Unified Communications Session Management Security Requirements Guide

  • Version/Release: V1R0.1
  • Published: 2023-07-28

This Security Requirement Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
The Unified Communications Session Manager must automatically disable user accounts after a 35-day period of account inactivity.
AC-2 - Medium - CCI-000017 - SRG-NET-000004-VVSM-00101 - SRG-NET-000004-VVSM-00101_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-000017
Version
SRG-NET-000004-VVSM-00101
Vuln IDs
  • SRG-NET-000004-VVSM-00101
Rule IDs
  • SRG-NET-000004-VVSM-00101_rule
Attackers that are able to exploit an inactive account can potentially obtain and maintain undetected access to an application. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. Unified Communications Session Managers must track periods of user inactivity and disable accounts after 35 days of inactivity. Such a process greatly reduces the risk that accounts will be misused, hijacked, or data compromised. DOD has determined that 35 days is the appropriate period of inactivity for inactive accounts. This requirement therefore applies to systems that manage accounts on a per-user basis.
Checks: C-SRG-NET-000004-VVSM-00101_chk

Verify the Unified Communications Session Manager automatically disables Voice Video Endpoint user access after a 35-day period of account inactivity. This requirement refers to users rather than endpoints. If the Unified Communications Session Manager does not automatically disable Voice Video Endpoint user access after a 35-day period of account inactivity, this is a finding.

Fix: F-SRG-NET-000004-VVSM-00101_fix

Configure the Unified Communications Session Manager to automatically disable Voice Video Endpoint user access after a 35-day period of account inactivity.

The Unified Communications Session Manager must display the Standard Mandatory DOD Notice and Consent Banner before granting access to management sessions.
AC-8 - Medium - CCI-000048 - SRG-NET-000041-VVSM-00101 - SRG-NET-000041-VVSM-00101_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000048
Version
SRG-NET-000041-VVSM-00101
Vuln IDs
  • SRG-NET-000041-VVSM-00101
Rule IDs
  • SRG-NET-000041-VVSM-00101_rule
Display of a standardized and approved use notification before granting access to the network ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. This requirement applies to network elements that have the concept of a user account and have the logon function residing on the network element. The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for network elements that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't."
Checks: C-SRG-NET-000041-VVSM-00101_chk

Verify the Unified Communications Session Manager displays the Standard Mandatory DOD Notice and Consent Banner before granting access to management sessions. If the Unified Communications Session Manager does not display the Standard Mandatory DOD Notice and Consent Banner before granting access to management sessions, this is a finding.

Fix: F-SRG-NET-000041-VVSM-00101_fix

Configure the Unified Communications Session Manager to display the Standard Mandatory DOD Notice and Consent Banner before granting access to management sessions.

The Unified Communications Session Manager must retain the Standard Mandatory DOD Notice and Consent Banner on the screen for management sessions until admins acknowledge the usage conditions and take explicit actions to log on for further access.
AC-8 - Medium - CCI-000050 - SRG-NET-000042-VVSM-00101 - SRG-NET-000042-VVSM-00101_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000050
Version
SRG-NET-000042-VVSM-00101
Vuln IDs
  • SRG-NET-000042-VVSM-00101
Rule IDs
  • SRG-NET-000042-VVSM-00101_rule
The banner must be acknowledged by the user prior to allowing the user access to the network. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DOD will not be in compliance with system use notifications required by law. To establish acceptance of the application usage policy, a click-through banner at application logon is required. The network element must prevent further activity until the user executes a positive action to manifest agreement by clicking on a box indicating "OK". This requirement applies to network elements that have the concept of a user account and have the logon function residing on the network element.
Checks: C-SRG-NET-000042-VVSM-00101_chk

Verify the Unified Communications Session Manager retains the Standard Mandatory DOD Notice and Consent Banner for management sessions until the admins acknowledge the conditions. If the Unified Communications Session Manager does not retain the Standard Mandatory DOD Notice and Consent Banner until the admins acknowledge the conditions, this is a finding.

Fix: F-SRG-NET-000042-VVSM-00101_fix

Configure the Unified Communications Session Manager to retain the Standard Mandatory DOD Notice and Consent Banner for management sessions until the admins acknowledge the conditions.

The Unified Communications Session Manager must limit the number of concurrent management sessions to three sessions.
AC-10 - Medium - CCI-000054 - SRG-NET-000053-VVSM-00101 - SRG-NET-000053-VVSM-00101_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
SRG-NET-000053-VVSM-00101
Vuln IDs
  • SRG-NET-000053-VVSM-00101
Rule IDs
  • SRG-NET-000053-VVSM-00101_rule
Network element management includes the ability to control the number of users and user sessions that use a network element. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to DoS attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system. This applies to network elements that have the concept of a user account and have the login function residing on the network element.
Checks: C-SRG-NET-000053-VVSM-00101_chk

Verify the Unified Communications Session Manager limits the number of concurrent management sessions. If the Unified Communications Session Manager does not limit the number of concurrent management sessions, this is a finding.

Fix: F-SRG-NET-000053-VVSM-00101_fix

Configure the Unified Communications Session Manager to limit the number of concurrent management sessions.

The Unified Communications Session Manager must use TLS 1.2 or greater to protect the confidentiality of remote access.
AC-17 - High - CCI-000068 - SRG-NET-000062-VVSM-00010 - SRG-NET-000062-VVSM-00010_rule
RMF Control
AC-17
Severity
High
CCI
CCI-000068
Version
SRG-NET-000062-VVSM-00010
Vuln IDs
  • SRG-NET-000062-VVSM-00010
Rule IDs
  • SRG-NET-000062-VVSM-00010_rule
Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. This requirement applies to TLS gateways (also known as SSL gateways). Application protocols such as HTTPS, SFTP, and others use TLS as the underlying security protocol and thus are in scope for this requirement. NIST SP 800-52 provides guidance for client negotiation on either DOD-only or public-facing servers.
Checks: C-SRG-NET-000062-VVSM-00010_chk

Verify the Unified Communications Session Manager uses TLS 1.2 or greater to protect the confidentiality of remote access. If the Unified Communications Session Manager does not use TLS 1.2 or greater, this is a finding.

Fix: F-SRG-NET-000062-VVSM-00010_fix

Configure the Unified Communications Session Manager to use TLS 1.2 or greater to protect the confidentiality of remote access.

The Unified Communications Session Manager must produce session (call) records containing the type of session connection.
AU-3 - Medium - CCI-000130 - SRG-NET-000074-VVSM-00101 - SRG-NET-000074-VVSM-00101_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SRG-NET-000074-VVSM-00101
Vuln IDs
  • SRG-NET-000074-VVSM-00101
Rule IDs
  • SRG-NET-000074-VVSM-00101_rule
Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible. Session records are generated from several components within the Voice Video system (e.g., session manager, session border control, gateway, gatekeeper, or endpoints). Session record content that may be necessary to satisfy this requirement includes, for example, type of connection, connection origination, time stamps, outcome, user identities, and user identifiers. Additionally, an adversary must not be able to modify or delete session records.
Checks: C-SRG-NET-000074-VVSM-00101_chk

Verify the Unified Communications Session Manager produces session records containing the type of session connection. If the Unified Communications Session Manager does not produce session records containing the type of session connection, this is a finding.

Fix: F-SRG-NET-000074-VVSM-00101_fix

Configure the Unified Communications Session Manager to produce session records containing the type of session connection.

The Unified Communications Session Manager must produce session (call) records containing timestamps (date and time) for all session connections.
AU-3 - Medium - CCI-000131 - SRG-NET-000075-VVSM-00101 - SRG-NET-000075-VVSM-00101_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000131
Version
SRG-NET-000075-VVSM-00101
Vuln IDs
  • SRG-NET-000075-VVSM-00101
Rule IDs
  • SRG-NET-000075-VVSM-00101_rule
Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible. Session records are generated from several components within the Voice Video system (e.g., session manager, session border control, gateway, gatekeeper, or endpoints). Session record content that may be necessary to satisfy this requirement includes, for example, type of connection, connection origination, time stamps, outcome, user identities, and user identifiers. Additionally, an adversary must not be able to modify or delete session records.
Checks: C-SRG-NET-000075-VVSM-00101_chk

Verify the Unified Communications Session Manager produces session records containing when (date and time) the connection was established and terminated. If the Unified Communications Session Manager does not produce session records containing timestamps (date and time) for all session connections, this is a finding.

Fix: F-SRG-NET-000075-VVSM-00101_fix

Configure the Unified Communications Session Manager to produce session records containing when (date and time) the connection was established and terminated.

The Unified Communications Session Manager must produce session (call) records containing where (location) the connection originated.
AU-3 - Medium - CCI-000132 - SRG-NET-000076-VVSM-00101 - SRG-NET-000076-VVSM-00101_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000132
Version
SRG-NET-000076-VVSM-00101
Vuln IDs
  • SRG-NET-000076-VVSM-00101
Rule IDs
  • SRG-NET-000076-VVSM-00101_rule
Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible. Session records are generated from several components within the Voice Video system (e.g., session manager, session border control, gateway, gatekeeper, or endpoints). Session record content that may be necessary to satisfy this requirement includes, for example, type of connection, connection origination, time stamps, outcome, user identities, and user identifiers. Additionally, an adversary must not be able to modify or delete session records.
Checks: C-SRG-NET-000076-VVSM-00101_chk

Verify the Unified Communications Session Manager produces session records containing where (location) the connection originated. If the Unified Communications Session Manager does not produce session records containing where (location) the connection originated, this is a finding.

Fix: F-SRG-NET-000076-VVSM-00101_fix

Configure the Unified Communications Session Manager to produce session records containing where (location) the connection originated.

The Unified Communications Session Manager must produce session (call) records containing the identity of the initiator of the call.
AU-3 - Medium - CCI-000133 - SRG-NET-000077-VVSM-00101 - SRG-NET-000077-VVSM-00101_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000133
Version
SRG-NET-000077-VVSM-00101
Vuln IDs
  • SRG-NET-000077-VVSM-00101
Rule IDs
  • SRG-NET-000077-VVSM-00101_rule
Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible. Session records are generated from several components within the Voice Video system (e.g., session manager, session border control, gateway, gatekeeper, or endpoints). Session record content that may be necessary to satisfy this requirement includes, for example, type of connection, connection origination, time stamps, outcome, user identities, and user identifiers. Additionally, an adversary must not be able to modify or delete session records.
Checks: C-SRG-NET-000077-VVSM-00101_chk

Verify the Unified Communications Session Manager produces session records containing the identity of the initiator of the call. The identity of the initiator of the call in this context would be the device ID or the MAC or IP address. For Unified Communications Session Managers that have the concept of a user rather than a device, this requirement is not applicable. If the Unified Communications Session Manager does not produce session records containing the identity of the initiator of the call, this is a finding.

Fix: F-SRG-NET-000077-VVSM-00101_fix

Configure the Unified Communications Session Manager to produce session records containing the identity of the initiator of the call.

The Unified Communications Session Manager must produce session (call) records containing the outcome (status) of the connection.
AU-3 - Medium - CCI-000134 - SRG-NET-000078-VVSM-00101 - SRG-NET-000078-VVSM-00101_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000134
Version
SRG-NET-000078-VVSM-00101
Vuln IDs
  • SRG-NET-000078-VVSM-00101
Rule IDs
  • SRG-NET-000078-VVSM-00101_rule
Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible. Session records are generated from several components within the Voice Video system (e.g., session manager, session border control, gateway, gatekeeper, or endpoints). Session record content that may be necessary to satisfy this requirement includes, for example, type of connection, connection origination, time stamps, outcome, user identities, and user identifiers. Additionally, an adversary must not be able to modify or delete session records.
Checks: C-SRG-NET-000078-VVSM-00101_chk

Verify the Unified Communications Session Manager produces session records containing the outcome (status) of the connection. The outcome or status of a call includes call completed normally, busy endpoint, busy network, preempted, or other pertinent description. If the Unified Communications Session Manager does not produce session records containing the outcome (status) of the connection, this is a finding.

Fix: F-SRG-NET-000078-VVSM-00101_fix

Configure the Unified Communications Session Manager to produce session records containing the outcome (status) of the connection.
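As an added example for the session-record requirements above (SRG-NET-000074 through SRG-NET-000078), not part of the SRG and not any vendor's call detail record format, the following check reads constructed JSON-lines session records and reports which required content (connection type, establish/terminate timestamps, origination, initiator identity, outcome) is absent or inconsistent. The key names are assumptions chosen for the sample.

```python
import json
from datetime import datetime
from typing import Dict, Iterable, List

# Record content the SRG session-record requirements call for. The key names
# are an assumption for the constructed sample, not a vendor's CDR schema.
REQUIRED_FIELDS = {
    "connection_type": "type of session connection",
    "start_time": "timestamp (date and time) when the connection was established",
    "end_time": "timestamp (date and time) when the connection was terminated",
    "origin_location": "where (location) the connection originated",
    "initiator_id": "identity of the initiator (device ID, MAC or IP address)",
    "outcome": "outcome (status) of the connection",
}


def _parse_timestamp(value):
    """Accept ISO 8601 with a trailing Z; return None when absent or unparseable."""
    if not isinstance(value, str):
        return None
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None


def check_record(rec: dict) -> List[str]:
    """Return findings for one session record; an empty list means it is complete."""
    findings = []
    for key, description in REQUIRED_FIELDS.items():
        if rec.get(key) in (None, ""):
            findings.append(f"missing {description} [{key}]")
    start = _parse_timestamp(rec.get("start_time"))
    end = _parse_timestamp(rec.get("end_time"))
    if rec.get("start_time") and start is None:
        findings.append("start_time is not a parseable timestamp")
    if rec.get("end_time") and end is None:
        findings.append("end_time is not a parseable timestamp")
    if start and end and end < start:
        findings.append("end_time precedes start_time")
    return findings


def check_session_log(lines: Iterable[str]) -> Dict[int, List[str]]:
    """Map each 1-based line number to its findings; unparseable lines are findings too."""
    results: Dict[int, List[str]] = {}
    for lineno, line in enumerate(lines, start=1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            results[lineno] = ["record is not valid JSON"]
            continue
        if not isinstance(rec, dict):
            results[lineno] = ["record is not a JSON object"]
            continue
        results[lineno] = check_record(rec)
    return results


def noncompliant_lines(results: Dict[int, List[str]]) -> List[int]:
    """Line numbers whose record would be a finding under the check text."""
    return sorted(n for n, f in results.items() if f)


# Constructed sample records (not captured from a real system).
SAMPLE_LOG = [
    '{"connection_type": "sip-voice", "start_time": "2023-06-01T14:02:11Z", '
    '"end_time": "2023-06-01T14:05:40Z", "origin_location": "Bldg 12/VLAN 210", '
    '"initiator_id": "00:1a:2b:3c:4d:5e", "outcome": "completed"}',
    # second record lacks the initiator identity and its end time precedes its start
    '{"connection_type": "sip-video", "start_time": "2023-06-01T15:00:00Z", '
    '"end_time": "2023-06-01T14:59:00Z", "origin_location": "Bldg 4", '
    '"outcome": "busy endpoint"}',
    "CDR export truncated",
]

if __name__ == "__main__":
    for lineno, findings in check_session_log(SAMPLE_LOG).items():
        print(lineno, findings or "ok")
```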

The Unified Communications Session Manager must alert the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of a session (call) record system failure.
AU-5 - Medium - CCI-000139 - SRG-NET-000088-VVSM-00101 - SRG-NET-000088-VVSM-00101_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-000139
Version
SRG-NET-000088-VVSM-00101
Vuln IDs
  • SRG-NET-000088-VVSM-00101
Rule IDs
  • SRG-NET-000088-VVSM-00101_rule
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process session records. Without this notification, the security personnel may be unaware of an impending failure of the session record capability. Session record processing failures include software/hardware errors, failures in the capturing mechanisms, and storage capacity being reached or exceeded. This requirement applies to each session record data storage repository (i.e., distinct information system component where session records are stored), the centralized session record storage capacity of organizations (i.e., all session record data storage repositories combined), or both.
Checks: C-SRG-NET-000088-VVSM-00101_chk

Verify the Unified Communications Session Manager alerts the ISSO and SA (at a minimum) in the event of a session record system failure. If the Unified Communications Session Manager does not alert the ISSO and SA (at a minimum) in the event of a session record system failure, this is a finding.

Fix: F-SRG-NET-000088-VVSM-00101_fix

Configure the Unified Communications Session Manager to alert the ISSO and SA (at a minimum) in the event of a session record system failure.

The Unified Communications Session Manager must protect session (call) records from unauthorized read access.
AU-9 - Medium - CCI-000162 - SRG-NET-000098-VVSM-00101 - SRG-NET-000098-VVSM-00101_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
SRG-NET-000098-VVSM-00101
Vuln IDs
  • SRG-NET-000098-VVSM-00101
Rule IDs
  • SRG-NET-000098-VVSM-00101_rule
Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element. Thus, it is imperative that the collected log data from the various network elements, as well as the auditing tools, be secured and can only be accessed by authorized personnel.
Checks: C-SRG-NET-000098-VVSM-00101_chk

Verify the Unified Communications Session Manager protects session records from unauthorized read access. If the Unified Communications Session Manager does not protect session records from unauthorized read access, this is a finding.

Fix: F-SRG-NET-000098-VVSM-00101_fix

Configure the Unified Communications Session Manager to protect session records from unauthorized read access.

The Unified Communications Session Manager must protect session (call) records from unauthorized modification.
AU-9 - Medium - CCI-000163 - SRG-NET-000099-VVSM-00101 - SRG-NET-000099-VVSM-00101_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000163
Version
SRG-NET-000099-VVSM-00101
Vuln IDs
  • SRG-NET-000099-VVSM-00101
Rule IDs
  • SRG-NET-000099-VVSM-00101_rule
If session records were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of session records, the information system and/or the application must protect session information from unauthorized modification. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files receive the proper file system permissions and limiting log data locations.
Checks: C-SRG-NET-000099-VVSM-00101_chk

Verify the Unified Communications Session Manager protects session records from unauthorized modification. If the Unified Communications Session Manager does not protect session records from unauthorized modification, this is a finding.

Fix: F-SRG-NET-000099-VVSM-00101_fix

Configure the Unified Communications Session Manager to protect session records from unauthorized modification.

The Unified Communications Session Manager must protect session (call) records from unauthorized deletion.
AU-9 - Medium - CCI-000164 - SRG-NET-000100-VVSM-00101 - SRG-NET-000100-VVSM-00101_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000164
Version
SRG-NET-000100-VVSM-00101
Vuln IDs
  • SRG-NET-000100-VVSM-00101
Rule IDs
  • SRG-NET-000100-VVSM-00101_rule
If session records were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of session records, the information system and/or the application must protect session information from unauthorized modification. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files receive the proper file system permissions and limiting log data locations.
Checks: C-SRG-NET-000100-VVSM-00101_chk

Verify the Unified Communications Session Manager protects session records from unauthorized deletion. If the Unified Communications Session Manager does not protect session records from unauthorized deletion, this is a finding.

Fix: F-SRG-NET-000100-VVSM-00101_fix

Configure the Unified Communications Session Manager to protect session records from unauthorized deletion.

The Unified Communications Session Manager must produce session (call) records for events determined to be significant and relevant by local policy.
AU-12 - Medium - CCI-000169 - SRG-NET-000113-VVSM-00101 - SRG-NET-000113-VVSM-00101_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000169
Version
SRG-NET-000113-VVSM-00101
Vuln IDs
  • SRG-NET-000113-VVSM-00101
Rule IDs
  • SRG-NET-000113-VVSM-00101_rule
Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible. Session records are generated from several components within the Voice Video system (e.g., session manager, session border control, gateway, gatekeeper, or endpoints). Session record content that may be necessary to satisfy this requirement includes, for example, type of connection, connection origination, time stamps, outcome, user identities, and user identifiers. Additionally, an adversary must not be able to modify or delete session records.
Checks: C-SRG-NET-000113-VVSM-00101_chk

Verify the Unified Communications Session Manager produces session records for events determined to be significant and relevant by local policy. If the Unified Communications Session Manager does not produce session records for events determined to be significant and relevant by local policy, this is a finding.

Fix: F-SRG-NET-000113-VVSM-00101_fix

Configure the Unified Communications Session Manager to produce session records for events determined to be significant and relevant by local policy.

The Unified Communications Session Manager must generate session (call) records when concurrent logons from multiple endpoints occur.
AU-12 - Medium - CCI-000172 - SRG-NET-000506-VVSM-00010 - SRG-NET-000506-VVSM-00010_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
SRG-NET-000506-VVSM-00010
Vuln IDs
  • SRG-NET-000506-VVSM-00010
Rule IDs
  • SRG-NET-000506-VVSM-00010_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). This requirement only applies to components where this is specific to the function of the device, such as application layer gateway (ALG), which provides these access control and auditing functions on behalf of an application. This does not apply to audit logs generated on behalf of the device itself (management).
Checks: C-SRG-NET-000506-VVSM-00010_chk

Verify the Unified Communications Session Manager is configured to generate session (call) records when concurrent logons from multiple endpoints occur. If the Unified Communications Session Manager is not configured to generate session (call) records when concurrent logons from multiple endpoints occur, this is a finding.

Fix: F-SRG-NET-000506-VVSM-00010_fix

Configure the Unified Communications Session Manager to generate session (call) records when concurrent logons from multiple endpoints occur.

When using locally stored user accounts, the Unified Communications Session Manager must generate audit records for all account creations, modifications, disabling, and termination events.
AU-12 - Medium - CCI-000172 - SRG-NET-000509-VVSM-00010 - SRG-NET-000509-VVSM-00010_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
SRG-NET-000509-VVSM-00010
Vuln IDs
  • SRG-NET-000509-VVSM-00010
Rule IDs
  • SRG-NET-000509-VVSM-00010_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). This requirement only applies to components where this is specific to the function of the device, such as application layer gateway (ALG), which provides these access control and auditing functions on behalf of an application. This does not apply to audit logs generated on behalf of the device itself (management).
Checks: C-SRG-NET-000509-VVSM-00010_chk

Verify the Unified Communications Session Manager, when using locally stored user accounts, is configured to generate audit records for all account creation, modification, disabling, and termination events. If the Unified Communications Session Manager is not configured to generate audit records for all account creation, modification, disabling, and termination events, this is a finding.

Fix: F-SRG-NET-000509-VVSM-00010_fix

When using locally stored user accounts, configure the Unified Communications Session Manager to generate audit records for all account creation, modification, disabling, and termination events.

When using PKI, the Unified Communications Session Manager must validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation.
IA-5 - Medium - CCI-000185 - SRG-NET-000580-VVSM-00010 - SRG-NET-000580-VVSM-00010_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000185
Version
SRG-NET-000580-VVSM-00010
Vuln IDs
  • SRG-NET-000580-VVSM-00010
Rule IDs
  • SRG-NET-000580-VVSM-00010_rule
A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. Certification path validation includes checks such as certificate issuer trust, time validity, and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses.
Checks: C-SRG-NET-000580-VVSM-00010_chk

Verify the Unified Communications Session Manager, when using PKI, is configured to validate certificates using RFC 5280 path validation. If the Unified Communications Session Manager is not configured to validate certificates using RFC 5280 path validation, this is a finding.

Fix: F-SRG-NET-000580-VVSM-00010_fix

Configure the Unified Communications Session Manager, when using PKI, to validate certificates using RFC 5280 path validation.

When using locally stored user accounts, the Unified Communications Session Manager must store only cryptographic representations of passwords.
IA-5 - Medium - CCI-000196 - SRG-NET-000522-VVSM-00010 - SRG-NET-000522-VVSM-00010_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000196
Version
SRG-NET-000522-VVSM-00010
Vuln IDs
  • SRG-NET-000522-VVSM-00010
Rule IDs
  • SRG-NET-000522-VVSM-00010_rule
If passwords and PSKs are not encrypted when stored, they may be read if the storage location is compromised. Note that DOD requires the use of two-factor, CAC-enabled authentication, and the use of passwords incurs a permanent finding. Passwords should be used only in limited situations. Examples of situations where a user ID and password might be used include:
- When the user does not use a CAC and is not a current DOD employee, member of the military, or DOD contractor.
- When a user has been officially designated as temporarily unable to present a CAC for some reason (lost, damaged, not yet issued, broken card reader) (i.e., a Temporary Exception User) and, to satisfy urgent organizational needs, must be temporarily permitted to use user ID/password authentication until the problem with CAC use has been remedied.
- When the application is publicly available and/or hosting publicly releasable data requiring some degree of need-to-know protection.
If the password is already encrypted and not a plaintext password, this meets the requirement. Implementation of this requirement requires configuration of a FIPS-approved cipher block algorithm and block cipher modes for encryption. This method uses a one-way hashing algorithm with a salt value to validate a user's password without having to store the actual password. Performance and the time required to access are factors that must be considered, and the one-way hash is the most feasible means of securing the password while providing an acceptable measure of password security. Verifying that the user knows a password is performed using a password verifier. In its simplest form, a password verifier is a computational function that is capable of creating a hash of a password and determining if the value provided by the user matches the hash.
A more secure version of verifying that a user knows a password is to store the result of an iterated hash function and a large random salt value, as follows:
H0 = H(pwd, H(salt))
Hn = H(Hn-1, H(salt))
In the above, "n" is a cryptographically strong random number. "Hn" is stored along with the salt. When the application wishes to verify that the user knows a password, it simply repeats the process and compares the computed "Hn" with the stored "Hn". A salt is essentially a fixed-length cryptographically strong random value. Another method is using a keyed hash message authentication code (HMAC). HMAC calculates a message authentication code via a cryptographic hash function used in conjunction with a secret key. The key must be protected as with any private key. This requirement applies to all accounts, including authentication server, Authentication, Authorization, and Accounting (AAA), and local accounts, including the root account and the account of last resort.
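The iterated salted hash and the HMAC alternative described above, as an added example of a local credential store that keeps only cryptographic representations of passwords (this code is not from the SRG or any vendor). It assumes SHA-256 as the FIPS-approved hash and, because the verifier must know n to repeat the computation, stores the iteration count next to the salt; the hypothetical key name `HMAC_KEY` stands for a key held outside the credential store.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Assumption: SHA-256 stands in for the FIPS-approved hash the requirement calls for.
HASH_NAME = "sha256"


@dataclass(frozen=True)
class StoredVerifier:
    """What the credential store holds: no plaintext, only salt, n and Hn."""
    salt: bytes
    iterations: int
    digest: bytes


def _h(*parts: bytes) -> bytes:
    """H(a, b, ...): hash of the inputs, each length-prefixed so that
    H(pwd, H(salt)) cannot collide with a different split of the same bytes."""
    m = hashlib.new(HASH_NAME)
    for p in parts:
        m.update(len(p).to_bytes(4, "big"))
        m.update(p)
    return m.digest()


def iterate(password: bytes, salt: bytes, n: int) -> bytes:
    """H0 = H(pwd, H(salt)); Hi = H(Hi-1, H(salt)) for i = 1..n; returns Hn."""
    hashed_salt = _h(salt)
    h = _h(password, hashed_salt)
    for _ in range(n):
        h = _h(h, hashed_salt)
    return h


def create_verifier(password: str, n: Optional[int] = None) -> StoredVerifier:
    """Build the record to store when a local account is created or its password set."""
    salt = os.urandom(16)                      # fixed-length, cryptographically strong
    if n is None:
        # The page calls n a cryptographically strong random number; a floor keeps
        # the work factor meaningful even when the random part is small.
        n = 100_000 + int.from_bytes(os.urandom(2), "big")
    return StoredVerifier(salt, n, iterate(password.encode("utf-8"), salt, n))


def verify(stored: StoredVerifier, candidate: str) -> bool:
    """Repeat the process with the stored salt and n, then compare to the stored Hn."""
    computed = iterate(candidate.encode("utf-8"), stored.salt, stored.iterations)
    # Constant-time comparison so a failed attempt does not leak how much matched.
    return hmac.compare_digest(computed, stored.digest)


def serialize(stored: StoredVerifier) -> str:
    """One-line representation suitable for a local account file; contains no password."""
    return "$".join([HASH_NAME, str(stored.iterations),
                     stored.salt.hex(), stored.digest.hex()])


def parse(record: str) -> StoredVerifier:
    name, n, salt_hex, digest_hex = record.split("$")
    if name != HASH_NAME:
        raise ValueError("unexpected hash algorithm in stored record: " + name)
    return StoredVerifier(bytes.fromhex(salt_hex), int(n), bytes.fromhex(digest_hex))


def hmac_verifier(key: bytes, password: str, salt: bytes) -> bytes:
    """The page's other method: a keyed HMAC over the salted password. The key is
    held outside the credential store and protected like any private key."""
    return hmac.new(key, salt + password.encode("utf-8"), HASH_NAME).digest()


if __name__ == "__main__":
    # Constructed sample data; HMAC_KEY is a placeholder for a key kept elsewhere.
    HMAC_KEY = os.urandom(32)
    rec = serialize(create_verifier("correct horse battery staple", n=50_000))
    print("stored record:", rec)
    print("right password accepted:", verify(parse(rec), "correct horse battery staple"))
    print("wrong password rejected:", not verify(parse(rec), "Tr0ub4dor&3"))
    print("hmac tag:", hmac_verifier(HMAC_KEY, "correct horse battery staple", b"salt").hex())
```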
Checks: C-SRG-NET-000522-VVSM-00010_chk

Verify the Unified Communications Session Manager, when using locally stored user accounts, is configured to only store cryptographic representations of passwords. If the Unified Communications Session Manager is not configured to only store cryptographic representations of passwords, this is a finding.

Fix: F-SRG-NET-000522-VVSM-00010_fix

Configure the Unified Communications Session Manager, when using locally stored user accounts, to only store cryptographic representations of passwords.

b
For accounts using password authentication, the Unified Communications Session Manager must be configured to use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.
IA-5 - Medium - CCI-000197 - SRG-NET-000400-VVSM-00101 - SRG-NET-000400-VVSM-00101_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000197
Version
SRG-NET-000400-VVSM-00101
Vuln IDs
  • SRG-NET-000400-VVSM-00101
Rule IDs
  • SRG-NET-000400-VVSM-00101_rule
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Use of passwords for authentication is intended only for limited situations and should not be used as a replacement for two-factor CAC-enabled authentication. Although allowed by SP800-131Ar2 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. Unless required for legacy use, DOD systems should not be configured to use SHA-1 for integrity of remote access sessions. The information system must specify the hash algorithm used for authenticating passwords. Implementation of this requirement requires configuration of a FIPS-approved cipher block algorithm and block cipher modes for encryption. Pre-shared key cipher suites may only be used in networks where both the client and server belong to the same organization. Cipher suites using pre-shared keys must not be used with TLS 1.0 or 1.1 and must not be used with TLS 1.2 when a government client or server communicates with non-government systems. This requirement applies to all accounts, including authentication server, AAA, and local accounts such as the root account and the account of last resort. This requirement only applies to components where this is specific to the function of the device (e.g., Transport Layer Security [TLS] Virtual Private Network [VPN] or Application Layer Gateway [ALG]). This does not apply to authentication for the purpose of configuring the device itself (management).
Checks: C-SRG-NET-000400-VVSM-00101_chk

Verify the Unified Communications Session Manager, for accounts using password authentication, is configured to use SHA-2 or greater to protect the integrity of the password authentication process. If the Unified Communications Session Manager is not configured to use SHA-2 or greater to protect the password authentication process, this is a finding.

Fix: F-SRG-NET-000400-VVSM-00101_fix

For accounts using password authentication, configure the Unified Communications Session Manager to use SHA-2 or greater to protect the integrity of the password authentication process.

c
The Unified Communications Session Manager must disable (prevent) auto-registration of Voice Video Endpoints.
AC-3 - High - CCI-000213 - SRG-NET-000015-VVSM-00101 - SRG-NET-000015-VVSM-00101_rule
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
SRG-NET-000015-VVSM-00101
Vuln IDs
  • SRG-NET-000015-VVSM-00101
Rule IDs
  • SRG-NET-000015-VVSM-00101_rule
Authentication must not automatically give an entity access to an asset. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Registration authenticates and authorizes endpoints with the Unified Communications Session Manager. For most VoIP systems, registration is the process of centrally recording the user ID, endpoint MAC address, and service/policy profile, with two-stage authentication prior to authorizing the establishment of the session and user service. The event of successful registration creates the session record immediately. VC systems register using a similar process with a gatekeeper. Auto-registration is an automatic means of detecting and registering a Voice Video Endpoint on the network with a session manager and then downloading its configuration to the instrument. Auto-registration allows unauthorized instruments to be added or moved without authorization, possibly allowing theft of services or other malicious attack. Configuring the firewall to deny registration (port 1719, etc.) is another layer of defense.
Checks: C-SRG-NET-000015-VVSM-00101_chk

Verify the Unified Communications Session Manager prevents auto-registration of Voice Video Endpoints. If the Unified Communications Session Manager does not disable auto-registration of Voice Video Endpoints outside of these conditions, this is a finding.

Fix: F-SRG-NET-000015-VVSM-00101_fix

Configure the Unified Communications Session Manager to disable auto-registration of Voice Video Endpoints.

b
The Unified Communications Session Manager must be configured to use the organization authoritative time source (NTP) to maintain system time.
CM-6 - Medium - CCI-000366 - SRG-NET-000512-VVSM-00101 - SRG-NET-000512-VVSM-00101_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SRG-NET-000512-VVSM-00101
Vuln IDs
  • SRG-NET-000512-VVSM-00101
Rule IDs
  • SRG-NET-000512-VVSM-00101_rule
Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DOD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations.
Checks: C-SRG-NET-000512-VVSM-00101_chk

Verify the Unified Communications Session Manager is configured to use the organization authoritative time source (NTP). If the Unified Communications Session Manager is not configured to use the organization authoritative time source, this is a finding.

Fix: F-SRG-NET-000512-VVSM-00101_fix

Configure the Unified Communications Session Manager to use the organization authoritative time source.

b
The Unified Communications Session Manager must be configured to disable non-essential capabilities.
CM-7 - Medium - CCI-000381 - SRG-NET-000131-VVSM-00101 - SRG-NET-000131-VVSM-00101_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
SRG-NET-000131-VVSM-00101
Vuln IDs
  • SRG-NET-000131-VVSM-00101
Rule IDs
  • SRG-NET-000131-VVSM-00101_rule
It is detrimental for Unified Communications Session Managers to provide, or enable by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Unified Communications Session Managers are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
Checks: C-SRG-NET-000131-VVSM-00101_chk

Verify the Unified Communications Session Manager is configured to disable non-essential capabilities. If the Unified Communications Session Manager is not configured to disable non-essential capabilities, this is a finding.

Fix: F-SRG-NET-000131-VVSM-00101_fix

Configure the Unified Communications Session Manager to disable non-essential capabilities.

c
The Unified Communications Session Manager must only use ports, protocols, and services allowed per the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and Vulnerability Assessments (VAs).
CM-7 - High - CCI-000382 - SRG-NET-000132-VVSM-00101 - SRG-NET-000132-VVSM-00101_rule
RMF Control
CM-7
Severity
High
CCI
CCI-000382
Version
SRG-NET-000132-VVSM-00101
Vuln IDs
  • SRG-NET-000132-VVSM-00101
Rule IDs
  • SRG-NET-000132-VVSM-00101_rule
To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Network elements are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the network element must support the organizational requirements of providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality-of-life issues.
Checks: C-SRG-NET-000132-VVSM-00101_chk

Verify the Unified Communications Session Manager only uses ports, protocols, and services allowed per the PPSM CAL and VAs. If the Unified Communications Session Manager uses ports, protocols, and services other than those permitted by the PPSM CAL and VAs, this is a finding.

Fix: F-SRG-NET-000132-VVSM-00101_fix

Configure the Unified Communications Session Manager to only use ports, protocols, and services allowed per the PPSM CAL and VAs.

c
The Unified Communications Session Manager must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
IA-2 - High - CCI-000764 - SRG-NET-000138-VVSM-00101 - SRG-NET-000138-VVSM-00101_rule
RMF Control
IA-2
Severity
High
CCI
CCI-000764
Version
SRG-NET-000138-VVSM-00101
Vuln IDs
  • SRG-NET-000138-VVSM-00101
Rule IDs
  • SRG-NET-000138-VVSM-00101_rule
To ensure accountability and prevent unauthenticated access, organizational users must be uniquely identified and authenticated to prevent potential misuse and compromise of the system. Sharing of accounts prevents accountability and non-repudiation. Organizational users must be uniquely identified and authenticated for all accesses.
Checks: C-SRG-NET-000138-VVSM-00101_chk

Verify the Unified Communications Session Manager uniquely identifies all users. If the Unified Communications Session Manager does not uniquely identify all users, this is a finding.

Fix: F-SRG-NET-000138-VVSM-00101_fix

Configure the Unified Communications Session Manager to uniquely identify all users.

c
The Unified Communications Session Manager must be configured to use an organizational-level user account management system.
IA-2 - High - CCI-000764 - SRG-NET-000138-VVSM-00102 - SRG-NET-000138-VVSM-00102_rule
RMF Control
IA-2
Severity
High
CCI
CCI-000764
Version
SRG-NET-000138-VVSM-00102
Vuln IDs
  • SRG-NET-000138-VVSM-00102
Rule IDs
  • SRG-NET-000138-VVSM-00102_rule
To effectively manage user accounts, organizational-level systems such as Lightweight Directory Access Protocol (LDAP) or Active Directory (AD) are used to create and manage user credentials that can be used across the organization. This reduces the need for separate user account databases across systems, which can create orphaned account issues, and the need to remember different credentials for each system. When user access is no longer authorized, an organizational-level system can simultaneously revoke access to all systems.
Checks: C-SRG-NET-000138-VVSM-00102_chk

Verify the Unified Communications Session Manager is configured to use an organizational-level user account management system. If the Unified Communications Session Manager is not configured to use an organizational-level user account management system, this is a finding.

Fix: F-SRG-NET-000138-VVSM-00102_fix

Configure the Unified Communications Session Manager to use an organizational-level user account management system.

b
The Unified Communications Session Manager must be configured to uniquely identify each Voice Video Endpoint device before registration.
IA-3 - Medium - CCI-000778 - SRG-NET-000148-VVSM-00101 - SRG-NET-000148-VVSM-00101_rule
RMF Control
IA-3
Severity
Medium
CCI
CCI-000778
Version
SRG-NET-000148-VVSM-00101
Vuln IDs
  • SRG-NET-000148-VVSM-00101
Rule IDs
  • SRG-NET-000148-VVSM-00101_rule
Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Typically, devices can be identified by MAC or IP address, but certificates provide a greater level of security. Identification of devices works with registration of devices as part of a defense-in-depth approach to Voice Video networks. Registration is the process of authorizing endpoints to communicate with the session manager. Registration occurs with the SIP server in VoIP systems and with a gatekeeper in H.323 systems. Without enforced registration, an adversary could impersonate a legitimate device on the Voice Video network.
Checks: C-SRG-NET-000148-VVSM-00101_chk

Verify the Unified Communications Session Manager uniquely identifies all Voice Video Endpoint devices before registration. If the Unified Communications Session Manager does not uniquely identify all Voice Video Endpoint devices before registration, this is a finding.

Fix: F-SRG-NET-000148-VVSM-00101_fix

Configure the Unified Communications Session Manager to uniquely identify all Voice Video Endpoint devices before registering those devices.

b
The Unified Communications Session Manager must be configured to terminate all network connections associated with a communications session at the end of the session.
SC-10 - Medium - CCI-001133 - SRG-NET-000213-VVSM-00101 - SRG-NET-000213-VVSM-00101_rule
RMF Control
SC-10
Severity
Medium
CCI
CCI-001133
Version
SRG-NET-000213-VVSM-00101
Vuln IDs
  • SRG-NET-000213-VVSM-00101
Rule IDs
  • SRG-NET-000213-VVSM-00101_rule
Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, and de-allocating networking assignments at the application level if multiple application sessions are using a single, operating-system-level network connection. Unified Communications Session Managers do not conduct media sessions; they conduct the session termination signaling. Endpoints and border elements conduct the media sessions and de-allocate those resources. However, sessions that do not receive a response from the far end may require the session manager to request termination of the communication session.
Checks: C-SRG-NET-000213-VVSM-00101_chk

Verify the Unified Communications Session Manager terminates all network connections associated with a communications session at the end of the session. If the Unified Communications Session Manager does not terminate all network connections associated with a communications session at the end of the session, this is a finding.

Fix: F-SRG-NET-000213-VVSM-00101_fix

Configure the Unified Communications Session Manager to terminate all network connections associated with a communications session at the end of the session.

b
The Unified Communications Session Manager supporting Command and Control (C2) communications must associate multilevel precedence and preemption (MLPP) attributes when exchanged between unified capabilities (UC) systems.
SC-16 - Medium - CCI-001157 - SRG-NET-000225-VVSM-00101 - SRG-NET-000225-VVSM-00101_rule
RMF Control
SC-16
Severity
Medium
CCI
CCI-001157
Version
SRG-NET-000225-VVSM-00101
Vuln IDs
  • SRG-NET-000225-VVSM-00101
Rule IDs
  • SRG-NET-000225-VVSM-00101_rule
If MLPP attributes are not associated with the information being transmitted between systems, then access control policies and information flows which depend on these MLPP attributes will not function and unauthorized access may result. Without the implementation of safeguards which allocate network communication resources based on priority, network availability suffers, and high-priority traffic in particular may be dropped or delayed. DOD relies on the implementation of MLPP to ensure that flag officers and senior staff are provided higher priority for communications than other users. For VoIP and videoconferencing systems, Unified Communications Session Managers must communicate using protocols and services that provide expedited packets to users and other systems.
Checks: C-SRG-NET-000225-VVSM-00101_chk

Verify the Unified Communications Session Manager supporting C2 communications associates MLPP attributes when exchanged between UC systems. If the Unified Communications Session Manager supporting C2 communications does not associate MLPP attributes when exchanged between UC systems, this is a finding.

Fix: F-SRG-NET-000225-VVSM-00101_fix

Configure the Unified Communications Session Manager supporting C2 communications to associate MLPP attributes when exchanged between UC systems.

b
The Unified Communications Session Manager supporting Command and Control (C2) communications must validate the integrity of transmitted multilevel precedence and preemption (MLPP) attributes.
SC-16 - Medium - CCI-001158 - SRG-NET-000226-VVSM-00101 - SRG-NET-000226-VVSM-00101_rule
RMF Control
SC-16
Severity
Medium
CCI
CCI-001158
Version
SRG-NET-000226-VVSM-00101
Vuln IDs
  • SRG-NET-000226-VVSM-00101
Rule IDs
  • SRG-NET-000226-VVSM-00101_rule
If MLPP attributes are not associated with the information being transmitted between components, then access control policies and information flows which depend on these MLPP attributes will not function and unauthorized access may result. When data is exchanged, the MLPP attributes associated with this data must be validated to ensure the data has not been changed. Without the implementation of safeguards which allocate network communication resources based on priority, network availability suffers, and high-priority traffic in particular may be dropped or delayed. DOD relies on the implementation of MLPP to ensure that flag officers and senior staff are provided higher priority for communications than other users. For VoIP and videoconferencing systems, Unified Communications Session Managers must communicate using protocols and services that provide expedited packets to users and other systems.
Checks: C-SRG-NET-000226-VVSM-00101_chk

Verify the Unified Communications Session Manager supporting C2 communications validates the integrity of transmitted MLPP attributes. If the Unified Communications Session Manager supporting C2 communications does not validate the integrity of transmitted MLPP attributes, this is a finding.

Fix: F-SRG-NET-000226-VVSM-00101_fix

Configure the Unified Communications Session Manager supporting C2 communications to validate the integrity of transmitted MLPP attributes.

c
The Unified Communications Session Manager must be configured to use FIPS-validated SHA-2 or higher to protect the authenticity of communications sessions.
SC-23 - High - CCI-001184 - SRG-NET-000230-VVSM-00101 - SRG-NET-000230-VVSM-00101_rule
RMF Control
SC-23
Severity
High
CCI
CCI-001184
Version
SRG-NET-000230-VVSM-00101
Vuln IDs
  • SRG-NET-000230-VVSM-00101
Rule IDs
  • SRG-NET-000230-VVSM-00101_rule
Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. Although allowed by SP800-131Ar2 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. Unless required for legacy use, DOD systems should not be configured to use SHA-1 for integrity of remote access sessions. This requirement focuses on communications protection for the application session rather than for the network packet and establishes grounds for confidence at both ends of communications sessions in the ongoing identities of other parties and in the validity of information transmitted. Depending on the required degree of confidentiality and integrity, web services/SOA will require the use of mutual authentication (two-way/bidirectional). This requirement applies only to network elements that act as an intermediary for individual sessions (e.g., proxy, ALG, or SSL VPN).
Checks: C-SRG-NET-000230-VVSM-00101_chk

Verify the Unified Communications Session Manager is configured to use FIPS-validated SHA-2 or higher to protect the authenticity of communications sessions. If the Unified Communications Session Manager is not configured to use FIPS-validated SHA-2 or higher, this is a finding.

Fix: F-SRG-NET-000230-VVSM-00101_fix

Configure the Unified Communications Session Manager to use FIPS-validated SHA-2 or higher to protect communications sessions.

b
The Unified Communications Session Manager must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.
SC-24 - Medium - CCI-001190 - SRG-NET-000235-VVSM-00101 - SRG-NET-000235-VVSM-00101_rule
RMF Control
SC-24
Severity
Medium
CCI
CCI-001190
Version
SRG-NET-000235-VVSM-00101
Vuln IDs
  • SRG-NET-000235-VVSM-00101
Rule IDs
  • SRG-NET-000235-VVSM-00101_rule
Failure to a known safe state helps prevent systems from failing to a state that may cause loss of data or unauthorized access to system resources. Network elements that fail suddenly and with no incorporated failure-state planning may leave the hosting system available but with a reduced security protection capability. Preserving information system state information also facilitates system restart and return to the operational mode of the organization with less disruption to mission-essential processes. An example is a firewall that blocks all traffic rather than allowing all traffic when a firewall component fails (e.g., fail closed and do not forward traffic). This prevents an attacker from forcing a failure of the system in order to obtain access. This applies to the configuration of the functionality of the element (e.g., firewall, IDPS, or router). Abort refers to stopping a program or function before it has finished naturally; the term covers both requested and unexpected terminations.
Checks: C-SRG-NET-000235-VVSM-00101_chk

Verify the Unified Communications Session Manager fails to a secure state when system initialization fails, shutdown fails, or aborts fail. If the Unified Communications Session Manager does not fail to a secure state if system initialization fails, shutdown fails, or aborts fail, this is a finding.

Fix: F-SRG-NET-000235-VVSM-00101_fix

Configure the Unified Communications Session Manager to fail to a secure state if system initialization fails, shutdown fails, or aborts fail.

b
The Unified Communications Session Manager must be configured to generate session (call) records that provide information necessary for corrective actions without revealing personally identifiable information or sensitive information.
SI-11 - Medium - CCI-001312 - SRG-NET-000273-VVSM-00101 - SRG-NET-000273-VVSM-00101_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001312
Version
SRG-NET-000273-VVSM-00101
Vuln IDs
  • SRG-NET-000273-VVSM-00101
Rule IDs
  • SRG-NET-000273-VVSM-00101_rule
Any Unified Communications Session Manager providing too much information in session records risks compromising the data and security of the application and system. The structure and content of session records must be carefully considered by the organization and development team.
Checks: C-SRG-NET-000273-VVSM-00101_chk

Verify the Unified Communications Session Manager generates session records that provide information necessary for corrective actions without revealing personally identifiable information or sensitive information. If the Unified Communications Session Manager does not generate session records that provide information necessary for corrective actions without revealing personally identifiable information or sensitive information, this is a finding.

Fix: F-SRG-NET-000273-VVSM-00101_fix

Configure the Unified Communications Session Manager to generate session records that provide information necessary for corrective actions without revealing personally identifiable information or sensitive information.

b
The Unified Communications Session Manager must be configured to only enable the extension mobility feature for endpoints on a per user basis.
AC-4 - Medium - CCI-001368 - SRG-NET-000018-VVSM-00101 - SRG-NET-000018-VVSM-00101_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-001368
Version
SRG-NET-000018-VVSM-00101
Vuln IDs
  • SRG-NET-000018-VVSM-00101
Rule IDs
  • SRG-NET-000018-VVSM-00101_rule
Extension mobility is a feature of a VVoIP system that permits a person to transfer their phone number extension and phone features (or configuration) to a phone that is not in their normal workspace. This is useful when a person is visiting a remote office away from their normal office and typically functions within an established enterprise-wide VVoIP system where the system is designed as a contiguous system. In this case, the system is typically a single-vendor solution. The system might be within one LAN/CAN or may include multiple LAN/CANs at multiple interconnected sites. To activate this feature, the user approaches a phone that is not their regular phone and identifies themselves to the phone system via a username, password, PIN, code, or some combination of these. Upon validation, the system configuration manager will configure the temporary phone to match the configuration of the user's regular phone. Minimally, the phone number is transferred and possibly some or all of the user's speed dial numbers and other personal preferences. This capability is dependent upon the capabilities of the temporary phone. Once activated, the user's inbound calls are directed to the temporary location. The user's regular phone may or may not maintain its normal capabilities and may also answer inbound calls. Extension mobility is similar to but not the same as forwarding calls. Forwarding is typically activated from the user's normal phone or their user preferences configuration settings. Forwarding is therefore preset to a known location. Extension mobility is typically activated from the remote location and is activated upon arrival at that location. Extension mobility should be available only to those individuals that need to use the feature.
Checks: C-SRG-NET-000018-VVSM-00101_chk

Verify the configuration for the extension mobility feature is only available when enabled per user. Confirm the following specific security features are configured:
- The feature is enabled/disabled on a per-user basis.
- Feature activation requires user authentication, minimally using a user-unique PIN (preferably including a unique user ID).
- The feature is not activated using a common activation code or feature button on the phone.
- The user (or system administrator) can manually disable the feature at their discretion.
- The user may have the capability to set a duration when activating the feature. (Optional)
- The feature automatically deactivates based on a period of inactivity or the time of day.
If the extension mobility feature is enabled and does not meet the above specific security features, this is a finding.

Fix: F-SRG-NET-000018-VVSM-00101_fix

Configure the extension mobility feature only when enabled per user. Confirm the following specific security features are configured:
- The feature is enabled/disabled on a per-user basis.
- Feature activation requires user authentication, minimally using a user-unique PIN (preferably including a unique user ID).
- The feature is not activated using a common activation code or feature button on the phone.
- The user (or system administrator) can manually disable the feature at their discretion.
- The user may have the capability to set a duration when activating the feature. (Optional)
- The feature automatically deactivates based on a period of inactivity or the time of day.

b
The Unified Communications Session Manager must be configured to globally disable the extension mobility feature for endpoints.
AC-4 - Medium - CCI-001368 - SRG-NET-000018-VVSM-00102 - SRG-NET-000018-VVSM-00102_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-001368
Version
SRG-NET-000018-VVSM-00102
Vuln IDs
  • SRG-NET-000018-VVSM-00102
Rule IDs
  • SRG-NET-000018-VVSM-00102_rule
Extension mobility is a feature of a VVoIP system that permits a person to transfer their phone number extension and phone features (or configuration) to a phone that is not in their normal workspace. This is useful when a person is visiting a remote office away from their normal office and typically functions within an established enterprise-wide VVoIP system where the system is designed as a contiguous system. In this case, the system is typically a single-vendor solution. The system might be within one LAN/CAN or may include multiple LAN/CANs at multiple interconnected sites. To activate this feature, the user approaches a phone that is not their regular phone and identifies themselves to the phone system via a username, password, PIN, code, or some combination of these. Upon validation, the system configuration manager will configure the temporary phone to match the configuration of the user's regular phone. Minimally, the phone number is transferred and possibly some or all of the user's speed dial numbers and other personal preferences. This capability is dependent upon the capabilities of the temporary phone. Once activated, the user's inbound calls are directed to the temporary location. The user's regular phone may or may not maintain its normal capabilities and may also answer inbound calls. Extension mobility is similar to but not the same as forwarding calls. Forwarding is typically activated from the user's normal phone or their user preferences configuration settings. Forwarding is therefore preset to a known location. Extension mobility is typically activated from the remote location and is activated upon arrival at that location. Extension mobility should be available only to those individuals that need to use the feature.
Checks: C-SRG-NET-000018-VVSM-00102_chk

Verify the configuration for the extension mobility feature is globally disabled. If the extension mobility feature is not globally disabled, this is a finding.

Fix: F-SRG-NET-000018-VVSM-00102_fix

Configure the extension mobility feature to be globally disabled on the VVoIP system.

b
The Unified Communications Session Manager must be configured to use DNS servers assigned to support the VVoIP system.
AC-4 - Medium - CCI-001368 - SRG-NET-000018-VVSM-00103 - SRG-NET-000018-VVSM-00103_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-001368
Version
SRG-NET-000018-VVSM-00103
Vuln IDs
  • SRG-NET-000018-VVSM-00103
Rule IDs
  • SRG-NET-000018-VVSM-00103_rule
In some cases, a VVoIP endpoint will be configured with one or more URLs pointing to the locations of the various servers with which it is associated, such as its call controller. These URLs are translated to IP addresses by a DNS server. The use of URLs in this manner permits an endpoint to find the server it is looking for even if the server's IP address changes. It also permits the endpoint to locate its assigned or home call controller from a remote location on a network that is not its home network. While all of this adds flexibility to the system and to the endpoint's location, it also exposes the endpoint and the home system to DNS vulnerabilities. Additionally, the home VVoIP system must expose critical IP address and domain information to the DNS system. If that DNS system is connected to the DNS servers that support the enterprise data network or the internet, this information, and the exposure of the system, is or may be extended to the world, providing information that can be used to attack or compromise the VVoIP system. When using DNS within a VVoIP system so that endpoints can find the various servers in the network, the DNS server should be dedicated to the VVoIP system. Furthermore, this DNS server should have limited or no interaction with the DNS server used by the data portion of the LAN/CAN or with a publicly accessible DNS server. This protects the VVoIP system's DNS server from some of the vulnerabilities inherent in DNS servers that serve data endpoints and that are connected to the wider enterprise networks or the internet. While the use of DNS adds IP addressing flexibility to a VVoIP system, it is not necessary for systems within the local LAN. VVoIP servers and infrastructure devices are required to be statically addressed; therefore, the endpoints can be configured with these known IP addresses rather than URLs. A remote endpoint is required to connect to the home enclave via a VPN. It receives an internal LAN address and therefore becomes part of the LAN and can reach its servers directly using their IP addresses; a URL is not required. The only time a URL might be required is when the endpoint must find a server, such as a directory server, that is somewhere on the WAN. This is the case in the VoSIP system on SIPRNet. Not using DNS in a VVoIP system eliminates its exposure to DNS vulnerabilities and to attacks carried out using information obtained from the DNS. NOTE: In the event a DNS server is implemented within the VVoIP system, the DNS STIG must be applied to the server.
Checks: C-SRG-NET-000018-VVSM-00103_chk

Examine the configurations of the DNS server(s) serving the VVoIP system and those outside the system. Attempt to resolve a system-specific URL that should not be published outside the system and see whether an IP address is returned. If restricted URLs are resolvable from outside the restriction zone, this is a finding.

Fix: F-SRG-NET-000018-VVSM-00103_fix

Consider not using DNS for the VVoIP system unless it is required. If DNS is used in the VVoIP system, ensure the DNS server serving the VVoIP system is dedicated to it and that any interaction with other DNS servers is limited. Additionally, ensure internal system URLs and information are not published to the enterprise WAN or the internet. NOTE: In the event a DNS server is implemented within the VVoIP system, the DNS STIG must be applied to the server.

c
The Unified Communications Session Manager must be configured to use only TLS 1.2 or greater for all TLS and SSL communications.
AC-17 - High - CCI-001453 - SRG-NET-000530-VVSM-00010 - SRG-NET-000530-VVSM-00010_rule
RMF Control
AC-17
Severity
High
CCI
CCI-001453
Version
SRG-NET-000530-VVSM-00010
Vuln IDs
  • SRG-NET-000530-VVSM-00010
Rule IDs
  • SRG-NET-000530-VVSM-00010_rule
Using older, unauthorized versions of TLS or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. This requirement applies to TLS gateways (also known as SSL gateways), web servers, and web applications. Application protocols such as HTTPS and DNSSEC use TLS as the underlying security protocol and thus are in scope for this requirement. NIST SP 800-52 provides guidance for client negotiation on either DOD-only or public-facing servers.
Checks: C-SRG-NET-000530-VVSM-00010_chk

Verify the Unified Communications Session Manager is configured to only use TLS 1.2 or greater for all TLS and SSL communications. If the Unified Communications Session Manager is not configured to only use TLS 1.2 or greater for all TLS and SSL communications, this is a finding.

Fix: F-SRG-NET-000530-VVSM-00010_fix

Configure the Unified Communications Session Manager to only use TLS 1.2 or greater for all TLS and SSL communications.

b
The Unified Communications Session Manager must produce session (call) records containing the identity of the users and identifiers associated with the session.
AU-3 - Medium - CCI-001487 - SRG-NET-000079-VVSM-00101 - SRG-NET-000079-VVSM-00101_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-001487
Version
SRG-NET-000079-VVSM-00101
Vuln IDs
  • SRG-NET-000079-VVSM-00101
Rule IDs
  • SRG-NET-000079-VVSM-00101_rule
Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or to identify those responsible. Session records are generated from several components within the Voice Video system (e.g., session manager, session border controller, gateway, gatekeeper, or endpoints). Session record content that may be necessary to satisfy this requirement includes, for example, type of connection, connection origination, time stamps, outcome, user identities, and user identifiers. Additionally, an adversary must not be able to modify or delete session records.
Checks: C-SRG-NET-000079-VVSM-00101_chk

Verify the Unified Communications Session Manager produces session records containing the identity of the users and identifiers associated with the session. The identity of the users and identifiers of the call in this context would be the user ID or user name. For Unified Communications Session Managers that have the concept of a device rather than users and identifiers, this requirement is not applicable. If the Unified Communications Session Manager does not produce session records containing the identity of the users and identifiers associated with the session, this is a finding.

Fix: F-SRG-NET-000079-VVSM-00101_fix

Configure the Unified Communications Session Manager to produce session records containing the identity of the users and identifiers associated with the session.

b
In the event of a system failure, Unified Communications Session Managers must be configured to preserve any information necessary to determine the cause of failure and any information necessary to return to operations with the least disruption to mission processes.
SC-24 - Medium - CCI-001665 - SRG-NET-000236-VVSM-00101 - SRG-NET-000236-VVSM-00101_rule
RMF Control
SC-24
Severity
Medium
CCI
CCI-001665
Version
SRG-NET-000236-VVSM-00101
Vuln IDs
  • SRG-NET-000236-VVSM-00101
Rule IDs
  • SRG-NET-000236-VVSM-00101_rule
Failure in a known state can address safety or security in accordance with the mission needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. Preserving network element state information helps to facilitate network element restart and return to the operational mode of the organization with less disruption to mission-essential processes.
Checks: C-SRG-NET-000236-VVSM-00101_chk

Verify that, in the event of a system failure, the Unified Communications Session Manager preserves any information necessary to determine the cause of failure and any information necessary to return to operations with the least disruption to mission processes. If the Unified Communications Session Manager does not preserve all information necessary to determine the cause of failure, this is a finding. If the Unified Communications Session Manager does not preserve all information necessary to return to operations with the least disruption to mission processes, this is a finding.

Fix: F-SRG-NET-000236-VVSM-00101_fix

Configure the Unified Communications Session Manager, in the event of a system failure, to preserve any information necessary to determine the cause of failure and any information necessary to return to operations with the least disruption to mission processes.

b
The Unified Communications Session Manager must be configured to provide centralized management of session (call) records.
AU-3 - Medium - CCI-001844 - SRG-NET-000333-VVSM-00101 - SRG-NET-000333-VVSM-00101_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-001844
Version
SRG-NET-000333-VVSM-00101
Vuln IDs
  • SRG-NET-000333-VVSM-00101
Rule IDs
  • SRG-NET-000333-VVSM-00101_rule
Without the ability to centrally manage the content captured in the audit records, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a delayed or incomplete analysis of an ongoing attack. The content captured in audit records must be managed from a central location (necessitating automation). Centralized management of audit records and logs provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records. Network components requiring centralized audit log management must have the capability to support centralized management. Session records for Voice Video systems are generally handled in a similar fashion to audit records for other systems and are used for billing, usage analysis, and record support for actions taken. These detailed records are typically produced by the session manager.
Checks: C-SRG-NET-000333-VVSM-00101_chk

Verify the Unified Communications Session Manager provides centralized management of session records. Centralized management of session records may be a function of the Unified Communications Session Manager or offloaded to an ancillary device. When records are offloaded, the Unified Communications Session Manager must provide configuration settings to connect to the ancillary device. If the Unified Communications Session Manager does not provide centralized management of session records, this is a finding.

Fix: F-SRG-NET-000333-VVSM-00101_fix

Configure the Unified Communications Session Manager to provide centralized management of session records.

c
The Unified Communications Session Manager must be configured to offload session (call) records to a central log server.
AU-4 - High - CCI-001851 - SRG-NET-000334-VVSM-00101 - SRG-NET-000334-VVSM-00101_rule
RMF Control
AU-4
Severity
High
CCI
CCI-001851
Version
SRG-NET-000334-VVSM-00101
Vuln IDs
  • SRG-NET-000334-VVSM-00101
Rule IDs
  • SRG-NET-000334-VVSM-00101_rule
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. This requirement only applies to components where this is specific to the function of the device (e.g., IDPS sensor logs, firewall logs). This does not apply to audit logs generated on behalf of the device itself (management).
Checks: C-SRG-NET-000334-VVSM-00101_chk

Verify the Unified Communications Session Manager offloads session records to a central log server. If the Unified Communications Session Manager does not offload session records to a central log server, this is a finding.

Fix: F-SRG-NET-000334-VVSM-00101_fix

Configure the Unified Communications Session Manager to offload session records to a central log server.

b
The Unified Communications Session Manager must be configured to offload session (call) records to a central log server.
AU-4 - Medium - CCI-001851 - SRG-NET-000511-VVSM-00101 - SRG-NET-000511-VVSM-00101_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
SRG-NET-000511-VVSM-00101
Vuln IDs
  • SRG-NET-000511-VVSM-00101
Rule IDs
  • SRG-NET-000511-VVSM-00101_rule
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. This requirement only applies to components where this is specific to the function of the device (e.g., IDPS sensor logs, firewall logs). This does not apply to audit logs generated on behalf of the device itself (management).
Checks: C-SRG-NET-000511-VVSM-00101_chk

Verify the Unified Communications Session Manager offloads session records to a central log server. If the Unified Communications Session Manager does not offload session records to a central log server, this is a finding.

Fix: F-SRG-NET-000511-VVSM-00101_fix

Configure the Unified Communications Session Manager to offload session records to a central log server.

b
The Unified Communications Session Manager must be configured to implement attack-resistant mechanisms for Voice Video Endpoint registration.
IA-2 - Medium - CCI-001942 - SRG-NET-000147-VVSM-00101 - SRG-NET-000147-VVSM-00101_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-001942
Version
SRG-NET-000147-VVSM-00101
Vuln IDs
  • SRG-NET-000147-VVSM-00101
Rule IDs
  • SRG-NET-000147-VVSM-00101_rule
Attacks against a Unified Communications Session Manager may include DoS, replay attacks, or cross-site scripting. A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS-Security). Additional techniques include time-synchronous or challenge-response one-time authenticators. A cross-site scripting vulnerability was demonstrated on a SIP-based IP phone by adding scripting code to the "From" field in the SIP INVITE. Upon receiving the INVITE, the embedded code was executed by the IP phone's embedded web server to download additional malicious code.
Checks: C-SRG-NET-000147-VVSM-00101_chk

Verify the Unified Communications Session Manager implements attack-resistant mechanisms for Voice Video Endpoint registration. If the Unified Communications Session Manager does not implement attack-resistant mechanisms for Voice Video Endpoint registration, this is a finding.

Fix: F-SRG-NET-000147-VVSM-00101_fix

Configure the Unified Communications Session Manager to implement attack-resistant mechanisms for Voice Video Endpoint registration.

b
The Unified Communications Session Manager must be configured to authenticate each Voice Video Endpoint device before registration.
IA-3 - Medium - CCI-001958 - SRG-NET-000343-VVSM-00101 - SRG-NET-000343-VVSM-00101_rule
RMF Control
IA-3
Severity
Medium
CCI
CCI-001958
Version
SRG-NET-000343-VVSM-00101
Vuln IDs
  • SRG-NET-000343-VVSM-00101
Rule IDs
  • SRG-NET-000343-VVSM-00101_rule
Device registration is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific preauthorized devices and trunks can access the system. Registration is the process of authorizing endpoints and trunks to communicate with the session manager. Registration occurs with the SIP server in VoIP systems and with a gatekeeper in H.323 systems. Without enforcing registration, an adversary could impersonate a legitimate device or peer on the Voice Video network.
Checks: C-SRG-NET-000343-VVSM-00101_chk

Verify the Unified Communications Session Manager authenticates all Voice Video Endpoint devices before establishing any connection. If the Unified Communications Session Manager does not authenticate all Voice Video Endpoint devices before establishing any connection, this is a finding.

Fix: F-SRG-NET-000343-VVSM-00101_fix

Configure the Unified Communications Session Manager to authenticate all Voice Video Endpoint devices before registering those devices.

b
The Unified Communications Session Manager must be configured to authenticate each Voice Video peer (trunk) before registration.
IA-3 - Medium - CCI-001958 - SRG-NET-000343-VVSM-00102 - SRG-NET-000343-VVSM-00102_rule
RMF Control
IA-3
Severity
Medium
CCI
CCI-001958
Version
SRG-NET-000343-VVSM-00102
Vuln IDs
  • SRG-NET-000343-VVSM-00102
Rule IDs
  • SRG-NET-000343-VVSM-00102_rule
Device registration is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific preauthorized devices and trunks can access the system. Registration is the process of authorizing endpoints and trunks to communicate with the session manager. Registration occurs with the SIP server in VoIP systems and with a gatekeeper in H.323 systems. Without enforcing registration, an adversary could impersonate a legitimate device or peer on the Voice Video network.
Checks: C-SRG-NET-000343-VVSM-00102_chk

Verify the Unified Communications Session Manager authenticates all Voice Video peers (trunks) before establishing any connection. If the Unified Communications Session Manager does not authenticate all Voice Video peers (trunks) before establishing any connection, this is a finding.

Fix: F-SRG-NET-000343-VVSM-00102_fix

Configure the Unified Communications Session Manager to authenticate all Voice Video peers (trunks) before registration.

b
The Unified Communications Session Manager must be configured to require Voice Video Endpoints to re-register at least every three hours.
IA-11 - Medium - CCI-002039 - SRG-NET-000338-VVSM-00101 - SRG-NET-000338-VVSM-00101_rule
RMF Control
IA-11
Severity
Medium
CCI
CCI-002039
Version
SRG-NET-000338-VVSM-00101
Vuln IDs
  • SRG-NET-000338-VVSM-00101
Rule IDs
  • SRG-NET-000338-VVSM-00101_rule
Device registration is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific preauthorized devices can access the system. Registration is the process of authorizing endpoints to communicate with the session manager. Registration occurs with the SIP server in VoIP systems and with a gatekeeper in H.323 systems. Without enforcing registration, an adversary could impersonate a legitimate device on the Voice Video network.
Checks: C-SRG-NET-000338-VVSM-00101_chk

Verify the Unified Communications Session Manager requires Voice Video Endpoints to re-register at least every three hours. If the Unified Communications Session Manager does not require Voice Video Endpoints to re-register or does not enforce re-registration at least every three hours, this is a finding.

Fix: F-SRG-NET-000338-VVSM-00101_fix

Configure the Unified Communications Session Manager to re-register Voice Video Endpoints at least every three hours.

b
The Unified Communications Session Manager must be configured to require Voice Video peers to re-register (re-authenticate) at least every hour.
IA-11 - Medium - CCI-002039 - SRG-NET-000338-VVSM-00102 - SRG-NET-000338-VVSM-00102_rule
RMF Control
IA-11
Severity
Medium
CCI
CCI-002039
Version
SRG-NET-000338-VVSM-00102
Vuln IDs
  • SRG-NET-000338-VVSM-00102
Rule IDs
  • SRG-NET-000338-VVSM-00102_rule
Device registration is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific preauthorized devices can access the system. Registration is the process of authorizing endpoints to communicate with the session manager. Registration occurs with the SIP server in VoIP systems and with a gatekeeper in H.323 systems. Without enforcing registration, an adversary could impersonate a legitimate device on the Voice Video network.
Checks: C-SRG-NET-000338-VVSM-00102_chk

Verify the Unified Communications Session Manager requires Voice Video peers to re-register (reauthenticate) at least every hour. If the Unified Communications Session Manager does not require Voice Video peers to re-register (reauthenticate) at least every hour, this is a finding.

Fix: F-SRG-NET-000338-VVSM-00102_fix

Configure the Unified Communications Session Manager to re-register (reauthenticate) Voice Video peers at least every hour.
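
As an added illustration of the nonce-based, replay-resistant registration described under SRG-NET-000147-VVSM-00101 and of the re-registration intervals required by SRG-NET-000338-VVSM-00101 and -00102, here is a simplified SIP Digest registrar in Python; this code is not from the SRG or any vendor product. The realm, nonce lifetime, credentials and clock are constructed values, and MD5 appears because RFC 3261 Digest specifies it.

```python
"""Added example: SIP Digest challenge/response for REGISTER with single-use,
expiring nonces (replay resistance) and a cap on the granted registration
lifetime (endpoints re-register at least every 3 hours, peers every hour).
Simplified model for illustration; real session managers differ in detail."""
import hashlib
import secrets
import time

REALM = "vvoip.example.mil"            # constructed realm, not a real domain
NONCE_LIFETIME = 60                     # seconds a challenge stays answerable (assumed policy value)
MAX_EXPIRES = {"endpoint": 3 * 3600,    # SRG-NET-000338-VVSM-00101: at least every three hours
               "peer": 3600}            # SRG-NET-000338-VVSM-00102: at least every hour


def _md5(text):
    # RFC 3261 mandates MD5 for Digest; it is used here only as the RFC specifies.
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 'auth' qop response, computed by the client and recomputed by the registrar."""
    ha1 = _md5(f"{username}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def build_authorization(username, password, challenge, uri, cnonce=None):
    """What a legitimate endpoint sends in the Authorization header of its second REGISTER."""
    cnonce = cnonce or secrets.token_hex(8)
    nc = "00000001"
    return {
        "username": username, "realm": challenge["realm"], "nonce": challenge["nonce"],
        "uri": uri, "nc": nc, "cnonce": cnonce, "qop": "auth",
        "response": digest_response(username, password, "REGISTER", uri,
                                    challenge["nonce"], nc, cnonce),
    }


class Registrar:
    """Registration-side logic of a session manager (hypothetical, not a product's code)."""

    def __init__(self, credentials, now=time.time):
        # credentials: identity -> (password, "endpoint" | "peer")
        self.credentials = credentials
        self.now = now               # injectable clock so the behaviour can be exercised offline
        self.issued_nonces = {}      # nonce -> time issued; entries removed on use or expiry
        self.bindings = {}           # identity -> absolute expiry of the current registration

    def challenge(self):
        """Parameters of the 401 WWW-Authenticate sent to a REGISTER that carries no credentials."""
        nonce = secrets.token_hex(16)   # unpredictable, so it cannot be precomputed
        self.issued_nonces[nonce] = self.now()
        return {"realm": REALM, "nonce": nonce, "algorithm": "MD5", "qop": "auth"}

    def register(self, auth, requested_expires):
        """Validate an Authorization header; return (SIP status code, granted Expires in seconds)."""
        issued = self.issued_nonces.pop(auth.get("nonce"), None)   # single use: gone after first try
        if issued is None or self.now() - issued > NONCE_LIFETIME:
            return 401, 0   # unknown, already-used (replayed) or stale nonce: re-challenge
        cred = self.credentials.get(auth.get("username"))
        if cred is None:
            return 403, 0
        password, kind = cred
        expected = digest_response(auth["username"], password, "REGISTER", auth.get("uri", ""),
                                   auth["nonce"], auth.get("nc", ""), auth.get("cnonce", ""))
        if not secrets.compare_digest(expected, auth.get("response", "")):
            return 403, 0   # wrong secret, or the URI/nonce was altered after the response was computed
        granted = min(requested_expires, MAX_EXPIRES[kind])   # force periodic re-registration
        self.bindings[auth["username"]] = self.now() + granted
        return 200, granted


def demo():
    """Walk through a legitimate registration, a replay of it, the Expires cap and a stale nonce."""
    clock = [1_000.0]
    reg = Registrar({"1001": ("endpoint-secret", "endpoint"),
                     "trunk-a": ("peer-secret", "peer")}, now=lambda: clock[0])
    uri = f"sip:{REALM}"
    # Endpoint asks for a day-long binding; the registrar grants at most three hours.
    auth = build_authorization("1001", "endpoint-secret", reg.challenge(), uri)
    first = reg.register(auth, 86_400)
    # Someone who recorded that Authorization header and resends it is re-challenged.
    replay = reg.register(auth, 86_400)
    # A peer (trunk) is capped at one hour.
    peer = reg.register(build_authorization("trunk-a", "peer-secret", reg.challenge(), uri), 7_200)
    # A challenge answered too late is also refused.
    late_challenge = reg.challenge()
    clock[0] += NONCE_LIFETIME + 1
    stale = reg.register(build_authorization("1001", "endpoint-secret", late_challenge, uri), 600)
    return {"first": first, "replay": replay, "peer": peer, "stale": stale}


if __name__ == "__main__":
    print(demo())
```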

b
The Unified Communications Session Manager must be configured to restrict Unified Communications Session Manager access outside of operational hours.
AC-2 - Medium - CCI-002145 - SRG-NET-000315-VVSM-00101 - SRG-NET-000315-VVSM-00101_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-002145
Version
SRG-NET-000315-VVSM-00101
Vuln IDs
  • SRG-NET-000315-VVSM-00101
Rule IDs
  • SRG-NET-000315-VVSM-00101_rule
Activity under unusual conditions can indicate hostile activity. For example, what is normal activity during operational hours can indicate hostile activity if it occurs during off-hours. Depending on mission needs and conditions, usage restrictions based on conditions and circumstances may be critical to limit access to resources and data to comply with operational or mission access control requirements. Thus, the network element must be configured to enforce the specific conditions or circumstances under which application accounts can be used (e.g., by restricting usage to certain days of the week, times of day, or specific durations of time). Limiting access to the voice/video network by work hours and work week mitigates the risk of unauthorized access to the system outside of duty hours, reducing misuse or abuse of the system and its resources. Areas requiring service during other times may be identified. However, it is essential that endpoints be allowed access to emergency services at all times.
Checks: C-SRG-NET-000315-VVSM-00101_chk

Verify the Unified Communications Session Manager provides the capability to restrict Unified Communications Session Manager access outside of operational hours to allow only essential connection capability. Areas requiring extended service times may be identified as exceptions. If the Unified Communications Session Manager does not restrict Unified Communications Session Manager access outside of operational hours allowing for exceptions, this is a finding.

Fix: F-SRG-NET-000315-VVSM-00101_fix

Configure the Unified Communications Session Manager to restrict Unified Communications Session Manager access outside of operational hours to only essential connections.

b
The Unified Communications Session Manager must be configured to enforce changes to privileges of Voice Video Endpoint user access.
AC-3 - Medium - CCI-002178 - SRG-NET-000321-VVSM-00101 - SRG-NET-000321-VVSM-00101_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-002178
Version
SRG-NET-000321-VVSM-00101
Vuln IDs
  • SRG-NET-000321-VVSM-00101
Rule IDs
  • SRG-NET-000321-VVSM-00101_rule
Without the enforcement of immediate changes to privilege levels, users and devices may not provide the correct level of service. Privileges include access to outside connections, precedence, and preemption capabilities. A user with higher precedence and preemption capability may supplant users authorized for higher levels of access. Endpoint users must be limited to the privileges needed to conduct business, and changes to privileges must be enforced immediately. Access authorizations should be dynamic to reflect changing conditions; if a revocation is not enforced in a timely manner, users may have inappropriate access. Revocation of access rules may differ based on the types of access revoked. For example, if a subject (i.e., user or process) is removed from a group, access may not be revoked until the next time the object (e.g., file) is opened or until the next time the subject attempts a new access to the object. Revocation based on changes to security labels may take effect immediately. It may be necessary to immediately revoke access in certain circumstances (e.g., a compromised account is being used). This may be mitigated by implementing SRG-NET-000321-VVSM-00008.
Checks: C-SRG-NET-000321-VVSM-00101_chk

Verify the Unified Communications Session Manager enforces change to privileges of Voice Video Endpoint user access. Privileges include access to outside connections, precedence, and preemption capabilities. If the Unified Communications Session Manager does not enforce changes to privileges of Voice Video Endpoint user access, this is a finding.

Fix: F-SRG-NET-000321-VVSM-00101_fix

Configure the Unified Communications Session Manager to enforce changes to privileges of Voice Video Endpoint user access.

b
The Unified Communications Session Manager must be configured to enforce changes to privileges of Voice Video Endpoint device access.
AC-3 - Medium - CCI-002179 - SRG-NET-000322-VVSM-00101 - SRG-NET-000322-VVSM-00101_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-002179
Version
SRG-NET-000322-VVSM-00101
Vuln IDs
  • SRG-NET-000322-VVSM-00101
Rule IDs
  • SRG-NET-000322-VVSM-00101_rule
Without the enforcement of immediate changes to privilege levels, users and devices may not provide the correct level of service. Privileges include access to outside connections, precedence, and preemption capabilities. A user with higher precedence and preemption capability may supplant users authorized for higher levels of access. Endpoints must be limited to the privileges needed to conduct business, and changes to privileges must be enforced immediately. Access authorizations should be dynamic to reflect changing conditions; if a revocation is not enforced in a timely manner, users may have inappropriate access. Revocation of access rules may differ based on the types of access revoked. For example, if a subject (i.e., user or process) is removed from a group, access may not be revoked until the next time the object (e.g., file) is opened or until the next time the subject attempts a new access to the object. Revocation based on changes to security labels may take effect immediately. It may be necessary to immediately revoke access in certain circumstances (e.g., a compromised account is being used). This may be mitigated by implementing SRG-NET-000321-VVSM-00007.
Checks: C-SRG-NET-000322-VVSM-00101_chk

Verify the Unified Communications Session Manager enforces change to privileges of Voice Video Endpoint device access. Privileges include access to outside connections, precedence, and preemption capabilities. If the Unified Communications Session Manager does not enforce changes to privileges of Voice Video Endpoint device access, this is a finding.

Fix: F-SRG-NET-000322-VVSM-00101_fix

Configure the Unified Communications Session Manager to enforce changes to privileges of Voice Video Endpoint device access.

b
The Unified Communications Session Manager, when using locally stored user accounts, must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.
AC-7 - Medium - CCI-002238 - SRG-NET-000395-VVSM-00010 - SRG-NET-000395-VVSM-00010_rule
RMF Control
AC-7
Severity
Medium
CCI
CCI-002238
Version
SRG-NET-000395-VVSM-00010
Vuln IDs
  • SRG-NET-000395-VVSM-00010
Rule IDs
  • SRG-NET-000395-VVSM-00010_rule
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account. This applies to network elements that have the concept of a user account (e.g., VPN, ALG, and proxy) as well as devices that can control traffic flow based on access authorizations (firewalls, IDPS).
Checks: C-SRG-NET-000395-VVSM-00010_chk

Verify the Unified Communications Session Manager, when using locally stored user accounts, automatically locks the account until released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded. If the Unified Communications Session Manager, when using locally stored user accounts, does not automatically lock the account until released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded, this is a finding.

Fix: F-SRG-NET-000395-VVSM-00010_fix

Configure the Unified Communications Session Manager, when using locally stored user accounts, to automatically lock the account until released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.

b
The Unified Communications Session Manager must be configured to apply 802.1Q VLAN tags to signaling and media traffic.
AC-16 - Medium - CCI-002272 - SRG-NET-000520-VVSM-00101 - SRG-NET-000520-VVSM-00101_rule
RMF Control
AC-16
Severity
Medium
CCI
CCI-002272
Version
SRG-NET-000520-VVSM-00101
Vuln IDs
  • SRG-NET-000520-VVSM-00101
Rule IDs
  • SRG-NET-000520-VVSM-00101_rule
When network elements do not dynamically reconfigure the data security attributes as data is created and combined, the possibility exists that security attributes will not correctly reflect the data with which they are associated. For the Unified Communications Session Manager, the use of 802.1Q tags on media and signaling, together with the use of VLANs, provides this layer of security. VLANs facilitate access and traffic control for voice video system components and enhanced QoS. Virtualized networking is used to separate voice video traffic from other types of traffic, such as data, management, and other special types. VLANs provide segmentation at layer 2. Virtual Routing and Forwarding (VRF) provides segmentation at layer 3 and works with Multiprotocol Label Switching (MPLS) for enterprise and WAN environments. When VRF is used without MPLS, it is referred to as VRF lite. For Voice Video systems, subnets, VLANs, and VRFs are used to separate media and signaling streams from all other traffic.
Checks: C-SRG-NET-000520-VVSM-00101_chk

Verify the Unified Communications Session Manager applies 802.1Q VLAN tags to signaling and media traffic. If the Unified Communications Session Manager does not apply 802.1Q VLAN tags to signaling and media traffic, this is a finding.

Fix: F-SRG-NET-000520-VVSM-00101_fix

Configure the Unified Communications Session Manager to apply 802.1Q VLAN tags to signaling and media traffic or be in a private subnet.

b
The Unified Communications Session Manager must be configured to use a voice or video VLAN, separate from all other VLANs.
AC-16 - Medium - CCI-002272 - SRG-NET-000520-VVSM-00102 - SRG-NET-000520-VVSM-00102_rule
RMF Control
AC-16
Severity
Medium
CCI
CCI-002272
Version
SRG-NET-000520-VVSM-00102
Vuln IDs
  • SRG-NET-000520-VVSM-00102
Rule IDs
  • SRG-NET-000520-VVSM-00102_rule
When network elements do not dynamically reconfigure the data security attributes as data is created and combined, the possibility exists that security attributes will not correctly reflect the data with which they are associated. For the Unified Communications Session Manager, the use of 802.1Q tags on media and signaling, together with the use of VLANs, provides this layer of security. VLANs facilitate access and traffic control for voice video system components and enhanced QoS. Virtualized networking is used to separate voice video traffic from other types of traffic, such as data, management, and other special types. VLANs provide segmentation at layer 2. Virtual Routing and Forwarding (VRF) provides segmentation at layer 3 and works with Multiprotocol Label Switching (MPLS) for enterprise and WAN environments. When VRF is used without MPLS, it is referred to as VRF lite. For Voice Video systems, subnets, VLANs, and VRFs are used to separate media and signaling streams from all other traffic.
Checks: C-SRG-NET-000520-VVSM-00102_chk

Verify the Unified Communications Session Manager uses a voice or video VLAN separate from all other VLANs. If the Unified Communications Session Manager uses a voice or video VLAN that is not separate from all other VLANs, this is a finding.

Fix: F-SRG-NET-000520-VVSM-00102_fix

Configure the Unified Communications Session Manager to use a voice or video VLAN, separate from all other VLANs.
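A packet-level audit for the two VLAN requirements above (802.1Q tags on signaling and media, and a voice VLAN kept separate from all other traffic), added here as an example and not part of the SRG: it parses the 802.1Q tag and IPv4/L4 headers of captured frames, then flags signaling or media that lacks the voice VLAN tag and non-voice traffic that appears on the voice VLAN. The SIP ports, the media port range, the voice VLAN ID and the frames themselves are constructed assumptions.

```python
"""Audit captured frames against the voice-VLAN separation requirement (added example)."""
import struct
from dataclasses import dataclass
from typing import List, Optional

ETHERTYPE_VLAN = 0x8100        # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
SIP_PORTS = {5060, 5061}       # SIP signaling; 5061 is SIP over TLS
RTP_RANGE = range(16384, 32768)  # assumed media (RTP/SRTP) port range for this site

@dataclass
class Frame:
    vlan_id: Optional[int]   # None when the frame carries no 802.1Q tag
    pcp: Optional[int]       # 802.1p priority bits from the tag
    proto: Optional[int]
    sport: Optional[int]
    dport: Optional[int]

def parse_frame(raw: bytes) -> Frame:
    """Extract 802.1Q VLAN ID/PCP and IPv4 protocol/ports from a raw Ethernet frame."""
    ethertype = struct.unpack_from("!H", raw, 12)[0]
    off, vlan_id, pcp = 14, None, None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack_from("!HH", raw, 14)  # TCI then inner EtherType
        pcp, vlan_id, off = tci >> 13, tci & 0x0FFF, 18
    proto = sport = dport = None
    if ethertype == ETHERTYPE_IPV4:
        ihl = (raw[off] & 0x0F) * 4            # IPv4 header length in bytes
        proto = raw[off + 9]
        if proto in (PROTO_TCP, PROTO_UDP):
            sport, dport = struct.unpack_from("!HH", raw, off + ihl)
    return Frame(vlan_id, pcp, proto, sport, dport)

def is_voice_video(f: Frame) -> bool:
    """Classify a frame as signaling (SIP) or media (UDP in the assumed RTP range)."""
    ports = {p for p in (f.sport, f.dport) if p is not None}
    return bool(ports & SIP_PORTS) or (f.proto == PROTO_UDP and any(p in RTP_RANGE for p in ports))

def audit(frames: List[bytes], voice_vlan: int) -> List[str]:
    """Return one finding per frame that violates the voice-VLAN separation."""
    findings = []
    for i, raw in enumerate(frames):
        f = parse_frame(raw)
        if is_voice_video(f) and f.vlan_id != voice_vlan:
            findings.append(f"frame {i}: voice/video traffic not tagged with VLAN {voice_vlan} (tag={f.vlan_id})")
        elif not is_voice_video(f) and f.vlan_id == voice_vlan:
            findings.append(f"frame {i}: non-voice traffic present on voice VLAN {voice_vlan}")
    return findings

def build_frame(vlan: Optional[int], proto: int, sport: int, dport: int) -> bytes:
    """Construct a minimal (checksum-less) Ethernet/802.1Q/IPv4/L4 frame for testing."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    tag = b"" if vlan is None else struct.pack("!HH", ETHERTYPE_VLAN, (5 << 13) | vlan)  # PCP 5 = voice
    ip = bytes([0x45, 0]) + struct.pack("!H", 28) + b"\x00" * 5 + bytes([proto]) + b"\x00" * 10
    return eth + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip + struct.pack("!HH", sport, dport) + b"\x00" * 4
```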

The Unified Communications Session Manager requiring user access authentication must provide a logout capability for user-initiated communications sessions.
AC-12 - Medium - CCI-002363 - SRG-NET-000518-VVSM-00101 - SRG-NET-000518-VVSM-00101_rule
RMF Control
AC-12
Severity
Medium
CCI
CCI-002363
Version
SRG-NET-000518-VVSM-00101
Vuln IDs
  • SRG-NET-000518-VVSM-00101
Rule IDs
  • SRG-NET-000518-VVSM-00101_rule
If a user cannot explicitly end a session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. However, for some types of interactive sessions including, for example, remote login, information systems typically send logout messages as final messages prior to terminating sessions. This applies to network elements that have the concept of a user account and have the login function residing on the network element.
Checks: C-SRG-NET-000518-VVSM-00101_chk

Verify the Unified Communications Session Manager requiring user access authentication provides a logout capability for user-initiated communications sessions. If the Unified Communications Session Manager requiring user access authentication does not provide a logout capability for user-initiated communications sessions, this is a finding.

Fix: F-SRG-NET-000518-VVSM-00101_fix

Configure the Unified Communications Session Manager requiring user access authentication to provide a logout capability for user-initiated communications sessions.

The Unified Communications Session Manager must be configured to protect against or limit the effects of all types of denial-of-service (DoS) attacks by employing organizationally defined security safeguards.
SC-5 - Medium - CCI-002385 - SRG-NET-000362-VVSM-00101 - SRG-NET-000362-VVSM-00101_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
SRG-NET-000362-VVSM-00101
Vuln IDs
  • SRG-NET-000362-VVSM-00101
Rule IDs
  • SRG-NET-000362-VVSM-00101_rule
A network element experiencing a DoS attack will not be able to handle the traffic load. The high CPU utilization caused by a DoS attack will also impact control-plane keep-alives and timers used for neighbor peering, resulting in route flapping and eventually black-holed traffic. The network element must be configured to prevent or mitigate the impact on network availability and traffic flow of DoS attacks that have occurred or are ongoing. A variety of technologies and functionality can be leveraged to limit or, in some cases, eliminate the effects of DoS attacks (e.g., load balancing and access control lists). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks. This requirement applies to the network traffic functionality of the network element as it pertains to handling network traffic. Some types of attacks may be specialized to certain network technology, functions, or services. For each technology, known and potential DoS attacks must be identified and solutions for each type implemented.
Checks: C-SRG-NET-000362-VVSM-00101_chk

Verify the Unified Communications Session Manager is configured to protect against or limit all types of DoS attacks. If the Unified Communications Session Manager is not configured to protect against or limit all types of denial-of-service (DoS) attacks, this is a finding.

Fix: F-SRG-NET-000362-VVSM-00101_fix

Configure the Unified Communications Session Manager to protect against or limit all types of DoS attacks.

The Unified Communications Session Manager must be configured to limit and reserve bandwidth based on priority of the traffic type.
SC-6 - Medium - CCI-002394 - SRG-NET-000363-VVSM-00019 - SRG-NET-000363-VVSM-00019_rule
RMF Control
SC-6
Severity
Medium
CCI
CCI-002394
Version
SRG-NET-000363-VVSM-00019
Vuln IDs
  • SRG-NET-000363-VVSM-00019
Rule IDs
  • SRG-NET-000363-VVSM-00019_rule
Without the implementation of safeguards that allocate network communication resources based on priority, network availability may suffer, and high-priority traffic in particular may be dropped or delayed. DOD supporting C2 communications relies on the implementation of MLPP to ensure that flag officers and senior staff are provided higher priority for communications than other users. For VoIP and videoconferencing systems, Unified Communications Session Managers must communicate using protocols and services that provide expedited packets to users and other systems. Additionally, Quality of Service (QoS) is an effective security safeguard used to ensure network communications availability based on priority. Different applications and other network traffic have unique requirements and tolerance levels for delay, jitter, bandwidth, packet loss, and availability. To manage the multitude of applications and services, a network requires a QoS framework to differentiate traffic and provide a method to avoid and manage network congestion. When network congestion occurs without QoS, all traffic has an equal chance of being dropped. A QoS implementation categorizes network traffic into classes and provides priority treatment based on the classification.
Checks: C-SRG-NET-000363-VVSM-00019_chk

Verify the Unified Communications Session Manager limits and reserves bandwidth based on priority of the traffic type. If the Unified Communications Session Manager does not limit and reserve bandwidth based on priority of the traffic type, this is a finding.

Fix: F-SRG-NET-000363-VVSM-00019_fix

Configure the Unified Communications Session Manager to limit and reserve bandwidth based on priority of the traffic type.

The Unified Communications Session Manager must be configured to protect the confidentiality and integrity of transmitted configuration files, signaling, and media streams.
SC-8 - High - CCI-002418 - SRG-NET-000371-VVSM-00101 - SRG-NET-000371-VVSM-00101_rule
RMF Control
SC-8
Severity
High
CCI
CCI-002418
Version
SRG-NET-000371-VVSM-00101
Vuln IDs
  • SRG-NET-000371-VVSM-00101
Rule IDs
  • SRG-NET-000371-VVSM-00101_rule
Without protection of the transmitted information, confidentiality and integrity may be compromised as unprotected communications can be intercepted and either read or altered. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Voice Video protocol suites include SIP, SCCP, and H.323. Each of these protocol suites uses different methodologies for securing transmitted signaling. The H.323 protocol suite relies on the H.235 series, which describes security within H.323, including security for both signaling and media. For SIP protocol, the DOD has created the AS-SIP protocol, which provides for implementing Transport Layer Security (TLS), Multi-Level Precedence and Preemption (MLPP), reliance on Secure Real-Time Transport Protocol (SRTP) for media streams, and Differentiated Services Code Point (DSCP) for traffic management through priority packet routing. To secure SCCP, TLS must be implemented with the protocol. Note: It is expected that this requirement be used to address each protocol individually. A separate STIG requirement for each protocol used identifying the methods to protect the confidentiality and integrity of transmitted control information (including registration files) and media streams must be produced.
Checks: C-SRG-NET-000371-VVSM-00101_chk

Verify the Unified Communications Session Manager protects the confidentiality and integrity of transmitted configuration files, signaling, and media streams. If the Unified Communications Session Manager does not protect the confidentiality and integrity of transmitted configuration files, signaling, and media streams, this is a finding.

Fix: F-SRG-NET-000371-VVSM-00101_fix

Configure the Unified Communications Session Manager to protect the confidentiality and integrity of transmitted configuration files, signaling, and media streams.

The Unified Communications Session Manager must implement NIST FIPS-validated cryptography for communications sessions.
SC-13 - High - CCI-002450 - SRG-NET-000510-VVSM-00101 - SRG-NET-000510-VVSM-00101_rule
RMF Control
SC-13
Severity
High
CCI
CCI-002450
Version
SRG-NET-000510-VVSM-00101
Vuln IDs
  • SRG-NET-000510-VVSM-00101
Rule IDs
  • SRG-NET-000510-VVSM-00101_rule
All signaling and media traffic from a Unified Communications Session Manager must be encrypted. Network elements using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DOD requirements. Unapproved mechanisms used for authentication to the cryptographic module are not verified, and therefore cannot be relied on to provide confidentiality or integrity, and DOD data may be compromised. Voice Video protocol suites include SIP, SCCP, and H.323. Each of these protocol suites uses different methodologies for securing transmitted signaling. The H.323 protocol suite relies on the H.235 series, which describes security within H.323, including security for both signaling and media. For SIP protocol, the DOD has created the AS-SIP protocol, which provides for implementing Transport Layer Security (TLS), Multi-Level Precedence and Preemption (MLPP), reliance on Secure Real-Time Transport Protocol (SRTP) for media streams, and Differentiated Services Code Point (DSCP) for traffic management through priority packet routing. To secure SCCP, TLS must be implemented with the protocol.
Checks: C-SRG-NET-000510-VVSM-00101_chk

Verify the Unified Communications Session Manager implements NIST FIPS-validated cryptography for communications sessions. If the Unified Communications Session Manager does not implement NIST FIPS-validated cryptography for communications sessions, this is a finding.

Fix: F-SRG-NET-000510-VVSM-00101_fix

Configure the Unified Communications Session Manager to implement NIST FIPS-validated cryptography for communications sessions.

The Unified Communications Session Manager must be configured to provide an indication of current participants in all calls, meetings, and conferences.
SC-15 - Medium - CCI-002453 - SRG-NET-000353-VVSM-00101 - SRG-NET-000353-VVSM-00101_rule
RMF Control
SC-15
Severity
Medium
CCI
CCI-002453
Version
SRG-NET-000353-VVSM-00101
Vuln IDs
  • SRG-NET-000353-VVSM-00101
Rule IDs
  • SRG-NET-000353-VVSM-00101_rule
Providing an explicit indication of current participants in videoconferences helps to prevent unauthorized individuals from participating in collaborative videoconference sessions without the explicit knowledge of other participants. Videoconferences allow groups of users to collaborate and exchange information. Without knowing who is in attendance, information could be compromised. For videoconferences with large numbers of people present, the identified participant may be listed as the room rather than by each individual attending. Unified Communications Session Managers that provide a videoconference capability must provide a clear indication of who is attending the meeting, thus providing all attendees with the capability to clearly identify users who are in attendance.
Checks: C-SRG-NET-000353-VVSM-00101_chk

Verify the Unified Communications Session Manager provides an indication of current participants in all calls, meetings, and conferences. If the Unified Communications Session Manager does not provide an indication of current participants in all calls, meetings, and conferences, this is a finding.

Fix: F-SRG-NET-000353-VVSM-00101_fix

Configure the Unified Communications Session Manager to provide an indication of current participants in all calls, meetings, and conferences.

The Unified Communications Session Manager supporting Command and Control (C2) communications must associate multilevel precedence and preemption (MLPP) attributes when exchanged between unified capabilities (UC) system components.
SC-16 - Medium - CCI-002455 - SRG-NET-000354-VVSM-00101 - SRG-NET-000354-VVSM-00101_rule
RMF Control
SC-16
Severity
Medium
CCI
CCI-002455
Version
SRG-NET-000354-VVSM-00101
Vuln IDs
  • SRG-NET-000354-VVSM-00101
Rule IDs
  • SRG-NET-000354-VVSM-00101_rule
If MLPP attributes are not associated with the information being transmitted between systems, then access control policies and information flows that depend on these MLPP attributes will not function and unauthorized access may result. Without the implementation of safeguards that allocate network communication resources based on priority, network availability may suffer, and high-priority traffic in particular may be dropped or delayed. DOD relies on the implementation of MLPP to ensure that flag officers and senior staff are provided higher priority for communications than other users. For VoIP and videoconferencing systems, Unified Communications Session Managers must communicate using protocols and services that provide expedited packets to users and other systems.
Checks: C-SRG-NET-000354-VVSM-00101_chk

Verify the Unified Communications Session Manager supporting C2 communications associates MLPP attributes when exchanged between UC system components. If the Unified Communications Session Manager supporting C2 communications does not associate MLPP attributes when exchanged between UC system components, this is a finding.

Fix: F-SRG-NET-000354-VVSM-00101_fix

Configure the Unified Communications Session Manager supporting C2 communications to associate MLPP attributes when exchanged between UC system components.

The Unified Communications Session Manager must only allow the use of DOD-approved PKI certificate authorities when using PKI.
SC-23 - Medium - CCI-002470 - SRG-NET-000355-VVSM-00010 - SRG-NET-000355-VVSM-00010_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-002470
Version
SRG-NET-000355-VVSM-00010
Vuln IDs
  • SRG-NET-000355-VVSM-00010
Rule IDs
  • SRG-NET-000355-VVSM-00010_rule
Untrusted certificate authorities (CAs) can issue certificates, but those certificates may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established. The DOD will only accept PKI certificates obtained from a DOD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of TLS certificates. This requirement focuses on communications protection for the application session rather than for the network packet. This requirement applies to any network element that is an intermediary of individual sessions (e.g., proxy, ALG, or TLS VPN). Network elements that perform these functions must be able to identify which session identifiers were generated when the sessions were established.
Checks: C-SRG-NET-000355-VVSM-00010_chk

Verify the Unified Communications Session Manager, when using PKI, only uses DOD-approved certificate authorities. If the Unified Communications Session Manager, when using PKI, does not use DOD-approved certificate authorities, this is a finding.

Fix: F-SRG-NET-000355-VVSM-00010_fix

Configure the Unified Communications Session Manager to only use DOD-approved certificate authorities when using PKI.