Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-19633 | VVoIP 5525 (LAN) | SV-21774r2_rule | ECSC-1 | Medium |
Description |
---|
VLAN and IP address segmentation enables access and traffic control for the VVoIP system components. Only the required protocols are to reach a given VVoIP device, thereby protecting it from non-essential protocols. This protection is afforded on the LAN by implementing ACLs based on VLAN/subnet, protocol, and in some instances specific IP addresses. While a firewall placed between the core equipment and endpoint VLANs might provide better protection for the core equipment as a whole, a router is best suited to control the varying traffic patterns between the various devices. |
STIG | Date |
---|---|
Voice/Video over Internet Protocol (VVoIP) STIG | 2015-07-01 |
Check Text ( C-23959r2_chk ) |
---|
Inspect the configurations of the LAN devices supporting VVoIP hardware endpoints or their traffic to determine compliance with the following requirement: In the event the device supports VVoIP endpoints directly or indirectly, ensure the following VLANs are established and configured on this device. For hardware endpoints, confirm multiple VLANs, generally in parallel with data LAN VLANs, the number of which depends on the size of the LAN and as required for the reduction of broadcast domains per good LAN design. For small networks there will be a minimum of one. If VVoIP VLANs are not implemented on VVoIP hardware endpoints, this is a finding. |
Fix Text (F-20337r2_fix) |
---|
In the event the device supports VVoIP hardware endpoints directly or indirectly, ensure the following VLANs are established and configured on this device. For hardware endpoints, configure multiple VLANs, generally in parallel with data LAN VLANs, the number of which depends on the size of the LAN and as required for the reduction of broadcast domains per good LAN design. For small networks there will be a minimum of one. |
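
One way to automate the inspection in the check text, as an added example that is not part of the STIG: the script flags access ports that lack a voice VLAN separate from the data VLAN. It assumes Cisco IOS-style syntax (the STIG text is vendor-neutral), a constructed sample configuration, and that every access port in the sample serves a VVoIP hardware endpoint.

```python
import re

# Constructed sample in Cisco IOS-style syntax (an assumption; the STIG is vendor-neutral).
SAMPLE_CONFIG = """\
vlan 10
 name DATA-FLOOR1
vlan 110
 name VOICE-FLOOR1
!
interface GigabitEthernet1/0/1
 description desk phone with PC behind it
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
!
interface GigabitEthernet1/0/2
 description desk phone, no voice VLAN configured
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/3
 description phone sharing the data VLAN
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 10
!
"""

def audit_voice_vlans(config):
    """Return {interface: reason} for access ports lacking a separate, defined voice VLAN."""
    defined = set(re.findall(r"^vlan (\d+)\s*$", config, re.M))
    findings = {}
    # Split the config into interface stanzas: header line plus its indented lines.
    for name, body in re.findall(r"^interface (\S+)\n((?:[ \t]+.*\n)*)", config, re.M):
        if "switchport mode access" not in body:
            continue  # trunks and routed ports are out of scope for this check
        data = re.search(r"switchport access vlan (\d+)", body)
        voice = re.search(r"switchport voice vlan (\d+)", body)
        if voice is None:
            findings[name] = "no voice VLAN configured"
        elif data and voice.group(1) == data.group(1):
            findings[name] = "voice VLAN is the same as the data VLAN"
        elif voice.group(1) not in defined:
            findings[name] = "voice VLAN not defined on this device"
    return findings

if __name__ == "__main__":
    for port, reason in audit_voice_vlans(SAMPLE_CONFIG).items():
        print(f"{port}: {reason}")
```

In a real review, restrict the loop to the ports known to serve VVoIP hardware endpoints, since data-only access ports legitimately carry no voice VLAN.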