Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-19445 | VVoIP 1510 (GENERAL) | SV-21496r1_rule | DCBP-1 ECSC-1 | Medium |
Description |
---|
Traditional telephone systems require physical wiring and/or switch configuration changes to add an instrument to the system. This makes it difficult for someone to add an unauthorized digital instrument to the system. It could, however, be done more easily with older analog systems by tapping an existing analog line. With VoIP, this is no longer the case. Some VoIP systems employ an automatic means of detecting and registering a new instrument on the network with the local session controller (LSC) and then downloading its configuration to the instrument. This feature is called ‘auto-registration’ and can be used to initially connect and test unconfigured instruments. This presents a vulnerability whereby unauthorized instruments could be added to the system, or instruments could be moved without authorization. Such activity can happen anywhere there is an active network port or outlet. This is not only a configuration management problem; it could also allow theft of services or some other malicious attack. It is recognized, however, that auto-registration is necessary during large deployments of VoIP instruments, as well as for a short time thereafter, to facilitate additions and troubleshooting. This applies to initial system setup and to any subsequent large redeployments or additions. Normal day-to-day moves, additions, and changes require manual registration. Since an unauthorized VoIP instrument could easily be added to the system during auto-registration, the registration logs must be compared to the authorized terminal inventory. Alternatively, the system could have a method of automatically registering only pre-authorized terminals. This feature would support VoIP instruments that are DAA-approved for connection from multiple local or remote locations. The auto-registration feature provided in some VoIP systems creates various issues. In general, this feature allows any end instrument to function using a default configuration as soon as it is plugged into the network, without prior authorization and configuration by an SA. This feature should never be used, even in the limited situations mentioned in the requirement, since the SA loses control of the system. In this situation, the SA may not know which phones are on the system or where they are, and since phone numbers are usually assigned out of a pool, the SA has no control over phone number assignments. Additionally, since end instruments can work as soon as they are plugged in, they could be used to abuse the phone system. |
STIG | Date |
---|---|
Voice/Video over Internet Protocol (VVoIP) STIG | 2015-12-29 |
Check Text (C-23714r1_chk) |
---|
Interview the IAO to validate compliance with the following requirement: In the event the LSC provides an auto-registration feature whereby endpoints that have not been previously configured or authorized in the LSC are automatically registered and made functional, ensure that the feature is disabled. Alternatively, in the event an instrument that has not been pre-configured in the LSC can register with the LSC, the LSC will only provide the phone with limited capabilities, such as the ability to only call the local system operator’s console or another designated number, such as the security office. Calls to emergency services are permitted (and potentially required) in this case. NOTE: It may be desirable to use the alternate approach. NOTE: This does not apply to endpoints that are preconfigured in the LSC and/or in the instrument such that the endpoint is preauthorized. This means that pre-configuration or manual registration of VoIP terminals is used for normal day-to-day operations, troubleshooting and repairs, moves, additions, and changes. NOTE: While it is best practice to not use auto-registration at any time, there may be situations when its use is beneficial during initial system installation and checkout, or during any subsequent large redeployments and additions. In the event the feature is used in these situations, it must be disabled as soon as possible, not to exceed 5 days, and before the system is placed into service. |
Fix Text (F-20190r1_fix) |
---|
In the event the LSC provides an auto-registration feature whereby endpoints that have not been previously configured or authorized in the LSC are automatically registered and made functional, ensure that the feature is disabled. Alternatively, in the event an instrument that has not been pre-configured in the LSC can register with the LSC, the LSC will only provide the phone with limited capabilities, such as the ability to only call the local system operator’s console or another designated number, such as the security office. Calls to emergency services are permitted (and potentially required) in this case. NOTE: It may be desirable to use the alternate approach. NOTE: This does not apply to endpoints that are preconfigured in the LSC and/or in the instrument such that the endpoint is preauthorized. This means that pre-configuration or manual registration of VoIP terminals is used for normal day-to-day operations, troubleshooting and repairs, moves, additions, and changes. NOTE: While it is best practice to not use auto-registration at any time, there may be situations when its use is beneficial during initial system installation and checkout or during any subsequent large redeployments or additions. In the event the feature is used in these situations, it must be disabled as soon as possible, not to exceed 5 days, and before the system is placed into service. Disable the auto-registration feature on the LSC except as required for initial system deployment and checkout. In the event auto-registration is used initially, the LSC's log or report of registered instruments must be compared to the separate inventory of authorized instruments to detect any unauthorized or rogue instruments that may be connected to the network, so that they can be found and removed. |
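As an added example (not part of the STIG or of any LSC product), the comparison the fix text requires: the LSC registration log is reconciled against the authorized-instrument inventory to flag rogue and moved instruments, and any auto-registration still occurring after the 5-day window is reported as well. The log line format, field names and inventory layout are constructed assumptions.

```python
# Added example (not part of the STIG): reconcile an LSC registration log with
# the authorized inventory. Log format and inventory layout are constructed.
import re
from datetime import datetime, timedelta

# Constructed sample log; 'mode' separates auto-registered from pre-configured.
LSC_REGISTRATION_LOG = """\
2015-12-20T09:14:02 REGISTER mode=auto mac=00:1a:2b:3c:4d:01 ext=4101 port=sw1/Gi1/0/7
2015-12-20T09:16:40 REGISTER mode=manual mac=00:1a:2b:3c:4d:02 ext=4102 port=sw1/Gi1/0/8
2015-12-21T11:02:11 REGISTER mode=auto mac=00:1a:2b:3c:4d:03 ext=4103 port=sw2/Gi1/0/3
2015-12-28T14:45:09 REGISTER mode=auto mac=00:1a:2b:3c:4d:99 ext=4150 port=lobby/Gi1/0/1
"""

# Constructed authorized inventory: MAC -> (assigned extension, approved port).
AUTHORIZED_INVENTORY = {
    "00:1a:2b:3c:4d:01": ("4101", "sw1/Gi1/0/7"),
    "00:1a:2b:3c:4d:02": ("4102", "sw1/Gi1/0/8"),
    "00:1a:2b:3c:4d:03": ("4103", "sw1/Gi1/0/9"),
}

LINE_RE = re.compile(r"(?P<ts>\S+) REGISTER mode=(?P<mode>\w+) mac=(?P<mac>\S+) "
                     r"ext=(?P<ext>\d+) port=(?P<port>\S+)")

def parse_log(text):
    """Parse registration lines into dicts; lines that do not match are skipped."""
    events = [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]
    for ev in events:
        ev["ts"] = datetime.fromisoformat(ev["ts"])  # ISO-8601 timestamp
    return events

def reconcile(events, inventory, install_date, max_auto_days=5):
    """Return {mac: [issues]} for every registration that needs SA attention."""
    cutoff = datetime.fromisoformat(install_date) + timedelta(days=max_auto_days)
    findings = {}
    for ev in events:
        issues = []
        auth = inventory.get(ev["mac"])
        if auth is None:
            issues.append("rogue")            # not in the authorized inventory
        else:
            ext, port = auth
            if ev["port"] != port:
                issues.append("moved")        # registered from an unapproved port
            if ev["ext"] != ext:
                issues.append("ext_mismatch")  # pool-assigned number differs
        if ev["mode"] == "auto" and ev["ts"] > cutoff:
            issues.append("late_autoreg")     # feature still enabled past the limit
        if issues:
            findings[ev["mac"]] = issues
    return findings
```

Run against the constructed data with `reconcile(parse_log(LSC_REGISTRATION_LOG), AUTHORIZED_INVENTORY, "2015-12-20")`, the third instrument is reported as moved and the fourth as both rogue and a late auto-registration.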