Many VVoIP endpoints can set and/or display configuration settings on the instrument itself. While this makes it convenient to configure and troubleshoot at the desktop, it presents a vulnerability whereby a user (or anybody in the area) can obtain information such as the IP addresses and URLs of system components, which could in turn be used to facilitate an attack on the system. Therefore, these devices should be considered a target to be defended against individuals who would collect voice network information for illicit purposes. To help prevent such information gathering, measures must be taken to protect this information. Programming IP phones to not display network information (e.g., IP address, subnet mask, gateway, LCC addresses or URLs) without entering a password or PIN code should be considered another layer of security in protecting the VoIP environment. Additionally, such a PIN/password should not be a well-known or default “magic key sequence.” Such a PIN/password should only be available at initial setup of the instrument. While this PIN/password will most likely be a group PIN/password (not meeting DoD password/auditing policy under IAGA-1), it should not be permanently stored on the instrument. Instead, it should be centrally managed. The instrument should query the Local Session Controller (LSC) to validate the PIN/password or, minimally, the PIN/password should be changeable from the LSC as a function of the endpoint configuration. Instrument configuration PINs/passwords should be managed in accordance with normal DoD password policy. For example, the PIN/password needs to be changed on a regular basis.
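
The following added example (not part of the original text, and not any vendor's API) sketches the centrally managed design described above: the phone stores no PIN and asks the controller to validate each attempt before showing network settings. All class names, the default-PIN list, the 90-day rotation interval, and the sample addresses are assumptions made for illustration.

```python
import hashlib, hmac, os
from datetime import date, timedelta

# All names and values below are hypothetical; no vendor API is modeled.
DEFAULT_PINS = {"0000", "1234", "123456"}   # constructed "well-known" list
MAX_PIN_AGE = timedelta(days=90)            # assumed rotation interval


def _hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class SessionController:
    """Stands in for the LSC: the only place the group PIN verifier lives."""

    def __init__(self):
        self._salt = self._digest = self._set_on = None

    def set_pin(self, pin: str, today: date) -> None:
        if pin in DEFAULT_PINS:
            raise ValueError("well-known or default PIN rejected")
        self._salt = os.urandom(16)
        self._digest = _hash(pin, self._salt)
        self._set_on = today

    def validate(self, pin: str, today: date) -> bool:
        if self._digest is None or today - self._set_on > MAX_PIN_AGE:
            return False                     # unset or overdue for rotation
        return hmac.compare_digest(_hash(pin, self._salt), self._digest)


class Phone:
    """Endpoint that stores no PIN and asks the controller on every attempt."""

    MASKED = {"ip": "hidden", "gateway": "hidden", "controller_url": "hidden"}

    def __init__(self, lsc: SessionController, net: dict):
        self._lsc, self._net = lsc, net

    def network_menu(self, pin, today: date) -> dict:
        if pin is not None and self._lsc.validate(pin, today):
            return dict(self._net)
        return dict(self.MASKED)             # fail closed: nothing displayed


def demo():
    lsc, day = SessionController(), date(2024, 1, 1)   # constructed date
    lsc.set_pin("482915", day)
    phone = Phone(lsc, {"ip": "192.0.2.10", "gateway": "192.0.2.1",
                        "controller_url": "https://lsc.example/"})
    return (phone.network_menu(None, day), phone.network_menu("482915", day),
            phone.network_menu("482915", day + timedelta(days=91)))
```

Because the verifier lives only on the controller, changing the PIN there takes effect on every instrument at once, and an overdue PIN stops unlocking the menu until it is rotated.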