The organization's 802.1x implementation must use MAC Address Bypass (MAB) for Voice Video endpoints not supporting 802.1x.

From Voice Video Policy Security Technical Implementation Guide

Part of SRG-POL-300611

Associated with: CCI-003072

VVSP-01-000151_rule The organization's 802.1x implementation must use MAC Address Bypass (MAB) for Voice Video endpoints not supporting 802.1x.

Vulnerability discussion

The information security architecture at the individual information system level must be consistent with and complement the more global, organization-wide information security architecture that is integral to and developed as part of the enterprise architecture. The information security architecture includes an architectural description, the placement/allocation of security functionality (including security controls), security-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface.

In addition, the security architecture can include other important security-related information, for example, user roles and access privileges assigned to each role, unique security requirements, the types of information processed, stored, and transmitted by the information system, restoration priorities of information and information system services, and any other specific protection needs.

IEEE 802.1x is a protocol used to control access to LAN services via a network access switchport or wireless access point. It requires a device or user to authenticate to the network element and be authorized by the authentication server before accessing the network. The standard is used to activate the network access switchport, limit traffic to a specific VLAN, or install traffic filters. Implementing 802.1x port security on each access switchport denies all other MAC addresses, which eliminates the security risk of additional users attaching to a switch to bypass authentication. The hardware Voice Video endpoint must be an 802.1x supplicant and integrate into the 802.1x access control system. When 802.1x is used, all devices connecting to the LAN are required to use 802.1x.

A Voice Video endpoint with a PC port may break 802.1x LAN access control when the network access switchport is authorized during the Voice Video endpoint's authentication to the network. This condition may permit devices connected to the PC port to access the LAN. Daisy chaining devices on a single LAN drop protected by 802.1x must be prohibited unless the PC port is itself an 802.1x authenticator configured to work with an approved authentication server. Disabling the PC port requires the network access switchports to be configured with the appropriate VLAN for the VoIP or video conferencing traffic and placing the disabled PC port traffic on an unused VLAN. MAB mitigates this vulnerability by using the MAC address as the username and password for the device to authenticate with the 802.1x authentication server.

Check content

Review each Voice Video system security plan (SSP). Confirm the organization documents its 802.1x implementation and that the implementation uses MAB for Voice Video endpoints not supporting 802.1x. Sticky-MAC is no longer permitted for use on DoD network infrastructure. If Sticky-MAC is used by the network infrastructure, this is a finding. If the 802.1x implementation does not use MAB for Voice Video endpoints not supporting 802.1x, this is a finding.
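The check above is a review of the SSP. As an added example that is not part of the STIG, the following script audits a switch running-config for the same two conditions on Voice Video access ports: a MAB fallback is present, and Sticky-MAC is not in use. The sample config is constructed, and the Cisco IOS-style command syntax is an assumption made for illustration.

```python
# Constructed sample running-config (not from the STIG); Cisco IOS-style
# command syntax is an assumption, adjust the patterns for other vendors.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport voice vlan 20
 authentication order dot1x mab
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 switchport voice vlan 20
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 switchport voice vlan 20
 switchport port-security mac-address sticky
 mab
!
"""

def parse_interfaces(config):
    # Return {interface_name: [indented config lines]} from IOS-style text.
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith("!"):
            current = None  # "!" closes the interface stanza
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces

def audit_voice_ports(config):
    """Return {interface: [findings]} for access ports carrying a voice VLAN."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if not any(l.startswith("switchport voice vlan") for l in lines):
            continue  # only Voice Video access ports are in scope for this rule
        issues = []
        if "mab" not in lines:
            issues.append("no MAB fallback for endpoints that do not support 802.1x")
        if not any(l.startswith("authentication order") and "mab" in l for l in lines):
            issues.append("authentication order does not fall back to mab")
        if any("port-security mac-address sticky" in l for l in lines):
            issues.append("Sticky-MAC in use (no longer permitted)")
        if issues:
            findings[name] = issues
    return findings
```

Ports with an empty finding list are omitted, so a clean audit returns an empty dict.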

Fix text

Document in each Voice Video SSP the organization's 802.1x implementation, which must use MAB for Voice Video endpoints not supporting 802.1x.
