The organization must implement a dedicated DHCP server to the Voice Video system within the LAN.

From Voice Video Policy Security Technical Implementation Guide

Part of SRG-POL-300447

Associated with: CCI-001973

VVSP-01-000095_rule The organization must implement a dedicated DHCP server to the Voice Video system within the LAN.

Vulnerability discussion

Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, device-unique identifiers, and phone numbers. Preventing reuse of identifiers implies preventing the assignment of previously used identifiers to different devices. For Voice Video systems, the importance of preventing reuse must also consider fire and emergency services (FES) requirements for life safety and Command and Control (C2) requirements mandating communications among top-level officials. Location (PS-ALI) and phone number (ANI) databases are often used with VoIP systems to identify the precise location of a Voice Video endpoint. When endpoints are reused, these databases must also be updated. Adversaries can use improperly maintained databases as a way of mobilizing security and emergency personnel to a faux site to weaken responses in another area.

Different DHCP scopes contain different IP address space, subnets, and VLANs. When using DHCP for address assignment and host configuration, unique DHCP scopes must be used for voice components and data components. Providing a DHCP server dedicated to Voice Video endpoints is the most direct means, serving Voice Video devices in the Voice Video domain using the same address space and VLANs. This prevents routing DHCP requests through the data environment, which degrades the separation of the Voice Video environment from the data environment.

Check content

Review each Voice Video system security plan (SSP) for DHCP service. Ensure the organization implements a dedicated DHCP server to the Voice Video system within the LAN. In the event the DHCP server is not dedicated to Voice Video, ensure it does not provide data addresses and configuration information to the Voice Video endpoints and, conversely, does not provide Voice Video addresses and configuration information to the data endpoints (hosts or workstations).

If the Voice Video system core components are assigned IP addresses by a DHCP server and the IP address is not reserved (static) for each interface on these core components, this is a finding.

If the Voice Video endpoints are assigned IP addresses by a Voice Video DHCP server scope that is not dedicated to the IP address block for the Voice Video system, this is a finding.

If network devices outside the Voice Video system are assigned IP addresses by a Voice Video DHCP server scope, this is a finding.

Fix text

Document in each Voice Video SSP the organization's implementation of a dedicated DHCP server scope to the Voice Video system within the LAN. The Voice Video system design must use DHCP for initial endpoint address assignment/configuration. Best practice is to use a DHCP server separate from any data components/hosts, with each server residing in its respective Voice Video or data address space and VLAN. Unified Capability (UC) soft clients or applications residing on a PC/workstation will, by default, use the IP information the workstation obtained from the data DHCP server. When the workstation is capable of multiple VLANs, the UC soft client must be assigned to the Voice Video VLAN, receiving IP information from the Voice Video DHCP server for use by UC soft clients or applications. Best practice is for the Voice Video DHCP server to be implemented in the following order of preference: as a dedicated device, as part of the Voice Video session manager, as part of another Voice Video related server, or on an infrastructure router (not perimeter) inside the enclave supporting the Voice Video system or VLANs. Using a single DHCP server, separated through VLANs, to serve both voice and data endpoints is allowed as long as the voice and data endpoints are restricted by ACLs from communicating with each other.
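The three findings in the check content above, and the scope separation the fix text calls for, can be verified mechanically against a DHCP server's scope definitions and its lease table. The script below is an added example written for this page; it is not part of the STIG and not vendor code. It assumes the scopes and leases have already been exported into the simple records shown (scope name, network, VLAN, domain, reservations; lease MAC, IP, issuing scope, device class), and the Voice Video address block and every address and MAC in it are constructed for illustration.

```python
"""Audit DHCP scopes and leases against the Voice Video DHCP findings.

Added example; the record formats, the VOICE_BLOCK value and all sample
addresses below are assumptions constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

# Address block the organization reserved for the Voice Video system.
# Constructed for this example; substitute the block recorded in the SSP.
VOICE_BLOCK = IPv4Network("10.10.0.0/16")


@dataclass(frozen=True)
class Scope:
    """One DHCP scope: its address space, VLAN, and the domain it serves."""
    name: str
    network: IPv4Network
    vlan: int
    domain: str                       # "voice" or "data"
    reservations: dict = field(default_factory=dict)   # MAC -> reserved IP


@dataclass(frozen=True)
class Lease:
    """One address assignment as exported from the DHCP server."""
    mac: str
    ip: IPv4Address
    scope: str                        # name of the scope that issued it
    device_class: str                 # voice_core | voice_endpoint | data_host | network_device


def audit_scopes(scopes):
    """Scope-level checks: a voice scope must lie inside the Voice Video
    address block, and a data scope must not reach into that block."""
    findings = []
    for s in scopes:
        if s.domain == "voice" and not s.network.subnet_of(VOICE_BLOCK):
            findings.append((s.name, "voice scope outside Voice Video address block"))
        if s.domain == "data" and s.network.overlaps(VOICE_BLOCK):
            findings.append((s.name, "data scope overlaps Voice Video address block"))
    return findings


def audit_leases(scopes, leases):
    """Lease-level checks mirroring the three findings in the check content."""
    by_name = {s.name: s for s in scopes}
    findings = []
    for lease in leases:
        scope = by_name[lease.scope]
        # Finding 1: core components must hold a reserved (static) address.
        if lease.device_class == "voice_core" and scope.reservations.get(lease.mac) != lease.ip:
            findings.append((lease.mac, "core component address not reserved (static)"))
        # Finding 2: endpoints must be served from a scope dedicated to the voice block.
        if lease.device_class == "voice_endpoint" and (
                scope.domain != "voice" or lease.ip not in VOICE_BLOCK):
            findings.append((lease.mac, "endpoint served by non-dedicated scope"))
        # Finding 3: no device outside the Voice Video system from a voice scope.
        if lease.device_class in ("data_host", "network_device") and scope.domain == "voice":
            findings.append((lease.mac, "non-voice device served by voice scope"))
    return findings


# Constructed sample input: one voice scope with a single reservation, one data scope.
SCOPES = [
    Scope("voice-vlan20", IPv4Network("10.10.20.0/24"), 20, "voice",
          {"00:11:22:33:44:01": IPv4Address("10.10.20.10")}),
    Scope("data-vlan30", IPv4Network("10.20.30.0/24"), 30, "data"),
]

LEASES = [
    Lease("00:11:22:33:44:01", IPv4Address("10.10.20.10"), "voice-vlan20", "voice_core"),      # reserved: OK
    Lease("00:11:22:33:44:02", IPv4Address("10.10.20.57"), "voice-vlan20", "voice_core"),      # dynamic: finding
    Lease("00:11:22:33:44:10", IPv4Address("10.10.20.101"), "voice-vlan20", "voice_endpoint"), # OK
    Lease("00:11:22:33:44:11", IPv4Address("10.20.30.77"), "data-vlan30", "voice_endpoint"),   # phone on data scope: finding
    Lease("00:11:22:33:44:20", IPv4Address("10.10.20.150"), "voice-vlan20", "data_host"),      # workstation on voice scope: finding
    Lease("00:11:22:33:44:21", IPv4Address("10.20.30.12"), "data-vlan30", "data_host"),        # OK
]


def run_audit():
    """Return every (subject, problem) pair found in the sample data."""
    return audit_scopes(SCOPES) + audit_leases(SCOPES, LEASES)


if __name__ == "__main__":
    for subject, problem in run_audit():
        print(f"FINDING {subject}: {problem}")
```

Against the sample data the audit reports three findings, one per rule: the second core component holds a dynamic address, the phone on the data scope, and the workstation on the voice scope. Feeding it the real scope table and lease export turns the three "this is a finding" sentences into a repeatable check that can run after every scope change.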
