Title

The hardware Voice Video Endpoint must apply 802.1Q VLAN tags to signaling and media traffic. (Cat II impact)

Discussion

When Voice Video Endpoints do not dynamically assign 802.1Q VLAN tags as data is created and combined, it is possible the VLAN tags will not correctly reflect the data type with which they are associated. VLAN tags are used as security attributes. These attributes are typically associated with signaling and media streams within the application and are used to enable the implementation of access control and flow control policies. Security labels for packets may include traffic flow information (e.g., source, destination, protocol combination), traffic classification based on QoS markings for preferred treatment, and VLAN identification. Virtualized networking is used to separate voice video traffic from other types of traffic, such as data, management, and other special types. VLANs provide segmentation at layer 2. Virtual Routing and Forwarding (VRF) provides segmentation at layer 3, and works with Multiprotocol Label Switching (MPLS) for enterprise and WAN environments. When VRF is used without MPLS, it is referred to as VRF lite. For Voice Video systems, subnets, VLANs, and VRFs are used to separate media and signaling streams from all other traffic.

Check Content

If the Voice Video Endpoint is not a hardware endpoint, this check procedure is Not Applicable. Verify the hardware Voice Video Endpoint applies 802.1Q VLAN tags to signaling and media traffic. If the hardware Voice Video Endpoint does not apply 802.1Q VLAN tags to signaling and media traffic, this is a finding.

Fix Text

Configure the hardware Voice Video Endpoint to apply 802.1Q VLAN tags to signaling and media traffic.

Additional Identifiers

Rule ID: SV-206807r604140_rule

Vulnerability ID: V-206807

Group Title: SRG-NET-000520

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.