A VVoIP or VTC hardware endpoint possessing a “PC Port” is not configured to block access to the endpoint configuration and communications traffic from the attached PC

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-19658	VVoIP 5705 (LAN)	SV-21799r1_rule	ECSC-1	Medium

Description
VVoIP or VTC hardware endpoint possessing a “PC Port” can provide an easy avenue to access and compromise the endpoint configuration and communications traffic. Through such unauthorized access an attacker could also compromise the core of the VVoIP or VTC system or gain information for an attack from another vector. As such, VVoIP or VTC hardware endpoint must block access to its configuration and communications traffic from the PC port.

Description

VVoIP or VTC hardware endpoint possessing a “PC Port” can provide an easy avenue to access and compromise the endpoint configuration and communications traffic. Through such unauthorized access an attacker could also compromise the core of the VVoIP or VTC system or gain information for an attack from another vector. As such, VVoIP or VTC hardware endpoint must block access to its configuration and communications traffic from the PC port.

STIG	Date
Voice/Video over Internet Protocol (VVoIP) STIG	2015-12-29

Details

Check Text ( C-24015r1_chk )
Potential active tests: Open a browser on an attached test PC (the normal PC may not be capable of performing the tests). Attempt to connect to the IP address of the phone. Attempt to ping the endpoint IP address. Open a sniffer program and attempt to capture traffic to/from the phone. None of these should attempts be successful. Perform a network scan of the VoIP address space from the PC port. The VVoIP endpoints should not show up in the results.

Check Text ( C-24015r1_chk )

Potential active tests:
Open a browser on an attached test PC (the normal PC may not be capable of performing the tests). Attempt to connect to the IP address of the phone. Attempt to ping the endpoint IP address. Open a sniffer program and attempt to capture traffic to/from the phone. None of these should attempts be successful. Perform a network scan of the VoIP address space from the PC port. The VVoIP endpoints should not show up in the results.

Fix Text (F-20362r1_fix)
In the event a VVoIP or VTC hardware endpoint provides a “PC Port” Ensure all VVoIP or VTC hardware endpoints possessing a “PC Port” is configured to block access to the endpoint configuration and communications traffic from the attached PC or other device. Alternately ensure, if the endpoint cannot maintain this separation, the “PC Port” is disabled. In the event the endpoint contains an Ethernet hub, the PC port may need to be physically disabled (blocked) if it cannot be electronically disabled. NOTE: the switch or endpoint will typically utilize 802.1Q trunking (VLAN tagging) but may use some other means to separate voice and data traffic. Typically when 802.1Q VLAN tagging is used, the phone firmware tags the VoIP packets while the embedded switch passes all packets without modification. This permits devices connected to the PC port to tag their packets and assign the proper VLAN to their traffic type. 802.1Q VLAN tagging enables the LAN to better maintain separation of the traffic and is therefore the preferred method. Generally, do not implement VVoIP or VTC hardware endpoints that have an embedded Ethernet hub instead of a switch since a hub cannot support VLAN separation and drastic measures may be needed to disable the PC port.

Fix Text (F-20362r1_fix)

In the event a VVoIP or VTC hardware endpoint provides a “PC Port” Ensure all VVoIP or VTC hardware endpoints possessing a “PC Port” is configured to block access to the endpoint configuration and communications traffic from the attached PC or other device.

Alternately ensure, if the endpoint cannot maintain this separation, the “PC Port” is disabled. In the event the endpoint contains an Ethernet hub, the PC port may need to be physically disabled (blocked) if it cannot be electronically disabled.

NOTE: the switch or endpoint will typically utilize 802.1Q trunking (VLAN tagging) but may use some other means to separate voice and data traffic. Typically when 802.1Q VLAN tagging is used, the phone firmware tags the VoIP packets while the embedded switch passes all packets without modification. This permits devices connected to the PC port to tag their packets and assign the proper VLAN to their traffic type. 802.1Q VLAN tagging enables the LAN to better maintain separation of the traffic and is therefore the preferred method.

Generally, do not implement VVoIP or VTC hardware endpoints that have an embedded Ethernet hub instead of a switch since a hub cannot support VLAN separation and drastic measures may be needed to disable the PC port.