When the organization does not implement 802.1x network access control system, the appropriate number of preauthorized MAC addresses must be statically assigned for the preauthorized Voice Video endpoints, to include daisy-chained devices.

From Voice Video Policy Security Technical Implementation Guide

Part of SRG-POL-300611

Associated with: CCI-003072

VVSP-01-000152_rule When the organization does not implement 802.1x network access control system, the appropriate number of preauthorized MAC addresses must be statically assigned for the preauthorized Voice Video endpoints, to include daisy-chained devices.

Vulnerability discussion

The information security architecture at the individual information system level must be consistent with and complement the more global, organization-wide information security architecture that is integral to and developed as part of the enterprise architecture. The information security architecture includes an architectural description, the placement/allocation of security functionality (including security controls), security-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface.

In addition, the security architecture can include other important security-related information, for example, user roles and access privileges assigned to each role; unique security requirements; the types of information processed, stored, and transmitted by the information system; restoration priorities of information and information system services; and any other specific protection needs.

When 802.1x is not implemented, MAC-based port security may be implemented by limiting the number of devices that can connect from an endpoint to a network access switch port. Allowing too many MAC addresses on a switch port could allow a hub or switch to be inserted into the voice VLAN port or PC port on a Voice Video endpoint, which allows additional unauthorized devices or workstations to be connected.

Voice Video endpoints in the workspace where installed are provisioned with enough LAN drops to support the number of devices to be used in the workspace. This also requires that each LAN drop that is to be used must be connected to a network access switch port. The best practice is to limit the devices permitted to connect to any given LAN drop/switch port combination to one. The two methods to do this are static mapping and MAC-based port security. Static mapping the MAC address of a preauthorized device into the configuration of the network access switch port requires manual configuration.

Check content

If the organization implements an 802.1x network access control system, this is not applicable.

Review each Voice Video system security plan (SSP). Confirm the appropriate number of preauthorized MAC addresses are statically assigned for the preauthorized Voice Video endpoints, to include daisy-chained devices using the PC port.

Verify that when static mapping of MAC addresses is used for port security, configuration settings are as follows:

- A LAN switch port supporting a single authorized Voice Video endpoint is configured with one MAC address. The PC port must be disabled, if present.
- A LAN switch port supporting an authorized Voice Video endpoint providing a PC port connecting a computer is configured with two MAC addresses.
- When a hardware Voice Video endpoint, video conference endpoint, and computer are daisy chained on one LAN drop and switch port, the switch port is configured with the three corresponding MAC addresses.

If the appropriate numbers of preauthorized MAC addresses are not statically assigned for the preauthorized Voice Video endpoints, to include daisy-chained devices, this is a finding.

Fix text

Document in each Voice Video SSP the appropriate number of preauthorized MAC addresses that are statically assigned for the preauthorized Voice Video endpoints, to include daisy-chained devices using the PC port.

When static mapping of MAC addresses is used for port security, configuration settings must be as follows:

- A LAN switch port supporting a single authorized Voice Video endpoint is configured with one MAC address. The PC port must be disabled, if present.
- A LAN switch port supporting an authorized Voice Video endpoint providing a PC port connecting a computer is configured with two MAC addresses.
- When a hardware Voice Video endpoint, video conference endpoint, and computer are daisy chained on one LAN drop and switch port, the switch port is configured with the three corresponding MAC addresses.
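As an added illustration (not part of the STIG text), the following Python script compares the static port-security configuration of each switch port against the preauthorized MAC addresses the SSP lists for that LAN drop, reporting the mismatches that would be findings under the check above. It assumes IOS-style `switchport port-security` syntax and uses constructed sample data; whether an endpoint's PC port is disabled must still be confirmed on the endpoint itself.

```python
import re
# Constructed IOS-style running-config excerpt (assumed syntax; not taken from the STIG).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/2
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address 0011.2233.4402
 switchport port-security mac-address 0011.2233.44AA
interface GigabitEthernet1/0/3
 switchport port-security
 switchport port-security maximum 8
 switchport port-security mac-address 0011.2233.4403
"""
# Constructed SSP inventory: preauthorized MACs per LAN drop (2 = endpoint + computer on PC port, 3 = daisy chain).
SSP_INVENTORY = {
    "GigabitEthernet1/0/2": ["0011.2233.4402", "0011.2233.44aa"],
    "GigabitEthernet1/0/3": ["0011.2233.4403", "0011.2233.44b3", "0011.2233.44c3"],
}
EMPTY = {"enabled": False, "maximum": None, "macs": frozenset()}

def parse_port_security(config):
    """Map each interface name to its port-security state: enabled flag, maximum, static MACs."""
    ports, cur = {}, None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            cur = ports.setdefault(s.split(None, 1)[1], {**EMPTY, "macs": set()})
        elif cur is not None and s == "switchport port-security":
            cur["enabled"] = True
        elif cur is not None and (m := re.match(r"switchport port-security maximum (\d+)$", s)):
            cur["maximum"] = int(m.group(1))
        elif cur is not None and (m := re.match(r"switchport port-security mac-address (\S+)$", s)):
            cur["macs"].add(m.group(1).lower())
    return ports

def check_port(entry, authorized):
    """Findings for one port versus its SSP entry; an empty list means it matches the STIG settings."""
    expected, findings = {m.lower() for m in authorized}, []
    if not entry["enabled"]:  # static MAC entries are inert unless port-security is enabled
        findings.append("port-security not enabled")
    if entry["maximum"] != len(expected):
        findings.append(f"maximum {entry['maximum']} != {len(expected)} preauthorized devices")
    if entry["macs"] != expected:
        findings.append(f"static MACs {sorted(entry['macs'])} != SSP {sorted(expected)}")
    return findings

def audit(config=SAMPLE_CONFIG, inventory=SSP_INVENTORY):
    """Audit every SSP-listed port; a port absent from the config fails every check."""
    ports = parse_port_security(config)
    return {iface: check_port(ports.get(iface, EMPTY), macs) for iface, macs in inventory.items()}
```

Running `audit()` on the sample reports GigabitEthernet1/0/3 as a finding twice: its maximum is 8 rather than 3, and only one of the three daisy-chained MAC addresses is statically mapped.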
