Voice/Video Services Policy STIG

When VVoIP connections are established across a publicly accessible WAN, all communications confidentiality and integrity can be lost. Information gleaned from signaling messages can be used to attack the system or for other nefarious reasons. If VVoIP traffic is passed in the clear it is open to sniffing attacks. This vulnerability exists whether the traffic is on a LAN/CAN or a MAN/WAN. Native end-to-end encryption of the signaling and media mitigates this vulnerability. As a secondary solution, mitigation can be accomplished at the link-level through the incorporation of encrypted VPN tunneling technology. Both solutions are applicable when the communicating endpoints are operated by the same organization or they reside in enclaves operated by the same organization and the endpoints and supporting systems are interoperable. As such, encryption of some approved form is required to protect DoD-to-DoD communications across a public network such as the Internet or a publicly accessible network such as the NIPRNet. While end-to-end application or protocol level encryption is preferred, tunneling unencrypted VVOIP signaling and media traffic using approved commercial grade (Type 3) site-to-site or client-to-site (remote access) VPN technologies mitigates the risk. The inherent type 1 site-to-site encryption employed afforded classified networks, such as the SIPRNet, also meets this requirement, although such networks are not public or publicly accessible as a rule. DoD-to-DoD voice communications are generally considered to contain sensitive information. Local DoD enclaves connect to a DISN SDN via an access circuit. Unless the site is a host to a SDN, or close enough to it to be served by DoD owned facilities, some portion of the access circuit will utilize leased commercial facilities. Additionally, the DISN core network itself may traverse commercial services and facilities. Therefore, DoD voice and data traffic crossing the unclassified DISN must be encrypted. Information Assurance OfficerEBRU-1, ECCT-1, ECSC-1

VVoIP has the potential to significantly degrade the enclave boundary protection afforded by the required boundary firewall unless the firewall is designed to properly handle VVoIP traffic. The typical firewall used to protect an enclave that supports normal data traffic is not capable of properly handling or supporting real time communications (VVoIP). The following paragraphs will demonstrate this. VVoIP uses a signaling protocol and a media transfer protocol that require both inbound and outbound permissions be set for these protocols in order to provide the capability to place and receive calls to/from endpoints outside the enclave. More specifically, the signaling protocol typically uses one or more static TCP ports that must be open inbound at all times to receive calls. The media protocol; Real-time Transfer Protocol (RTP) and its companion protocol Real-time Transfer Control Protocol (RTCP) utilize randomly assigned UDP ports in the potential range of 1025-65535 with four IP ports required for every bi-directional voice session/call. The number of ports is expanded if video is added. The typical method of supporting VoIP through a standard data firewall is to open (or permit inbound) the signaling IP port(s) and a wide range of UDP ports for the RTP/RTCP media streams. While a typical data firewall can provide some protection from a VoIP implementation if the inbound permit statements are limited to specific limited address ranges (applicable in some situations), this is not possible if calls are to be permitted from any IP address on the Internet or NIPRNet that could be located anywhere in the world. Address segregation for VVoIP is generally not possible since the NIPRNet address space is disjointed (chopped up) and is spread across the overall public Internet (IPv4) address space. To support a worldwide IP enabled DSN, a typical data firewall would need to permit VVoIP signaling and media inbound from the entire registered IPv4 address space. One reason why this is the case is that an ACL developed to limit inbound enclave access to permit only NIPRNet addresses would require many permit statements such that the ACL itself could degrade firewall or router performance. As such, permitting VVoIP traffic across a standard data firewall opens gaping holes in the enclave’s perimeter protection. This is of particular concern when the WAN is the Internet or a DISN service that provides connection to the INTERNET such as the NIPRNet. On the other hand, a standard data firewall poses problems for VVoIP call/session completion if external public addressing is used with internal private (RFC 1918) addressing which requires the firewall to do NAT/NAPT. This is because the VVoIP endpoints need to know the IP address of the other endpoint and they signal their address within the signaling messages. The firewall changes the IP address of the packet during the NAT but does not change it in the signaling message causing a mismatch. The effect is that the call/session cannot be completed. NOTE: If the WAN is a “closed” system where the entire address space of the WAN and connected enclaves is managed by a “single system manager” (as is the case with DISN classified networks) a specific limited and segregated address space can be assigned for all VVoIP devices for use across the entire network. In this case, the risk to the enclave can be limited (although not eliminated) if a standard firewall is used with inbound permit statements that are based on the segregated IP address range. This protection can be further enhanced by limiting the UDP port range. An allowance has been made for such a situation; however, this may change in the future. Based on the above, If VVoIP is to traverse the enclave boundary; the firewall must be VVoIP aware or capable. A VVoIP aware/capable firewall provides the following minimal functions. > Interprets and understands the signaling protocol to determine the UDP ports that are negotiated for the RTP/RTCP media streams. > Dynamically opens the required UDP ports to permit the flow of the media (audio and video). > Performs stateful inspection on the UDP media packets to ensure the packets are part of the active call/session, while dropping all non session packets. > Closes the UDP ports when the end of the call/session is signaled OR after a period of session inactivity. In the event NAT is used across the enclave boundary, the VVoIP aware/capable firewall provides the following NAT functions: > Interprets and understands the signaling protocol to determine the IP addresses that are negotiated between the endpoints and adjusts the signaling messages in accordance with the local NAT/NAPT internal and external addresses. > Performs the NAT/NAPT address changes on the RTP/RTCP media packets as they traverse the boundary. In the event, the VVoIP enclave boundary provides access to and interoperability with a DISN IP based assured service voice service (such as the IP-DSN on NIPRNet), VVoIP aware/capable firewall must provide the following additional functions (Note: these are defined in the UCR): > Provides encryption services for the signaling protocol (AS-SIP uses TLS) > Provides authentication of the source of the signaling protocol packets and drops all unauthenticated packets. > Provides integrity validation of the signaling protocol packets and drops all invalid or modified packets. > Terminates the AS-SIP signaling session and checks the validity of the AS-SIP messages based on content and establishes a new signaling session for the next hop, thus performing an application level inspection of the signaling messages. > Communicates with Call controllers (LSCs and MFSSs) using AS-SIP/TLS > Interprets and understands the AS-SIP signaling protocol to provide the minimal and NAT functions noted above > Supports encrypted RTP/RTSP media streams. That is SRTP/SRTCP > Provides the capability to decrypt the media streams for inspection and recording. This supports monitoring/recording for CALEA and COMSEC monitoring purposes for calls that traverse the enclave boundary. > Performs intrusion and DoS detection with alarm capability for both the signaling and media. > Blocks all non VVoIP traffic whether destined for the VVoIP or data sub-enclaves. NOTE: While RTCP messages could be validated for content and format, the contents of RTP packets cannot due to the random nature of the audio and video data being transmitted. Delaying the RTCP packets for inspection or the SRTCP messages for decryption and inspection while passing the RTP/SRTP packets would cause disruption in the media flow and thereby negatively affect its quality. Additionally, the delay of the SRTP packets for decryption and inspection would have similar effects. Thus intrusion detection based on the media streams is almost impossible since attack profiles are generally unavailable. Based on this and to improve worldwide voice quality, the DSN/RTS PMO and the RTS WG has determined that the SRTP/SRTCP streams will be passed by the VVoIP firewall without inspecting the encrypted contents of the packets. NOTE: The VVoIP aware/capable firewall discussed here defines a set of functions that are unique to a VVoIP which are different from the set of functions required for data firewalls. The functions for data firewalls are defined in the Network Infrastructure STIG. While typically a single firewall will not be capable of supporting both sets of functions (which means a separate VVoIP firewall is needed in parallel to the data firewall) this requirement does not mean that a dedicated VVoIP firewall must be implemented in the event a single firewall is capable of implementing both sets of functions simultaneously. The primary task of the data firewall function is to protect the entire enclave. In doing so, it must perform its normal function of protecting the data sub-enclave while also blocking all VVoIP traffic destined for it via the data firewall. An exception could be made for this on a case by case basis if permissions are limited in scope as would be the case for VTC. All data traffic/protocols destined for the VVoIP sub-enclave must also be blocked unless specifically authorized to meet a mission need. Such a mission need might be for remote management of the VVoIP system from a NOC or user-to-site VPN, however, this traffic must would be routed to the VVoIP management VLAN(s) and not the VVoIP production VLANs. An additional consideration for passing VoIP across an enclave boundary is when there are different vendor’s VoIP systems deployed within the different enclaves connected to the WAN, and the various vendor’s systems are not interoperable or do not provide assured service outside the enclave, or the WAN cannot support QoS and assured service. In this case, interoperability and assured service must be preserved across the DSN or DISN voice network, whether traditional TDM or VoIP. Therefore, the VoIP system must connect to other enclaves via a traditional TDM based long haul network. Such a connection is made using a media gateway. Therefore, if the enclave VoIP system is not compatible with the IP enabled DSN as defined in the UCR thereby providing interoperability and assured service end-to-end across the DISN voice network, the system must employ a media gateway and connect to a traditional DSN switch. Additionally, unless specific requirements (discussed later) are met, all connections to the PSTN must be via a media gateway and an appropriate trunk (PRI or CAS). NONEThe enclave boundary protection is bypassed or degraded permitting unauthorized access to the LAN / Enclave.Information Assurance OfficerEBBD-1, EBBD-2, EBBD-3, ECSC-1

Users of conference room or office based VTC systems and PC based communications applications that employ a camera must not inadvertently display information of a sensitive or classified nature that is not part of the communications session while the camera is active. This can happen if information in the form of charts, pictures, or maps are displayed on a wall within the viewing, or capture range of a camera. Any Pan, Tilt, and Zoom (PTZ) capabilities of the camera must be considered. One may consider visual information out of range, but it may be in range considering camera capabilities such as high definition, PTZ, and video enhancement possibilities for captured frames. Inadvertent display of classified information could also happen if the information is laying on a desk or table unprotected. NOTE: Vulnerability awareness and operational training will be provided to users of VTC and video/collaboration communications related camera(s) regarding these requirements. NOTE: This requirement is relevant no matter what the classification level of the session. In an IP environment the classification of VTC or PC communications is dependent upon the classification of the network to which the VTU or PC is attached and the classification of the facility in which it is located. While classified communications can occur at the same level of classification as the network and facility, communications having a lower classification or no classification (e.g., unclassified or FOUO) may also occur in the same environment. As such, sensitive or classified information that is not part of the communications session might be improperly disclosed without proper controls in place.NONEInformation Assurance OfficerInformation Assurance ManagerDCBP-1, ECND-1, ECSC-1