
The appropriate number of pre-authorized MAC addresses must be statically assigned for the pre-authorized VVoIP and VTC endpoints to include daisy chained devices or the maximum number of MAC addresses dynamically learned on each access switch port must be limited to the minimum number of supported devices authorized to connect.


Overview

Finding ID: V-19652
Version: VVoIP 5300
Rule ID: SV-21793r2_rule
IA Controls: none listed
Severity: Medium
Description
Use of port security is required on network access switch ports. One method is MAC-based port security, which limits the number of devices that can connect to a network access switch port from an endpoint. Allowing too many MAC addresses on a switch port would let a hub or switch be inserted into the voice VLAN port, or into the PC/data port on a VVoIP or VTC endpoint, so that additional unauthorized devices or workstations could be connected.

VVoIP and VTC endpoints are installed in workspaces provisioned with enough LAN drops to support the number of devices to be used there, and each LAN drop that is to be used must be connected to a network access switch port. The best practice is to limit the devices permitted to connect to any given LAN drop/switch port combination to one. Two methods do this: static mapping and MAC-based port security with learned addresses. Static mapping enters the MAC address of a pre-authorized device into the configuration of the network access switch port by hand. MAC-based port security with learned addresses, commonly called sticky-MAC, learns the MAC address of the first device to connect to the switch port and adds it to the configuration; that device becomes the authorized device. Sticky-MAC therefore requires care regarding which device is connected to a port for the first time. In both cases an alarm is generated if an unauthorized device is connected.

Many VVoIP or VTC endpoints provide an extra Ethernet port, called a PC port, that permits the endpoint and another device to share the same LAN drop. This has several advantages. First, a VVoIP or VTC endpoint can be added to a LAN without running additional cable or activating additional LAN drops. It is also possible to share a single LAN drop among a VVoIP endpoint, a desktop VTC endpoint, and a computer.

Another initiative where a single LAN drop is shared is hot desking, where several people are assigned to work at the same desk at different times, each with their own laptop computer. In this case a different MAC address needs to be permitted for each laptop that is supposed to connect to the LAN drop in the workspace. Additionally, this workspace could contain a single phone used by all assignees, and its PC port might be the connection for their laptops.
STIG: Voice/Video over Internet Protocol (VVoIP) STIG
Date: 2016-06-28

Details

Check Text ( C-24003r2_chk )
Review site documentation to confirm that the appropriate number of pre-authorized MAC addresses is statically assigned for the pre-authorized VVoIP and VTC endpoints, including daisy-chained devices. If static assignment is not implemented, the maximum number of MAC addresses dynamically learned on each access switch port must be limited to the minimum number of supported devices authorized to connect. If static assignment is not implemented and dynamic learning is not limited, this is a finding.

When dynamic MAC-based port security (learned MAC addresses) is used, the configuration settings must be as follows:
- A LAN switch port supporting a single authorized VVoIP or VTC endpoint is configured for a learned maximum of one. The PC port must be disabled, if present.
- A LAN switch port supporting an authorized VVoIP or VTC endpoint whose PC port connects a computer is configured for a learned maximum of three dynamically learned addresses. Although only two authorized devices are permitted to connect, the endpoint's address may be learned twice, once in association with the data VLAN and once with the VVoIP or VTC VLAN.
- When a VVoIP endpoint, a VTC endpoint, and a computer are daisy-chained on one LAN drop and switch port, the switch port is configured for a learned maximum of five dynamically learned addresses. Both the VVoIP and VTC endpoints will typically be assigned to the VVoIP VLAN because of switch port mode configuration limitations, and each endpoint may be learned twice, in association with the data VLAN and with the VVoIP or VTC VLAN. If the switch port supports a third VLAN in access mode, additional MAC addresses may be learned on that VLAN, and the maximum may be set higher, but only as high as is absolutely necessary.
When dynamic MAC assignment is implemented, if the maximum number of MAC addresses dynamically learned on each access switch port is not limited to the minimum number of supported devices authorized to connect, this is a finding.

When static mapping of MAC addresses is used for port security, the configuration settings must be as follows:
- A LAN switch port supporting a single authorized VVoIP or VTC endpoint is configured with one MAC address. The PC port must be disabled, if present.
- A LAN switch port supporting an authorized VVoIP or VTC endpoint providing a PC port connecting a computer is configured with two MAC addresses.
- When a VVoIP endpoint, VTC endpoint, and computer are daisy chained on one LAN drop and switch port, the switch port is configured with the three corresponding MAC addresses.
When static MAC assignment is implemented, if the appropriate numbers of pre-authorized MAC addresses are not statically assigned for the pre-authorized VVoIP and VTC endpoints to include daisy chained devices, this is a finding.

If static assignment is not implemented and dynamic learning is not limited as directed, this is a finding.
Fix Text (F-20356r2_fix)
Implement and document that the appropriate number of pre-authorized MAC addresses is statically assigned for the pre-authorized VVoIP and VTC endpoints, including daisy-chained devices, or that the maximum number of MAC addresses dynamically learned on each access switch port is limited to the minimum number of supported devices authorized to connect.

When dynamic MAC-based port security (learned MAC addresses) is used, the configuration settings must be as follows:
- A LAN switch port supporting a single authorized VVoIP or VTC endpoint is configured for a learned maximum of one. The PC port must be disabled, if present.
- A LAN switch port supporting an authorized VVoIP or VTC endpoint providing a PC port connecting a computer is configured for a learned maximum of three dynamically learned addresses.
- When a VVoIP endpoint, VTC endpoint, and a computer are daisy chained on one LAN drop and switch port, the switch port is configured for a learned maximum of five dynamically learned addresses.

When static mapping of MAC addresses is used for port security, the configuration settings must be as follows:
- A LAN switch port supporting a single authorized VVoIP or VTC endpoint is configured with one MAC address. The PC port must be disabled, if present.
- A LAN switch port supporting an authorized VVoIP or VTC endpoint providing a PC port connecting a computer is configured with two MAC addresses.
- When a VVoIP endpoint, VTC endpoint, and computer are daisy chained on one LAN drop and switch port, the switch port is configured with the three corresponding MAC addresses.
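Worked example, added here and not part of the STIG or of any vendor's tooling: a Python script that encodes the dynamic and static settings listed in the Check Text and Fix Text above and audits an IOS-style running-config against them. The interface names, MAC addresses, configuration text, and the AUTHORIZED table standing in for the site's per-port device documentation are all constructed; the switchport port-security commands are standard Cisco IOS syntax, which is assumed here as the switch platform. Two details a reviewer should not miss are built in: the parser treats "mac-address sticky <mac>" as an address the switch learned and saved (the dynamic method) and only a bare "mac-address <mac>" as an administrator's static pre-authorization, and a statically mapped port whose maximum exceeds its static entries is flagged, because the surplus would be filled by unlimited dynamic learning.

```python
"""Audit an IOS-style running-config against the V-19652 port-security settings.
Added example, not part of the STIG: the config text, interface names, MAC addresses and
the AUTHORIZED table (stand-in for the site's per-port device documentation) are constructed;
the port-security commands are Cisco IOS syntax."""
import re

# STIG learned-address maximums per number of authorized devices on one LAN drop: endpoint
# only -> 1; endpoint + PC -> 3; VVoIP + VTC + PC -> 5 (an endpoint may be learned on two VLANs).
DYNAMIC_MAX = {1: 1, 2: 3, 3: 5}

AUTHORIZED = {
    "GigabitEthernet1/0/1": ["vvoip"],               # sticky, maximum 1   -> compliant
    "GigabitEthernet1/0/2": ["vvoip", "pc"],         # sticky, maximum 3   -> compliant
    "GigabitEthernet1/0/3": ["vvoip", "vtc", "pc"],  # sticky, maximum 8   -> finding
    "GigabitEthernet1/0/4": ["vvoip", "pc"],         # 2 static, maximum 2 -> compliant
    "GigabitEthernet1/0/5": ["vvoip"],               # no port security    -> finding
    "GigabitEthernet1/0/6": ["vvoip", "vtc", "pc"],  # 2 static, maximum 5 -> two findings
}

SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
interface GigabitEthernet1/0/2
 switchport port-security
 switchport port-security maximum 3
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.4455 vlan voice
interface GigabitEthernet1/0/3
 switchport port-security
 switchport port-security maximum 8
 switchport port-security mac-address sticky
interface GigabitEthernet1/0/4
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address 0011.2233.cc01 vlan voice
 switchport port-security mac-address 0011.2233.cc02 vlan access
interface GigabitEthernet1/0/5
 switchport voice vlan 100
interface GigabitEthernet1/0/6
 switchport port-security
 switchport port-security maximum 5
 switchport port-security mac-address 0011.2233.dd01 vlan voice
 switchport port-security mac-address 0011.2233.dd02 vlan access
"""

ADDR_RE = re.compile(r"switchport port-security mac-address (sticky )?"
                     r"([0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})(?: vlan \S+)?")

def parse_interfaces(config):
    """Map interface name -> its indented lines ('!' or any unindented line ends a block)."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = blocks.setdefault(raw.split(None, 1)[1].strip(), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None
    return blocks

def port_security(lines):
    """Summarize one interface's port-security state (IOS default maximum is 1)."""
    ps = {"enabled": False, "maximum": 1, "static": [], "learned": []}
    for line in lines:
        if line == "switchport port-security":
            ps["enabled"] = True
        elif m := re.fullmatch(r"switchport port-security maximum (\d+)", line):
            ps["maximum"] = int(m.group(1))  # per-VLAN maximums are not modelled here
        elif m := ADDR_RE.fullmatch(line):
            # 'sticky <mac>' was learned and saved by the switch; a bare <mac> is static.
            ps["learned" if m.group(1) else "static"].append(m.group(2).lower())
    return ps

def audit_port(name, ps, devices):
    """Return the findings for one port; an empty list means compliant."""
    n, findings = len(devices), []
    if not ps["enabled"]:
        return [f"{name}: port security not enabled"]
    if ps["static"]:  # static mapping: exactly one pre-authorized MAC per authorized device
        if len(ps["static"]) != n:
            findings.append(f"{name}: {len(ps['static'])} static MAC(s) for {n} authorized device(s)")
        if ps["maximum"] > len(ps["static"]):
            findings.append(f"{name}: maximum {ps['maximum']} still allows learning beyond the static entries")
    elif n not in DYNAMIC_MAX:  # sticky/dynamic learning
        findings.append(f"{name}: {n} authorized devices is not a case the STIG describes; document it")
    elif ps["maximum"] > DYNAMIC_MAX[n]:
        findings.append(f"{name}: learned maximum {ps['maximum']} exceeds {DYNAMIC_MAX[n]} for {n} device(s)")
    return findings

def audit(config, authorized):
    """Audit every documented port; returns {port: findings} for non-compliant ports only."""
    blocks, results = parse_interfaces(config), {}
    for name, devices in authorized.items():
        findings = (audit_port(name, port_security(blocks[name]), devices) if name in blocks
                    else [f"{name}: documented port missing from the configuration"])
        if findings:
            results[name] = findings
    return results

if __name__ == "__main__":
    for findings in audit(SAMPLE_CONFIG, AUTHORIZED).values():
        print(*findings, sep="\n")
```

Running the script reports findings for GigabitEthernet1/0/3, 1/0/5 and 1/0/6 and nothing for the three compliant ports. Two limits apply: the requirement that the endpoint's PC port be disabled on single-device ports is configured on the endpoint or its call manager, not the switch, so it is not covered here, and per-VLAN maximums ("switchport port-security maximum N vlan ...") are ignored by the parser.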