Check: VVoIP 5300
Voice Video Services Policy STIG:
VVoIP 5300
(in versions v3 r18 through v3 r15)
Title
The access switch must only allow a maximum of one registered MAC address per access port, except when the Voice Video Endpoint has an enabled PC port. (Cat II impact)
Discussion
Limiting the number of registered MAC addresses on a switch access port can help prevent a CAM table overflow attack. This type of attack lets an attacker exploit the hardware and memory limitations of a switch. If there are enough entries stored in a CAM table before the expiration of other entries, no new entries can be accepted into the CAM table. An attacker will be able to flood the switch with mostly invalid MAC addresses until the CAM table’s resources have been depleted. When there are no more resources, the switch has no choice but to flood all ports within the VLAN with all incoming traffic. This happens because the switch cannot find the switch port number for a corresponding MAC address within the CAM table, allowing the switch to become a hub and traffic to be monitored. Many Voice Video Endpoints provide an extra Ethernet port called a PC port that permits the endpoint and another device to share the same LAN drop. A Voice Video Endpoint can be added to a LAN without having to run additional cable or activate additional LAN drops; allowing a single LAN drop to support both the PC and the Voice Video Endpoint. Another initiative where a single LAN drop is shared is hot desking, where several people are assigned to work at the same desk at different times, each with their own laptop computer. In this case, a different MAC address needs to be permitted for each laptop that is supposed to connect to the LAN drop in the workspace. Additionally, this workspace could contain a single phone used by all assignees and the PC port on it might be the connection for their laptop.
Check Content
Review the site documentation to confirm the access switch only allows a maximum of one registered MAC address per access port, except when the Voice Video Endpoint has an enabled PC port. Verify that each access switch port supporting Voice Video Endpoints is configured supporting 802.1x. The 802.1x configuration may be set to be single-host (the default), multi-domain (for Voice Video Endpoints with a PC port), or multi-auth (each PC connected to a hub must authenticate). However, host mode as multi-host, which allows only one has to authenticate while other PCs connected to the same hub can piggyback is not permitted. If the 802.1x access port is configured host mode as multi-host, this is a finding. If the 802.1x access port is configured single-host (the default), multi-domain (for Voice Video Endpoints with a PC port), or multi-auth (each PC connected to a hub must authenticate), this is not a finding. If the static access port is connected to a Voice Video Endpoint with an enabled PC port, this is a finding. If the static access port is connected to a Voice Video Endpoint with more than one registered MAC address, this is a finding.
Fix Text
Implement and document the access switch only allows a maximum of one registered MAC address per access port, except when the Voice Video Endpoint has an enabled PC port. When 802.1x is implemented on the access switch port, the configuration may be set to be single-host (the default), multi-domain (for Voice Video Endpoints with a PC port), or multi-auth (each PC connected to a hub must authenticate). However, host mode as multi-host, which allows only one, has to authenticate while other PCs connected to the same hub can piggyback is not permitted. When static MAC addresses are used, configure the attached Voice Video Endpoint with the PC port disabled. See the Voice Video Endpoint SRG for additional information.
Additional Identifiers
Rule ID: SV-21793r4_rule
Vulnerability ID: V-19652
Group Title: VVoIP 5300
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |