STIGQter: STIG Summary: Video Services Policy STIG, Version 1, Release 11, Benchmark Date: 24 Apr 2020

VTC systems must be logically or physically segregated on the LAN from data systems, other non-integrated voice communication (VoIP) systems, and by VTC system type.

DISA Rule

SV-18887r3_rule

Vulnerability Number

V-17713

Group Title

RTS-VTC 4120

Rule Version

RTS-VTC 4120.00

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Implement VTC systems so that they are logically or physically segregated on the LAN from data systems, voice (VoIP) systems, and by VTC system type. Design dedicated LAN infrastructure and IP address space for the VTC endpoints, or implement a pruned and closed VLAN that is separate from the VLANs assigned to data systems and voice (VoIP) systems.

Implement a separate IP address subnet for the VTC systems separate from the IP address subnet assigned to data systems and other non-integrated voice communications (VoIP) systems.

Configure ACLs on each routing device in the LAN to limit traffic that needs to cross between the VTC VLANs and the data or management VLAN to authorized traffic based on the service or authorized IP address.

Check Contents

Review site documentation to confirm VTC systems are logically or physically segregated on the LAN from data systems, voice (VoIP) systems, and by VTC system type as follows:
- Verify that there is a dedicated LAN infrastructure and IP address space for the VTC endpoints,
  OR
- Verify that there is a pruned and closed VLAN/IP subnet structure and dedicated IP address space on the LAN for the VTC system(s) that is (are) separate from the VLAN and IP address space/IP subnet structure(s) assigned to data systems and other non-integrated voice communications (VoIP) systems.
- Verify that VTC systems are segregated on the LAN from themselves and other LAN services as follows:
  - Primary conference room systems
  - Hardware-based desktop and office VTUs
    - Exception 1: If integrated with the VoIP phone system, these devices may connect to the VoIP system VLAN structure.
    - Exception 2: If part of an overall managed VTC network within the enclave, or if hardware-based desktop and office VTUs must communicate with the conference room systems within the enclave, these devices may connect to the conference room VLAN structure.
  - Local MCUs and VTU configuration management/control servers must reside in the VTC VLAN and IP subnet with the devices they manage or conference.
  - If WAN access is required, the VLAN(s) or dedicated infrastructure can be extended to the enclave boundary.

If any of these criteria apply and are not implemented, this is a finding.
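The fix recommendation and the check criteria above can be turned into a repeatable audit: model the site's VLAN/subnet plan, device inventory and inter-VLAN ACL, then test each criterion (separate VTC address space, VTC device types on their own VLANs with the two desktop-VTU exceptions, MCUs co-located with what they manage, and only authorized services permitted across the VTC/data boundary). The following is an added example written for this page, not STIGQter or DISA code; the device names, VLAN IDs, subnets, ACL entries and the authorized-service list are constructed sample data, and the role/purpose names are assumptions of the model.

```python
"""Audit model for the RTS-VTC 4120 segregation criteria.

Added illustration, not STIGQter or DISA code. Device roles, VLAN IDs,
subnets, the ACL and the authorized-service list are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

VTC_PURPOSES = {"vtc_room", "vtc_desktop"}   # VLAN purposes that count as "VTC"


@dataclass(frozen=True)
class Subnet:
    vlan: int
    cidr: str
    purpose: str                  # "data", "voip", "vtc_room" or "vtc_desktop"


@dataclass(frozen=True)
class Device:
    name: str
    role: str                     # "data", "voip", "vtc_room", "vtc_desktop" or "mcu"
    vlan: int
    ip: str
    managed_by: Optional[str] = None   # name of the MCU / management server (VTC roles only)


@dataclass(frozen=True)
class AclEntry:
    action: str                   # "permit" or "deny"
    src_vlan: int
    dst_vlan: int
    proto: str                    # "tcp", "udp" or "ip"
    dst_port: Optional[int]       # None = any port


def allowed_purposes(role: str, desktop_on_voip: bool, desktop_with_rooms: bool) -> Set[str]:
    """VLAN purposes a device of this role may sit on, applying the two exceptions
    the check content grants to hardware-based desktop and office VTUs."""
    if role == "vtc_desktop":
        allowed = {"vtc_desktop"}
        if desktop_on_voip:       # Exception 1: integrated with the VoIP phone system
            allowed.add("voip")
        if desktop_with_rooms:    # Exception 2: managed with / must talk to room systems
            allowed.add("vtc_room")
        return allowed
    if role == "mcu":             # an MCU lives in the VTC VLAN of the devices it serves
        return set(VTC_PURPOSES)
    return {role}                 # data, VoIP and room systems stay on their own VLAN type


def check_segregation(subnets, devices, acl, authorized_services,
                      desktop_on_voip=False, desktop_with_rooms=False) -> List[str]:
    """Return one finding string per violated criterion; an empty list means compliant."""
    findings: List[str] = []
    nets = {s.vlan: (ipaddress.ip_network(s.cidr), s.purpose) for s in subnets}

    # Criterion: VTC address space is separate from data and VoIP address space.
    for v_net, v_purpose in nets.values():
        for o_net, o_purpose in nets.values():
            if v_purpose in VTC_PURPOSES and o_purpose not in VTC_PURPOSES and v_net.overlaps(o_net):
                findings.append(f"VTC subnet {v_net} overlaps {o_purpose} subnet {o_net}")

    by_name = {d.name: d for d in devices}
    for d in devices:
        net, purpose = nets[d.vlan]
        # Criterion: the device really sits in the subnet assigned to its VLAN.
        if ipaddress.ip_address(d.ip) not in net:
            findings.append(f"{d.name}: {d.ip} is outside VLAN {d.vlan} subnet {net}")
        # Criterion: VTC system types are segregated from data, VoIP and each other.
        if purpose not in allowed_purposes(d.role, desktop_on_voip, desktop_with_rooms):
            findings.append(f"{d.name} ({d.role}) is on VLAN {d.vlan} ({purpose}) and is not segregated")
        # Criterion: MCUs / management servers share the VLAN of the devices they manage.
        if d.managed_by is not None and by_name[d.managed_by].vlan != d.vlan:
            findings.append(f"{d.name} on VLAN {d.vlan} is managed by {d.managed_by} "
                            f"on VLAN {by_name[d.managed_by].vlan}")

    # Criterion: traffic crossing the VTC / data boundary is limited to authorized services.
    for e in acl:
        sides = {nets[e.src_vlan][1] in VTC_PURPOSES, nets[e.dst_vlan][1] in VTC_PURPOSES}
        crosses_boundary = sides == {True, False}
        if e.action == "permit" and crosses_boundary and (e.proto, e.dst_port) not in authorized_services:
            findings.append(f"ACL permits {e.proto}/{e.dst_port or 'any'} from VLAN {e.src_vlan} "
                            f"to VLAN {e.dst_vlan}: not an authorized service")
    return findings


# Constructed sample site: one data VLAN, one VoIP VLAN, two VTC VLANs.
SUBNETS = [Subnet(10, "10.10.0.0/24", "data"), Subnet(20, "10.20.0.0/24", "voip"),
           Subnet(30, "10.30.0.0/24", "vtc_room"), Subnet(31, "10.31.0.0/24", "vtc_desktop")]
AUTHORIZED = {("tcp", 443)}   # constructed: only HTTPS management may cross from the data VLAN


def as_found() -> List[str]:
    """Inventory as documented before remediation: two findings expected."""
    devices = [Device("pc1", "data", 10, "10.10.0.5"),
               Device("phone1", "voip", 20, "10.20.0.5"),
               Device("mcu1", "mcu", 30, "10.30.0.2"),
               Device("room1", "vtc_room", 30, "10.30.0.10", managed_by="mcu1"),
               Device("desk1", "vtc_desktop", 31, "10.31.0.10", managed_by="mcu1")]
    acl = [AclEntry("permit", 10, 30, "tcp", 443),
           AclEntry("permit", 10, 31, "ip", None),      # blanket permit into the desktop VTU VLAN
           AclEntry("deny", 10, 30, "ip", None)]
    return check_segregation(SUBNETS, devices, acl, AUTHORIZED)


def after_fix() -> List[str]:
    """desk1 moved into the room VLAN under Exception 2; blanket permit removed."""
    devices = [Device("pc1", "data", 10, "10.10.0.5"),
               Device("phone1", "voip", 20, "10.20.0.5"),
               Device("mcu1", "mcu", 30, "10.30.0.2"),
               Device("room1", "vtc_room", 30, "10.30.0.10", managed_by="mcu1"),
               Device("desk1", "vtc_desktop", 30, "10.30.0.11", managed_by="mcu1")]
    acl = [AclEntry("permit", 10, 30, "tcp", 443),
           AclEntry("deny", 10, 30, "ip", None)]
    return check_segregation(SUBNETS, devices, acl, AUTHORIZED, desktop_with_rooms=True)


if __name__ == "__main__":
    for label, result in (("as found", as_found()), ("after fix", after_fix())):
        print(f"{label}: {'no findings' if not result else ''}")
        for f in result:
            print("  FINDING:", f)
```

Run as a script, the "as found" inventory reports that the desktop VTU is on a different VLAN from the MCU that manages it and that the ACL lets any protocol from the data VLAN into the desktop VTU VLAN; the "after fix" inventory returns no findings. The exception flags are deliberately explicit parameters so that an auditor records which of the two exceptions the site is relying on rather than the check silently allowing either.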

Documentable

False

Severity Override Guidance

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

1418

Comments