
Deficient testing of, or lack of approval for, soft-phone accessories.


Overview

Finding ID: V-16085
Version: VVoIP 1745 (GENERAL)
Rule ID: SV-17073r1_rule
IA Controls: DCBP-1, DCCT-1, DCHW-1, EBCR-1, ECSC-1
Severity: Low

Description
While a headset, microphone, webcam, combination headset/microphone, or combination webcam/microphone can be considered soft-phone accessories, these are also accessories for other collaboration and communications applications. These have been discussed previously and are not included in this section. Our discussion here relates to soft-phone-specific accessories, which consist of USB phones, USB ATAs, and PPGs.

A USB phone is a physical USB-connected telephone instrument that associates itself with the soft-phone application running on the PC. It minimally provides a handset, which includes both the mouthpiece and receiver, and may provide a dial pad, a speakerphone function, or other functions. In general, these devices do not pose a security threat other than those discussed previously under the audio pickup/broadcast section above. They should be operated accordingly.

A USB ATA is a USB-connected device that associates itself with the soft-phone application and provides the ability to utilize a standard analog telephone or speakerphone. Some USB ATAs also provide a port to which an analog phone line can be connected. This allows a single analog phone to be used with the soft-phone while also answering and placing calls via the analog phone line. This line could be connected to a local PBX or to the PSTN. Some USB phones contain a port to which an analog phone line can be connected so the USB phone can be used with it to place and receive calls. There is little risk in the operation of this kind of USB ATA or USB phone, provided it operates only as described and there is no direct bridging of networks as described next.

A PPG (USB-connected or internal card) is a type of ATA that is a gateway intended to bridge the soft-phone application and supporting VoIP network to an analog phone line from a local PBX or the PSTN. PPGs pose legal and fraud threats to a DoD network due to this bridging of networks. PPGs can be used for toll fraud, toll avoidance, or placing or receiving unauthorized calls. Some USB phones contain a PPG. While these devices might be used to meet a specific mission requirement, their use may be illegal in certain countries and instances when connected between a DoD IP voice and data network and a public dial-up voice network. The use of any soft-phone accessory that provides a network bridging function poses both a legal and an IA threat to the DoD voice communications network. PPGs must not be used except to fulfill a validated and approved mission requirement.

STIG: Voice/Video Services Policy STIG
Date: 2014-04-07

Details

Check Text (C-17128r1_chk)
Interview the IAO to validate compliance with the following requirement:

Ensure the capabilities of soft-phone accessories (i.e., PPGs, ATAs, and/or USB phones) are reviewed and their functionality tested or validated prior to approving them, providing them to users, or implementing them.

Ask the IAO or IAM if the use of USB phones, USB ATAs, and PPGs is permitted and if they are provided to users. If so, determine if the devices have been reviewed and tested as necessary with regard to their network bridging capabilities. This is a finding if these devices are provided to users and they have not been properly reviewed and/or tested.

Fix Text (F-16190r1_fix)
Ensure the capabilities of soft-phone accessories (i.e., PPGs, ATAs, and/or USB phones) are reviewed and their functionality tested or validated prior to approving them, providing them to users, or implementing them.

Review and/or test USB phones, USB ATAs, and PPGs for their network bridging capabilities. Do not use such devices if the capability exists except to fulfill a validated mission requirement.