SV-18874r2_rule
V-17700
RTS-VTC 2840.00 [IP][ISDN]
RTS-VTC 2840.00
CAT II
10
[IP][ISDN]; Perform the following tasks:
Purchase and implement VTC CODECs and AV control panels that support the encryption and authentication of API messages from the AV control panel.
AND
Configure VTC CODEC to only accept authenticated and encrypted API messages from the AV control panel.
AND
Configure the AV control panel to encrypt its control messages and to include authentication information for each message such that the CODEC can authenticate the source of the message before acting upon it.
[IP][ISDN]; Validate compliance with the following requirement:
Ensure control command communications between a CODEC and an audio visual control panel (touch panel), implemented using a wired or wireless networking technology or via a wired network (i.e., LAN), are encrypted and that the CODEC authenticates the source of the commands.
Note: This finding can be reduced to a CAT III (as opposed to not a finding) for direct connections using the Ethernet connection on the CODEC. This is because, in this case, direct connection is only a partial mitigation, since there is the potential that the VTU could still be connected to a LAN.
Note: This is not a finding for direct connections using the EIA-232 serial connection on the CODEC.
Determine if the API connection between a CODEC and its AV control panel is via wired or wireless networking technology or a LAN. This is a finding if the control panel does not encrypt its commands and the CODEC does not authenticate the source of the commands. Have the SA demonstrate, or inspect, the CODEC’s configuration settings regarding the encryption and authentication methods for the API communications with the AV control panel.
V-17700
False
RTS-VTC 2840.00
RTS-VTC 2840.00
I
Unencrypted and unauthorized access to the CODEC via an API Ethernet or wireless connection by unauthorized individuals could lead to the disclosure of sensitive or classified information to individuals who may not have an appropriate need-to-know or proper security clearance.
Use the direct connect method using the EIA-232 serial connection between the CODEC and the AV control panel.
Information Assurance Officer
1418