Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-19655 | VVoIP 5315 | SV-21796r2_rule | ECSC-1 | Medium |
Description |
---|
A VVoIP or VTC endpoint that provides a PC port typically breaks 802.1x LAN access control. The cause is that the network access switch port is enabled, authorized, and configured when the VVoIP or VTC endpoint authenticates to the network and is authorized to operate. This may permit whatever is connected to the PC port to access the LAN even if it is not authorized or does not use 802.1x. Therefore, the practice of daisy-chaining devices on a single LAN drop protected by 802.1x must be prohibited unless certain mitigating circumstances exist or are configured. If a PC port is provided, the mitigation is to disable the port. However, the 802.1x implementation must still install on the network access switch port the configuration required to support a VVoIP or VTC endpoint with a disabled PC port. That is, the required network access switch port configuration is the appropriate VLAN for the VVoIP or VTC traffic and an unused VLAN for the disabled PC port, so that the data path on that drop leads nowhere even if something is later plugged into the endpoint. |
STIG | Date |
---|---|
Voice/Video over Internet Protocol (VVoIP) STIG | 2015-12-29 |
Check Text ( C-24008r2_chk ) |
---|
If the VVoIP or VTC endpoints do not contain a PC port, this is not applicable. Review site documentation to confirm that, when 802.1x is implemented on the LAN and the VVoIP or VTC endpoints provide a PC port, the PC port is either an 802.1x authenticator or is disabled. If the PC port is an 802.1x authenticator, this is not a finding. If the PC port is disabled, this is not a finding. If the VVoIP or VTC endpoint PC port and the network access switch port in combination act as an 802.1x authenticator and the 802.1x system provides control over the LAN access gained through the endpoint's PC port, this is not a finding. Otherwise, this is a finding. |
Fix Text (F-20359r2_fix) |
---|
Implement and document that when 802.1x is implemented and VVoIP or VTC endpoints provide a PC port, one of the following is in place: the PC port is configured as an 802.1x authenticator; the PC port and the network access switch port in combination act as an 802.1x authenticator; or the PC port is disabled. |
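As an added worked example (not part of the STIG and not any vendor's published guidance), the following Python audits a constructed Cisco IOS running-config excerpt against the three acceptable states in the check and fix text above. It assumes a Cisco-style mapping: `authentication host-mode multi-domain` on a port that carries a voice VLAN is taken as switch-side evidence for the "PC port and switch port in combination act as an authenticator" case; a data VLAN drawn from a site-documented set of unused (black-hole) VLANs is taken as switch-side evidence for the "PC port disabled" case; and any other 802.1x-enabled port with a voice VLAN is conservatively reported as a finding. Interface names, VLAN numbers and the `PARKING_VLANS` set are made up. The endpoint-side half of the check (that the PC port really is disabled, or is itself an authenticator) still has to come from site documentation, as the check text requires.

```python
"""Assumed helper, not part of the STIG: classify each access port in a Cisco IOS
running-config excerpt against the acceptable states described in V-19655."""
import re

# Constructed sample config (names and VLAN numbers are made up).  Every port
# with a voice VLAN has 802.1x enabled on the switch side; what differs is how
# the data VLAN behind the phone's PC port is handled.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description Phone with PC daisy-chained; port authorized once the phone passes
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 100
 authentication port-control auto
 authentication host-mode multi-host
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 description Phone and PC each authenticated in their own domain
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 100
 authentication port-control auto
 authentication host-mode multi-domain
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 description Phone only; PC port disabled on the handset, data VLAN parked
 switchport mode access
 switchport access vlan 999
 switchport voice vlan 100
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/4
 description Printer, no voice VLAN
 switchport mode access
 switchport access vlan 30
 authentication port-control auto
 dot1x pae authenticator
!
"""

# Assumed: VLAN IDs the site documents as unused / black-hole VLANs.
PARKING_VLANS = {999}


def parse_interfaces(config):
    """Split an IOS config into {interface name: [stripped config lines]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return interfaces


def classify(lines, parking=PARKING_VLANS):
    """Return one of: not_applicable, no_802_1x, compliant_mda,
    compliant_pc_port_disabled, finding."""
    def grab(pattern):
        for line in lines:
            m = re.fullmatch(pattern, line)
            if m:
                return m.group(1)
        return None

    if grab(r"switchport voice vlan (\d+)") is None:
        return "not_applicable"  # no VVoIP endpoint expected on this port
    if "authentication port-control auto" not in lines:
        return "no_802_1x"  # finding's precondition (802.1x on the LAN) is absent here
    host_mode = grab(r"authentication host-mode (\S+)") or "single-host"  # IOS default
    data_vlan = grab(r"switchport access vlan (\d+)")
    if host_mode == "multi-domain":
        # Assumed mapping: the switch authenticates the PC port's device separately.
        return "compliant_mda"
    if data_vlan is not None and int(data_vlan) in parking:
        # Switch-side evidence only; confirm on the endpoint that the PC port is off.
        return "compliant_pc_port_disabled"
    # Conservative: the data VLAN is live and whatever hangs off the PC port rides
    # the phone's authorization.
    return "finding"


def audit(config):
    return {name: classify(lines) for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_CONFIG).items():
        print(f"{name:24} {verdict}")
```

Run it against a real `show running-config` export and treat every `finding` as a port to pair with the site documentation; `compliant_pc_port_disabled` still needs the handset-side confirmation, and `no_802_1x` ports are out of scope for this finding but worth a separate look.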