The organization's 802.1x implementation must place Voice Video traffic in the correct VLAN when authorizing LAN access for Voice Video endpoints.

From Voice Video Policy Security Technical Implementation Guide

Part of SRG-POL-300611

Associated with: CCI-003072

VVSP-01-000149_rule The organization's 802.1x implementation must place Voice Video traffic in the correct VLAN when authorizing LAN access for Voice Video endpoints.

Vulnerability discussion

The information security architecture at the individual information system level must be consistent with and complement the more global, organization-wide information security architecture that is integral to and developed as part of the enterprise architecture. The information security architecture includes an architectural description, the placement/allocation of security functionality (including security controls), security-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface.

In addition, the security architecture can include other important security-related information, for example, user roles and access privileges assigned to each role; unique security requirements; the types of information processed, stored, and transmitted by the information system; restoration priorities of information and information system services; and any other specific protection needs.

IEEE 802.1x is a protocol used to control access to LAN services via a network access switchport or wireless access point. It requires a device or user to authenticate to the network element and be authorized by the authentication server before accessing the network. This standard is used to activate the network access switchport, limiting traffic to a specific VLAN or installing traffic filters. Implementing 802.1x port security on each access switchport denies all other MAC users, which eliminates the security risk of additional users attaching to a switch to bypass authentication. The hardware Voice Video endpoint must be an 802.1x supplicant and integrate into the 802.1x access control system. When 802.1x is used, all devices connecting to the LAN are required to use 802.1x.

A Voice Video endpoint with a PC port may break 802.1x LAN access control mechanisms when the network access switchport is authorized during the Voice Video endpoint's authentication to the network. This condition may permit devices connected to the PC port to access the LAN. Daisy chaining devices on a single LAN drop protected by 802.1x must be prohibited unless the PC port is an 802.1x authenticator and configured to work with an approved authentication server. Disabling the PC port requires the network access switchports to be configured with the appropriate VLAN for the VoIP or video conferencing traffic and placing the disabled PC port traffic on the unused VLAN. MAC Address Bypass (MAB) is a mitigation for this vulnerability.

Check content

Review each Voice Video system security plan (SSP). Confirm the organization documents the 802.1x implementation, placing Voice Video traffic in the correct VLAN when authorizing LAN access for Voice Video endpoints. Verify the 802.1x authentication server places traffic from the Voice Video endpoint as follows:

- The PC port must be disabled or 802.1x multi-domain authentication must be enabled.
- VoIP traffic must be placed in the voice VLAN.
- Video conferencing (VC) traffic must be placed in the video VLAN.
- Soft clients are not authenticated by the 802.1x implementation; the Voice Video traffic is placed on the correct VLAN at the first access switch.

If the 802.1x implementation does not place Voice Video traffic in the correct VLAN when authorizing LAN access for Voice Video endpoints, this is a finding.

Fix text

Document in each Voice Video SSP the organization's 802.1x implementation that places Voice Video traffic in the correct VLAN when authorizing LAN access for Voice Video endpoints. Ensure the 802.1x authentication server places traffic from the Voice Video endpoint as follows:

- The PC port must be disabled or 802.1x multi-domain authentication must be enabled.
- VoIP traffic must be placed in the voice VLAN.
- Video conferencing (VC) traffic must be placed in the video VLAN.
- Soft clients are not authenticated by the 802.1x implementation; the Voice Video traffic is placed on the correct VLAN at the first access switch.
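The check and fix items above can be turned into a repeatable audit of the access-switch side of the implementation. The script below is an added example, not part of the STIG or of any vendor's tooling: it parses a constructed IOS-style running-config (the STIG names no vendor, so the command syntax is an assumption), reads a constructed endpoint inventory that records which hardware endpoint sits on each port and whether its PC port is left enabled, and reports a finding wherever a port fails one of the listed conditions. The VLAN numbers 110 (voice) and 120 (video) are assumed values. Soft clients are not authenticated by 802.1x and are therefore not modelled here.

```python
"""Audit access-switch port stanzas against the Voice Video 802.1x/VLAN checks."""
import re

# Assumed VLAN plan for this example; substitute the values from the SSP.
VOICE_VLAN = 110
VIDEO_VLAN = 120

# Constructed running-config in IOS-style syntax (not from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description VoIP phone, PC daisy-chained, multi-domain authentication
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 authentication port-control auto
 authentication host-mode multi-domain
 dot1x pae authenticator
 mab
!
interface GigabitEthernet1/0/2
 description VoIP phone, PC daisy-chained, but single-host mode
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 description Video conferencing codec with no 802.1x enforcement
 switchport mode access
 switchport access vlan 120
!
interface GigabitEthernet1/0/4
 description VoIP phone with its PC port disabled
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 authentication port-control auto
 dot1x pae authenticator
!
"""

# Constructed endpoint inventory: role of the hardware endpoint on each port
# and whether that endpoint's PC port has been left enabled.
INVENTORY = {
    "GigabitEthernet1/0/1": {"role": "voice", "pc_port_enabled": True},
    "GigabitEthernet1/0/2": {"role": "voice", "pc_port_enabled": True},
    "GigabitEthernet1/0/3": {"role": "video", "pc_port_enabled": False},
    "GigabitEthernet1/0/4": {"role": "voice", "pc_port_enabled": False},
}


def parse_interfaces(config):
    """Return {interface name: [stripped config lines]} for each stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif line.startswith("!"):
            current = None  # end of the current stanza
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
    return stanzas


def _vlan(lines, pattern):
    """Extract the VLAN id matched by `pattern`, or None if absent."""
    for line in lines:
        m = re.fullmatch(pattern, line)
        if m:
            return int(m.group(1))
    return None


def audit_interface(lines, role, pc_port_enabled):
    """Return the list of findings for one port; empty means compliant."""
    findings = []
    # 802.1x must actually be enforced on every LAN access port.
    if not ("dot1x pae authenticator" in lines
            and "authentication port-control auto" in lines):
        findings.append("802.1x not enforced on the access port")
    # VoIP traffic goes in the voice VLAN, VC traffic in the video VLAN.
    if role == "voice" and _vlan(lines, r"switchport voice vlan (\d+)") != VOICE_VLAN:
        findings.append(f"VoIP traffic not placed in voice VLAN {VOICE_VLAN}")
    if role == "video" and _vlan(lines, r"switchport access vlan (\d+)") != VIDEO_VLAN:
        findings.append(f"VC traffic not placed in video VLAN {VIDEO_VLAN}")
    # A phone with an enabled PC port needs multi-domain authentication so the
    # daisy-chained device is authenticated separately, not ridden along.
    if (role == "voice" and pc_port_enabled
            and "authentication host-mode multi-domain" not in lines):
        findings.append("PC port enabled without multi-domain authentication")
    return findings


def audit(config, inventory):
    """Map each inventoried port to its findings."""
    stanzas = parse_interfaces(config)
    return {name: audit_interface(stanzas.get(name, []), **spec)
            for name, spec in inventory.items()}


if __name__ == "__main__":
    for port, findings in audit(SAMPLE_CONFIG, INVENTORY).items():
        status = "compliant" if not findings else "FINDING: " + "; ".join(findings)
        print(f"{port}: {status}")
```

Run against the sample, GigabitEthernet1/0/1 and 1/0/4 pass (the first because multi-domain authentication covers the daisy-chained PC, the second because the PC port is disabled), 1/0/2 is flagged for an enabled PC port on a single-host port, and 1/0/3 is flagged because no 802.1x is enforced at all. MAB on 1/0/1 is the mitigation the discussion mentions and is left as a note for the reviewer rather than a pass/fail condition.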
