The VVoIP system DHCP server is not dedicated to the VVoIP system within the LAN.

From Voice Video Services Policy STIG

Part of Deficient design: VVoIP system addressing re: DHCP

SV-8789r1_rule The VVoIP system DHCP server is not dedicated to the VVoIP system within the LAN.

Vulnerability discussion

When using Dynamic Host Configuration Protocol (DHCP) for address assignment and host configuration, different DHCP scopes (different address space, subnets, and VLANs) must be used for voice components and data components. This is most easily and safely accomplished by providing a DHCP server that is dedicated to the VVoIP system endpoints. That is to say, a DHCP server serving VVoIP devices needs to be in the VVoIP domain (i.e., the same address space and VLAN(s)). This alleviates the need to route DHCP requests into the data environment on the LAN, which would degrade the separation of the VVoIP environment and the data environment.

NOTE: In the event a dedicated DHCP server for VVoIP endpoints is not implemented, the network (i.e., the router controlling access to and from the VVoIP endpoint VLANs) must route VVoIP endpoint DHCP requests directly to the DHCP server in a manner that prevents traffic from flowing between the VVoIP and data VLANs. Additionally, the DHCP server must prevent such traffic flows while providing the VVoIP endpoints with proper VVoIP addresses and other information within the VVoIP address/subnet range (scope).

NOTE: The best practice for endpoint address assignment is to manually assign addresses when authorizing the instrument by generating its configuration file.

Check content

Interview the IAO to confirm compliance with the following requirement: In the event the VVoIP system is designed to use DHCP for initial VVoIP endpoint address assignment/configuration, ensure the design incorporates a different DHCP server than any that might be used for data components/hosts. Additionally, ensure these servers reside in their respective voice or data address space and VLAN.

NOTE: Soft-phones or VVoIP/UC applications residing on PCs/workstations will, by default, utilize the IP information obtained by the workstation from the data DHCP server unless the workstation and soft-phone are capable of multiple VLANs and the soft-phone is assigned to the VVoIP VLAN. In the latter case, the workstation or the soft-phone itself may obtain its IP information from the VVoIP DHCP server for use by the soft-phone or VVoIP application.

Determine if, in the VVoIP system design, DHCP is used for VVoIP endpoint address assignment/configuration. If so, determine the location of the DHCP server and whether it is dedicated to the VVoIP system (separate from the data host DHCP server) and is deployed in the core VVoIP VLAN with an appropriate IP address within the dedicated VVoIP address space. This is a finding in the event DHCP is used for VVoIP endpoint address assignment/configuration and these conditions are not met.

NOTE: It is recommended that the VVoIP DHCP server used as discussed in this requirement be implemented in the following order of preference: a dedicated device, part of the VVoIP call controller (LSC/MFSS) or other VVoIP related server; on an infrastructure router inside the enclave that is directly involved in the control of the VVoIP system or VLANs.

NOTE: The Network Infrastructure STIG precludes the implementation of a DHCP server on a perimeter router.
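The determination above can also be run against a documented design inventory. The following is an added example, not part of the STIG: the `DhcpServer` record, the `check_vvoip_dhcp` function, and all addresses and VLAN numbers are constructed for illustration, and it assumes IPv4 scopes only.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class DhcpServer:          # hypothetical inventory record
    name: str
    address: str           # the server's own IP address
    vlan: int              # VLAN the server is deployed in
    scopes: list           # CIDR scopes the server hands out

def check_vvoip_dhcp(servers, voice_space, voice_vlans):
    """Return a list of findings; an empty list means the conditions are met."""
    voice_nets = [ipaddress.ip_network(n) for n in voice_space]
    findings = []
    for srv in servers:
        scopes = [ipaddress.ip_network(s) for s in srv.scopes]
        # The rule only applies to servers that touch VVoIP address space.
        if not any(s.overlaps(v) for s in scopes for v in voice_nets):
            continue
        # Dedicated means every scope lies entirely inside the VVoIP space.
        non_voice = [str(s) for s in scopes
                     if not any(s.subnet_of(v) for v in voice_nets)]
        if non_voice:
            findings.append(f"{srv.name}: not dedicated, also serves "
                            + ", ".join(non_voice))
        addr = ipaddress.ip_address(srv.address)
        if not any(addr in v for v in voice_nets):
            findings.append(f"{srv.name}: address {addr} is outside "
                            "the VVoIP address space")
        if srv.vlan not in voice_vlans:
            findings.append(f"{srv.name}: VLAN {srv.vlan} is not a VVoIP VLAN")
    return findings

# Constructed sample designs (RFC 1918 addresses, made-up VLAN IDs).
VOICE_SPACE = ["10.20.0.0/16"]
VOICE_VLANS = {120, 121}
COMPLIANT = [
    DhcpServer("voice-dhcp", "10.20.0.5", 120, ["10.20.1.0/24", "10.20.2.0/24"]),
    DhcpServer("data-dhcp", "10.10.0.5", 10, ["10.10.1.0/24"]),
]
SHARED = [
    DhcpServer("corp-dhcp", "10.10.0.5", 10, ["10.10.1.0/24", "10.20.1.0/24"]),
]

if __name__ == "__main__":
    for label, design in (("compliant", COMPLIANT), ("shared", SHARED)):
        result = check_vvoip_dhcp(design, VOICE_SPACE, VOICE_VLANS)
        print(label, "->", result or "no finding")
```

A design with no DHCP server covering VVoIP address space returns no findings, matching the rule's condition that it applies only when DHCP is used for VVoIP endpoints.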

Fix text

If the VVoIP system design uses DHCP for VVoIP initial endpoint address assignment/configuration, ensure the design incorporates a different DHCP server than any that might be used for data components/hosts. Additionally, ensure these servers reside in their respective voice or data address space and VLAN.

NOTE: Soft-phones or VVoIP/UC applications residing on PCs/workstations will, by default, utilize the IP information obtained by the workstation from the data DHCP server unless the workstation and soft-phone are capable of multiple VLANs and the soft-phone is assigned to the VVoIP VLAN. In the latter case, the workstation or the soft-phone itself may obtain its IP information from the VVoIP DHCP server for use by the soft-phone or VVoIP application.

NOTE: It is recommended that the VVoIP DHCP server used as discussed in this requirement be implemented in the following order of preference: a dedicated device, part of the VVoIP call controller (LSC/MFSS) or other VVoIP related server; on an infrastructure router inside the enclave that is directly involved in the control of the VVoIP system or VLANs.

NOTE: The Network Infrastructure STIG precludes the implementation of a DHCP server on a perimeter router.
