VoiceVideo over Internet Protocol (VVoIP) STIG V3R13

b

Unified messaging and email text-to-speech features must be disabled because there is no PKI authentication and no access control to email.

Medium - V-19444 - SV-21495r3_rule

RMF Control

Severity

M

CCI

Version

VVoIP 1755

Vuln IDs

V-19444

Rule IDs

SV-21495r3_rule

Unified messaging and email systems provide the capability to receive voicemails via email and in some cases, have emails read to the user via a text-to-speech feature when accessing the system from a telephone (dial-in). For DoD, this presents two issues or vulnerabilities. Access to voicemail from a telephone only requires the user’s telephone number and a PIN. The telephone number is the account or mailbox number on the voicemail system while the PIN is the user password for accessing the account. This is a rather weak authentication method. The first issue for DoD, is that DoD policy states that access to email requires PKI based authentication of the user before they are granted access to their email account. PKI certificates are required to decrypt encrypted email. PKI authentication is not available when using a standard telephone. While some organizations might implement PKI authenticated access to the site’s phone system, such a facility is not available via most DoD phone systems and certainly not via the PSTN. Additionally, while a non-PKI enabled text-to-speech feature would not be able to read encrypted email (which would be considered the most sensitive) the unencrypted email is still considered sensitive DoD information. The argument could be made that normal voicemail messages and regular telephone conversations can also contain sensitive information. However, there is typically more sensitive information in email. This does not apply to DoD issued PDA/PED devices that provide CAC authenticated access to email. Access to unified mail voicemail would be via PKI authenticated email service through which the user could listen to the voicemail. Text-to-speech conversion would be permitted in this case even though caution should be used when listening to any voicemail, particularly in a public place. The use of a wired earphone is highly recommended. The use of Bluetooth, DECT/DECT 6.0, and other RF wireless technologies for accessories must be approved.

Checks: C-23713r2_chk

Interview the ISSO to validate compliance with the following requirement: In the event an email text-to-speech feature is employed or enabled in a unified messaging and email system, and accessed via the dial-in voicemail access method, ensure DoD PKI authentication is used to access the feature as is required for normal email access control. Otherwise, disable the text-to-speech feature as well as any other dial-up method that does not provide for PKI authentication for accessing email. Determine if the site has implemented a unified mail system where voicemail is delivered via the user’s email mailbox. This will normally imply that email could be available via normal voicemail access from a standard telephone and that the email is read to the user via a text-to-speech conversion feature. Inspect the configuration of the unified messaging and email server to determine if the text-to-speech feature is disabled. Alternately have the ISSO or SA demonstrate compliance with the requirement. If email is accessible via voicemail without PKI authentication, this is a finding. NOTE: Access to the email service must already be in compliance with DoD email access policy using PKI. Therefore, this requirement does not apply to accessing and listening to voicemail via the email service.

Fix: F-20189r2_fix

In the event an email text-to-speech feature is employed or enabled in a unified messaging system, and accessed via the dial-in voicemail access method, ensure PKI based authentication is used to access the feature as is required for normal email access control. Otherwise, disable the text-to-speech feature as well as any other dial-up method that does not provide for PKI authentication for accessing email. Disable the text-to-speech feature of a unified mail service.

b

PC presentation or application sharing capabilities are not properly limited.

Medium - V-19625 - SV-21766r2_rule

RMF Control

Severity

M

CCI

Version

VVoIP 1725

Vuln IDs

V-19625

Rule IDs

SV-21766r2_rule

Visual collaboration often requires the sharing or display of presentations, open documents, and white board information to one or more communicating endpoints. While the technology for doing this is different between hardware based endpoints and PC based application endpoints, the vulnerability it creates is the same. In both cases, the displayed information typically resides on a PC. While in presentation/sharing mode, care must be exercised so that the PC user does not inadvertently display and transmit information on their workstation that is not part of the communications session and not intended to be viewed by the other communicating parties. Users must be aware that anything they display on their PC monitor while presenting to a communications session may be displayed on the other communicating endpoints. This is particularly true when the PC video output is connected to a VTC CODEC since the information will be displayed on all of the conference monitors. This presentation/sharing feature could result in the disclosure of sensitive or classified information to individuals that do not have a validated need-to-know or have the proper clearance to view the information. Thus, the presentation/sharing feature presents a vulnerability to other information displayed on the PC, if the feature is misused. This is a problem when sharing (displaying) a PC desktop via any collaboration tool using any connection method. There is little that can be done to mitigate this vulnerability other than to develop policy and procedures to present to collaborative communications sessions. All users that perform this function must have awareness of the issues and be trained in the proper operational procedures. Such procedures may require that there be no non-session related documents or windows open or minimized on the PC while presenting or sharing. An additional requirement may be that the user may not permit others in a session to remotely control their PC. A similar issue is that some PC based collaboration applications can permit a user to allow other session participants to remotely control their PC. Depending upon how this feature is implemented and limited, it could lead to undesired activities on the part of the person in control and possible compromise of information that is external to the collaboration session. This would be the case if such sharing or remote control provided access to the local hard drive and non session related applications or network drives accessible from the controlled PC.

Checks: C-23918r1_chk

Interview the IAO to validate compliance with the following requirement: Ensure PC based collaboration application sharing and remote control features or capabilities do not provide unrestricted access to other (i.e., non-shared) applications, the local hard drive(s), or other drives accessible through the network. In other words, the collaboration application will not provide, or will be configured to not provide, full remote control of the host (i.e., shared) PC. Sharing capabilities will be limited to the collaboration application and other applications or documents (e.g., document based applications and documents launched by the host PC user) specifically shared by the host PC user. Inspect or have a SA demonstrate the configuration and capabilities of the collaboration tool with respect to its sharing capabilities. This is a finding if the following is not met: > PC based collaboration application sharing and remote control features or capabilities will not provide unrestricted access to other (i.e., non shared) applications, the local hard drive(s), or other drives accessible through the network. For example, the collaboration application will not provide, or will be configured to not provide, full remote control of the host (i.e., shared) PC. > Sharing capabilities will be limited to the collaboration application, and other applications or documents specifically shared by the host PC user. (e.g., document based applications and documents launched by the host PC user)

Fix: F-20329r1_fix

Ensure PC based collaboration application sharing and remote control features or capabilities do not provide unrestricted access to other (i.e., non-shared) applications, the local hard drive(s), or other drives accessible through the network. In other words, the collaboration application will not provide, or will be configured to not provide, full remote control of the host (i.e., shared) PC. Sharing capabilities will be limited to the collaboration application and other applications or documents (e.g., document based applications and documents launched by the host PC user) specifically shared by the host PC user. Configure PC collaboration applications of all forms to not provide full remote control access to the host PC. Limit access to the applications relevant to the collaboration session or the video display. Train users in proper operation of the sharing capabilities. If necessary, limit or deny access to collaboration applications that do not or cannot be configured to not provide full PC remote control as described above.

b

VVoIP component(s) are NOT addressed using the defined dedicated VVoIP system addresses

Medium - V-19628 - SV-21769r2_rule

RMF Control

Severity

M

CCI

Version

VVoIP 5225

Vuln IDs

V-19628

Rule IDs

SV-21769r2_rule

The protection of the VVoIP system is enhanced by ensuring all VVoIP systems and components within the LAN (Enclave) are deployed using separate address blocks from the normal data address blocks. This is one of the required steps required to help protect the VVoIP infrastructure and services by allowing traffic and access control via firewalls and router ACLs.

Checks: C-23948r1_chk

Ensure all VVoIP systems and components within the LAN (Enclave) are deployed using the dedicated VVoIP address space defined in the VVoIP system design for the given network type. Inspect the VVoIP core equipment components (endpoints checked separately) to determine if they are addressed using the dedicated VVoIP address space defined in the VVoIP system design for the given network type. NOTE: The affected devices in this case are as follows: > VVoIP Call or session controllers; LSC / MFSS > Adjunct UC systems > Edge Boundary Controller (EBC) internal and external interfaces > Customer Edge (Premise) router internal interface to the VVoIP VLANs

Fix: F-20332r1_fix

Ensure all VVoIP systems and components within the LAN (Enclave) are deployed using the using the dedicated VVoIP address space defined in the VVoIP system design for the given network type. NOTE: This is applicable to the following: > A closed unclassified LAN > A unclassified LAN connected to a unclassified WAN such as the NIPRNet or Internet > A closed classified LAN > A classified LAN connected to a classified WAN (such as the SIPRNet). NOTE: In the case of a classified WAN where network wide address based accountability or traceability is required by the network PMO, the PMO must provide a segregated, network wide address block(s) so that the attached classified LANs can meet this requirement. Provide or use a dedicated address space for the VVoIP system that is segregated from the address space used for the general LAN, management VLANs, and other segregated services running on the LAN. Use this address space when configuring VVoIP VLANs and when assigning addresses to VVoIP endpoints and core equipment.

b

VVoIP core components use random address assignment via DHCP and are not statically addressed

Medium - V-19629 - SV-21770r2_rule

RMF Control

Severity

M

CCI

Version

VVoIP 5230

Vuln IDs

V-19629

Rule IDs

SV-21770r2_rule

Assigning static addresses to core VVoIP devices permits tighter control using ACLs on firewalls and routers to help in the protection of these devices. NOTE: In the event DHCP is used for address assignment, ensure the DHCP server assigns the same address to the core VVoIP device each time one is requested.Information Assurance Officer

Checks: C-23951r1_chk

Interview the IAO to confirm compliance with the following requirement: Ensure the VVoIP core components are statically addressed.

Fix: F-20333r1_fix

Ensure the VVoIP core components are statically addressed and do not use DHCP to obtain a randomly assigned address Do not use DHCP to assign IP addresses to V-VoIP core devices; Configure each device with a specific IP address OR If DHCP must be used, configure the DHCP server to provide the same IP address to each specific VVoIP system core device when requested

b

VVoIP endpoints must receive IP address assignment and configuration information from a DHCP server dedicated to the VVoIP system.

Medium - V-19630 - SV-21771r3_rule

RMF Control

Severity

M

CCI

Version

VVoIP 5235

Vuln IDs

V-19630

Rule IDs

SV-21771r3_rule

When using Dynamic Host Configuration Protocol (DHCP) for address assignment and host configuration, different DHCP scopes (different address space, subnets, and VLANs) must be used for voice components and data components. Optimally, the design would place a DHCP server dedicated to providing IP address and configuration information to the VVoIP endpoints separate from the IP address and configuration information to data hosts (workstations etc.). The DHCP server providing VVoIP devices should be in the V_VUC domain having the same address space and VLAN to prevent DHCP requests routed onto the data environment that degrade the separation of the VVoIP environment and the data environment. With centralized management of DHCP (and other services, such as DNS) this separation is obviously eliminated. DHCP requests and responses for voice must reside on a segregated VLAN. The best practice is to manually assign addresses when authorizing the instrument by generating its configuration file. In the event a dedicated DHCP server for VVoIP endpoints is not implemented, the network (i.e., the router controlling access to and from the VVoIP endpoint VLANs) must route VVoIP endpoint DHCP requests directly to the DHCP server in such a manner that prevents traffic to flow between the VVoIP and data VLANs. Additionally the DHCP server must prevent such traffic flows while providing the VVoIP endpoints with proper VVoIP addresses and other information within the VVoIP address/subnet range (scope).Information Assurance Officer

Checks: C-23954r2_chk

Interview the IAO to confirm compliance with the following requirement: For VVoIP system designed to use DHCP for VVoIP initial endpoint address assignment/configuration, Ensure the following: - The DHCP server provides addresses from the segregated VVoIP address space and associated configuration information to VVoIP endpoints exclusively. - In the event the DHCP server is not dedicated to VVoIP, ensure it does not provide data addresses and configuration information to the VVoIP endpoints and conversely does not provide VVoIP addresses and configuration information to the data endpoints (hosts or workstations). - In the event the DHCP server is not dedicated to VVoIP, ensure the DHCP server and associated network routing prevents traffic to flow between the VVoIP VLANs and data VLANs. Review VVoIP network design to determine the IP address the of VVoIP DHCP server. Alternately, determine the VLAN tag the VVoIP DHCP server uses or responds to or inspect the Ethernet port configuration of the LAN network equipment connected to the DHCP server to determine the VLAN assigned to the port. If the DHCP server’s IP address is not within the designated VVoIP VLAN structure or IP address range, this is a finding. Inspect the configuration of all DHCP servers within the enclave to determine their address scope(s), and placement within the network for the VVoIP, data, or other VLANs. If the DHCP server providing address and network configuration information to data components or hosts and also provides this information to VVoIP endpoints or other system components, this is a finding. Conversely, if a DHCP server providing address and network configuration information to VVoIP endpoints also provides VVoIP addresses and information to data components, hosts, or other non-VVoIP system components, this is a finding. NOTE: dedicated hardware IP-VTC endpoints that are integrated with the VVoIP system, (i.e., they establish calls/sessions by signaling with the VVoIP LSC) may utilize the services of the VVoIP DHCP server because they may reside in the VVoIP system of VLANs. Dedicated hardware IP-VTC endpoints that are not associated with the LSC are required to reside in their own system of VLANs and therefore should have their own DHCP server or, better yet, be statically addressed.

Fix: F-20334r2_fix

Configure the DHCP server supporting VVoIP endpoints to have different DHCP scopes used for VVoIP components, data components, and independent IP-VTC endpoints. Ensure these servers reside in their respective voice, VTC, or data address space and VLANs and the VVoIP endpoints (or independent IP-VTC endpoints) only receive address/configuration information from the DHCP server dedicated to them. Alternately, if a dedicated DHCP server is not implemented, ensure the DHCP server provides addresses from the segregated VVoIP address space and associated configuration information to VVoIP endpoints exclusively; ensure it does not provide data addresses and configuration information to the VVoIP endpoints and conversely does not provide VVoIP addresses and configuration information to the data endpoints (hosts or workstations); and ensure the DHCP server and associated network routing prevents traffic to flow between the VVoIP VLANs and data VLANs. NOTE: Dedicated hardware IP-VTC endpoints that are integrated with the VVoIP system, (i.e., they establish calls/sessions by signaling with the VVoIP LSC) may utilize the services of the VVoIP DHCP server because they may reside in the VVoIP system of VLANs. Dedicated hardware IP-VTC endpoints that are not associated with the LSC are required to reside in their own system of VLANs and therefore should have their own DHCP server or, better yet, be statically addressed.

b

A VVoIP core system/device or a traditional TDM based telecom switch is acting as a network router in that it does not block traffic between its attached management network interfaces(s) (one or more; logical or physical) and/or its production network interface(s) (logical or physical).

Medium - V-19631 - SV-21772r2_rule

RMF Control

Severity

M

CCI

Version

VVoIP 5400

Vuln IDs

V-19631

Rule IDs

SV-21772r2_rule

Based on a previously stated requirement, a VVoIP system must have one or more production VLANs containing the VVoIP endpoints and a separate OOB management network or virtual management network (management VLAN). Also previously stated is the requirement that the LAN NEs maintain the separation between management network(s) and the production network VLANs by blocking traffic from passing between them. Maintaining this separation is also incumbent upon the managed devices that are connected to both the management and production VLANs. Individual VVoIP system core devices and traditional TDM based telecom switches connect to their production and management networks or VLANs in different ways. In some cases there are separate dedicated physical management and production interfaces. There may also be one or more physically separate management interfaces. On the other hand these interfaces may be logical or there may be some combination of logical and physical interfaces that support the required production and management traffic. In the event production and management connections use separate interfaces, whether logical or physical, the target/ managed device must not permit one network (physical or logical VLAN) to access another network through the device. That is, the device must not route IP traffic between logical or physical interfaces connected to different VLANs or physical networks that are part of a different logical security zone (protected VLAN) or physical network enclave. Permitting such routing permit a host on one network or VLAN to gain unauthorized access to a host on another network which can lead to complete corruption of the accessed system or device causing the, loss of availability (denial-of-service), integrity, and information or communications confidentiality. NOTE: While this specifically addresses a similar situation addressed in the Network Infrastructure STIG that essentially requires that the production side of a managed device must not be accessible from the management interface and vise versa, this requirement extends that requirement to multiple management interfaces. Many DSN switches and DISN IPVS system core devices are managed from the BCPS network and CCSA NOC via one interface and also monitored and potentially managed by the DISA ADIMSS or other NOC. These are separate enclaves which must be protected from inappropriate access between them. In some cases the connections from these enclaves to the managed devices are via separate interfaces on the managed devices. Ergo the requirement the managed device must not pass traffic between these interfaces. Information Assurance Officer

Checks: C-23955r1_chk

Interview the IAO to confirm compliance with the following requirement: In the event a VVoIP core device or a traditional TDM circuit switch supports multiple management interfaces that are separate from the production interfaces (as required), ensure the device does not permit traffic to flow between these interfaces. This is a finding in the event any of the three domains can be reached and therefore potentially compromised from any of the others. NOTE: While this specifically addresses a similar situation found in the Network Infrastructure STIG, essentially it requires that the production side of a managed device must not be accessible from the management interface and vise versa, this requirement extends that requirement to multiple management interfaces. Many DSN switches and DISN IPVS system core devices are managed from the BCPS network and CCSA NOC via one interface and also monitored and potentially managed by the DISA ADIMSS or other NOC. These are separate enclaves which must be protected from inappropriate access between them. In some cases the connections from these enclaves to the managed devices are via separate interfaces on the managed devices. Ergo the requirement the managed device must not pass traffic between these interfaces.

Fix: F-20335r1_fix

Configure VVoIP core system/devices and traditional TDM based telecom switches to comply with the following: In the event a target system/device supports separate IP based production and management interfaces (logical or physical), or multiple management interfaces (logical or physical), connected to different networks or VLANs, ensure the target system/device does not rout IP traffic between the networks or VLANs attached / connected to these interfaces. NOTE: this also applies to traditional TDM based telecom switches that are managed via IP networks that connect to the switch via different ports no matter the type of connection (Ethernet or serial). The purpose of this requirement is to ensure that other devices connected to one side of the target device cannot be accessed or compromised through the target device via one of its other interfaces. Configure the target system/device to NOT route between multiple attached management networks and/or its production network whether physically different or only logically different by being connected to different VLANs. NOTE: While this specifically addresses a similar situation addressed in the Network Infrastructure STIG that essentially requires that the production side of a managed device must not be accessible from the management interface and vise versa, this requirement extends that requirement to multiple management interfaces. Many DSN switches and DISN IPVS system core devices are managed from the BCPS network and CCSA NOC via one interface and also monitored and potentially managed by the DISA ADIMSS or other NOC. These are separate enclaves which must be protected from inappropriate access between them. In some cases the connections from these enclaves to the managed devices are via separate interfaces on the managed devices. Ergo the requirement the managed device must not pass traffic between these interfaces.

b

Logical or physical interfaces must be configured on the VVoIP core routing devices for the VVoIP core equipment to support access and traffic control for the VVoIP system components.

Medium - V-19632 - SV-21773r3_rule

RMF Control

Severity

M

CCI

Version

VVoIP 5520

Vuln IDs

V-19632

Rule IDs

SV-21773r3_rule

VLAN and IP address segmentation enables access and traffic control for the VVoIP system components. Only the required protocols are to reach a given VVoIP device thereby protecting it from non-essential protocols. This protection is afforded on the LAN by implementing ACLs based on VLAN/subnet, protocol and in some instances specific IP addresses. While a firewall placed between the core equipment and endpoint VLANs might provide better protection for the core equipment as a whole, a router is best suited to control the varying traffic patterns between the various devices.

Checks: C-23958r2_chk

Inspect the configurations of the VVoIP core routing devices to determine compliance with the following requirement: Ensure logical or physical interfaces (VLAN/subnets or direct connect physical interfaces with discrete subnets) are configured on the VVoIP core routing devices for the VVoIP core equipment as follows: - VVoIP system core control equipment containing the LSC, endpoint configuration server, and DHCP server if used, etc. - VVoIP system management VLAN which is separate from the general LAN management VLAN. - Media gateways to the DSN and PSTN. - Signaling gateways (SG) to the DSN. - DoD WAN access VVoIP firewall (SBC or other). - Voicemail and Unified Messaging Servers, which may need to be accessible from both the voice and data VLANs. - UC servers supporting presence, web browser based conferencing, and directory services. These may need to be accessible from both the voice and data VLANs. Alternately, ensure the VVoIP core equipment employs direct connections with discrete subnets to the VVoIP core routing devices so that the ACLs may be implemented on the physical interface to the device instead of the logical interface to the VLAN. NOTE: If the device for which a VLAN/subnet is designated does not exist in the system, the VLAN is not required. These devices may be the core routing devices for the data LAN as well. If the logical or physical interfaces with discrete subnets have not been implemented against which the ACLs can be applied, this is a finding.

Fix: F-20336r2_fix

Ensure logical or physical interfaces (VLAN/subnets or direct connect physical interfaces with discrete subnets) are established/configured on the VVoIP core routing devices for the VVoIP core equipment as follows: - VVoIP system core control equipment containing the LSC, endpoint configuration server, and DHCP server if used, etc. - VVoIP system management VLAN which is separate from the general LAN management VLAN. - Media gateways to the DSN and PSTN. - Signaling gateways (SG) to the DSN. - DoD WAN access VVoIP firewall (SBC or other). - Voicemail and Unified Messaging Servers, which may need to be accessible from both the voice and data VLANs. - UC servers supporting presence, web browser based conferencing, and directory services. These may need to be accessible from both the voice and data VLANs. Alternately, ensure the VVoIP core equipment employs direct connections with discrete subnets to the VVoIP core routing devices so that the ACLs may be implemented on the physical interface to the device instead of the logical interface to the VLAN. NOTE: If the device for which a VLAN/subnet is designated does not exist in the system, the VLAN is not required. These devices may be the core routing devices for the data LAN as well.

b

VLANs established for the VVoIP system are NOT pruned from trunks and/or interfaces that are not required to carry the VVoIP traffic

Medium - V-19634 - SV-21775r2_rule

RMF Control

Severity

M

CCI

Version

VVoIP 5530

Vuln IDs

V-19634

Rule IDs

SV-21775r2_rule

While VLANs facilitate access and traffic control for the VVoIP system components and enhanced QoS, they should only be implemented on the network elements that are needed to carry the traffic from the attached devices. LAN switches will typically learn the VLANs configured on an adjacent switch and configure it locally. As such a VLAN configured on one switch can be learned and configured on the entire LAN in a very short period of time. Too many learned VLANs and a NE can crash. Additionally, a VLAN that appears on NEs where it is not required to carry traffic, places the VLAN at risk of compromise by presenting many more points at which the VLAN might be accessed. Therefore the VLANs must be pruned from trunks and interfaces where the VLAN does not need to send traffic. A VLAN that supports a number of local VVoIP endpoints only needs to traverse the NEs in two paths to the core routing devices at the VVoIP core equipment, Any specific endpoint VLAN does not need to appear on every switch in the LAN unless it serves endpoints everywhere on the LAN. Likewise the VVoIP core equipment VLANs do not need to extend past the VVoIP core routing devices (routers or layer 3 switches. The endpoint VLANs come to the core, the core VLANs do not extend to the endpoints. As such all VLANs must be pruned from any trunk where its traffic does not need to go.

Checks: C-23960r1_chk

Inspect the configurations of the LAN devices supporting the VVoIP system on which the required VLANs are configured to determine compliance with the following requirement: Ensure VLANs established for the VVoIP system are pruned from trunks and/or interfaces that are not required to carry the traffic as follows: > VVoIP core equipment VLANs will not extend past the core routing devices that support the core equipment. These VLANs should not appear on distribution or access layer NEs in the LAN. > VVoIP endpoint VLANs established on access layer switches shall only appear on a primary uplink and a backup in addition to the access ports that are assigned to the local VVoIP VLAN. > VVoIP endpoint VLANs established on distribution layer switches shall only appear on a primary uplink and a backup that leads toward a routing device. If the distribution layer switch is a routing device, there may be other endpoint VLANs present and available for routing or a local VLAN may traverse a horizontal link if available to another distribution layer NE for routing. Typically however this routing should occur on the core routing devices rather than traversing horizontal links to be routed.

Fix: F-20338r1_fix

Ensure VLANs established for the VVoIP system are pruned from trunks and/or interfaces that are not required to carry the traffic as follows: > VVoIP core equipment VLANs will not extend past the core routing devices that support the core equipment. These VLANs should not appear on distribution or access layer NEs in the LAN. > VVoIP endpoint VLANs established on access layer switches shall only appear on a primary uplink and a backup in addition to the access ports that are assigned to the local VVoIP VLAN. > VVoIP endpoint VLANs established on distribution layer switches shall only appear on a primary uplink and a backup that leads toward a routing device. If the distribution layer switch is a routing device, there may be other endpoint VLANs present and available for routing or a local VLAN may traverse a horizontal link if available to another distribution layer NE for routing. Typically however this routing should occur on the core routing devices rather than traversing horizontal links to be routed.

b

A deny-by-default ACL for VVoIP endpoint VLAN interfaces must be implemented on VVoIP core routing devices as defined in the VVoIP system ACL design.

Medium - V-19635 - SV-21776r3_rule

RMF Control

Severity

M

CCI

Version

VVoIP 5600

Vuln IDs

V-19635

Rule IDs

SV-21776r3_rule

Router ACLs are required to control access and the flow of traffic to and from VVoIP system devices and their VLANs as a protection mechanism. In general the defined ACLs are designed in a deny-by-default manner such that only the protocols and traffic that needs to reach the device or devices in the VLAN receive the packets. The ACLs filter on VLAN, IP address and subnet, protocol type, and associated standard IP port for the protocol. In general, the ACLs mentioned are egress filters (referenced the router core) on the VLAN interfaces. Additionally, the routing devices should log and alarm on inappropriate traffic. An example of this is an HTTP request sourced from the data VLANs to the endpoint or media gateway VLANs. The primary purpose of ACL on all VVoIP VLAN interfaces is to block traffic to or from the data VLAN interfaces. Similar restrictions are placed on a dedicated VTC VLAN interface, however, VVoIP media and signaling is permitted in the event a VTC unit needs to communicate with the UC system.

Checks: C-23961r2_chk

Review site documentation, especially the VVoIP system ACL design, to confirm a deny-by-default ACL for VVoIP endpoint VLAN interfaces is implemented on VVoIP core routing devices. Ensure a deny-by-default ACL is implemented on all VVoIP endpoint (hardware and software) VLAN interfaces at the VVoIP core routing device to control traffic as follows: - Endpoint configuration and registration - Permit (only as required for proper functionality) the specific system required endpoint registration / configuration protocols/traffic (e.g., DHCP, BootP, TFTP, FTP, HTTP, DNS, etc.) to/from the core control equipment VLAN interfaces (VLAN/subnet). - Endpoint Signaling - Permit (only as required for proper functionality) the specific system required endpoint signaling protocols/traffic (e.g., AS-SIP, H.323, vendor proprietary such as SCCP, UniStim, etc.) to/from the core control equipment VLAN interfaces (VLAN/subnets). - Endpoint Directory - Permit (only as required for proper functionality) the specific system required endpoint directory access protocols (e.g., HTTP and/or potentially others) to/from the core control equipment VLAN interfaces. - Endpoint Media - Permit Media protocols/traffic (RTP/RTCP, SRTP/SRTCP) to/from the Media Gateway VLAN interfaces (VLAN/subnets). - Endpoint Media - Permit Media protocols/traffic (RTP/RTCP, SRTP/SRTCP) to/from the Voicemail/Unified Messaging VLAN interfaces (VLAN/subnets). - Endpoint Media - Permit Media protocols/traffic (RTP/RTCP, SRTP/SRTCP) to/from other endpoint VLAN interfaces (VLAN/subnets) wherever they intersect. - Deny all other traffic. End the ACL with a “deny all” statement. If a deny-by-default ACL for VVoIP endpoint VLAN interfaces is not implemented on VVoIP core routing devices as defined in the VVoIP system ACL design, this is a finding.

Fix: F-20339r2_fix

Implement and document a deny-by-default ACL for VVoIP endpoint VLAN interfaces on VVoIP core routing devices as defined in the VVoIP system ACL design as follows: - Endpoint configuration and registration - Permit (only as required for proper functionality) the specific system required endpoint registration / configuration protocols/traffic (e.g., DHCP, BootP, TFTP, FTP, HTTP, DNS, etc.) to/from the core control equipment VLAN interfaces (VLAN/subnet). - Endpoint Signaling - Permit (only as required for proper functionality) the specific system required endpoint signaling protocols/traffic (e.g., AS-SIP, H.323, vendor proprietary such as SCCP, UniStim, etc.) to/from the core control equipment VLAN interfaces (VLAN/subnets). - Endpoint Directory - Permit (only as required for proper functionality) the specific system required endpoint directory access protocols (e.g., HTTP and/or potentially others) to/from the core control equipment VLAN interfaces. - Endpoint Media - Permit Media protocols/traffic (RTP/RTCP, SRTP/SRTCP) to/from the Media Gateway VLAN interfaces (VLAN/subnets). - Endpoint Media - Permit Media protocols/traffic (RTP/RTCP, SRTP/SRTCP) to/from the Voicemail/Unified Messaging VLAN interfaces (VLAN/subnets). - Endpoint Media - Permit Media protocols/traffic (RTP/RTCP, SRTP/SRTCP) to/from other endpoint VLAN interfaces (VLAN/subnets) wherever they intersect. - Deny all other traffic. End the ACL with a “deny all” statement.

b

A deny-by-default ACL for all VVoIP endpoint VLAN interfaces must be implemented on VVoIP non-core routing devices as defined in the VVoIP system ACL design.

Medium - V-19636 - SV-21777r3_rule

RMF Control

Severity

M

CCI

Version

VVoIP 5605

Vuln IDs

V-19636

Rule IDs

SV-21777r3_rule

Router ACLs are required to control access and the flow of traffic to and from VVoIP system devices and their VLANs as a protection mechanism. In general, the defined ACLs are designed in a deny-by-default manner such that only the protocols and traffic that needs to reach the device or devices in the VLAN receive the packets. The ACLs filter on VLAN, IP address and subnet, protocol type, and associated standard IP port for the protocol. In general, the ACLs mentioned are egress filters (referenced the router core) on the VLAN interfaces. Additionally, the routing devices should log and alarm on inappropriate traffic. An example of this is an HTTP request sourced from the data VLANs to the endpoint or media gateway VLANs. The primary purpose of ACL on all VVoIP VLAN interfaces is to block traffic to or from the data VLAN interfaces. Similar restrictions are placed on a dedicated VTC VLAN interface, however, VVoIP media and signaling is permitted in the event a VTC unit needs to communicate with the UC system.

Checks: C-23964r2_chk

Review site documentation, especially the VVoIP system ACL design, to confirm a deny-by-default ACL for all VVoIP endpoint VLAN interfaces is implemented on VVoIP non-core routing devices. Ensure a deny-by-default ACL is implemented on all VVoIP endpoint (hardware and software) VLAN interfaces on the VVoIP routing devices throughout the LAN that do not support the VVoIP system core equipment directly to control traffic as follows: - Permit Media protocols/traffic (RTP/RTCP, SRTP/SRTCP) to/from other endpoint VLAN interfaces (VLAN/subnets) wherever they intersect. - Deny all other traffic. End the ACL with a “deny all” statement. If a deny-by-default ACL for all VVoIP endpoint VLAN interfaces is not implemented on VVoIP non-core routing devices as defined in the VVoIP system ACL design, this is a finding.

Fix: F-20340r2_fix

Implement and document a deny-by-default ACL for all VVoIP endpoint VLAN interfaces on VVoIP non-core routing devices as defined in the VVoIP system ACL design as follows: - Permit Media protocols/traffic (RTP/RTCP, SRTP/SRTCP) to/from other endpoint VLAN interfaces (VLAN/subnets) wherever they intersect. - Deny all other traffic. End the ACL with a “deny all” statement. All other EI traffic at this level in the network remains confined to the VLAN and is passed to the routing device that manages EI access to the VVoIP core equipment/infrastructure. The purpose of permitting media traffic to be routed between VVoIP EI VLANs at this level is to reduce the loading of the core routing device and LAN NEs in between. This also enhances QoS within the LAN itself.

b

A deny-by-default ACL for session manager VLAN interfaces must be implemented on VVoIP core routing devices as defined in the VVoIP system ACL design.

Medium - V-19637 - SV-21778r3_rule

RMF Control

Severity

M

CCI

Version

VVoIP 5610

Vuln IDs

V-19637

Rule IDs

SV-21778r3_rule

Router ACLs are required to control access and the flow of traffic to and from VVoIP system devices and their VLANs as a protection mechanism. In general, the defined ACLs are designed in a deny-by-default manner such that only the protocols and traffic that needs to reach the device or devices in the VLAN receive the packets. The ACLs filter on VLAN, IP address and subnet, protocol type, and associated standard IP port for the protocol. In general, the ACLs mentioned are egress filters (referenced the router core) on the VLAN interfaces. Additionally, the routing devices should send an alarm in response to inappropriate traffic and log the occurrence. An example of this is an HTTP request sourced from the data VLANs to the endpoint or media gateway VLANs. The primary purpose of ACL on all VVoIP VLAN interfaces is to block traffic to or from the data VLAN interfaces. Similar restrictions are placed on a dedicated VTC VLAN interface, however, VVoIP media and signaling is permitted in the event a VTC unit needs to communicate with the UC system.

Checks: C-23967r2_chk

Review site documentation, especially the VVoIP system ACL design, to confirm a deny-by-default ACL for session manager VLAN interfaces is implemented on VVoIP core routing devices. Ensure a deny-by-default ACL is implemented on the VVoIP session manager VLAN interfaces on the VVoIP routing devices supporting the VVoIP system core equipment to control traffic as follows: - Endpoint configuration - Permit (only as required for proper functionality) the specific system required endpoint registration / configuration protocols/traffic (e.g., DHCP, BootP, TFTP, FTP, HTTP, DNS, etc.) to/from the endpoint VLAN interfaces (VLAN/subnets). - Endpoint signaling - Permit (only as required for proper functionality) the specific system required endpoint signaling protocols/traffic (e.g., AS-SIP, H.323, vendor proprietary such as SCCP, UniStim, etc.) to/from the endpoint VLAN interfaces (VLAN/subnets). - Endpoint directory - Permit (only as required for proper functionality) the specific system required endpoint directory access protocols (e.g., HTTP and/or potentially others) to/from the endpoint VLAN interfaces. - Media gateway - Permit (only as required for proper functionality) the specific system required signaling protocols used by the media gateway (e.g., MGCP, H.248, H.323, AS-SIP) to/from the VVoIP media gateway VLAN interfaces (VLAN/subnets). - Signaling gateway - Permit (only as required for proper functionality and the VLAN exists) the specific system required signaling protocols used by the signaling gateway (e.g., MGCP, H.248, H.323, AS-SIP) to/from the VVoIP signaling gateway VLAN interfaces (VLAN/subnets) - Session border controller - Permit (only as required for proper functionality and the VLAN exists) the specific signaling protocols used by the Edge Boundary Controller (AS-SIP) to/from the VVoIP session border controller VLAN interfaces (VLANs / subnet). - Customer edge router - Permit (only as required for proper functionality) the specific signaling or management protocols used to communicate with the Customer Edge (Premises / enclave perimeter) Router for NETOPS etc. (e.g., SNMP and potentially others) to/from the VVoIP data mgmt VLAN interfaces, OOB management LAN, or data network VLAN interfaces (VLANs / subnet) via data mgmt VLAN, OOB management LAN, or data network. - Voicemail/Unified messaging - Permit the specific signaling protocols used by the Voicemail/Unified Messaging servers (e.g., AS-SIP, H.323, vendor proprietary such as SCCP, UniStim, etc.) to/from the VVoIP Voicemail or Unified Messaging server VLAN interfaces (VLANs / subnet). - Unified capabilities - Permit (only as required for proper functionality and the VLAN exists) the specific signaling protocols used by any unified communications servers (e.g., AS-SIP, H.323, vendor proprietary such as SCCP, UniStim, etc.) to/from the VVoIP UC server VLAN interfaces (VLANs / subnet). - Permit Media protocols (RTP/RTCP, SRTP/SRTCP) to/from the endpoint VLAN interfaces, media gateway VLAN interfaces, and voicemail/unified messaging VLAN interfaces (VLAN/subnets). (Call control equipment does not typically process media therefore there is typically no need to permit this traffic and thereby provide a potential attack vector.) - Permit only those other protocols/traffic between specific VLANs, subnets, and devices as required for the system to properly function. - Deny all other traffic. End the ACL with a “deny all” statement. NOTE: The ACLs must mirror the ACLs imposed for access to/from each of the mating VLANs based on the protocols that VLAN accepts. If a deny-by-default ACL for session manager VLAN interfaces is not implemented on VVoIP core routing devices as defined in the VVoIP system ACL design, this is a finding.

Fix: F-20341r2_fix

Implement and document a deny-by-default ACL for session manager VLAN interfaces on VVoIP core routing devices as defined in the VVoIP system ACL design as follows: - Endpoint configuration - Permit (only as required for proper functionality) the specific system required endpoint registration / configuration protocols/traffic (e.g., DHCP, BootP, TFTP, FTP, HTTP, DNS, etc.) to/from the endpoint VLAN interfaces (VLAN/subnets). - Endpoint signaling - Permit (only as required for proper functionality) the specific system required endpoint signaling protocols/traffic (e.g., AS-SIP, H.323, vendor proprietary such as SCCP, UniStim, etc.) to/from the endpoint VLAN interfaces (VLAN/subnets). - Endpoint directory - Permit (only as required for proper functionality) the specific system required endpoint directory access protocols (e.g., HTTP and/or potentially others) to/from the endpoint VLAN interfaces. - Media gateway - Permit (only as required for proper functionality) the specific system required signaling protocols used by the media gateway (e.g., MGCP, H.248, H.323, AS-SIP) to/from the VVoIP media gateway VLAN interfaces (VLAN/subnets). - Signaling gateway - Permit (only as required for proper functionality and the VLAN exists) the specific system required signaling protocols used by the signaling gateway (e.g., MGCP, H.248, H.323, AS-SIP) to/from the VVoIP signaling gateway VLAN interfaces (VLAN/subnets) - Session border controller - Permit (only as required for proper functionality and the VLAN exists) the specific signaling protocols used by the Edge Boundary Controller (AS-SIP) to/from the VVoIP session border controller VLAN interfaces (VLANs / subnet). - Customer edge router - Permit (only as required for proper functionality) the specific signaling or management protocols used to communicate with the Customer Edge (Premises / enclave perimeter) Router for NETOPS etc. (e.g., SNMP and potentially others) to/from the VVoIP data mgmt VLAN interfaces, OOB management LAN, or data network VLAN interfaces (VLANs / subnet) via data mgmt VLAN, OOB management LAN, or data network. - Unified messaging - Permit the specific signaling protocols used by the Voicemail/Unified Messaging servers (e.g., AS-SIP, H.323, vendor proprietary such as SCCP, UniStim, etc.) to/from the VVoIP Voicemail or Unified Messaging server VLAN interfaces (VLANs / subnet). - Unified capabilities - Permit (only as required for proper functionality and the VLAN exists) the specific signaling protocols used by any unified communications servers (e.g., AS-SIP, H.323, vendor proprietary such as SCCP, UniStim, etc.) to/from the VVoIP UC server VLAN interfaces (VLANs / subnet). - Permit Media protocols (RTP/RTCP, SRTP/SRTCP) to/from the endpoint VLAN interfaces, media gateway VLAN interfaces, and voicemail/unified messaging VLAN interfaces (VLAN/subnets). (Call control equipment does not typically process media therefore there is typically no need to permit this traffic and thereby provide a potential attack vector.) - Permit only those other protocols/traffic between specific VLANs, subnets, and devices as required for the system to properly function. - Deny all other traffic. End the ACL with a “deny all” statement.

b

A deny-by-default ACL for media gateway VLAN interfaces must be implemented on VVoIP core routing devices as defined in the VVoIP system ACL design.

Medium - V-19638 - SV-21779r3_rule

RMF Control

Severity

M

CCI

Version

VVoIP 5615

Vuln IDs

V-19638

Rule IDs

SV-21779r3_rule

Router ACLs are required to control access and the flow of traffic to and from VVoIP system devices and their VLANs as a protection mechanism. In general, the defined ACLs are designed in a deny-by-default manner such that only the protocols and traffic that needs to reach the device or devices in the VLAN receive the packets. The ACLs filter on VLAN, IP address and subnet, protocol type, and associated standard IP port for the protocol. In general, the ACLs mentioned are egress filters (referenced the router core) on the VLAN interfaces. Additionally, the routing devices should log and alarm on inappropriate traffic. An example of this is an HTTP request sourced from the data VLANs to the endpoint or media gateway VLANs. The primary purpose of ACL on all VVoIP VLAN interfaces is to block traffic to or from the data VLAN interfaces. Similar restrictions are placed on a dedicated VTC VLAN interface, however, VVoIP media and signaling is permitted in the event a VTC unit needs to communicate with the UC system.

Checks: C-23970r2_chk

Review site documentation, especially the VVoIP system ACL design, to confirm a deny-by-default ACL for media gateway VLAN interfaces is implemented on VVoIP core routing devices. Ensure a deny-by-default ACL is implemented on the VVoIP Media Gateway (MG) VLAN interfaces on the VVoIP routing devices supporting the VVoIP system core equipment to control traffic as follows: - Permit Media protocols/traffic (RTP/RTCP, SRTP/SRTCP) to/from the endpoint VLAN interfaces (VLAN/subnets). - Permit (only as required for proper functionality) the specific system required signaling protocols used by the media gateway ((e.g., MGCP, H.248, H.323, AS-SIP) to/from the VVoIP core control equipment VLAN interfaces (VLAN/subnets). - Deny all other traffic. End the ACL with a “deny all” statement. If a deny-by-default ACL for media gateway VLAN interfaces is not implemented on VVoIP core routing devices as defined in the VVoIP system ACL design, this is a finding.

Fix: F-20342r2_fix

Implement and document a deny-by-default ACL for media gateway VLAN interfaces on VVoIP core routing devices as defined in the VVoIP system ACL design as follows: - Permit Media protocols/traffic (RTP/RTCP, SRTP/SRTCP) to/from the endpoint VLAN interfaces (VLAN/subnets) - Permit (only as required for proper functionality) the specific system required signaling protocols used by the media gateway ((e.g., MGCP, H.248, H.323, AS-SIP) to/from the VVoIP core control equipment VLAN interfaces (VLAN/subnets). - Deny all other traffic. End the ACL with a “deny all” statement.

b

A deny-by-default ACL for signaling gateway VLAN interfaces must be implemented on VVoIP core routing devices as defined in the VVoIP system ACL design.

Medium - V-19639 - SV-21780r3_rule

RMF Control

Severity

M

CCI

Version

VVoIP 5620

Vuln IDs

V-19639

Rule IDs

SV-21780r3_rule

Router ACLs are required to control access and the flow of traffic to and from VVoIP system devices and their VLANs as a protection mechanism. In general, the defined ACLs are designed in a deny-by-default manner such that only the protocols and traffic that needs to reach the device or devices in the VLAN receive the packets. The ACLs filter on VLAN, IP address and subnet, protocol type, and associated standard IP port for the protocol. In general, the ACLs mentioned are egress filters (referenced the router core) on the VLAN interfaces. Additionally, the routing devices should log and alarm on inappropriate traffic. An example of this is an HTTP request sourced from the data VLANs to the endpoint or media gateway VLANs. The primary purpose of ACL on all VVoIP VLAN interfaces is to block traffic to or from the data VLAN interfaces. Similar restrictions are placed on a dedicated VTC VLAN interface, however, VVoIP media and signaling is permitted in the event a VTC unit needs to communicate with the UC system.

Checks: C-23973r2_chk

Review site documentation, especially the VVoIP system ACL design, to confirm a deny-by-default ACL for signaling gateway VLAN interfaces is implemented on VVoIP core routing devices. Ensure a deny-by-default ACL is implemented on the VVoIP Signaling Gateway (SG) VLAN interfaces on the VVoIP routing devices supporting the VVoIP system core equipment to control traffic as follows: - Permit (only as required for proper functionality) the specific system required signaling protocols used by the Signaling Gateway ((e.g., MGCP, H.248, H.323, AS-SIP) to/from the VVoIP core control equipment VLAN interfaces (VLAN/subnets). - Deny all other traffic. End the ACL with a “deny all” statement. If a deny-by-default ACL for signaling gateway VLAN interfaces is not implemented on VVoIP core routing devices as defined in the VVoIP system ACL design, this is a finding.

Fix: F-20343r2_fix

Implement and document a deny-by-default ACL for signaling gateway VLAN interfaces must be implemented on VVoIP core routing devices as defined in the VVoIP system ACL design as follows: - Permit (only as required for proper functionality) the specific system required signaling protocols used by the Signaling Gateway (e.g., MGCP, H.248, H.323, AS-SIP) to/from the VVoIP core control equipment VLAN interfaces (VLAN/subnets) - Deny all other traffic. End the ACL with a “deny all” statement.

b

A deny-by-default ACL for session border VLAN interfaces must be implemented on VVoIP core routing devices as defined in the VVoIP system ACL design.

Medium - V-19640 - SV-21781r3_rule

RMF Control

Severity

M

CCI

Version

VVoIP 5625

Vuln IDs

V-19640

Rule IDs

SV-21781r3_rule

Router ACLs are required to control access and the flow of traffic to and from VVoIP system devices and their VLANs as a protection mechanism. In general the defined ACLs are designed in a deny-by-default manner such that only the protocols and traffic that needs to reach the device or devices in the VLAN receive the packets. The ACLs filter on VLAN, IP address and subnet, protocol type, and associated standard IP port for the protocol. In general, the ACLs mentioned are egress filters (referenced the router core) on the VLAN interfaces. Additionally, the routing devices should log and alarm on inappropriate traffic. An example of this is an HTTP request sourced from the data VLANs to the endpoint or media gateway VLANs. The primary purpose of ACL on all VVoIP VLAN interfaces is to block traffic to or from the data VLAN interfaces. Similar restrictions are placed on a dedicated VTC VLAN interface, however, VVoIP media and signaling is permitted in the event a VTC unit needs to communicate with the UC system .

Checks: C-23976r2_chk

Review site documentation, especially the VVoIP system ACL design, to confirm a deny-by-default ACL for session border VLAN interfaces is implemented on VVoIP core routing devices. Ensure a deny-by-default ACL is implemented on the VVoIP session border controller VLAN or firewall VLAN interfaces on the VVoIP routing devices supporting the VVoIP system core equipment to control traffic as follows: - Permit Media protocols/traffic (RTP/RTCP, SRTP/SRTCP) to/from the endpoint VLAN interfaces (VLAN/subnets). - Permit (only as required for proper functionality) the specific system required signaling protocols used by the session manager ((e.g., H.323, SIP, AS-SIP) to/from the VVoIP core control equipment VLAN interfaces (VLAN/subnets). - Deny all other traffic. End the ACL with a “deny all” statement. If a deny-by-default ACL for session border VLAN interfaces is not implemented on VVoIP core routing devices as defined in the VVoIP system ACL design, this is a finding.

Fix: F-20344r2_fix

Implement and document a deny-by-default ACL for session border VLAN interfaces on VVoIP core routing devices as defined in the VVoIP system ACL design as follows: - Permit Media protocols/traffic (RTP/RTCP, SRTP/SRTCP) to/from the endpoint VLAN interfaces (VLAN/subnets). - Permit (only as required for proper functionality) the specific system required signaling protocols used by the session manager ((e.g., H.323, SIP, AS-SIP) to/from the VVoIP core control equipment VLAN interfaces (VLAN/subnets). - Deny all other traffic. End the ACL with a “deny all” statement.

b

A deny-by-default ACL for voicemail and unified messaging servers VLAN interfaces must be implemented on core routing devices as defined in the VVoIP system ACL design.

Medium - V-19642 - SV-21783r3_rule

RMF Control

Severity

M

CCI

Version

VVoIP 5635

Vuln IDs

V-19642

Rule IDs

SV-21783r3_rule

Router ACLs are required to control access and the flow of traffic to and from VVoIP system devices and their VLANs as a protection mechanism. In general, the defined ACLs are designed in a deny-by-default manner such that only the protocols and traffic that needs to reach the device or devices in the VLAN receive the packets. The ACLs filter on VLAN, IP address and subnet, protocol type, and associated standard IP port for the protocol. In general, the ACLs mentioned are egress filters (referenced the router core) on the VLAN interfaces. Additionally, the routing devices should log and alarm on inappropriate traffic. An example of this is an HTTP request sourced from the data VLANs to the endpoint or media gateway VLANs. The primary purpose of ACL on all VVoIP VLAN interfaces is to block traffic to or from the data VLAN interfaces. Similar restrictions are placed on a dedicated VTC VLAN interface, however, VVoIP media and signaling is permitted in the event a VTC unit needs to communicate with the UC system. Information Assurance Officer

Checks: C-23982r2_chk

Review site documentation, especially the VVoIP system ACL design, to confirm a deny-by-default ACL for voicemail and unified messaging servers VLAN interfaces must be implemented on core routing devices as defined in the VVoIP system ACL design. Ensure a deny-by-default ACL is implemented on the VVoIP Voicemail / Unified Messaging Servers VLAN interfaces on the VVoIP routing devices supporting the VVoIP system core equipment to control traffic as follows: - Permit Media protocols/traffic (RTP/RTCP, SRTP/SRTCP) to/from the endpoint VLAN interfaces (VLAN/subnets) (for depositing and retrieving VM from internal endpoints). - Permit Media protocols/traffic (RTP/RTCP, SRTP/SRTCP) to/from the Media Gateway VLAN interfaces (VLAN/subnets) ((for depositing and retrieving VM from outside the enclave via a TDM network). - Permit Media protocols/traffic (RTP/RTCP, SRTP/SRTCP) to/from the DoD WAN access VVoIP firewall (session border controller or other) VLAN interfaces (VLAN/subnets) (for depositing and retrieving VM from outside the enclave via an IP network). - Permit (only as required for proper functionality) the specific system required signaling protocols used by the Voicemail / Unified Messaging Servers (e.g., H.323, SIP, AS-SIP, proprietary) to/from the VVoIP core control equipment VLAN interfaces (VLAN/subnets) (for session manager VM call setup/teardown). - Permit (only as required for proper functionality) the specific system required protocols used by a VM server to send email attachments (e.g., SMTP) to the user’s email server to/from the VVoIP general data user VLAN interfaces (VLAN/subnets) (for retrieving VM via email from a PC). - Permit (only as required for proper functionality) the specific system required protocols used by a user’s Unified Messaging client application on their PC (e.g., SMTP) to/from the VVoIP general data user VLAN interfaces (VLAN/subnets) (for retrieving email and VM from a PC in the event the VM server is also the user’s email server). - Deny all other traffic. End the ACL with a “deny all” statement. If a deny-by-default ACL for voicemail and unified messaging servers VLAN interfaces is not implemented on core routing devices as defined in the VVoIP system ACL design, this is a finding.

Fix: F-20346r2_fix

Implement and document a deny-by-default ACL for voicemail and unified messaging servers VLAN interfaces must be implemented on core routing devices as defined in the VVoIP system ACL design. as follows: - Permit Media protocols/traffic (RTP/RTCP, SRTP/SRTCP) to/from the endpoint VLAN interfaces (VLAN/subnets). - Permit Media protocols/traffic (RTP/RTCP, SRTP/SRTCP) to/from the Media Gateway VLAN interfaces (VLAN/subnets). - Permit Media protocols/traffic (RTP/RTCP, SRTP/SRTCP) to/from the DoD WAN access VVoIP firewall (session border controller or other) VLAN interfaces (VLAN/subnets). - Permit (only as required for proper functionality) the specific system required signaling protocols used by the Voicemail / Unified Messaging Servers (e.g., H.323, SIP, AS-SIP, proprietary) to/from the VVoIP core control equipment VLAN interfaces (VLAN/subnets). - Permit (only as required for proper functionality) the specific system required protocols used by a user’s Unified Messaging client application (e.g., SMTP) to/from the VVoIP general data user VLAN interfaces (VLAN/subnets). - Deny all other traffic. End the ACL with a “deny all” statement.

b

A deny-by-default ACL for unified communications server VLAN interfaces must be implemented on core routing devices as defined in the VVoIP system ACL design.

Medium - V-19643 - SV-21784r3_rule

RMF Control

Severity

M

CCI

Version

VVoIP 5640

Vuln IDs

V-19643

Rule IDs

SV-21784r3_rule

Router ACLs are required to control access and the flow of traffic to and from VVoIP system devices and their VLANs as a protection mechanism. In general, the defined ACLs are designed in a deny-by-default manner such that only the protocols and traffic that needs to reach the device or devices in the VLAN receive the packets. The ACLs filter on VLAN, IP address and subnet, protocol type, and associated standard IP port for the protocol. In general, the ACLs mentioned are egress filters (referenced the router core) on the VLAN interfaces. Additionally, the routing devices should log and alarm on inappropriate traffic. An example of this is an HTTP request sourced from the data VLANs to the endpoint or media gateway VLANs. The primary purpose of ACL on all VVoIP VLAN interfaces is to block traffic to or from the data VLAN interfaces. Similar restrictions are placed on a dedicated VTC VLAN interface, however, VVoIP media and signaling is permitted in the event a VTC unit needs to communicate with the UC system .

Checks: C-23987r2_chk

Review site documentation, especially the VVoIP system ACL design, to confirm a deny-by-default ACL for unified communications server VLAN interfaces is implemented on core routing devices. Ensure a deny-by-default ACL is implemented on the Unified Communications Servers VLAN interfaces on the VVoIP routing devices supporting the VVoIP system core equipment to control traffic as follows: - Permit Media protocols/traffic (RTP/RTCP, SRTP/SRTCP) to/from the endpoint VLAN interfaces (VLAN/subnets). - Permit (only as required for proper functionality) the specific system required signaling protocols used by the Unified Communications Servers (e.g., H.323, SIP, AS-SIP, proprietary, other) to/from the VVoIP core control equipment VLAN interfaces (VLAN/subnets). - Deny all other traffic. End the ACL with a “deny all” statement. If a deny-by-default ACL for unified communications server VLAN interfaces is not implemented on core routing devices as defined in the VVoIP system ACL design, this is a finding.

Fix: F-20347r2_fix

Implement and document a deny-by-default ACL for unified communications server VLAN interfaces on core routing devices as defined in the VVoIP system ACL design as follows: - Permit Media protocols/traffic (RTP/RTCP, SRTP/SRTCP) to/from the endpoint VLAN interfaces (VLAN/subnets). - Permit (only as required for proper functionality) the specific system required signaling protocols used by the Unified Communications Servers (e.g., H.323, SIP, AS-SIP, proprietary, other) to/from the VVoIP core control equipment VLAN interfaces (VLAN/subnets). - Deny all other traffic. End the ACL with a “deny all” statement.

b

A deny-by-default ACL for system management VLAN interfaces must be implemented on VVoIP core routing devices as defined in the VVoIP system ACL design.

Medium - V-19644 - SV-21785r3_rule

RMF Control

Severity

M

CCI

Version

VVoIP 5645

Vuln IDs

V-19644

Rule IDs

SV-21785r3_rule

Router ACLs are required to control access and the flow of traffic to and from VVoIP system devices and their VLANs as a protection mechanism. In general, the defined ACLs are designed in a deny-by-default manner such that only the protocols and traffic that needs to reach the device or devices in the VLAN receive the packets. The ACLs filter on VLAN, IP address and subnet, protocol type, and associated standard IP port for the protocol. In general, the ACLs mentioned are egress filters (referenced the router core) on the VLAN interfaces. Additionally, the routing devices should log and alarm on inappropriate traffic. An example of this is an HTTP request sourced from the data VLANs to the endpoint or media gateway VLANs. The primary purpose of ACL on all VVoIP VLAN interfaces is to block traffic to or from the data VLAN interfaces. Similar restrictions are placed on a dedicated VTC VLAN interface, however, VVoIP media and signaling is permitted in the event a VTC unit needs to communicate with the UC system.

Checks: C-23988r2_chk

Review site documentation, especially the VVoIP system ACL design, to confirm a deny-by-default ACL for system management VLAN interfaces is implemented on VVoIP core routing devices. Ensure a deny-by-default ACL is implemented on the VVoIP system management VLAN interfaces on the VVoIP routing devices supporting the VVoIP system core equipment to control traffic as follows: - Deny access to the VVoIP system management VLAN from the VVoIP endpoint and core equipment production VLANs - Deny access to the VVoIP system management VLAN from the general data production VLANs - Deny general access to the VVoIP system management VLAN from the general LAN management VLAN and any other management VLAN - Permit access to the VVoIP system management VLAN from other management VLANs, NOC VPNs, and enterprise management/monitoring networks as specifically required to meet mission and NETOPS requirements. Such permissions will be based on the specific IP addresses (or limited address ranges) requiring access - Permit only those ports and protocols specifically required to meet mission and NETOPS requirements If a deny-by-default ACL for system management VLAN interfaces is not implemented on VVoIP core routing devices as defined in the VVoIP system ACL design, this is a finding.

Fix: F-20348r2_fix

Implement and document a deny-by-default ACL for system management VLAN interfaces must be implemented on VVoIP core routing devices as defined in the VVoIP system ACL design as follows: - Deny access to the VVoIP system management VLAN from the VVoIP endpoint and core equipment production VLANs - Deny access to the VVoIP system management VLAN from the general data production VLANs - Deny general access to the VVoIP system management VLAN from the general LAN management VLAN and any other management VLAN - Permit access to the VVoIP system management VLAN from other management VLANs, NOC VPNs, and enterprise management/monitoring networks as specifically required to meet mission and NETOPS requirements. Such permissions will be based on the specific IP addresses (or limited address ranges) requiring access - Permit only those ports and protocols specifically required to meet mission and NETOPS requirements

b

The implementation of Unified Mail services degrades the separation between the voice and data protection zones (VLANs).

Medium - V-19645 - SV-21786r2_rule

RMF Control

Severity

M

CCI

Version

VVoIP 5560

Vuln IDs

V-19645

Rule IDs

SV-21786r2_rule

Voice mail services in a VoIP environment are available in several different configurations. A legacy voice mail platform can connect to a VoIP environment to provide voice mail services for VoIP users. In the same respect, a VoIP voice mail platform can provide voice mail services to the legacy voice users and the VoIP users. Some voice mail systems are also capable of providing unified mail by interacting with email messaging systems. Voicemails when recorded are converted to a .wav or similar digital audio file and sent to the email server as an attachment to an email. The subject line will typically contain the caller ID information if available. The email user can then open the attachment and listen to the voicemail on their PC or whatever device that provides properly authenticated access to the user’s email. Since the voicemail server must access the voice network (which, in a VoIP system is the VoIP VLAN system), and the data network (data VLANs) to send the email, caution and control must be exercised to not degrade the separation between the voice and data VLANs. Additionally, if the email server is part of or collocated with the voicemail server, user access to email must also not degrade the separation between the voice and data VLANs. Since this server may have 2 NICs and be connected to both voice and data VLANs, the server must not act as a bridge between the voice and data VLANs.

Checks: C-23991r1_chk

Interview the IAO to confirm compliance with the following requirement: Ensure the implementation of a unified mail system does not degrade the separation and traffic filtering between the voice and data security zones or VLANs. This is a finding in the event the sending of voicemails to an email server or user access to email degrades the separation between the voice and data VLAN(s) such that the hosts or users on the data VLAN(s) have easy access to the VoIP instruments, traffic and infrastructure hosts on the VoIP VLAN(s).

Fix: F-20349r1_fix

Ensure the implementation of a unified mail system does not degrade the separation and traffic filtering between the voice and data security zones or VLANs. Configure unified mail services with access to both the data and voice VLANs to NOT bridge the two environments together.

b

The LAN Access switch port is NOT configured to place the VVoIP or VTC traffic in the proper VLAN (e.g., the port is NOT assigned to the proper VLAN) or the port does not assign the appropriate VLAN tag via some other method.

Medium - V-19646 - SV-21787r2_rule

RMF Control

Severity

M

CCI

Version

VVoIP 5540

Vuln IDs

V-19646

Rule IDs

SV-21787r2_rule

Some VVoIP hardware endpoints and hardware based VTC endpoints contain a multi-port Ethernet switch to provide a connection on the endpoint for external devices such as a workstation (i.e., PC port). Additionally, some of these endpoints have the capability of defining the VLAN that their traffic will use via various methods but most typically by using 802.1Q trunking (VLAN tagging). However, some endpoints do not support VLAN assignment or cannot themselves maintain VLAN separation. In these cases, the responsibility of VLAN assignment and maintenance of VLAN separation falls to the LAN access switch (discrete NE or module in a larger NE) that supports the LAN cable drop to which the endpoint(s) is connected. Typically the LAN access switch port configurations contain a statement assigning the port to a specific VLAN.

Checks: C-23993r1_chk

If the VVoIP or VTC endpoints DO NOT provide a PC Port (and embedded Ethernet switch or hub), OR they do but cannot support VLAN separation (e.g., they have a hub) OR they cannot tag their traffic with the appropriate VLAN tag ((802.1Q). Inspect the configurations of the NE to determine compliance with the following requirement: In the event a LAN Access switch port supports a VVoIP or VTC endpoint that does not contain a multi-port Ethernet switch OR cannot maintain VLAN separation OR cannot provide an appropriate VLAN tag (802.1Q), ensure the LAN Access switch port is configured to place the VVoIP or VTC traffic in the proper VLAN (e.g., the port is assigned to the VLAN) or the port assigns the appropriate VLAN tag via some other method. Look at the LAN access port configurations to determine if the ports are assigned to the appropriate VLAN for the device it supports (VVoIP, VTC, Data, etc) Alternately, look for configuration settings that identify the type of traffic and assign the traffic or the port to the proper VLAN or add the appropriate VLAN tag. This is a finding if the initial condition is met and the LAN access ports are not configured as described.

Fix: F-20350r1_fix

In the event a LAN Access switch port supports a VVoIP or VTC endpoint that does not contain a multi-port Ethernet switch OR cannot maintain VLAN separation OR cannot provide an appropriate VLAN tag (802.1Q), ensure the LAN Access switch port is configured to place the VVoIP or VTC traffic in the proper VLAN (e.g., the port is assigned to the VLAN) or the port assigns the appropriate VLAN tag via some other method. Configure the LAN access ports such that they are assigned to the appropriate VLAN for the device it supports (VVoIP, VTC, Data, etc) Alternately Configure the LAN access ports to identify the type of traffic and assign the traffic or the port to the proper VLAN or add the appropriate VLAN tag.

b

The LAN access switch (discrete NE or module in a larger NE) is NOT capable of, or is NOT configured to; maintain the required VLAN separation for traffic originating from supported endpoints and DOES NOT route voice, VTC, PC communications client, and data traffic to their respective VLANs on the LAN.

Medium - V-19647 - SV-21788r2_rule

RMF Control

Severity

M

CCI

Version

VVoIP 5535

Vuln IDs

V-19647

Rule IDs

SV-21788r2_rule

Some VVoIP hardware endpoints and hardware based VTC endpoints contain a multi-port Ethernet switch to provide a connection on the endpoint for external devices such as a workstation (i.e., PC port). This is done so that a PC and a workstation can share a single network cable drop and LAN access layer switch port. The PC port can, in general, support any device requiring an Ethernet connection. In theory, a VoIP phone, a desktop VTC unit could be daisy chained on a single LAN drop. These embedded multi-port Ethernet switches must be capable of maintaining the separation of the voice (VVoIP), data, VLANs as well as the VTC VLAN and PC Comm Client VLAN if present. For example the attached PC must not be able to directly access the phone’s or VTU’s configurations or communications traffic. VAN separation helps to prevent this. NOTE: the switch or endpoint will typically utilize 802.1Q trunking (VLAN tagging) but may use some other means to separate voice and data traffic. Typically when 802.1Q VLAN tagging is used, the phone firmware tags the VoIP packets while the embedded switch passes all packets without modification. This permits devices connected to the PC port to tag their packets and assign the proper VLAN to their traffic type. 802.1Q VLAN tagging enables the LAN to better maintain separation of the traffic and is therefore the preferred method. The LAN access switch (discrete NE or module in a larger NE) must be capable of, and must be configured to, support the VLAN separation method used by the supported endpoints. The NE may perform this function in various ways as determined by the overall VVoIP system and LAN design. However, the typical (or preferred) method used by an endpoint to maintain VLAN separation is 802.1Q VLAN tagging. As such, the LAN access port and NE needs to support the receipt of tagged packets and handle them appropriately to also maintain VLAN separation. While the NE may retag the packets thereby reassigning the VLAN based on some defined rule, the NE may not strip the tags and mix all traffic together. Furthermore, The LAN access NE supporting LAN cable drops will typically have a VLAN defined for each service (VVoIP, VTC, Data, PC Comm. Client) supported by the endpoints connected to the NE. Traffic within the respective VLANs may flow between different physical ports on the NE but may not change VLANs in the process. This must be done by a routing device (discrete NE or module in a larger NE) and must be controlled by an appropriate ACL. The LAN access layer Ethernet switch may be combined in the same unit with the routing device as in the case of a layer-3 switch or a router containing an Ethernet switch module.

Checks: C-23995r1_chk

If the VVoIP or VTC endpoints supported by this NE provide a PC Port (has an embedded Ethernet switch), inspect the configurations of the NE to determine compliance with the following requirement: In the event the LAN access switch port supports a VVoIP or VTC endpoint with an embedded Ethernet switch, ensure the NE is capable of, and configured to, maintain the required VLAN separation from the endpoint and route voice, VTC, PC communications client, and data traffic to their respective VLANs on the LAN. NOTE: The NE may perform this function in various ways as determined by the overall VVoIP system and LAN design. However, the typical (or preferred) method used by an endpoint to maintain VLAN separation is 802.1Q VLAN tagging of the VVoIP traffic while letting PC port traffic pass unchanged. This permits both tagged and untagged traffic to come through the PC port. As such, the LAN access port and NE needs to support the receipt of tagged packets and handle them appropriately to also maintain VLAN separation. This may require the port be assigned to the data VLAN for the “default” traffic, while recognizing the VVoIP VLAN tag and then split the VVoIP traffic into its VLAN. While the NE may retag the packets thereby reassigning the VLAN based on some defined rule, the NE may not strip the tags and mix all traffic together. NOTE The LAN access layer Ethernet switch (discrete NE or module in a larger NE) supporting LAN cable drops will typically have a VLAN defined for each service (VVoIP, VTC, Data, PC Comm. Client) supported by the endpoints connected to the NE. Traffic within the respective VLANs may flow between different physical ports on the NE but may not change VLANs in the process. This must be done by a routing device (discrete NE or module in a larger NE) and must be controlled by an appropriate ACL. The LAN access layer Ethernet switch may be combined in the same unit with the routing device as in the case of a layer-3 switch or a router containing an Ethernet switch module.

Fix: F-20351r1_fix

In the event the LAN access switch port supports a VVoIP or VTC endpoint with an embedded Ethernet switch, ensure the NE is capable of, and configured to, maintain the required VLAN separation from the endpoint and route voice, VTC, PC communications client, and data traffic to their respective VLANs on the LAN. NOTE: The NE may perform this function in various ways as determined by the overall VVoIP system and LAN design. However, the typical (or preferred) method used by an endpoint to maintain VLAN separation is 802.1Q VLAN tagging. As such, the LAN access port and NE needs to support the receipt of tagged packets and handle them appropriately to also maintain VLAN separation. While the NE may retag the packets thereby reassigning the VLAN based on some defined rule, the NE may not strip the tags and mix all traffic together. NOTE: The LAN access layer Ethernet switch (discrete NE or module in a larger NE) supporting LAN cable drops will typically have a VLAN defined for each service (VVoIP, VTC, Data, PC Comm. Client) supported by the endpoints connected to the NE. Traffic within the respective VLANs may flow between different physical ports on the NE but may not change VLANs in the process. This must be done by a routing device (discrete NE or module in a larger NE) and must be controlled by an appropriate ACL. The LAN access layer Ethernet switch may be combined in the same unit with the routing device as in the case of a layer-3 switch or a router containing an Ethernet switch module.

b

LAN access switchports supporting VVoIP or VTC endpoints containing a PC port are configured in trunk mode, NOT in access mode or “802.1Q tagged access mode.”

Medium - V-19648 - SV-21789r2_rule

RMF Control

Severity

M

CCI

Version

VVoIP 5545

Vuln IDs

V-19648

Rule IDs

SV-21789r2_rule

Policy regarding LAN access switchport mode has been established in the Network Infrastructure STIG by NET1416 which states “ensure trunking is disabled on all access ports (do not configure trunk on, desirable, non-negotiate, or auto—only off).” The reason for this is that a malicious user could affect a VLAN hopping attack. VLAN “hopping” occurs when a tagged frame destined for one VLAN is redirected to a different VLAN, threatening network security. The redirection can be initiated using two methods: “tagging attack” and “double encapsulation.” Frame tagging attacks allow a malicious user on a VLAN to get unauthorized access to another VLAN. For example, if a switch port’s trunk mode were configured as auto (enables a port to become a trunk if the connected switch it is negotiating trunking with has its state set to on or desirable) and were to receive a fake DTP packet specifying trunk on or desirable, it would become a trunk port and it could then start accepting traffic destined for all VLANs that belong to that trunk group. The attacker could start communicating with other VLANs through that compromised port—including the management VLAN. Insuring that trunk mode for any non-trunking port is configured as off can prevent this type of attack. Double encapsulation can be initiated by an attacker who has access to a switch port belonging to the native VLAN of the trunk port. Knowing the victim’s MAC address and with the victim attached to a different switch belonging to the same trunk group, thereby requiring the trunk link and frame tagging, the malicious user can begin the attack by sending frames with two sets of tags. The outer tag that is the attacker’s VLAN ID (probably the well known and omnipresent VLAN 1) is stripped off by the switch, and the inner tag that will have the victim’s VLAN ID is used by the switch as the next hop and sent out the trunk port. To ensure the integrity of the trunk link and prevent unauthorized access, the native VLAN of the trunk port should be changed from the default VLAN 1 to its own unique VLAN. NOTE: Trunk mode is typically used between LAN switches to extend defined VLANs across a network. This mode is used to interconnect LAN switches and routers with other LAN switches and routers to create a network across multiple NEs. Trunk mode generally requires each packet to be tagged with the VLAN ID that it belongs to. This tagging can follow the 802.1Q standard format or can use a vendor proprietary protocol such as Cisco’s ISL. Access mode on the other hand is used on a switchport that supports a connection to a LAN endpoint device. Typically single endpoint devices connected to a switchport send traffic that does not contain a VLAN tag. In this case, if a VLAN is defined for the endpoint, the switchport is statically assigned to a VLAN. As such, when a packet is received and sent out the “Trunk” the packet is tagged with the VLAN ID. Best practices dictate that the implementation of VVoIP on a network requires one or more VVoIP VLANs be established within the network. Therefore LAN access switchports that support VVoIP and VTC endpoints that do not tag or are capable but not configured to add a VLAN tag to their traffic must be statically assigned to the local VVoIP VLAN. VVoIP and VTC endpoints that do have the capability of adding the VLAN tag to their traffic typically use 802.1Q format and also typically support a PC port on the device. The PC port is added to the VVoIP or VTC endpoints since it reduces cabling and LAN infrastructure cost. Typically, VVoIP or VTC endpoints that support a PC port pass traffic from this port unchanged whether the traffic is tagged or not, while adding the VVoIP VLAN tag for the locally defined VVoIP VLAN to its VVoIP traffic. As such, a LAN access switchport must now support tagged and untagged traffic and keep the traffic separated. This is done by defining a default “data” VLAN (that is not the default VLAN on the NE such as VLAN 0 or 1) for the switchport in which untagged traffic is placed and defining a secondary VVoIP VLAN that matches the 802.1Q tag used for the VVoIP traffic. This method maintains the LAN access nature of the port even though it supports multiple VLANs while not requiring it to be configured as a trunk.

Checks: C-23997r1_chk

Inspect LAN access switchport configuration settings to confirm compliance with the following requirement: Ensure all LAN access switchports that support VVoIP and/or VTC endpoints containing a PC port are configured in access mode or “802.1Q tagged access mode” and NOT trunk mode. (e.g., “switchport mode access” NOT “switchport mode trunk”).

Fix: F-20352r1_fix

Ensure all LAN access switchports that support VVoIP and/or VTC endpoints containing a PC port are configured in access mode or “802.1Q tagged access mode” and NOT trunk mode. (e.g., “switchport mode access” NOT “switchport mode trunk”)

b

LAN access switchport supporting a VVoIP or VTC endpoint that does not, or is not configured to, apply 802.1Q VLAN tags to its traffic is NOT statically assigned to the appropriate local VVoIP or VTC VLAN.

Medium - V-19649 - SV-21790r2_rule

RMF Control

Severity

M

CCI

Version

VVoIP 5550

Vuln IDs

V-19649

Rule IDs

SV-21790r2_rule

VVoIP or VTC endpoints that are not configured to or cannot provide a 802.1Q VLAN tag to its VVoIP traffic have no control over what VLAN their traffic ends up in, if any. Therefore the responsibility of placing VVoIP or VTC traffic in an appropriate VLAN for the type of traffic falls to the LAN switch. As such each switchport on a LAN NE that supports a VVoIP or VTC endpoint must place the traffic in the correct VLAN. This means that, in lieu of any other means to sort the traffic, each switchport must be statically assigned to the appropriate VLAN. NOTE: In some cases a LAN NE can use some other endpoint or traffic characteristic other than 802.1Q tagging to assign the traffic to the correct VLAN.

Checks: C-23998r1_chk

Inspect LAN access switchport configuration settings to confirm compliance with the following requirement: In the event a VVoIP or VTC endpoint does not, or is not configured to, apply 802.1Q VLAN tags to its VVoIP or VTC traffic, ensure the supporting LAN access switchport is statically assigned to the appropriate local VVoIP or VTC VLAN. This is not a finding in the event the LAN NE is configured to place the VVoIP or VTC traffic in the correct VLAN by some other method (e.g., MAC based). This is a finding in the event static VLAN assignment of the LAN access switchport is not configured to place the VVoIP VTC traffic in the correct VLAN in lieu of another method being configured. NOTE: While some LAN NEs have the capability of sorting traffic into VLANs based upon the protocol type, this method does not meet the intent of this requirement (i.e., the separation of VVoIP or VTC traffic to limit access to it and protect the system) since a PC could use similar protocols to those used by VVoIP or VTC endpoints for applications that are not associated with the VVoIP or VTC system which should therefore be kept separate. Using this method, the separation and resulting protection of the VVoIP or VTC system is diminished and a malicious user might be capable of using this to compromise the system.

Fix: F-20353r1_fix

In the event the VVoIP or VTC endpoint does not, or is not configured to, apply 802.1Q VLAN tags to its VVoIP traffic; and the switchport is not configured to place the VVoIP or VTC traffic in the correct VLAN by some other method (other than by protocol type) ensure the supporting LAN access switchport is statically assigned to the appropriate local VVoIP or VTC VLAN.

b

A LAN access switchport supports a VVoIP or VTC endpoint containing a PC port but is not configured with a default “data” VLAN to handle untagged PC port traffic and assign a secondary VVoIP or VTC VLAN to handle the tagged VVoIP or VTC traffic.

Medium - V-19650 - SV-21791r2_rule

RMF Control

Severity

M

CCI

Version

VVoIP 5555

Vuln IDs

V-19650

Rule IDs

SV-21791r2_rule

Many VVoIP and VTC endpoints provide a PC port on the device. Doing so permits a PC to share the same LAN drop as a VoIP phone or desktop VTC endpoint. The net effect is reduced installation and maintenance cost for the LAN infrastructure. Endpoints that provide a PC port have an embedded Ethernet switch which is required to support the separation of the PC data traffic from the VVoIP and VTC traffic. This is primarily accomplished by the embedded Ethernet switch in the endpoint supporting VLANs. In support of this, many VVoIP and VTC endpoints have the capability of adding a VLAN tag to their traffic using the 802.1Q format. Typically the PC port traffic is passed to the LAN unchanged whether the traffic is tagged or not, while adding the VVoIP VLAN tag for the locally defined VVoIP VLAN to its VVoIP traffic. NOTE: this is a limitation of the switchport access mode. It seems that configuring more than a default and tagged VLAN on a switchport requires the port to be set as a trunk, which is not permissible based on NET1416. This causes a limitation in the number of devices and applications that can be supported by a single switchport and LAN drop. For example, a single switchport will support a single VoIP phone (w/ an embedded switch and PC port) which tags its traffic and a connected PC that does not. Similarly, a single switchport will support a single VTC endpoint (w/ an embedded switch and PC port) which tags its traffic and a connected PC that does not. Similarly, a single switchport will support a single PC that supports a soft phone and tags its VoIP traffic while not tagging its data traffic (per the PCCC STIG). A single port will not support a VoIP phone and a VTC endpoint and a PC on a single drop unless the VTC endpoint also tags its VTC traffic with the VoIP VLAN. If a PC with a compliant soft phone is connected, it must also tag its traffic with the single VoIP VLAN tag. NOTE: Traffic to/from a VTC endpoint may use the same VLAN as the VVoIP phone system. Some exceptions may apply. NOTE: Do not use the default VLAN for the switch which is generally VLAN 1. This is used for LAN control traffic. No traffic or interface is permitted to be assigned to the switches’ default VLAN.

Checks: C-23999r1_chk

Inspect LAN access switchport configuration settings to confirm compliance with the following requirement: In the event a LAN access switchport supports a VVoIP or VTC endpoint containing a PC port assign the switchport to a default “data” VLAN to handle untagged PC port traffic and assign a secondary VVoIP or VTC VLAN to handle the tagged VVoIP or VTC traffic. NOTE: 802.1Q format is typically used for VLAN tagging in this application. While this is the standard method, this requirement is not intended to preclude other methods to affect the required behavior. This is a finding in the event a LAN access switchport that supports a VVoIP or VTC endpoint containing a PC port is not configured with two VLANs, one that is a default “data” VLAN to handle untagged PC port traffic and a secondary VVoIP or VTC VLAN to handle the tagged VVoIP or VTC traffic. NOTE: Do not use the default VLAN for the switch which is generally VLAN 1. This is used for LAN control traffic. No traffic or interface is permitted to be assigned to the switches’ default VLAN.

Fix: F-20354r1_fix

In the event a LAN access switchport supports a VVoIP or VTC endpoint containing a PC port configure the switchport to assign a “default” “data” VLAN to handle untagged PC port traffic and assign a secondary VVoIP or VTC VLAN to handle the tagged VVoIP or VTC traffic. NOTE: 802.1Q format is typically used for VLAN tagging in this application. While this is the standard method, this requirement is not intended to preclude other methods to affect the required behavior. NOTE: Do not use the default VLAN for the switch which is generally VLAN 1. This is used for LAN control traffic. No traffic or interface is permitted to be assigned to the switches’ default VLAN.

c

The data network boundary must block all traffic destined to or sourced from VVoIP VLAN IP address space and VLANs except specifically permitted media and signaling traffic.

High - V-19661 - SV-21802r5_rule

RMF Control

Severity

H

CCI

Version

VVoIP 6200

Vuln IDs

V-19661

Rule IDs

SV-21802r5_rule

The typical data firewall does not adequately protect the enclave when permitting VVoIP to traverse the boundary. Furthermore, a data firewall breaks VVoIP call completion when implementing NAT. NAT is no longer a security requirement. To properly protect the enclave when implementing VVoIP across the boundary, there are a specific set of processes and protections required, referred to as the VVoIP firewall function. These are separate from the data firewall processes and protections. The data firewall function plays a part in the protection of the VVoIP sub-enclave within the LAN, while the VVoIP firewall function protects the entire enclave while permitting the VVoIP system to function properly.

Checks: C-24027r4_chk

Review site documentation to confirm the data network boundary protects the VVoIP VLANS by blocking all but specifically permitted traffic destined to or sourced from the Voice VLAN IP address space and VLANs. The data firewall configuration must block all traffic destined to or sourced from VVoIP VLANs and address space, except as follows: - VVoIP signaling, media, and registration protocols to and from a remote endpoint via a properly authenticated VPN tunnel. When an SBC is not in use, traffic is blocked from the data VLANs and routed to the VVoIP VLANs. When an SBC is in use, session traffic must be routed through the SBC. - Management traffic to and from a remote NOC destined for the VVoIP management VLAN address space. In this case, the data firewall and IDS inspects this traffic before it is routed to the VVoIP management VLAN. Such routing must block all traffic from the data VLAN, data subnets, and the general data network management VLANs. - Protected LSC to LSC communications clustered across the WAN. - The enclave is connected to a limited access or closed WAN, and the WAN has a dedicated address space for VVoIP. In this case, the VVoIP traffic may pass through the data firewall when the permitted traffic is limited to/from the dedicated WAN address space and routed to the internal VVoIP VLANs. If the network perimeter does not protect the VVoIP VLANS by blocking all but specifically permitted traffic destined to or sourced from the Voice VLAN IP address space and VLANs, this is a finding.

Fix: F-20366r4_fix

Implement the network perimeter to protect the VVoIP VLANS by blocking all but specifically permitted traffic destined to or sourced from the Voice VLAN IP address space and VLANs.

b

The Customer Edge Router (CE-R) must expedite forwarding of VVoIP packets based on Differential Service Code Point (DSCP) packet marking.

Medium - V-19662 - SV-21803r4_rule

RMF Control

Severity

M

CCI

Version

VVoIP 6205

Vuln IDs

V-19662

Rule IDs

SV-21803r4_rule

The typical perimeter or premise router may not be capable of supporting the needs of VVoIP and UC when entering the DISN WAN. Modern routers are capable of dealing with service classes and expedited forwarding. This why the DISN IPVS PMO specifies the specific additional capabilities required of the perimeter or premise router to support the needs of the Assures Service network. The router designated by the DISN IPVS PMO needed to support the service is the CE-R. The CE-R provides the following functionality: - Provides minimally four forwarding cues (eight preferred) - Places traffic within expedited forwarding cues based on the DSCP markings carried by the traffic. - Routes inbound AS-SIP-TLS packets and SRTP/SRTCP packets to the Session Border Controller (SBC). - Routes SIP and SRTP traffic encapsulated on port 443 to the SBC. - Routes all other inbound traffic to the data firewall. - Provides all of the filtering required of a perimeter or premise router as required by the Router STIG. Proper DSCP marking of VVoIP packets is required to provide appropriate QoS for Command and Control (C2) priority calls in support of Assured Service.

Checks: C-24030r3_chk

Review site documentation to confirm the CE-R expedites forwarding of VVoIP packets based on DSCP packet marking. When the VVoIP system connects to the DISN WAN for VVoIP transport between enclaves and the system provides Assured Services to any C2 user (Special-C2, C2, or C2-R), the required CE-R must expedite forwarding of VVoIP packets based on DSCP packet marking in accordance with the DISN IPVS DSCP marking plan. Proper DSCP marking provides appropriate QoS for C2 priority calls in support of Assured Service. If the CE-R does not expedite forwarding of VVoIP packets based on DSCP packet marking, this is a finding. NOTE: The CE-R must allow traditional SIP and SRTP traffic, and traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

Fix: F-20367r3_fix

Implement the CE-R to expedite forwarding of VVoIP packets based on DSCP packet marking. NOTE: The CE-R must allow traditional SIP and SRTP traffic, and traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

b

The Customer Edge Router (CE-R) must route all inbound traffic to the data firewall function except SIP, AS-SIP, and SRTP/SRTCP, which must route to the Session Border Controller (SBC).

Medium - V-19663 - SV-21804r4_rule

RMF Control

Severity

M

CCI

Version

VVoIP 6210

Vuln IDs

V-19663

Rule IDs

SV-21804r4_rule

The CE-R is the first line of defense at the gateway to the enclave or LAN. The data firewall and SBC functions are the second line of defense. Since the SBC function only processes VVoIP traffic in the form of SIP, AS-SIP, and SRTP/SRTCP packets, the CE-R should only forward these packets to the SBC, including SIP and SRTP traffic encapsulated on port 443. All other traffic must be forwarded to the data firewall.

Checks: C-24032r3_chk

Review site documentation to confirm the CE-R routes all inbound traffic to the data firewall function except SIP, AS-SIP, and SRTP/SRTCP, which must route to the SBC. This supports the VVoIP system connecting to the DISN WAN for VVoIP transport between enclaves and the system providing Assured Services to any Command and Control (C2) user (Special-C2, C2, or C2-R). If the CE-R does not route all inbound traffic to the data firewall function except SIP, AS-SIP, and SRTP/SRTCP, this is a finding. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

Fix: F-20368r3_fix

Implement the CE-R to route all inbound traffic to the data firewall function except SIP, AS-SIP, and SRTP/SRTCP, which must route to the SBC. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

a

The Customer Edge Router (CE-R) must filter inbound AS-SIP-TLS traffic addressed to the local Session Border Controller (SBC) based on the source address of the signaling messages.

Low - V-19664 - SV-21805r4_rule

RMF Control

Severity

L

CCI

Version

VVoIP 6215

Vuln IDs

V-19664

Rule IDs

SV-21805r4_rule

The CE-R (premise or perimeter) router is the first line of defense at the gateway to the enclave or LAN. The data firewall and SBC functions are the second line of defense. The SBC processes VVoIP traffic in the form of AS-SIP-TLS and SRTP/SRTCP packets, and the CE-R must forward these packets to the SBC. A filter performed by the CE-R to prevent a denial-of-service is to filter the AS-SIP-TLS packets based on their source address. Within the DISN IPVS network, Local Session Controllers (LSC) only signal to their assigned Multi-Function Soft Switch (MFSS) and its backup. MFSSs are only to signal with their assigned LSCs, for which they are primary or backup, and other MFSSs. To support this, the SBC is required to authenticate the source of, and validate the integrity of, the signaling packets it receives and only process authenticated and valid packets, thereby only signaling with the appropriate devices. Still, the SBC could be flooded and overloaded with too many unauthenticated or invalid signaling packets. The CE-R can help prevent this by preventing signaling packets that are not sourced from authorized devices from ever reaching the SBC.

Checks: C-24034r3_chk

Review site documentation to confirm the CE-R filters inbound SIP and AS-SIP traffic addressed to the local SBC based on the source address of the signaling messages. This supports the VVoIP system connecting to the DISN WAN for VVoIP transport between enclaves and the system providing Assured Services to any Command and Control (C2) user (Special-C2, C2, or C2-R). Permit inbound signaling messages sourced as follows: - When the enclave contains one or more Local Session Controllers (LSCs), filter on the IP addresses of the SBCs fronting the primary and secondary MFSSs associated with the enclave. - When the enclave contains an MFSS filter based on IP addresses of SBCs fronting the LSCs associated with the SS. If the CE-R does not filter inbound SIP and AS-SIP traffic addressed to the local SBC based on the source address of the signaling messages, this is a finding. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

Fix: F-20370r3_fix

Implement the CE-R to filter inbound SIP and AS-SIP traffic addressed to the local SBC based on the source address of the signaling messages. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

b

The Session Border Controller (SBC) must filter inbound SIP and AS-SIP traffic based on the IP addresses of the internal Enterprise Session Controller (ESC), Local Session Controller (LSC), or Multi-Function Soft Switch (MFSS).

Medium - V-19665 - SV-21806r3_rule

RMF Control

Severity

M

CCI

Version

VVoIP 6300

Vuln IDs

V-19665

Rule IDs

SV-21806r3_rule

The SBC is in the VVoIP signaling between the LSC and MFSS. To limit exposure to compromise and DOS, the SBC must only exchange signaling messages using the designated protocol (AS-SIP-TLS) with the LSC(s) within the enclave and the SBC fronting the MFSS (and its backup) to which the LSC is assigned. Similarly, an SBC fronting an MFSS must only exchange signaling messages with the MFSS and LSC(s) within the enclave and the SBCs fronting other MFSSs and the LSCs assigned to it. While the SBC is also required to authenticate the source and integrity of the signaling packets it receives, filtering on source IP address adds a layer of protection for the MFSS. This is also a backup measure in the event this filtering is not done on the CE-R. Internal to the enclave, filtering signaling traffic based on the IP address(es) of the LSC(s) within the enclave limits the ability of rogue Voice Video Endpoints attempting to establish calls or cause a DOS.

Checks: C-24039r2_chk

Interview the ISSO to confirm compliance with the following requirement: Ensure the DISN NIPRNet IPVS SBC is configured to only communicate as follows: - Within the enclave, ensure the SBC only establishes SIP and AS-SIP sessions with the primary or backup LSC or the MFSS and its backup LSC within the enclave. - If the SBC is at a site without a MFSS: External to the enclave (across the WAN), ensure the SBC only establishes SIP and AS-SIP sessions with the SBC at the enclave’s assigned primary and secondary (backup) MFSS sites. - If the SBC is at a MFSS site: External to the enclave (across the WAN), ensure the SBC only establishes SIP and AS-SIP sessions with SBCs located at other MFSS sites and the LSC sites assigned to it. Determine the following: - If the enclave contains LSCs, determine the IP address of SBCs fronting the primary and backup MFSSs to which the enclave is assigned or with which the LSC is to exchange signaling messages. - If the enclave contains a MFSS, determine the IP addresses of the SBCs fronting the LSCs with which it is to signal. Additionally determine the IP addresses of the SBCs fronting the other MFSSs. If the SBC does not filter inbound SIP and AS-SIP traffic based on the IP addresses of the SBCs fronting authorized ESCs, LSCs, and MFSSs, this is a finding. Alternatively, if the SBC does not filter SIP and AS-SIP traffic based on the IP addresses of the ESCs and LSCs within the enclave, this is a finding. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

Fix: F-20371r2_fix

Ensure the DISN NIPRNet IPVS SBC is configured to only communicate as follows: - Within the enclave, ensure the SBC only establishes SIP and AS-SIP sessions with the primary or backup LSC or the MFSS and its backup LSC within the enclave. - If the SBC is at a site without a MFSS: External to the enclave (across the WAN), ensure the SBC only establishes SIP and AS-SIP sessions with the SBC at the enclave’s assigned primary and secondary (backup) MFSS sites. - If the SBC is at a MFSS site: External to the enclave (across the WAN), ensure the SBC only establishes SIP and AS-SIP sessions with SBCs located at other MFSS sites and the LSC sites assigned to it. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

b

The Session Border Controller (SBC) must be configured to terminate and decrypt inbound and outbound SIP and AS-SIP sessions to ensure proper management for the transition of the SRTP/SRTCP streams.

Medium - V-19666 - SV-21807r3_rule

RMF Control

Severity

M

CCI

Version

VVoIP 6305

Vuln IDs

V-19666

Rule IDs

SV-21807r3_rule

The function of the SBC is to manage SIP and AS-SIP signaling messages. In order to perform its proper function in the enclave boundary, the SBC must decrypt and decode or understand the contents of SIP and AS-SIP messages. Additionally, the SBC can perform message validity checks and determine of an attack is being attempted. The SBC acts as an application level proxy and firewall for the SIP and AS-SIP signaling messages.

Checks: C-24041r2_chk

Interview the ISSO to confirm compliance with the following requirement: Ensure the DISN NIPRNet IPVS SBC is configured to terminate inbound and outbound SIP and AS-SIP sessions (messages) and decrypt the packets to determine the information needed to properly manage the transition of SRTP/SRTCP streams across the boundary. Additionally ensure the SBC establishes a new SIP or AS-SIP session for the “next hop” to the internal LSC or the far end SBC that fronts the destination MFSS. Inspect the configuration of the EBC to determine compliance with the requirement. If SIP or AS-SIP messages are just passed through the SBC without termination and decryption, this is a finding. If the SBC is not configured to, or is not capable of, terminating and decrypting the SIP or AS-SIP messages, this is a finding. If the SBC is not configured to, or is not capable of, understanding the contents of the decrypted SIP or AS-SIP messages, this is a finding. If the SBC is not configured to establish a new SIP or AS-SIP session with the far end SBC that fronts the destination LSC or MFSS, this is a finding. If the SBC is not configured to establish a new SIP or AS-SIP session with the LSC inside the enclave, this is a finding. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

Fix: F-20372r2_fix

Ensure the DISN NIPRNet IPVS SBC is configured to terminate inbound and outbound SIP and AS-SIP sessions (messages). The SBC must be configured to decrypt the packets to determine the information needed to properly manage the transition of SRTP/SRTCP streams across the boundary. Additionally ensure the SBC establishes a new SIP or AS-SIP session for the “next hop” to the internal LSC or the far end SBC that fronts the destination LSC or MFSS. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

b

The Session Border Controller (SBC) must be configured to only process packets authenticated from an authorized source within the DISN IPVS network.

Medium - V-19667 - SV-21808r3_rule

RMF Control

Severity

M

CCI

Version

VVoIP 6310

Vuln IDs

V-19667

Rule IDs

SV-21808r3_rule

The function of the SBC is to manage SIP and AS-SIP signaling messages. The SBC also authenticates SIP and AS-SIP signaling messages, ensuring they are from an authorized source. DoD policy dictates that authentication be performed using DoD PKI certificates. This also applies to network hosts and elements. SIP and AS-SIP are not a secure protocols. The information passed during a call session is in human readable plain text. To secure SIP and AS-SIP, TLS is used. TLS is PKI certificate based and is used for AS-SIP message encryption, authentication, and integrity validation. NOTE: Authentication is provided by validating the sending appliance’s public PKI certificate used to establish the TLS session. AS-SIP messages are not sent until the authenticated TLS session is established.

Checks: C-24043r2_chk

Interview the ISSO to confirm compliance with the following requirement: Ensure the DISN NIPRNet IPVS SBC is configured to only process packets authenticated from an authorized source as follows: - Authenticate outbound SIP and AS-SIP messages as being from the primary or backup LSC (or the site’s MFSS and its backup LSC) within the enclave. - Authenticate inbound SIP and AS-SIP messages as being from the SBC at the enclave’s assigned primary and secondary (backup) MFSS sites. Inspect the configurations of the EBC to determine compliance with the requirement. If the SBC does not use DoD PKI to authenticate the source of SIP and AS-SIP packets, this is a finding. the SBC is not configured to validate sending appliance’s public PKI certificate against the DoD PKI registry and CRLs, this is a finding. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

Fix: F-20373r2_fix

Ensure the DISN NIPRNet IPVS SBC is configured to only process packets authenticated from an authorized source as follows: - Authenticate outbound SIP and AS-SIP messages as being from the primary or backup LSC (or the site’s MFSS and is backup LSC) within the enclave. - Authenticate inbound SIP and AS-SIP messages as being from the SBC at the enclave’s assigned primary and secondary (backup) MFSS sites. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

b

The Session Border Controller (SBC) must be configured to only process signaling packets whose integrity is validated.

Medium - V-19668 - SV-21809r3_rule

RMF Control

Severity

M

CCI

Version

VVoIP 6315

Vuln IDs

V-19668

Rule IDs

SV-21809r3_rule

The validation of signaling packet integrity is required to ensure the packet has not been altered in transit. Packets can be altered during uncontrollable network events, such as bit errors and packet truncation that would cause the packet to contain erroneous information. Packets containing detectable errors must not be processed. Packets can also be modified by a man-in-the-middle attack. The current Unified Capabilities Requirements (UCR) document specifies the hashing algorithm to be used during transmission.

Checks: C-24045r2_chk

Interview the ISSO to confirm compliance with the following requirement: Ensure the DISN NIPRNet IPVS SBC is configured to only process signaling packets whose integrity is validated. Inspect the configurations of the EBC to determine compliance with the requirement. If the SBC does not validate the integrity of the received signaling packets, this is a finding. If the SBC is not configured to drop packets whose integrity is not validated, this is a finding. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

Fix: F-20374r2_fix

Ensure the DISN NIPRNet IPVS SBC is configured to only process signaling packets whose integrity is validated. The current Unified Capabilities Requirements (UCR) document specifies the hashing algorithm to be used during transmission. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

a

The Session Border Controller (SBC) must be configured to validate the structure and validity of SIP and AS-SIP messages, such that malformed messages or messages containing errors are dropped before action is taken on the contents.

Low - V-19669 - SV-21810r3_rule

RMF Control

Severity

L

CCI

Version

VVoIP 6320

Vuln IDs

V-19669

Rule IDs

SV-21810r3_rule

Malformed SIP and AS_SIP messages as well as messages containing errors could be an indication that an adversary is attempting some form of attack or denial-of-service. Such an attack is called fuzzing. Fuzzing is the deliberate sending of signaling messages that contain errors in an attempt to cause the target device to react in an inappropriate manner, such as the device could fail causing a denial-of-service or could permit traffic to pass that it would not normally permit. In some cases a target can be flooded with fuzzed messages. As such the SBC must not act on any portion of a signaling message that contains errors. It is possible that a malformed or erroneous message could be sent by the signaling partner and be properly hashed for integrity.

Checks: C-24047r2_chk

Interview the ISSO to confirm compliance with the following requirement: Verify the DISN NIPRNet IPVS SBC is configured to validate the structure and validity of SIP and AS-SIP messages such that malformed messages or messages containing errors are dropped before action is taken on the contents. If the SBC does not validate the correct format of the received AS-SIP message, this is a finding. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

Fix: F-20375r2_fix

Ensure the DISN NIPRNet IPVS SBC is configured to validate the structure and validity of SIP and AS-SIP messages such that malformed messages or messages containing errors are dropped before action is taken on its contents. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

b

The Session Border Controller (SBC) must drop all SIP and AS-SIP packets except those secured with TLS.

Medium - V-19670 - SV-21811r3_rule

RMF Control

Severity

M

CCI

Version

VVoIP 6325

Vuln IDs

V-19670

Rule IDs

SV-21811r3_rule

DISN NIPRNet IPVS PMO and the UCR require all session signaling across the DISN WAN and between the LSC and EBC to be secured with TLS. The standard IANA assigned IP port for SIP protected by TLS (SIP-TLS) is 5061. DoD PPSM requires that protocols traversing the DISN and DoD enclave boundaries use the standard IP ports for the specific protocol. Since AS-SIP is a standardized extension of the SIP protocol and since AS-SIP must be protected by TLS, AS-SIP-TLS must use IP port 5061. The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated using TLS on port 443 from Cloud Service Providers.

Checks: C-24049r2_chk

Interview the ISSO to confirm compliance with the following requirement: Ensure the DISN NIPRNet IPVS SBC is configured to drop the following signaling packets: - SIP packets arriving on IP port 5060 or 5061 - SIP packets arriving on IP port 443 not secured with TLS - AS-SIP packets arriving on IP port 5060 - AS-SIP packets arriving on IP port 5061 not secured with TLS If all SIP and AS-SIP packets are not dropped except AS-SIP packets secured with TLS arriving on IP Port 5061 and SIP packets secured with TLS arriving on IP Port 443 secured with TLS, this is a finding. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

Fix: F-20376r2_fix

Ensure the DISN NIPRNet IPVS SBC is configured to drop the following signaling packets: - SIP packets arriving on IP port 5060 or 5061 - SIP packets arriving on IP port 443 not secured with TLS - AS-SIP packets arriving on IP port 5060 - AS-SIP packets arriving on IP port 5061 not secured with TLS NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

b

The Session Border Controller (SBC) must be configured to manage IP port pinholes for the SRTP/SRTCP bearer streams based on the information in the SIP and AS-SIP messages.

Medium - V-19671 - SV-21812r3_rule

RMF Control

Severity

M

CCI

Version

VVoIP 6330

Vuln IDs

V-19671

Rule IDs

SV-21812r3_rule

The function of the SBC is to manage SIP and AS-SIP signaling messages. The SBC also manages the SRTP/SRTCP bearer streams. The DISN IPVS PMO has determined that the SBC will pass the negotiated and encrypted SRTP/SRTCP bearer streams without decryption and inspection. This is because doing so will not provide a significant security benefit but would cause a significant delay with a resulting decrease in the quality of the communications. Encoded audio and video is difficult to impossible to determine if an attack is being perpetrated or if sensitive information is being improperly disclosed without reconstituting the analog audio and video signals and having a person listen and watch each communication. Due to the volume of communications, to do so would be nearly impossible.

Checks: C-24051r2_chk

Interview the ISSO to confirm compliance with the following requirement: Ensure the DISN NIPRNet IPVS SBC is configured to manage IP port pinholes for the SRTP/SRTCP bearer streams based on the information in the SIP and AS-SIP messages as follows: - Opens specific IP port pinholes on a per session basis for the SRTP/SRTCP bearer streams as negotiated by the communicating endpoints through the LSC and MFSS. - Closes the specifically opened IP port pinholes when the session is to be torn down. Inspect the configurations of the EBC to determine compliance with the requirement. If the SBC is not configured to open the specifically negotiated IP ports for the SRTP/SRTCP bearer streams on an individual session basis, this is a finding. If the SBC is not configured to close specifically negotiated IP ports for the SRTP/SRTCP bearer streams on an individual session basis, this is a finding. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

Fix: F-20377r2_fix

Ensure the DISN NIPRNet IPVS SBC is configured to manage IP port pinholes for the SRTP/SRTCP bearer streams based on the information in the SIP and AS-SIP messages as follows: - Opens specific IP port pinholes on a per session basis for the SRTP/SRTCP bearer streams as negotiated by the communicating endpoints through the LSC and MFSS. - Closes the specifically opened IP port pinholes when the session is to be torn down. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

c

The Session Border Controller (SBC) must perform stateful inspection and packet authentication for all VVoIP traffic (inbound and outbound), and deny all other packets.

High - V-19673 - SV-21814r4_rule

RMF Control

Severity

H

CCI

Version

VVoIP 6340

Vuln IDs

V-19673

Rule IDs

SV-21814r4_rule

Once a pinhole is opened in the enclave boundary for a known session, the packets that are permitted to pass must be managed. If they are not properly managed, packets that are not part of a known session could traverse the pinhole thereby giving unauthorized access to the enclave’s LAN or connected hosts. One method for managing these packets is called stateful packet inspection. This inspection minimally validates that the permitted packets are part of a known session. This is a relatively weak but somewhat effective firewall function. A better method is to authenticate the source of the packet as coming from a known and authorized source.

Checks: C-69773r2_chk

Verify the DISN NIPRnet boundary SBC is configured to deny all packets attempting to traverse the enclave boundary (inbound or outbound) through the IP port pinholes opened for VVoIP sessions that are not validated as being part of an established session. This requires a stateful inspection of the packets passed through the IP port pinholes or the authentication of the source of those packets. If packets that are not part of an established session can pass through the SBC, this is a finding. If stateful packet inspection or SRTP/SRTCP packet authentication is not configured, this is a finding. If stateful packet inspection is not configured but the source of the SRTP/SRTCP packets is authenticated from an authorized source, such as an internal endpoint or a remote DISN SBC, this is not a finding. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

Fix: F-20379r3_fix

Configure the DISN NIPRnet SBC to deny all packets attempting to traverse the enclave boundary (inbound or outbound) through the IP port pinholes opened for known sessions, except those validated as being part of an established session. This requires a stateful inspection of the packets passed through the IP port pinholes or the authentication of the source of those packets. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

c

The Session Border Controller (SBC) must deny all packets traversing the enclave boundary (inbound or outbound) through the IP port pinholes opened for VVoIP sessions, except RTP/RTCP, SRTP/SRTCP, or other protocol/flow established by signaling messages.

High - V-19674 - SV-21815r4_rule

RMF Control

Severity

H

CCI

Version

VVoIP 6345

Vuln IDs

V-19674

Rule IDs

SV-21815r4_rule

Once a pinhole is opened in the enclave boundary for a known session, the packets that are permitted to pass must be managed. If they are not properly managed, packets that are not part of a known session may traverse a pinhole, giving unauthorized access to the enclave’s LAN or connected hosts. Another method for managing packets through a pinhole opened for a VVoIP session is to only permit packets to pass matching the expected protocol type, such as RTP/RTCP or SRTP/SRTCP. If only RTP/RTCP or SRTP/SRTCP packets are permitted to pass, this reduces the exposure presented to the enclave by the open pinhole. Additional flows or protocols may be permitted if specifically required for an approved function and establishment is signaled or controlled by the signaling protocol in use by the system. An example of this is the transmission of H.281 far end camera control messages for a video conferencing session. Using AS-SIP for signaling, a UDP-based 6.4kbps H.224 over RTP control channel over which the H.281 far end camera control messages are transmitted might be established along with the media streams. This additional flow would require additional pinholes.

Checks: C-24057r3_chk

Verify the DISN NIPRnet boundary SBC is configured to deny all packets attempting to traverse the enclave boundary (inbound or outbound) through the IP port pinholes opened for VVoIP sessions that are not an approved protocol. The allowed protocols are RTP/RTCP, SRTP/SRTCP, and other approved protocols/flows established by signaling messages. This requires filtering on protocol type. If the DISN NIPRnet boundary SBC does not deny all packets traversing the enclave boundary (inbound or outbound) through the IP port pinholes opened for VVoIP sessions, except approved protocols, this is a finding. If packets that are not RTP/RTCP or SRTP/SRTCP (or other approved packet type as established in the signaling messages) protocol packets can pass through the boundary SBC, this is a finding. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

Fix: F-20380r3_fix

Configure the DISN NIPRnet boundary SBC to drop any packet attempting to traverse the enclave boundary (inbound or outbound) through the IP port pinholes opened for VVoIP sessions that is not a RTP/RTCP or SRTP/SRTCP packet or other approved protocol / flow established by the signaling messages. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

b

The Session Border Controller (SBC) must be configured to notify system administrators and ISSO when attempts to cause a denial-of-service (DoS) or other suspicious events are detected.

Medium - V-19675 - SV-21816r3_rule

RMF Control

Severity

M

CCI

Version

VVoIP 6350

Vuln IDs

V-19675

Rule IDs

SV-21816r3_rule

Action cannot be taken to thwart an attempted denial-of-service or compromise if the system administrators responsible for the operation of the SBC and/or the network defense operators are not alerted to the occurrence in real time.

Checks: C-24059r2_chk

Interview the ISSO to confirm compliance with the following requirement: Ensure the DISN NIPRNet IPVS SBC is configured to notify system administrators and ISSO when the following conditions occur: - Any number of malformed SIP, AS-SIP, or SRTP/SRTCP messages are received that could indicate an attempt to compromise the SBC. - Excessive numbers of SIP or AS-SIP messages are received from any given IP address that could indicate an attempt to cause a DoS. - Excessive numbers of messages are dropped due to authentication or integrity check failures; potentially indicating an attempt to cause a DoS or an attempt to effect a man in the middle attack. If the SBC does not notify system administrators and ISSO when attempts to cause a DoS or other suspicious events are detected, this is a finding. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

Fix: F-20381r2_fix

Ensure the DISN NIPRNet IPVS SBC is configured to notify system administrators and ISSO when the following conditions occur: - Any number of malformed SIP, AS-SIP, or SRTP/SRTCP messages are received that could indicate an attempt to compromise the SBC. - Excessive numbers of SIP or AS-SIP messages are received from any given IP address that could indicate an attempt to cause a DoS. - Excessive numbers of messages are dropped due to authentication or integrity check failures; potentially indicating an attempt to cause a DoS or an attempt to effect a man in the middle attack. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

b

The VVoIP system connects with a DISN IPVS (NPRNET or SIPRNet) but the LSC(s) is not configured to signal with a backup MFSS (or SS) in the event the primary cannot be reached.

Medium - V-19676 - SV-21817r2_rule

RMF Control

Severity

M

CCI

Version

VVoIP 6400

Vuln IDs

V-19676

Rule IDs

SV-21817r2_rule

Redundancy of equipment and associations is used in and IP network to increase the availability of a system. Multiple MFSSs in the DISN NIPRNet IPVS network and multiple SSs in the DISN SIPRNet IPVS network have been implemented in each theatre to provide network wide redundancy of their functions. They are intended to work in pairs such that one can provide its backbone services to multiple LSCs that are configured to use one as a primary and the other as a backup. This is necessary to the maintenance of backbone functionality in the event there is a circuit (network path) failure, a MFSS or SS failure, or one of the sites housing a MFSS or SS is lost or the MFSS or SS becomes unavailable. Based on this, when establishing a call on the WAN, each LSC must be configured to signal with a backup MFSS or SS in the event it cannot reach its primary.

Checks: C-24060r1_chk

Interview the IAO to confirm compliance with the following requirement: In the event the VVoIP system connects to the DISN WAN for VVoIP transport between enclaves AND the system is intended to provide assured service communications to any level of C2 user (Special C2, C2, C2(R)), ensure each enclave containing one or more LSCs is assigned to, associated with, or serviced by two DISN IPVS core backbone systems as follows: > For DISN NIPRNet IPVS, each enclave will be serviced minimally by one primary and one secondary (backup) MFSS. > For DISN SIPRNet IPVS, each enclave will be serviced minimally by one primary and one secondary Soft Switch (SS) at the SIPRNET tier 0 routers. Determine to which backbone MFSSs or SSs the enclaves LSC(s) is assigned as primary and backup.

Fix: F-20382r1_fix

In the event the VVoIP system connects to the DISN WAN for VVoIP transport between enclaves AND the system is intended to provide assured service communications to any level of C2 user (Special C2, C2, C2(R)), ensure each enclave containing one or more LSCs is assigned to, associated with, or serviced by two DISN IPVS core backbone systems as follows: > For DISN NIPRNet IPVS, each enclave will be serviced minimally by one primary and one secondary (backup) MFSS. > For DISN SIPRNet IPVS, each enclave will be serviced minimally by one primary and one secondary Soft Switch (SS) at the SIPRNET tier 0 routers.

b

The MFSS is NOT configured to synchronize minimally with a paired MFSS and/or others such that each may serve as a backup for the other when signaling with its assigned LSCs, thus reducing the reliability and survivability of the DISN IPVS network.

Medium - V-19677 - SV-21818r2_rule

RMF Control

Severity

M

CCI

Version

VVoIP 6405

Vuln IDs

V-19677

Rule IDs

SV-21818r2_rule

MFSSs are critical to the operation of the DISN NIPRNet IPVS network. They broker the establishment of calls between enclaves. A MFSS provides the following functions: > Receives AS-SIP-TLS messages from other MFSSs and a specific set of regionally associated LSCs to act as a call routing manager across the backbone. > Sends AS-SIP-TLS messages to interrogate the ability of another MFSS or a LSC to receive a call, whether routine or priority. > Sends AS-SIP-TLS messages to manage the establishment of priority calls and the pre-emption of lower priority calls to LSCs and other MFSSs > Once a “trunk side” session request is received the MFSS determines if the destination is one of its assigned LSC’s. If so, it interrogates that LSC to determine if it can receive the call. If so, it signals to establish the call. If the destination is not one of its LSCs it signals with other MFSSs to locate the destination LSC and then the remote MFSS negotiates with its LSC. > Acts as a backup MFSS for LSCs assigned to other MFSSs as primary. As such, a LSC must be able to signal with a MFSS in order to establish any call across the DISN WAN. LSCs do not interact directly with LSCs. This hierarchical arrangement is required in order to be able to manage and establish priority calls and manage access circuit budgets. We established previously that each LSC must have a backup MFSS. In support of this function MFSSs must be operated in pairs with all the information about its assigned LSCs replicated across the pair.

Checks: C-24062r1_chk

Interview the IAO to confirm compliance with the following requirement: Ensure the MFSS is configured to synchronize minimally with a paired MFSS and/or others such that each may serve as a backup for the other when signaling with its assigned LSCs and regarding the overall operation of the DISN IPVS network and the negotiation of call establishment between enclaves. NOTE: We have already established that the local LSC portion of the MFSS requires a local backup LSC such that the ability to establish calls within the enclave and to local commercial network and emergency services is maintained. This requirement does not address redundancy or COOP within the enclave. Determine which other MFSS(s) is acting as backup for the MFSS under review. Additionally determine which LSCs are assigned this MFSS as primary and which LSCs are assigned this MFSS as backup.

Fix: F-20383r1_fix

Ensure each MFSS is configured to synchronize with a paired MFSS such that each may serve as a backup for the other when signaling with its assigned LSCs and regarding the overall operation of the DISN IPVS network and the negotiation of call establishment between enclaves.

b

Network elements configuration supporting VoIP services must provide redundancy supporting command and control (C2) assured services and Fire and Emergency Services (FES) communications.

Medium - V-21517 - SV-23729r3_rule

RMF Control

Severity

M

CCI

Version

VVoIP 5111

Vuln IDs

V-21517

Rule IDs

SV-23729r3_rule

Policy sets the minimum requirements for the availability and reliability of VVoIP systems and the supporting LAN with emphasis on C2 communications. The high availability and reliability required for Special-C2 and C2 users is achieved in part by redundancy within the LAN network elements. Policy sets the minimum requirements for the availability and reliability of VVoIP systems Special-C2 users at 99.999 percent, C2 users at 99.997 percent, and C2 Routine only users (C2R) and non-C2 users at 99.9 percent. Voice services in support of high-priority military command and control precedence must meet minimum requirements for reliability and survivability of the supporting infrastructure. Design requirements for networks supporting DoD VVoIP implementations are in the Unified Capabilities Requirements (UCR), specifying assured services supporting DoD IP-based voice services. Network survivability refers to the capability of the network to maintain service continuity in the presence of faults within the network. This can be accomplished by recovering from network failures quickly and maintaining the required QoS for existing services.Reduced to CAT III when the network elements do not directly support Special-C2 and C2 users.

Checks: C-25770r2_chk

If the network elements do not support a minimum of 96 instruments, this is not applicable. Review the network elements configuration supporting VoIP services to provide redundancy supporting C2 assured services and FES communications. Visually confirm the routing and switching network devices are redundant as follows: - Dual Power Supplies - Each platform must have a minimum of two power supplies and the loss of a single power supply shall not cause any loss of functions within the chassis. - Dual Processors (Control Supervisors) - Each chassis shall support dual control processors and failure of any one processor shall not cause any loss of functions within the chassis. - Termination Sparing - Each chassis shall support a (N + 1) sparing capability minimally for available Ethernet modules used to terminate to an IP subscriber. - Protocol Redundancy - Each routing device shall support protocols allowing for dynamic rerouting. - Backplane Redundancy – each switching platform shall support a redundant (1 + 1) switching fabric or backplane and the second fabric’s backplane shall be in active standby so that failure of the first shall not cause loss of ongoing events within the switch. Alternately, a secondary product may be added to provide redundancy to the primary product when redundant protocols are implemented such that the failover over to the secondary product must not result in any lost calls. Additionally, test the redundancy failover capability. While it is possible to unplug power cords and take other measures to test the failover capabilities, this is not recommended and must not be done in a production network unless scheduled for off duty hours. If required failover capability is tested and fails, this is a finding. If the network elements configuration supporting VoIP services does not provide the redundancy conditions above to support C2 assured services and FES communications, this is a finding.

Fix: F-22309r2_fix

Configure the network elements supporting VoIP services to provide redundancy supporting C2 assured services and FES communications. Ensure the routing and switching network devices have redundant capability and configured to implement as follows: - Dual Power Supplies - each platform must have a minimum of two power supplies and the loss of a single power supply shall not cause any loss of functions within the chassis. - Dual Processors (Control Supervisors) - each chassis shall support dual control processors and failure of any one processor shall not cause any loss of functions within the chassis. - Termination Sparing - each chassis shall support a (N + 1) sparing capability minimally for available Ethernet modules used to terminate to an IP subscriber. - Protocol Redundancy - each routing device shall support protocols allowing for dynamic rerouting. - Backplane Redundancy - Each switching platform shall support a redundant (1 + 1) switching fabric or backplane and the second fabric’s backplane shall be in active standby so that failure of the first shall not cause loss of ongoing events within the switch. Alternately, a secondary product may be added to provide redundancy to the primary product when redundant protocols are implemented such that the failover over to the secondary product must not result in any lost calls.

b

Network elements configuration supporting VoIP services must interconnect redundant uplinks following physically diverse paths to physically diverse network elements in the layer above with support for the full bandwidth handled by the network element using routing protocols facilitating failover.

Medium - V-21518 - SV-23730r3_rule

RMF Control

Severity

M

CCI

Version

VVoIP 5116

Vuln IDs

V-21518

Rule IDs

SV-23730r3_rule

Policy sets the minimum requirements for the availability and reliability of VoIP systems and the supporting LAN with emphasis on C2 communications. The high availability and reliability required for Special-C2 and C2 users is achieved in part by interconnecting LAN network elements with redundant uplinks via geographically diverse paths. The core layer connects to the distribution layer below it, which then connects to the access layer below it. Voice services in support of high-priority military command and control precedence must meet minimum requirements for reliability and survivability of the supporting infrastructure. Design requirements for networks supporting DoD VVoIP implementations are in the Unified Capabilities Requirements (UCR), specifying assured services supporting DoD IP-based voice services. Network survivability refers to the capability of the network to maintain service continuity in the presence of faults within the network. This can be accomplished by recovering quickly from network failures quickly and maintaining the required QoS for existing services. Reduced to CAT III when the network elements do not directly support Special-C2 and C2 users.

Checks: C-25773r2_chk

If the network elements do not support a minimum of 96 instruments, this is not applicable. If the network elements are deployed in a LAN that covers an extremely small geographical area in a single physical location, this is not applicable. To meet the applicability for a geographical area, most users must be within 100 meters cabling distance of the core equipment, and the access layer switches must not be separated from the single central core location. Confirm the network elements configuration supporting VoIP services to interconnect redundant uplinks following physically diverse paths to physically diverse network elements in the layer above with support for the full bandwidth handled by the network element using routing protocols facilitating failover. If the network elements supporting VoIP services do not connect redundant uplinks following physically diverse paths to physically diverse network elements in the layer above, this is a finding. If the network elements configuration does not support the full bandwidth handled by the network element using routing protocols facilitating failover, this is a finding.

Fix: F-22310r2_fix

Configure the network elements supporting VoIP services to interconnect redundant uplinks following physically diverse paths to physically diverse network elements in the layer above. Configure the network elements to support the full bandwidth handled by the network element using routing protocols facilitating failover.

b

The extension mobility feature must only be enabled per user when specific security features are configured.

Medium - V-21520 - SV-23732r3_rule

RMF Control

Severity

M

CCI

Version

VVoIP 1670

Vuln IDs

V-21520

Rule IDs

SV-23732r3_rule

Extension mobility is a feature of a VVoIP system that permits a person to transfer their phone number extension and phone features (or configuration) to a phone that is not in their normal workspace. This is useful when a person is visiting a remote office away from their normal office and typically functions within an established enterprise wide VVoIP system where the system is designed as a contiguous system. In this case, the system is typically a single vendor solution. The system might be within one LAN/CAN may include multiple LAN/CANs at multiple interconnected sites. To activate this feature, the user approaches a phone that is not their regular phone and identifies themselves to the phone system via a username, password, pin, code, or some combination of these. Upon validation, the system configuration manager will configure the temporary phone to match the configuration of the user’s regular phone. Minimally, the phone number is transferred and possibly some or all of the user’s speed dial numbers and other personal preferences. This capability is dependant upon the capabilities of the temporary phone. Once activated the user’s inbound calls are directed to the temporary location. The user’s regular phone may or may not maintain its normal capabilities and also may also answer inbound calls. Extension mobility is similar to but not the same as forwarding ones calls. Forwarding is typically activated from the user’s normal phone or their user preferences configuration settings. Forwarding is therefore pre-set to a known location. Extension mobility is typically activated from the remote location and is activated upon arrival at that location. Extension mobility should be available only to those individuals that need to use the feature.

Checks: C-25776r2_chk

If the extension mobility feature of the VVoIP system cannot be configured per user or is globally disabled, this is not applicable. Interview the ISSO to validate compliance with the following requirement: Verify the configuration for the extension mobility feature is only available when enabled per user. Confirm the following specific security features are configured: - The feature is enabled/disabled on a per user basis. - Feature activation requires user authentication minimally using a user unique PIN (preferably including a unique user ID) - Feature is not activated using a common activation code, or feature button on the phone. - The user (or system administrator) can manually disable the feature at their discretion. - The user may have the capability to set duration when activating the feature. (Optional) - The feature automatically deactivates based on a period of inactivity or the time of day. If the extension mobility feature is enabled and does not meet the above specific security features, this is a finding.

Fix: F-22311r2_fix

Configure the extension mobility feature only when enabled per user. Confirm the following specific security features are configured: - The feature is enabled/disabled on a per user basis. - Feature activation requires user authentication minimally using a user unique PIN (preferably including a unique user ID) - Feature is not activated using a common activation code, or feature button on the phone. - The user (or system administrator) can manually disable the feature at their discretion. - The user may have the capability to set duration when activating the feature. (Optional) - The feature automatically deactivates based on a period of inactivity or the time of day.

b

The extension mobility feature must be globally disabled.

Medium - V-80973 - SV-95685r2_rule

RMF Control

Severity

M

CCI

Version

VVoIP 1675

Vuln IDs

V-80973

Rule IDs

SV-95685r2_rule

Extension mobility is a feature of a VVoIP system that permits a person to transfer their phone number extension and phone features (or configuration) to a phone that is not in their normal workspace. This is useful when a person is visiting a remote office away from their normal office and typically functions within an established enterprise wide VVoIP system where the system is designed as a contiguous system. In this case, the system is typically a single vendor solution. The system might be within one LAN/CAN may include multiple LAN/CANs at multiple interconnected sites. To activate this feature, the user approaches a phone that is not their regular phone and identifies themselves to the phone system via a username, password, pin, code, or some combination of these. Upon validation, the system configuration manager will configure the temporary phone to match the configuration of the user’s regular phone. Minimally, the phone number is transferred and possibly some or all of the user’s speed dial numbers and other personal preferences. This capability is dependant upon the capabilities of the temporary phone. Once activated the user’s inbound calls are directed to the temporary location. The user’s regular phone may or may not maintain its normal capabilities and also may also answer inbound calls. Extension mobility is similar to but not the same as forwarding ones calls. Forwarding is typically activated from the user’s normal phone or their user preferences configuration settings. Forwarding is therefore pre-set to a known location. Extension mobility is typically activated from the remote location and is activated upon arrival at that location. Extension mobility should be available only to those individuals that need to use the feature.

Checks: C-25775r2_chk

If the extension mobility feature of the VVoIP system can be configured per user and is enabled, this is not applicable. Interview the ISSO to validate compliance with the following requirement: Verify the configuration for the extension mobility feature is globally disabled. If the extension mobility feature is not globally disabled, this is a finding.

Fix: F-87831r1_fix

Configure the extension mobility feature to be globally disabled on the VVoIP system.

Content changes 28

Checks: C-23713r2_chk

Fix: F-20189r2_fix

Generate Mitigation Statement:

Checks: C-23918r1_chk

Fix: F-20329r1_fix

Generate Mitigation Statement:

Checks: C-23948r1_chk

Fix: F-20332r1_fix

Generate Mitigation Statement:

Checks: C-23951r1_chk

Fix: F-20333r1_fix

Generate Mitigation Statement:

Checks: C-23954r2_chk

Fix: F-20334r2_fix

Generate Mitigation Statement:

Checks: C-23955r1_chk

Fix: F-20335r1_fix

Generate Mitigation Statement:

Checks: C-23958r2_chk

Fix: F-20336r2_fix

Generate Mitigation Statement:

Checks: C-23960r1_chk

Fix: F-20338r1_fix

Generate Mitigation Statement:

Checks: C-23961r2_chk

Fix: F-20339r2_fix

Generate Mitigation Statement:

Checks: C-23964r2_chk

Fix: F-20340r2_fix

Generate Mitigation Statement:

Checks: C-23967r2_chk

Fix: F-20341r2_fix

Generate Mitigation Statement:

Checks: C-23970r2_chk

Fix: F-20342r2_fix

Generate Mitigation Statement:

Checks: C-23973r2_chk

Fix: F-20343r2_fix

Generate Mitigation Statement:

Checks: C-23976r2_chk

Fix: F-20344r2_fix

Generate Mitigation Statement:

Checks: C-23982r2_chk

Fix: F-20346r2_fix

Generate Mitigation Statement:

Checks: C-23987r2_chk

Fix: F-20347r2_fix

Generate Mitigation Statement:

Checks: C-23988r2_chk

Fix: F-20348r2_fix

Generate Mitigation Statement:

Checks: C-23991r1_chk

Fix: F-20349r1_fix

Generate Mitigation Statement:

Checks: C-23993r1_chk

Fix: F-20350r1_fix

Generate Mitigation Statement:

Checks: C-23995r1_chk

Fix: F-20351r1_fix

Generate Mitigation Statement:

Checks: C-23997r1_chk

Fix: F-20352r1_fix

Generate Mitigation Statement:

Checks: C-23998r1_chk

Fix: F-20353r1_fix

Generate Mitigation Statement:

Checks: C-23999r1_chk

Fix: F-20354r1_fix

Generate Mitigation Statement:

Checks: C-24027r4_chk

Fix: F-20366r4_fix

Generate Mitigation Statement:

Checks: C-24030r3_chk

Fix: F-20367r3_fix

Generate Mitigation Statement:

Checks: C-24032r3_chk

Fix: F-20368r3_fix

Generate Mitigation Statement:

Checks: C-24034r3_chk