Title

The IP-based VTC system must authenticate to an H.323 Gatekeeper or VVoIP session/call controller. (Cat II impact)

Discussion

An IP-based VTC system must authenticate itself to an H.323 Gatekeeper or VVoIP session/call controller for the purposes of access control, authorization, and WAN access bandwidth management. An H.323 Gatekeeper or VVoIP session/call controller is a dedicated device or application that controls the manner in which phone calls are initiated, conducted, and terminated and is often one of the main components in H.323 systems. It serves the purpose of Call Admission Control and translation services from E.164 IDs (commonly a phone number) to IP addresses in an H.323 telephony network. It also provides bandwidth control. In general, all VTC system management applications and application suites, including endpoint and MCU managers, gateways, gatekeepers, controllers, and scheduling systems must be operated on secure or hardened platforms and comply with all applicable DoD STIGs with specific emphasis on user accounts, roles/permissions, access control, and auditing.

Check Content

Review the system documentation and verify that an H.323 Gatekeeper and/or VVoIP session/call controller is in place and is configured to require authentication of endpoints. If there is no H.323 Gatekeeper or VVoIP session/call controller present; or it is not configured to require authentication of endpoints; or endpoints are not configured to authenticate with either, this is a finding.

Fix Text

Configure the endpoints and H.323 Gatekeeper or VVoIP session/call controller to authenticate endpoints.

Additional Identifiers

Rule ID: SV-55759r1_rule

Vulnerability ID: V-43030

Group Title: RTS-VTC 5040 [IP]

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.