VTC data in transit must be encrypted.

From Video Services Policy STIG

Part of RTS-VTC 1220

Associated with IA controls: ECCT-1, ECNK-1, ECSC-1

SV-18857r2_rule VTC data in transit must be encrypted.

Vulnerability discussion

Early VTC CODECs did not support confidentiality of the media or signaling streams directly. As security and conference confidentiality have become an IA concern, VTU vendors have standardized on the DES and AES encryption standards for VTC media streams, and H.235 was developed to secure the signaling protocols used in the H.323 suite. Most VTC media traffic is considered sensitive information requiring protection. Minimally, all endpoints and MCUs must employ FIPS-validated or NSA-approved cryptography for data in transit, including both media and signaling.

Much of the legacy VTC gear used today either supports only DES or has no encryption at all. Newer CODECs support FIPS 140-2 validated encryption for media and signaling and typically offer three encryption settings: on, off, or automatic/negotiate. The preferred setting is ON, used when the other VTUs a VTU needs to communicate with are known to support encryption. Auto/negotiate is the preferred setting when this is not known. Because auto/negotiate falls back to an unencrypted call when the far end cannot encrypt, calls placed under that setting must still be confirmed to be encrypted.

Check content

This requirement is not applicable in any of the following cases. If a VTU under review is connected to classified IP networks and the conference information owners provide written confirmation that encryption is not required within the classified enclave, this requirement is not applicable. If the VTC systems, endpoints, and MCUs under review are on a physically separate network from the enclave's LAN and use dedicated point-to-point circuits outside the enclave to interconnect to MCUs and other endpoints, this requirement is not applicable. If the VTC systems, endpoints, and MCUs under review are on a logically separate network on the enclave's LAN using a dedicated and closed VTC VLAN, and are protected on the WAN by an encrypted VPN between endpoints and the MCU, this requirement is not applicable.

Otherwise, review the VTC system architecture and ensure the VTC data in transit (both media and signaling) is encrypted. If the VTC data in transit is not encrypted, this is a finding.

Ensure the strongest encryption algorithm supported by all communicating VTUs and associated MCUs is used for VTC media streams.
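The following audit helper is an added example and is not part of the STIG or any vendor tooling. It encodes the decision logic of the vulnerability discussion and the check content above: the three not-applicable conditions, the on/off/auto setting semantics (including the cleartext fallback of auto/negotiate against a peer with no encryption), the media-plus-signaling requirement, and the "strongest algorithm common to all VTUs" check. The inventory schema, the device names, the cipher ranking and which ciphers count as FIPS-validated are assumptions made for illustration; a real review would take the inventory from the site's architecture documentation and CODEC configurations.

```python
"""
Added audit helper for RTS-VTC 1220 / SV-18857r2_rule (example code, not the STIG's).
Assumptions: the inventory schema, device names, CIPHER_RANK and APPROVED below.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Assumption: ordering used to pick the "strongest" media cipher every VTU supports.
CIPHER_RANK = {"DES": 1, "AES-128": 2, "AES-256": 3}
# Assumption: ciphers treated as FIPS-validated in this example; DES is legacy.
APPROVED = {"AES-128", "AES-256"}


@dataclass
class Vtu:
    name: str
    role: str          # "endpoint" or "mcu"
    setting: str       # "on", "off" or "auto" (the three options the STIG describes)
    ciphers: Set[str]  # media ciphers the CODEC supports; empty = legacy gear with no encryption
    h235: bool         # H.323 signaling protected with H.235


@dataclass
class Architecture:
    devices: List[Vtu]
    classified_waiver: bool = False        # classified enclave, written confirmation from information owners
    physically_separate_p2p: bool = False  # separate physical network with dedicated point-to-point circuits
    closed_vlan_with_vpn: bool = False     # dedicated closed VTC VLAN plus encrypted VPN across the WAN


def is_applicable(arch: Architecture) -> bool:
    """The three not-applicable conditions from the check content."""
    return not (arch.classified_waiver or arch.physically_separate_p2p or arch.closed_vlan_with_vpn)


def strongest_common_cipher(devices: List[Vtu]) -> Optional[str]:
    """Strongest media cipher that every given device supports, or None if there is no common cipher."""
    if not devices:
        return None
    common = set.intersection(*(d.ciphers for d in devices))
    if not common:
        return None
    return max(common, key=lambda c: CIPHER_RANK.get(c, 0))


def audit(arch: Architecture) -> List[Tuple[str, str]]:
    """Return (severity, message) pairs; severity is 'NA', 'finding', 'note' or 'ok'."""
    if not is_applicable(arch):
        return [("NA", "requirement not applicable to this architecture")]
    results: List[Tuple[str, str]] = []
    no_crypto = [d for d in arch.devices if not d.ciphers]
    for d in arch.devices:
        if not d.ciphers:
            results.append(("finding", f"{d.name}: no media encryption support, data in transit is cleartext"))
        elif d.setting == "off":
            results.append(("finding", f"{d.name}: encryption set to OFF"))
        elif d.setting == "auto":
            # auto/negotiate falls back to a cleartext call with any peer that cannot encrypt
            peers = [p.name for p in no_crypto if p is not d]
            if peers:
                results.append(("finding", f"{d.name}: AUTO will negotiate cleartext with {', '.join(peers)}"))
        if not d.h235:
            results.append(("finding", f"{d.name}: H.323 signaling not protected by H.235"))
    capable = [d for d in arch.devices if d.ciphers]
    best = strongest_common_cipher(capable)
    if capable and best is None:
        results.append(("finding", "no media cipher is common to all encryption-capable VTUs"))
    elif best is not None and best not in APPROVED:
        results.append(("note", f"strongest common media cipher is legacy {best}; prefer FIPS-validated or NSA-approved cryptography"))
    elif best is not None:
        results.append(("ok", f"strongest common media cipher: {best}"))
    return results


# Constructed sample inventory (not real equipment): one MCU, two modern endpoints, one legacy endpoint.
SAMPLE = Architecture(devices=[
    Vtu("mcu-1", "mcu", "on", {"DES", "AES-128", "AES-256"}, True),
    Vtu("ep-1", "endpoint", "on", {"AES-128", "AES-256"}, True),
    Vtu("ep-2", "endpoint", "auto", {"DES", "AES-128"}, True),
    Vtu("ep-legacy", "endpoint", "off", set(), False),
])

if __name__ == "__main__":
    for severity, message in audit(SAMPLE):
        print(f"[{severity}] {message}")
```

Run against the constructed sample, the helper reports three findings (the legacy endpoint's missing media encryption, its unprotected signaling, and the auto/negotiate endpoint that would fall back to cleartext with it) and confirms AES-128 as the strongest cipher common to the remaining VTUs and the MCU. Replacing the legacy unit or setting every modern unit to ON would clear the findings; a DES-only inventory passes the encryption check but is reported as a note, matching the fix text's preference for FIPS-validated or NSA-approved cryptography over legacy encryption.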

Fix text

Configure the VTC system architecture to require all data in transit be encrypted, with a preference for FIPS-validated or NSA-approved cryptography over legacy encryption.
