and associated network routing prevents traffic to flow between the VVoIP VLANs and data VLANs. Review VVoIP network design to determine the IP address the of VVoIP DHCP server. Alternately, determine the VLAN tag the VVoIP DHCP server uses or responds to or inspect the Ethernet port configuration of the LAN network equipment connected to the DHCP server to determine the VLAN assigned to the port. If the DHCP server’s IP address is not within the designated VVoIP VLAN structure or IP address range, this is a finding. Inspect the configuration of all DHCP servers within the enclave to determine their address scope(s), and placement within the network for the VVoIP, data, or other VLANs. If the DHCP server providing address and network configuration information to data components or hosts and also provides this information to VVoIP endpoints or other system components, this is a finding. Conversely, if a DHCP server providing address and network configuration information to VVoIP endpoints also provides VVoIP addresses and information to data components, hosts, or other non-VVoIP system components, this is a finding. NOTE: dedicated hardware IP-VTC endpoints that are integrated with the VVoIP system, (i.e., they establish calls/sessions by signaling with the VVoIP LSC) may utilize the services of the VVoIP DHCP server because they may reside in the VVoIP system of VLANs. Dedicated hardware IP-VTC endpoints that are not associated with the LSC are required to reside in their own system of VLANs and therefore should have their own DHCP server or, better yet, be statically addressed. |
Fix Text (F-20334r2_fix) |
---|
Configure the DHCP server supporting VVoIP endpoints to have different DHCP scopes used for VVoIP components, data components, and independent IP-VTC endpoints. Ensure these servers reside in their respective voice, VTC, or data address space and VLANs and the VVoIP endpoints (or independent IP-VTC endpoints) only receive address/configuration information from the DHCP server dedicated to them. Alternately, if a dedicated DHCP server is not implemented, ensure the DHCP server provides addresses from the segregated VVoIP address space and associated configuration information to VVoIP endpoints exclusively; ensure it does not provide data addresses and configuration information to the VVoIP endpoints and conversely does not provide VVoIP addresses and configuration information to the data endpoints (hosts or workstations); and ensure the DHCP server and associated network routing prevents traffic to flow between the VVoIP VLANs and data VLANs. NOTE: Dedicated hardware IP-VTC endpoints that are integrated with the VVoIP system, (i.e., they establish calls/sessions by signaling with the VVoIP LSC) may utilize the services of the VVoIP DHCP server because they may reside in the VVoIP system of VLANs. Dedicated hardware IP-VTC endpoints that are not associated with the LSC are required to reside in their own system of VLANs and therefore should have their own DHCP server or, better yet, be statically addressed. |