Many VVoIP endpoints have the capability of setting and/or displaying configuration settings on the instrument itself. While this makes it convenient to configure and troubleshoot at the desktop, it presents a vulnerability whereby a user, or anybody in the area, can obtain information such as the IP addresses and URLs of system components. This information could be used to facilitate an attack on the system by would-be hackers or attackers. Therefore these devices should be considered a target to be defended against individuals who would collect voice network information for illicit purposes, and measures must be taken to protect this information from such gathering.

Programming IP Phones not to display network information (i.e. IP address, subnet mask, gateway, LCC addresses or URLs, etc.) without entering a password or PIN code should be considered another layer of security in protecting the VoIP environment. Additionally, such a PIN/password should not be a well-known or default "magic key sequence." Such a PIN/password should only be available at initial setup of the instrument.

While this PIN/password will most likely be a group PIN/password (not meeting DoD password/auditing policy under IAGA-1), it should not be permanently stored on the instrument; it should instead be centrally managed. The instrument should query the Local Session Controller (LSC) to validate the PIN/password, or, at a minimum, the PIN/password should be changeable from the LSC as a function of the endpoint configuration. Instrument configuration PIN/passwords should be managed in accordance with normal DoD password policy, such as being changed on a regular basis and when compromised or when an SA leaves the organization.
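The following is an added example, not text or code from the STIG itself, that models the arrangement described above: an IP phone that redacts its network settings until a PIN is validated by a simulated Local Session Controller, with no PIN material stored on the phone. The LSC holds only salted PBKDF2 hashes, refuses well-known default sequences at provisioning time, locks an endpoint out after repeated failures, and keeps an audit trail a SIEM could collect. The class names, the lockout parameters, the list of default sequences and the sample addresses are all constructed for this illustration.

```python
import hashlib
import hmac
import os

# Constructed set of "magic key sequences" never accepted as a group PIN;
# a real deployment would populate this from vendor documentation.
WELL_KNOWN_SEQUENCES = {"0000", "1234", "123456", "111111", "#*#*", "admin"}
PBKDF2_ROUNDS = 200_000


def pin_is_acceptable(pin):
    """Reject default sequences and anything shorter than six digits."""
    return pin not in WELL_KNOWN_SEQUENCES and len(pin) >= 6 and pin.isdigit()


class LocalSessionController:
    """Simulated LSC: the only component holding PIN hashes and validating PINs."""

    def __init__(self, max_attempts=5, lockout_seconds=300):
        self._group_pins = {}   # group name -> (salt, pbkdf2 digest)
        self._failures = {}     # endpoint id -> [failed attempts, locked-until time]
        self.audit_log = []     # (time, endpoint id, event) tuples for export
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds

    def set_group_pin(self, group, pin):
        """Provision or rotate a group PIN; phones need no update when it changes."""
        if not pin_is_acceptable(pin):
            raise ValueError("PIN is a well-known sequence or too short")
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
        self._group_pins[group] = (salt, digest)

    def validate_pin(self, endpoint_id, group, pin, now):
        """True only for a correct PIN from an endpoint that is not locked out."""
        attempts, locked_until = self._failures.get(endpoint_id, [0, 0])
        if now < locked_until:
            self.audit_log.append((now, endpoint_id, "rejected: locked out"))
            return False
        stored = self._group_pins.get(group)
        if stored is not None:
            salt, digest = stored
            candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
            if hmac.compare_digest(candidate, digest):
                self._failures.pop(endpoint_id, None)
                self.audit_log.append((now, endpoint_id, "config unlocked"))
                return True
        attempts += 1
        if attempts >= self.max_attempts:
            locked_until, attempts = now + self.lockout_seconds, 0
            self.audit_log.append((now, endpoint_id, "lockout triggered"))
        else:
            self.audit_log.append((now, endpoint_id, "rejected: bad PIN"))
        self._failures[endpoint_id] = [attempts, locked_until]
        return False


class IPPhone:
    """Endpoint model: holds network settings but no PIN; defers to the LSC."""

    REDACTED = "****"

    def __init__(self, endpoint_id, group, lsc, network_info):
        self.endpoint_id = endpoint_id
        self.group = group
        self.lsc = lsc
        self._network_info = dict(network_info)

    def display_config(self, pin=None, now=0):
        """Reveal network details only after LSC validation; otherwise redact."""
        if pin is not None and self.lsc.validate_pin(self.endpoint_id, self.group, pin, now):
            return dict(self._network_info)
        return {key: self.REDACTED for key in self._network_info}


def demo():
    """Provisioning, a correct unlock, three bad guesses, lockout, and recovery."""
    lsc = LocalSessionController(max_attempts=3, lockout_seconds=300)
    lsc.set_group_pin("floor-2-phones", "739182")  # constructed PIN
    phone = IPPhone("phone-0007", "floor-2-phones", lsc, {  # constructed values
        "ip": "192.0.2.45", "mask": "255.255.255.0",
        "gateway": "192.0.2.1", "lsc_url": "sip://lsc.example.invalid"})
    results = {"no_pin": phone.display_config(),
               "good_pin": phone.display_config("739182", now=100)}
    for t in (110, 120, 130):                       # three wrong guesses -> lockout
        phone.display_config("000000", now=t)
    results["locked_good_pin"] = phone.display_config("739182", now=140)
    results["after_lockout"] = phone.display_config("739182", now=500)
    results["events"] = [event for _, _, event in lsc.audit_log]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The clock is passed in explicitly so the lockout window can be exercised deterministically; on a real endpoint the LSC would use its own time source. Rotating the group PIN is a single call on the LSC, which is what makes the "change it when an SA leaves" requirement practical across a fleet of phones.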