
The confidentiality of endpoint configuration files downloaded by hardware based or PC based VVoIP endpoints during registration is not protected.


Overview

Finding ID: V-19493
Version: VVoIP 1936 (GENERAL)
Rule ID: SV-21552r1_rule
IA Controls: DCBP-1, ECSC-1
Severity: Low
Description
During VVoIP endpoint registration with the LSC, a file is downloaded by the endpoint from the LSC that contains specific configuration parameters needed by the endpoint to operate as needed to support its assigned user. This file contains the phone number assigned to the endpoint; the IP addresses (or URLs) of the LSC(s) with which the endpoint is associated; the software menus specific to the system; the user’s personal preferences and speed dial numbers; as well as other information critical to the operation of the endpoint.

NOTE: Hardware based VVoIP endpoints are like diskless computers on the LAN which need to download an operating system and configurations before they can operate. The code necessary to download this OS is stored in ROM or Flash Memory and is called firmware. To varying degrees some, most, or all of the endpoint’s OS can be stored on the device as firmware. The more of the OS that is stored on the device, the quicker it initializes. In any case, no matter how much of the OS is stored as firmware, each endpoint requires a customized configuration settings file to be downloaded that individualizes the endpoint to meet the needs of the user to which it is assigned. These configuration settings can be updated occasionally or regularly by resetting and re-registering the endpoint, which causes an updated configuration file to be downloaded. Many PC based communications applications are fully configured locally on the platform; however, in some cases they rely on a configuration file downloaded from the system with which they are associated.

The confidentiality of these files is critical to preventing compromise of the PC application, hardware endpoint, and the system itself. Many vendors use configuration files of this sort that are in a compact binary format that is only interpretable by the endpoint’s firmware or PC application. However, there is the potential that such files may be human readable, as is XML code and most VVoIP signaling protocols.

If the file is human readable, intelligence can be gathered by capturing the file while it is in transit. Additionally, the file is easier to understand and therefore easier to modify and then forward to its destination. This facilitates man-in-the-middle attacks. The best method for maintaining the confidentiality of human readable files is to require that they be directly encrypted or downloaded over an encrypted channel. This can prevent man-in-the-middle attacks. Encryption of this file is also required if the file contains the password used to access the endpoint’s configuration information and settings menus. While encryption will also protect binary files, the threat is less due to the inability to easily read the information in the file without a program designed to interpret the binary code. As noted earlier, digital signatures and the file integrity must also be validated before the configuration file is used.

NOTE: To satisfy the encryption requirement here, the file can be encrypted directly (preferred) or downloaded over an encrypted channel. (This is applicable to PC applications only.)

NOTE: Many of these configuration files are transferred using protocols such as BootP or TFTP which are designated “local management” per the DoD PPSM VAs for these protocols. These protocols are generally considered to be vulnerable due to their simplicity and lack of any security features. Per the DoD PPSM guidelines, a designation of “local management” means that PPSM recognizes the use of the protocol may be necessary within the LAN/enclave but it must remain within the LAN/enclave. This means that these protocols, and therefore the configuration files transported by them, must not traverse the WAN or enclave boundary unless protected by an encrypted VPN. As such, VVoIP endpoints that register with a LSC located in another LAN/enclave must do so via an encrypted site-to-site VPN between the enclaves or via an encrypted client-to-site VPN.
STIG: Voice/Video Services Policy STIG
Date: 2014-04-07

Details

Check Text (C-23776r1_chk)
Interview the IAO to confirm compliance with the following requirement:

Ensure configuration files for hardware based and/or PC application based voice, video, UC, or collaboration communications endpoints downloaded during registration are in a vendor specific binary format only interpretable by the vendor’s endpoints; or, if human readable, are encrypted; or, if downloaded across a WAN, are downloaded over an encrypted tunnel (VPN).

Determine if the downloaded configuration files are binary or human readable. If they are human readable, verify that the files are directly encrypted. If not, and the endpoint in question is a PC communications application, determine if the file is downloaded over an encrypted channel such as a VPN.

NOTE: Many of these configuration files are transferred using simple protocols such as BootP or TFTP which are designated “local management” per the PPSM VAs for these protocols. This means that these protocols, and therefore the configuration files transported by them, must not traverse the WAN or enclave boundary unless protected by an encrypted VPN. As such, VVoIP endpoints that register with a LSC located in another LAN/enclave must do so via an encrypted site-to-site VPN between the enclaves or via an encrypted client-to-site VPN.

NOTE: The segregation of VVoIP and data on the LAN provides some protection for these downloaded configuration files, provided the transfer occurs within the LAN and not across a WAN. This becomes an issue for endpoints that register with an LSC in a remote enclave.

This is a finding in the event of the following:
> The downloaded configuration file is not in a vendor specific binary format only interpretable by the vendor’s endpoints OR the file is human readable and not natively encrypted.
OR
> The downloaded configuration file is transferred across a WAN but not transferred within an encrypted tunnel (VPN), (encrypted human readable or binary).

This is not a finding in the event the following mitigations are employed:
> Disable automatic configuration file download on endpoint registration.
> Pre-install the configuration file before the endpoint is deployed to its user using a dedicated and segregated “Provisioning” LAN or VLAN that is local to the LSC having restricted access to or from VLANs other than the LSC VLAN.
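The check above asks the reviewer to decide whether a downloaded configuration file is human readable, binary, or encrypted, and then apply the finding criteria. The following is an added audit helper, not part of the STIG or any vendor tool, that does that classification on a captured file and applies the V-19493 logic; the sample files, the key names it looks for, and the entropy and printable-ratio thresholds are assumptions chosen for illustration.

```python
# Added example (not part of the STIG): classify a captured endpoint
# configuration file and apply the V-19493 finding criteria.
import math
import re
from collections import Counter
from dataclasses import dataclass

XML_START = re.compile(rb"^\s*<(\?xml|[A-Za-z])")
# If a readable file carries menu credentials, encryption is required regardless.
CREDENTIAL_KEYS = re.compile(rb"(?i)(password|passwd|pin|secret)")

# Constructed samples, not real vendor files.
SAMPLE_XML = (b'<?xml version="1.0"?><cfg><dn>5551234</dn>'
              b'<lsc>https://lsc.example.net</lsc>'
              b'<adminPassword>changeme</adminPassword></cfg>')
SAMPLE_BINARY = bytes([0x00, 0x01, 0xFF, 0x10] * 16)   # low-entropy vendor blob
SAMPLE_ENCRYPTED = bytes(range(256))                  # stand-in for ciphertext


def printable_ratio(data: bytes) -> float:
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes) -> str:
    """'readable' (text/XML), 'opaque' (vendor binary) or 'encrypted'."""
    if XML_START.match(data) or printable_ratio(data) > 0.9:
        return "readable"
    return "encrypted" if shannon_entropy(data) > 7.5 else "opaque"


@dataclass
class Transfer:
    crosses_wan: bool   # endpoint registers with an LSC in another enclave
    vpn_tunnel: bool    # site-to-site or client-to-site VPN protects the path


def evaluate(data: bytes, t: Transfer, mitigated: bool = False) -> dict:
    """Apply the finding criteria; 'mitigated' means both listed mitigations are in place."""
    kind, reasons = classify(data), []
    if kind == "readable":
        reasons.append("human-readable configuration file is not encrypted")
        if CREDENTIAL_KEYS.search(data):
            reasons.append("file carries endpoint menu credentials in the clear")
    if t.crosses_wan and not t.vpn_tunnel:
        reasons.append("file crosses the WAN/enclave boundary without a VPN")
    return {"kind": kind, "finding": bool(reasons) and not mitigated, "reasons": reasons}
```

Point `evaluate()` at a file pulled from a TFTP capture taken on the provisioning VLAN and record the returned reasons as the evidence for the finding.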

Fix Text (F-20214r1_fix)
Ensure configuration files for hardware based and/or PC application based voice, video, UC, or collaboration communications endpoints downloaded during registration are in a vendor specific binary format only interpretable by the vendor’s endpoints; or, if human readable, are encrypted; or, if downloaded across a WAN, are downloaded over an encrypted tunnel (VPN).

In the event the system does not use a vendor specific binary format only interpretable by the vendor’s endpoints, configure the system to natively encrypt the endpoint configuration file.
OR
In the event the endpoint registers with a LSC in another enclave across a WAN, establish an encrypted tunnel between the enclave containing the LSC and the enclave containing the endpoint (site-to-site) or the endpoint itself (client-to-site).
OR
Employ the following mitigations:
> Disable automatic configuration file download on endpoint registration.
> Pre-install the configuration file before the endpoint is deployed to its user using a dedicated and segregated “Provisioning” LAN or VLAN that is local to the LSC having restricted access to or from VLANs other than the LSC VLAN.