Check: RTS-VTC 1240
Video Services Policy STIG: RTS-VTC 1240 (in versions v1 r12 through v1 r8)
Title
The IP-based VTC system must use H.235-based signaling encryption. (Cat II impact)
Discussion
An IP/H.323-based VTC system as a whole (including CODECs, MCUs, Gatekeepers, Gateways, firewall traversal border elements, etc.) must implement H.235-based signaling encryption. H.235 has been developed to help secure the signaling protocols used in the H.323 suite of protocols. H.235 uses the Advanced Encryption Standard (AES) for encryption and the Diffie-Hellman key exchange protocol for key exchange. AES is supported under H.235 version 3. Technical details of H.235 are set forth in the ITU-T Recommendation H.235.6 (2005), H.323 security: Voice encryption profile with native H.235/H.245 key management.
Check Content
Review the documentation to determine whether the VTC equipment supports H.235-based signaling encryption, and review the configuration of the equipment to verify that it is being implemented. If the equipment does not support H.235-based signaling encryption or it has not been implemented, this is a finding.
Fix Text
Obtain equipment that supports H.235-based signaling encryption and configure the equipment to implement encryption.
Additional Identifiers
Rule ID: SV-55764r1_rule
Vulnerability ID: V-43035
Group Title: RTS-VTC 1240 [IP]
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |