Voice/Video over Internet Protocol STIG

Unified messaging / mail systems provide the capability to receive voicemails via email and in some cases, have emails read to the user via a text-to-speech feature when accessing the system from a telephone (dial-in). For DoD, this presents two issues or vulnerabilities. Access to voicemail from a telephone only requires the user’s telephone number and a PIN. The telephone number is the account or mailbox number on the voicemail system while the PIN is the user password for accessing the account. This is a rather weak authentication method. The first issue for DoD, is that DoD policy states that access to email requires CAC/PKI based authentication of the user before they are granted access to their email account. Additionally, CAC based PKI certificates are required to decrypt encrypted email. CAC based authentication is not available when using a standard telephone. While some organizations might implement CAC authenticated access to the site’s phone system, such a facility is not available via most DoD phone systems and certainly not via the PSTN. Additionally, while a non-CAC enabled text-to-speech feature would not be able to read encrypted email (which would be considered the most sensitive) the unencrypted email is still considered sensitive DoD information. The argument could be made that normal voicemail messages and regular telephone conversations can also contain sensitive information, however, there is typically more sensitive information in email. Due to these two issues email should not be accessible via the voicemail / unified messaging / mail text-to-speech feature in DoD. That said, this issue does not apply to DoD issued PDA/PED devices that provide CAC authenticated access to email. An example of such a device is the CAC enabled Blackberry. In this case, access to unified mail voicemail would be via the CAC authenticated email service through which the user could listen to the voicemail. Text-to-speech conversion would be permitted in this case even though caution should be used when listening to any voicemail, particularly in a public place. The use of a wired earphone is highly recommended. Wireless Bluetooth earphones or headsets are vulnerable. Guidance for their use can be found in the Wireless STIG. NoneDenial of Service and/or unauthorized access to network or voice system resources or services and the information they contain. Information Assurance OfficerECSC-1

Traditional telephone systems require physical wiring and/or switch configuration changes to add an instrument to the system. This makes it difficult for someone to add an unauthorized digital instrument to the system. This, however, could be done easier with older analog systems by tapping an existing analog line. With VoIP, this is no longer the case. Some VoIP systems employ an automatic means of detecting and registering a new instrument on the network with the local session controller (LSC) and then downloading its configuration to the instrument. This feature is called ‘auto-registration’ and can be used to initially connect and test un-configured instruments. This presents a vulnerability whereby unauthorized instruments could be added to the system, or instruments could be moved without authorization. Such activity can happen anywhere there is an active network port or outlet. This is not only a configuration management problem but it could also allow theft of services or some other malicious attack. It is recognized however, that auto-registration is necessary during large deployments of VoIP instruments, as well as a short time thereafter, to facilitate additions and troubleshooting. This applies to initial system setup and to any subsequent large redeployments or additions. Normal, day to day, moves, additions, and changes will require manual registration. Since, it may be possible for an unauthorized VoIP instrument to easily be added to the system during auto-registration, the registration logs must be compared to the authorized terminal inventory. Alternately the system could have a method of automatically registering only pre-authorized terminals. This feature would support VoIP instruments that are DAA approved for connection from multiple local or remote locations. The Auto-registration feature provided in some VoIP systems creates various issues. In general, this feature allows any end instrument to function using a default configuration, as soon as it is plugged into the network without prior authorization and configuration by an SA. In general, this feature should never be used even in the limited situations mentioned in the requirement, since the SA loses control of the system. In this situation the SA may not know what phones are on the system, or where they are, and since phone numbers are usually assigned out of a pool, there is no SA control over the phone number assignments. Additionally, since end instruments can work as soon as they are plugged in, they could be used to abuse the phone system. NoneUnauthorized access to network or voice system resources or services and the information they contain. Potential system abuse.Information Assurance OfficerDCBP-1, ECSC-1

It is critical to the security of the system that all IPT / VoIP end instruments be authorized to connect to and use the system. Only authorized instruments should be configured in the system controller and therefore allowed to operate. Unauthorized instruments could lead to system abuse.NoneUnauthorized use or abuse of the systemInformation Assurance OfficerECSC-1

The VTC STIG discusses the possibility of undesired or improper viewing of and/or listening to activities and conversations in the vicinity of a hardware based VTC endpoint, whether it is a conference room system or an office based executive or desktop system. If this was to occur, there could be inadvertent disclosure of sensitive or classified information to individuals without the proper clearance or need-to-know. This vulnerability could occur if the endpoint was set to automatically answer a voice, VTC, or collaboration call with audio and video capabilities enabled, or if the endpoint was compromised and remotely controlled. The stated requirements and mitigations involve muting the microphone(s) and disabling or covering the camera(s). These or similar vulnerabilities could exist in PC based communications/collaboration applications due to an auto answer feature or compromised application or platform. As such, the simplest mitigation would be to only operate the software that accesses the microphone and camera when they are needed for communication. This does not work well for a unified communications application that is used to enhance our communications/collaboration capabilities since the application would be running most, if not all of the time when the PC is operating. In this case, the microphone could be muted and camera disabled in software as a mitigation. However, this also may not work well due to the possibility of the communications/collaboration application, microphone, or camera could be remotely activated if the platform or a communications application is compromised. In this case positive physical controls may be required. We must also rely on our defense in depth strategy for protecting our PC applications, including our communications applications, from compromise. Physical disablement such as unplugging from the PC, using a physical mute switch, or covering a camera could work if using external devices. However, this mitigation would not work for embedded microphones and cameras as is the trend in laptops and monitors today. While it may not be easily feasible to physically disable an embedded microphone, the lens of an embedded camera can be covered. NoneInadvertent disclosure of sensitive or classified information in aural or visual formInformation Assurance OfficerDCBP-1, ECSC-1

Visual collaboration often requires the sharing or display of presentations, open documents, and white board information to one or more communicating endpoints. While the technology for doing this is different between hardware based endpoints and PC based application endpoints, the vulnerability it creates is the same. In both cases, the displayed information typically resides on a PC. While in presentation/sharing mode, care must be exercised so that the PC user does not inadvertently display and transmit information on their workstation that is not part of the communications session and not intended to be viewed by the other communicating parties. Users must be aware that anything they display on their PC monitor while presenting to a communications session may be displayed on the other communicating endpoints. This is particularly true when the PC video output is connected to a VTC CODEC since the information will be displayed on all of the conference monitors. This presentation/sharing feature could result in the disclosure of sensitive or classified information to individuals that do not have a validated need-to-know or have the proper clearance to view the information. Thus, the presentation/sharing feature presents a vulnerability to other information displayed on the PC, if the feature is misused. This is a problem when sharing (displaying) a PC desktop via any collaboration tool using any connection method. There is little that can be done to mitigate this vulnerability other than to develop policy and procedures to present to collaborative communications sessions. All users that perform this function must have awareness of the issues and be trained in the proper operational procedures. Such procedures may require that there be no non-session related documents or windows open or minimized on the PC while presenting or sharing. An additional requirement may be that the user may not permit others in a session to remotely control their PC. A similar issue is that some PC based collaboration applications can permit a user to allow other session participants to remotely control their PC. Depending upon how this feature is implemented and limited, it could lead to undesired activities on the part of the person in control and possible compromise of information that is external to the collaboration session. This would be the case if such sharing or remote control provided access to the local hard drive and non session related applications or network drives accessible from the controlled PC. NONECompromise of the host PC and the information it contains or can reach through the network.Information Assurance OfficerDCBP-1, ECSC-1

Visual collaboration often requires the sharing or display of presentations, open documents, and white board information to one or more communicating endpoints. While the technology for doing this is different between hardware based endpoints and PC based application endpoints, the vulnerability is the same. In both cases, the displayed information typically resides on a PC. While in presentation/sharing mode, care must be exercised so that the PC user does not inadvertently display and transmit information on their workstation that is not part of the communications session and not intended to be viewed by the other communicating parties. Users must be aware that anything they display on their PC monitor while presenting to a communications session may be displayed on the other communicating endpoints. This is particularly true when the PC video output is connected to a VTC CODEC since the information will be displayed on all of the conference monitors. This presentation/sharing feature could result in the disclosure of sensitive or classified information to individuals that do not have a validated need-to-know or have the proper clearance to view the information. Thus, the presentation/sharing feature presents a vulnerability to other information displayed on the PC, if the feature is misused. This is a problem when sharing (displaying) a PC desktop via any collaboration tool using any connection method. There is little that can be done to mitigate this vulnerability other than to develop policy and procedures on how to securely present to collaborative communications sessions . All users that perform this function must have awareness of the issues and be trained in the proper operational procedures. Such procedures may require that there be no non-session related documents or windows open or minimized on the PC while presenting or sharing. An additional requirement may be that the user may not permit others in a session to remotely control their PC. A similar issue is that some PC based collaboration applications can permit a user to allow other session participants to remotely control their PC. Depending upon how this feature is implemented and limited, it could lead to undesired activities on the part of the person in control and possible compromise of information that is external to the collaboration session. This would be the case if such sharing or remote control provided access to the local hard drive and non session related applications or network drives accessible from the controlled PC. It is also imperative that a collaboration session participant know with whom he/she is communicating and sharing information and/or to whom they might give remote control access to their PC or shared application. This is so that the communicating individuals can have a trust relationship before sharing occurs. NoneThe inadvertent or improper disclosure of sensitive or classified information. Information Assurance OfficerDCBP-1, ECSC-1

In addition to complying with the STIGs and VPN requirements for remotely connected PCs, there is an additional requirement for PC soft-phone and UC applications using the VPN. Soft-phone and UC application traffic which must interact or communicate with systems and devices in the voice VLAN/protection zone must be routed to that zone while the other data and communications traffic is routed to the data zone. This is to be accomplished without degrading the separation of these two zones, or bridging them together. This can be accomplished in a number of ways depending upon the LAN and its boundary/VPN architecture.NonePotential for the compromise of the phone system.Information Assurance OfficerDCBP-1, ECSC-1

The protection of the VVoIP system is enhanced by ensuring all VVoIP systems and components within the LAN (Enclave) are deployed using separate address blocks from the normal data address blocks. This is one of the required steps required to help protect the VVoIP infrastructure and services by allowing traffic and access control via firewalls and router ACLs. NoneDenial of Service and/or unauthorized access to network or voice system resources or services and the information they contain. Additionally the corruption of data and/or unauthorized use of the supporting server.Information Assurance OfficerDCPA-1, DCSP-1, ECSC-1

Assigning static addresses to core VVoIP devices permits tighter control using ACLs on firewalls and routers to help in the protection of these devices. NOTE: In the event DHCP is used for address assignment, ensure the DHCP server assigns the same address to the core VVoIP device each time one is requested.NoneThe inability to properly control traffic to/from and access to the VVoIP system core devices resulting in unauthorized access or denial of serviceInformation Assurance OfficerECSC-1

When using Dynamic Host Configuration Protocol (DHCP) for address assignment and host configuration, different DHCP scopes (different address space, subnets, and VLANs) must be used for voice components and data components. Optimally, the design would place a DHCP server dedicated to providing IP address and configuration information to the VVoIP endpoints separate from the IP address and configuration information to data hosts (workstations etc.). The DHCP server providing VVoIP devices should be in the V_VUC domain having the same address space and VLAN to prevent DHCP requests routed onto the data environment that degrade the separation of the VVoIP environment and the data environment. With centralized management of DHCP (and other services, such as DNS) this separation is obviously eliminated. DHCP requests and responses for voice must reside on a segregated VLAN. The best practice is to manually assign addresses when authorizing the instrument by generating its configuration file. In the event a dedicated DHCP server for VVoIP endpoints is not implemented, the network (i.e., the router controlling access to and from the VVoIP endpoint VLANs) must route VVoIP endpoint DHCP requests directly to the DHCP server in such a manner that prevents traffic to flow between the VVoIP and data VLANs. Additionally the DHCP server must prevent such traffic flows while providing the VVoIP endpoints with proper VVoIP addresses and other information within the VVoIP address/subnet range (scope).Information Assurance OfficerECSC-1

Based on a previously stated requirement, a VVoIP system must have one or more production VLANs containing the VVoIP endpoints and a separate OOB management network or virtual management network (management VLAN). Also previously stated is the requirement that the LAN NEs maintain the separation between management network(s) and the production network VLANs by blocking traffic from passing between them. Maintaining this separation is also incumbent upon the managed devices that are connected to both the management and production VLANs. Individual VVoIP system core devices and traditional TDM based telecom switches connect to their production and management networks or VLANs in different ways. In some cases there are separate dedicated physical management and production interfaces. There may also be one or more physically separate management interfaces. On the other hand these interfaces may be logical or there may be some combination of logical and physical interfaces that support the required production and management traffic. In the event production and management connections use separate interfaces, whether logical or physical, the target/ managed device must not permit one network (physical or logical VLAN) to access another network through the device. That is, the device must not route IP traffic between logical or physical interfaces connected to different VLANs or physical networks that are part of a different logical security zone (protected VLAN) or physical network enclave. Permitting such routing permit a host on one network or VLAN to gain unauthorized access to a host on another network which can lead to complete corruption of the accessed system or device causing the, loss of availability (denial-of-service), integrity, and information or communications confidentiality. NOTE: While this specifically addresses a similar situation addressed in the Network Infrastructure STIG that essentially requires that the production side of a managed device must not be accessible from the management interface and vise versa, this requirement extends that requirement to multiple management interfaces. Many DSN switches and DISN IPVS system core devices are managed from the BCPS network and CCSA NOC via one interface and also monitored and potentially managed by the DISA ADIMSS or other NOC. These are separate enclaves which must be protected from inappropriate access between them. In some cases the connections from these enclaves to the managed devices are via separate interfaces on the managed devices. Ergo the requirement the managed device must not pass traffic between these interfaces. NoneDenial of Service and/or unauthorized access to network or voice system resources or services and the information they contain. Additionally the corruption of data and/or unauthorized use of the supporting server.Information Assurance OfficerECSC-1

VLAN and IP address segmentation enables access and traffic control for the VVoIP system components. Only the required protocols are to reach a given VVoIP device thereby protecting it from non-essential protocols. This protection is afforded on the LAN by implementing ACLs based on VLAN/subnet, protocol and in some instances specific IP addresses. While a firewall placed between the core equipment and endpoint VLANs might provide better protection for the core equipment as a whole, a router is best suited to control the varying traffic patterns between the various devices. NoneThe inability to properly control traffic to/from and access to the VVoIP system core devices resulting in unauthorized access or denial of serviceInformation Assurance OfficerECSC-1

VLAN and IP address segmentation enables access and traffic control for the VVoIP system components. Only the required protocols are to reach a given VVoIP device thereby protecting it from non-essential protocols. This protection is afforded on the LAN by implementing ACLs based on VLAN/subnet, protocol and in some instances specific IP addresses. While a firewall placed between the core equipment and endpoint VLANs might provide better protection for the core equipment as a whole, a router is best suited to control the varying traffic patterns between the various devices. NoneDenial of Service and/or unauthorized access to network or voice system resources or services and the information they contain. Additionally the corruption of data and/or unauthorized use of the supporting server.Information Assurance OfficerECSC-1

While VLANs facilitate access and traffic control for the VVoIP system components and enhanced QoS, they should only be implemented on the network elements that are needed to carry the traffic from the attached devices. LAN switches will typically learn the VLANs configured on an adjacent switch and configure it locally. As such a VLAN configured on one switch can be learned and configured on the entire LAN in a very short period of time. Too many learned VLANs and a NE can crash. Additionally, a VLAN that appears on NEs where it is not required to carry traffic, places the VLAN at risk of compromise by presenting many more points at which the VLAN might be accessed. Therefore the VLANs must be pruned from trunks and interfaces where the VLAN does not need to send traffic. A VLAN that supports a number of local VVoIP endpoints only needs to traverse the NEs in two paths to the core routing devices at the VVoIP core equipment, Any specific endpoint VLAN does not need to appear on every switch in the LAN unless it serves endpoints everywhere on the LAN. Likewise the VVoIP core equipment VLANs do not need to extend past the VVoIP core routing devices (routers or layer 3 switches. The endpoint VLANs come to the core, the core VLANs do not extend to the endpoints. As such all VLANs must be pruned from any trunk where its traffic does not need to go. NoneDenial of Service and/or unauthorized access to network or voice system resources or services and the information they contain. Additionally the corruption of data and/or unauthorized use of the supporting server.Information Assurance OfficerECSC-1

Router ACLs are required to control access and the flow of traffic to and from VVoIP system devices and their VLANs as a protection mechanism. In general the defined ACLs are designed in a deny-by-default manner such that only the protocols and traffic that needs to reach the device or devices in the VLAN receive the packets. The ACLs filter on VLAN, IP address / subnet, protocol type, and associated standard IP port for the protocol. In general the ACLs mentioned are egress filters (referenced the router core) on the VLAN interfaces. Additionally, the routing devices should log and alarm on inappropriate traffic. An example of this is an HTTP request sourced from the data VLAN(s) to the endpoint or media gateway VLAN(s). The primary purpose of ACL on all VVoIP VLAN interface(s) is to block traffic to/from the data VLAN interface(s). Similar restrictions are placed on a dedicated VTC VLAN interface, however, VVoIP media and signaling is permitted in the event a VTC unit needs to communicate with the UC system NoneDenial of Service, loss of confidentiality, and/or unauthorized access to network or voice system resources or services and the information they contain. Possibly degradation of the data and VoIP network segregation.Information Assurance OfficerECSC-1

Router ACLs are required to control access and the flow of traffic to and from VVoIP system devices and their VLANs as a protection mechanism. In general, the defined ACLs are designed in a deny-by-default manner such that only the protocols and traffic that needs to reach the device or devices in the VLAN receive the packets. The ACLs filter on VLAN, IP address / subnet, protocol type, and associated standard IP port for the protocol. In general, the ACLs mentioned are egress filters (referenced the router core) on the VLAN interfaces. Additionally, the routing devices should log and alarm on inappropriate traffic. An example of this is an HTTP request sourced from the data VLAN(s) to the endpoint or media gateway VLAN(s). The primary purpose of ACL on all VVoIP VLAN interface(s) is to block traffic to/from the data VLAN interface(s). Similar restrictions are placed on a dedicated VTC VLAN interface, however, VVoIP media and signaling is permitted in the event a VTC unit needs to communicate with the UC system.NoneDenial of Service, loss of confidentiality, and/or unauthorized access to network or voice system resources or services and the information they contain. Possibly degradation of the data and VoIP network segregation.Information Assurance OfficerECSC-1

Router ACLs are required to control access and the flow of traffic to and from VVoIP system devices and their VLANs as a protection mechanism. In general, the defined ACLs are designed in a deny-by-default manner such that only the protocols and traffic that needs to reach the device or devices in the VLAN receive the packets. The ACLs filter on VLAN, IP address / subnet, protocol type, and associated standard IP port for the protocol. In general, the ACLs mentioned are egress filters (referenced the router core) on the VLAN interfaces. Additionally, the routing devices should send an alarm in response to inappropriate traffic and log the occurrence. An example of this is an HTTP request sourced from the data VLAN(s) to the endpoint or media gateway VLAN(s). The primary purpose of ACL on all VVoIP VLAN interface(s) is to block traffic to/from the data VLAN interface(s). Similar restrictions are placed on a dedicated VTC VLAN interface, however, VVoIP media and signaling is permitted in the event a VTC unit needs to communicate with the UC system.NoneDenial of Service, loss of confidentiality, and/or unauthorized access to network or voice system resources or services and the information they contain. Possibly degradation of the data and VoIP network segregation.Information Assurance OfficerECSC-1

Router ACLs are required to control access and the flow of traffic to and from VVoIP system devices and their VLANs as a protection mechanism. In general, the defined ACLs are designed in a deny-by-default manner such that only the protocols and traffic that needs to reach the device or devices in the VLAN receive the packets. The ACLs filter on VLAN, IP address / subnet, protocol type, and associated standard IP port for the protocol. In general, the ACLs mentioned are egress filters (referenced the router core) on the VLAN interfaces. Additionally, the routing devices should log and alarm on inappropriate traffic. An example of this is an HTTP request sourced from the data VLAN(s) to the endpoint or media gateway VLAN(s). The primary purpose of ACL on all VVoIP VLAN interface(s) is to block traffic to/from the data VLAN interface(s). Similar restrictions are placed on a dedicated VTC VLAN interface, however, VVoIP media and signaling is permitted in the event a VTC unit needs to communicate with the UC system.NoneDenial of Service, loss of confidentiality, and/or unauthorized access to network or voice system resources or services and the information they contain. Possibly degradation of the data and VoIP network segregation.Information Assurance OfficerECSC-1

Router ACLs are required to control access and the flow of traffic to and from VVoIP system devices and their VLANs as a protection mechanism. In general, the defined ACLs are designed in a deny-by-default manner such that only the protocols and traffic that needs to reach the device or devices in the VLAN receive the packets. The ACLs filter on VLAN, IP address / subnet, protocol type, and associated standard IP port for the protocol. In general, the ACLs mentioned are egress filters (referenced the router core) on the VLAN interfaces. Additionally, the routing devices should log and alarm on inappropriate traffic. An example of this is an HTTP request sourced from the data VLAN(s) to the endpoint or media gateway VLAN(s). The primary purpose of ACL on all VVoIP VLAN interface(s) is to block traffic to/from the data VLAN interface(s). Similar restrictions are placed on a dedicated VTC VLAN interface, however, VVoIP media and signaling is permitted in the event a VTC unit needs to communicate with the UC system.NoneDenial of Service, loss of confidentiality, and/or unauthorized access to network or voice system resources or services and the information they contain. Possibly degradation of the data and VoIP network segregation.Information Assurance OfficerECSC-1

Router ACLs are required to control access and the flow of traffic to and from VVoIP system devices and their VLANs as a protection mechanism. In general the defined ACLs are designed in a deny-by-default manner such that only the protocols and traffic that needs to reach the device or devices in the VLAN receive the packets. The ACLs filter on VLAN, IP address / subnet, protocol type, and associated standard IP port for the protocol. In general the ACLs mentioned are egress filters (referenced the router core) on the VLAN interfaces. Additionally, the routing devices should log and alarm on inappropriate traffic. An example of this is an HTTP request sourced from the data VLAN(s) to the endpoint or media gateway VLAN(s). The primary purpose of ACL on all VVoIP VLAN interface(s) is to block traffic to/from the data VLAN interface(s). Similar restrictions are placed on a dedicated VTC VLAN interface, however, VVoIP media and signaling is permitted in the event a VTC unit needs to communicate with the UC system NoneDenial of Service, loss of confidentiality, and/or unauthorized access to network or voice system resources or services and the information they contain. Possibly degradation of the data and VoIP network segregation.Information Assurance OfficerECSC-1

Router ACLs are required to control access and the flow of traffic to and from VVoIP system devices and their VLANs as a protection mechanism. In general, the defined ACLs are designed in a deny-by-default manner such that only the protocols and traffic that needs to reach the device or devices in the VLAN receive the packets. The ACLs filter on VLAN, IP address / subnet, protocol type, and associated standard IP port for the protocol. In general, the ACLs mentioned are egress filters (referenced the router core) on the VLAN interfaces. Additionally, the routing devices should log and alarm on inappropriate traffic. An example of this is an HTTP request sourced from the data VLAN(s) to the endpoint or media gateway VLAN(s). The primary purpose of ACL on all VVoIP VLAN interface(s) is to block traffic to/from the data VLAN interface(s). Similar restrictions are placed on a dedicated VTC VLAN interface, however, VVoIP media and signaling is permitted in the event a VTC unit needs to communicate with the UC system. NoneDenial of Service, loss of confidentiality, and/or unauthorized access to network or voice system resources or services and the information they contain. Possibly degradation of the data and VoIP network segregation.Information Assurance OfficerECSC-1

Router ACLs are required to control access and the flow of traffic to and from VVoIP system devices and their VLANs as a protection mechanism. In general, the defined ACLs are designed in a deny-by-default manner such that only the protocols and traffic that needs to reach the device or devices in the VLAN receive the packets. The ACLs filter on VLAN, IP address / subnet, protocol type, and associated standard IP port for the protocol. In general, the ACLs mentioned are egress filters (referenced the router core) on the VLAN interfaces. Additionally, the routing devices should log and alarm on inappropriate traffic. An example of this is an HTTP request sourced from the data VLAN(s) to the endpoint or media gateway VLAN(s). The primary purpose of ACL on all VVoIP VLAN interface(s) is to block traffic to/from the data VLAN interface(s). Similar restrictions are placed on a dedicated VTC VLAN interface, however, VVoIP media and signaling is permitted in the event a VTC unit needs to communicate with the UC system NoneDenial of Service, loss of confidentiality, and/or unauthorized access to network or voice system resources or services and the information they contain. Possibly degradation of the data and VoIP network segregation.Information Assurance OfficerECSC-1

Router ACLs are required to control access and the flow of traffic to and from VVoIP system devices and their VLANs as a protection mechanism. In general, the defined ACLs are designed in a deny-by-default manner such that only the protocols and traffic that needs to reach the device or devices in the VLAN receive the packets. The ACLs filter on VLAN, IP address / subnet, protocol type, and associated standard IP port for the protocol. In general, the ACLs mentioned are egress filters (referenced the router core) on the VLAN interfaces. Additionally, the routing devices should log and alarm on inappropriate traffic. An example of this is an HTTP request sourced from the data VLAN(s) to the endpoint or media gateway VLAN(s). The primary purpose of ACL on all VVoIP VLAN interface(s) is to block traffic to/from the data VLAN interface(s). Similar restrictions are placed on a dedicated VTC VLAN interface, however, VVoIP media and signaling is permitted in the event a VTC unit needs to communicate with the UC system. NoneDenial of Service, loss of confidentiality, and/or unauthorized access to network or voice system resources or services and the information they contain. Possibly degradation of the data and VoIP network segregation.Information Assurance OfficerECSC-1

Voice mail services in a VoIP environment are available in several different configurations. A legacy voice mail platform can connect to a VoIP environment to provide voice mail services for VoIP users. In the same respect, a VoIP voice mail platform can provide voice mail services to the legacy voice users and the VoIP users. Some voice mail systems are also capable of providing unified mail by interacting with email messaging systems. Voicemails when recorded are converted to a .wav or similar digital audio file and sent to the email server as an attachment to an email. The subject line will typically contain the caller ID information if available. The email user can then open the attachment and listen to the voicemail on their PC or whatever device that provides properly authenticated access to the user’s email. Since the voicemail server must access the voice network (which, in a VoIP system is the VoIP VLAN system), and the data network (data VLANs) to send the email, caution and control must be exercised to not degrade the separation between the voice and data VLANs. Additionally, if the email server is part of or collocated with the voicemail server, user access to email must also not degrade the separation between the voice and data VLANs. Since this server may have 2 NICs and be connected to both voice and data VLANs, the server must not act as a bridge between the voice and data VLANs. NoneDenial of Service and/or unauthorized access to network or voice system resources or services and the information they contain. Additionally the corruption of data and/or unauthorized use of the supporting server.Information Assurance OfficerDCBP-1, ECSC-1

Some VVoIP hardware endpoints and hardware based VTC endpoints contain a multi-port Ethernet switch to provide a connection on the endpoint for external devices such as a workstation (i.e., PC port). Additionally, some of these endpoints have the capability of defining the VLAN that their traffic will use via various methods but most typically by using 802.1Q trunking (VLAN tagging). However, some endpoints do not support VLAN assignment or cannot themselves maintain VLAN separation. In these cases, the responsibility of VLAN assignment and maintenance of VLAN separation falls to the LAN access switch (discrete NE or module in a larger NE) that supports the LAN cable drop to which the endpoint(s) is connected. Typically the LAN access switch port configurations contain a statement assigning the port to a specific VLAN. NoneDenial of Service and/or unauthorized access to network or voice system resources or services and the information they contain. Loss of confidentiality. Degradation of the data and VoIP network segregation and associated problems.Information Assurance OfficerECSC-1

Some VVoIP hardware endpoints and hardware based VTC endpoints contain a multi-port Ethernet switch to provide a connection on the endpoint for external devices such as a workstation (i.e., PC port). This is done so that a PC and a workstation can share a single network cable drop and LAN access layer switch port. The PC port can, in general, support any device requiring an Ethernet connection. In theory, a VoIP phone, a desktop VTC unit could be daisy chained on a single LAN drop. These embedded multi-port Ethernet switches must be capable of maintaining the separation of the voice (VVoIP), data, VLANs as well as the VTC VLAN and PC Comm Client VLAN if present. For example the attached PC must not be able to directly access the phone’s or VTU’s configurations or communications traffic. VAN separation helps to prevent this. NOTE: the switch or endpoint will typically utilize 802.1Q trunking (VLAN tagging) but may use some other means to separate voice and data traffic. Typically when 802.1Q VLAN tagging is used, the phone firmware tags the VoIP packets while the embedded switch passes all packets without modification. This permits devices connected to the PC port to tag their packets and assign the proper VLAN to their traffic type. 802.1Q VLAN tagging enables the LAN to better maintain separation of the traffic and is therefore the preferred method. The LAN access switch (discrete NE or module in a larger NE) must be capable of, and must be configured to, support the VLAN separation method used by the supported endpoints. The NE may perform this function in various ways as determined by the overall VVoIP system and LAN design. However, the typical (or preferred) method used by an endpoint to maintain VLAN separation is 802.1Q VLAN tagging. As such, the LAN access port and NE needs to support the receipt of tagged packets and handle them appropriately to also maintain VLAN separation. While the NE may retag the packets thereby reassigning the VLAN based on some defined rule, the NE may not strip the tags and mix all traffic together. Furthermore, The LAN access NE supporting LAN cable drops will typically have a VLAN defined for each service (VVoIP, VTC, Data, PC Comm. Client) supported by the endpoints connected to the NE. Traffic within the respective VLANs may flow between different physical ports on the NE but may not change VLANs in the process. This must be done by a routing device (discrete NE or module in a larger NE) and must be controlled by an appropriate ACL. The LAN access layer Ethernet switch may be combined in the same unit with the routing device as in the case of a layer-3 switch or a router containing an Ethernet switch module. NoneDenial of Service and/or unauthorized access to network or voice system resources or services and the information they contain. Loss of confidentiality. Degradation of the data and VoIP network segregation and associated problems.Information Assurance OfficerECSC-1

Policy regarding LAN access switchport mode has been established in the Network Infrastructure STIG by NET1416 which states “ensure trunking is disabled on all access ports (do not configure trunk on, desirable, non-negotiate, or auto—only off).” The reason for this is that a malicious user could affect a VLAN hopping attack. VLAN “hopping” occurs when a tagged frame destined for one VLAN is redirected to a different VLAN, threatening network security. The redirection can be initiated using two methods: “tagging attack” and “double encapsulation.” Frame tagging attacks allow a malicious user on a VLAN to get unauthorized access to another VLAN. For example, if a switch port’s trunk mode were configured as auto (enables a port to become a trunk if the connected switch it is negotiating trunking with has its state set to on or desirable) and were to receive a fake DTP packet specifying trunk on or desirable, it would become a trunk port and it could then start accepting traffic destined for all VLANs that belong to that trunk group. The attacker could start communicating with other VLANs through that compromised port—including the management VLAN. Insuring that trunk mode for any non-trunking port is configured as off can prevent this type of attack. Double encapsulation can be initiated by an attacker who has access to a switch port belonging to the native VLAN of the trunk port. Knowing the victim’s MAC address and with the victim attached to a different switch belonging to the same trunk group, thereby requiring the trunk link and frame tagging, the malicious user can begin the attack by sending frames with two sets of tags. The outer tag that is the attacker’s VLAN ID (probably the well known and omnipresent VLAN 1) is stripped off by the switch, and the inner tag that will have the victim’s VLAN ID is used by the switch as the next hop and sent out the trunk port. To ensure the integrity of the trunk link and prevent unauthorized access, the native VLAN of the trunk port should be changed from the default VLAN 1 to its own unique VLAN. NOTE: Trunk mode is typically used between LAN switches to extend defined VLANs across a network. This mode is used to interconnect LAN switches and routers with other LAN switches and routers to create a network across multiple NEs. Trunk mode generally requires each packet to be tagged with the VLAN ID that it belongs to. This tagging can follow the 802.1Q standard format or can use a vendor proprietary protocol such as Cisco’s ISL. Access mode on the other hand is used on a switchport that supports a connection to a LAN endpoint device. Typically single endpoint devices connected to a switchport send traffic that does not contain a VLAN tag. In this case, if a VLAN is defined for the endpoint, the switchport is statically assigned to a VLAN. As such, when a packet is received and sent out the “Trunk” the packet is tagged with the VLAN ID. Best practices dictate that the implementation of VVoIP on a network requires one or more VVoIP VLANs be established within the network. Therefore LAN access switchports that support VVoIP and VTC endpoints that do not tag or are capable but not configured to add a VLAN tag to their traffic must be statically assigned to the local VVoIP VLAN. VVoIP and VTC endpoints that do have the capability of adding the VLAN tag to their traffic typically use 802.1Q format and also typically support a PC port on the device. The PC port is added to the VVoIP or VTC endpoints since it reduces cabling and LAN infrastructure cost. Typically, VVoIP or VTC endpoints that support a PC port pass traffic from this port unchanged whether the traffic is tagged or not, while adding the VVoIP VLAN tag for the locally defined VVoIP VLAN to its VVoIP traffic. As such, a LAN access switchport must now support tagged and untagged traffic and keep the traffic separated. This is done by defining a default “data” VLAN (that is not the default VLAN on the NE such as VLAN 0 or 1) for the switchport in which untagged traffic is placed and defining a secondary VVoIP VLAN that matches the 802.1Q tag used for the VVoIP traffic. This method maintains the LAN access nature of the port even though it supports multiple VLANs while not requiring it to be configured as a trunk. NoneDenial of Service and/or unauthorized access to network or voice system resources or services and the information they contain. Loss of confidentiality. Degradation of the data and VoIP network segregation and associated problems.Information Assurance OfficerECSC-1

VVoIP or VTC endpoints that are not configured to or cannot provide a 802.1Q VLAN tag to its VVoIP traffic have no control over what VLAN their traffic ends up in, if any. Therefore the responsibility of placing VVoIP or VTC traffic in an appropriate VLAN for the type of traffic falls to the LAN switch. As such each switchport on a LAN NE that supports a VVoIP or VTC endpoint must place the traffic in the correct VLAN. This means that, in lieu of any other means to sort the traffic, each switchport must be statically assigned to the appropriate VLAN. NOTE: In some cases a LAN NE can use some other endpoint or traffic characteristic other than 802.1Q tagging to assign the traffic to the correct VLAN. NoneDenial of Service and/or unauthorized access to network or voice system resources or services and the information they contain. Additionally the corruption of data and/or unauthorized use of the supporting server.Information Assurance OfficerECSC-1

Many VVoIP and VTC endpoints provide a PC port on the device. Doing so permits a PC to share the same LAN drop as a VoIP phone or desktop VTC endpoint. The net effect is reduced installation and maintenance cost for the LAN infrastructure. Endpoints that provide a PC port have an embedded Ethernet switch which is required to support the separation of the PC data traffic from the VVoIP and VTC traffic. This is primarily accomplished by the embedded Ethernet switch in the endpoint supporting VLANs. In support of this, many VVoIP and VTC endpoints have the capability of adding a VLAN tag to their traffic using the 802.1Q format. Typically the PC port traffic is passed to the LAN unchanged whether the traffic is tagged or not, while adding the VVoIP VLAN tag for the locally defined VVoIP VLAN to its VVoIP traffic. NOTE: this is a limitation of the switchport access mode. It seems that configuring more than a default and tagged VLAN on a switchport requires the port to be set as a trunk, which is not permissible based on NET1416. This causes a limitation in the number of devices and applications that can be supported by a single switchport and LAN drop. For example, a single switchport will support a single VoIP phone (w/ an embedded switch and PC port) which tags its traffic and a connected PC that does not. Similarly, a single switchport will support a single VTC endpoint (w/ an embedded switch and PC port) which tags its traffic and a connected PC that does not. Similarly, a single switchport will support a single PC that supports a soft phone and tags its VoIP traffic while not tagging its data traffic (per the PCCC STIG). A single port will not support a VoIP phone and a VTC endpoint and a PC on a single drop unless the VTC endpoint also tags its VTC traffic with the VoIP VLAN. If a PC with a compliant soft phone is connected, it must also tag its traffic with the single VoIP VLAN tag. NOTE: Traffic to/from a VTC endpoint may use the same VLAN as the VVoIP phone system. Some exceptions may apply. NOTE: Do not use the default VLAN for the switch which is generally VLAN 1. This is used for LAN control traffic. No traffic or interface is permitted to be assigned to the switches’ default VLAN. NoneDenial of Service and/or unauthorized access to network or voice system resources or services and the information they contain. Additionally the corruption of data and/or unauthorized use of the supporting server.Information Assurance OfficerECSC-1

A PC port on a VVoIP or VTC endpoint that is not intended for regular use is required to be disabled. Unused LAN access switchports and LAN drops are also to be disabled per the Network Infrastructure STIG. From the Network Infrastructure Checklist NET1435 vulnerability discussion: “It is possible that a disabled port that is assigned to a user or management VLAN becomes enabled by accident or by an attacker and as a result gains access to that VLAN as a member.” The resulting requirement is: “ensure disabled ports are placed in an unused VLAN (do not use VLAN 1 ).” Similarly, a PC port on a VVoIP or VTC endpoint that is disabled may become “un-disabled” (activated). If this were to occur, and the switchport is statically assigned to the VVoIP or VTC VLAN, the connected device, PC or otherwise would have direct access to the VLAN that the VVoIP or VTC endpoint is configured to use and thereby compromising it. This could provide unauthorized access to the VVoIP or VTC traffic, endpoints, and core control devices. NoneDenial of Service and/or unauthorized access to network or voice system resources or services and the information they contain. Additionally the corruption of data and/or unauthorized use of the supporting server.Information Assurance OfficerECSC-1

The Network Infrastructure (NI) STIG provides DoD policy for the use of “port security” or LAN access control on LAN access switchports. One of the methods is MAC based port security which limits the number of devices that can be connected to a LAN drop and LAN access switchport thereby protecting the LAN by providing a measure of access control. Allowing too many MAC addresses on a switch port could allow a mini-hub or switch to be added to the voice VLAN port or PC/data port on a VVoIP or VTC endpoint to which additional unauthorized devices or workstations to be connected. Thus, the entire VVoIP or VTC systems or the LAN may be compromised. This requirement works in association with the NI STIG requirements on MAC based port security. In some cases this requirement might conflict with or modify the requirements contained therein. This is because the focus of the NI STIG is data networks where typically only one data device is authorized to connect to any given LAN drop. This follows through for VVoIP or VTC endpoints providing the workspace in which they are to be installed is provisioned with enough LAN drops to support the number of devices to be used in the workspace. This also requires that each LAN drop that is to be used must be connected to a LAN access switchport. In such a scenario, it is best practice to limit the devices that are permitted to connect to any given LAN drop/switchport combination to one. There are two methods for effecting this limitation. The first is to statically map the MAC address of a pre-authorized device into the configuration of the PAN access switchport. The second method is called sticky (MAC based) port security in which the MAC address of the first device to connect to the switchport is learned and added to the configuration. This becomes the authorized device. Sticky port security requires that care be exercised regarding what device is connected to a port for the first time. In both cases an alarm will be generated if an unauthorized device is connected. Many VVoIP or VTC endpoints provide an extra Ethernet port called a PC port that permits the endpoint and a PC (or other device) to share the same LAN drop. This has several advantages. First, a VVoIP or VTC endpoint can be added to a LAN that heretofore only supported PCs without having to run additional cable or activate additional LAN drops. This provides a cost savings in both initial installation and operating costs for the LAN infrastructure. This is because this method reduces the number of active LAN access switchports thereby reducing energy consumption. This reduction not only reduces the energy needed to operate the LAN equipment but the energy required to cool the equipment is reduced thereby providing another reduction (or lack of increase) in energy usage and operating cost. Sharing LAN drops is green. There are other devices such as access control devices that can also share a LAN drop. It is possible to share a single LAN drop with a VVoIP endpoint, a desktop VTC endpoint, and a PC. The following limitations for MAC based port security are to be implemented to support VVoIP or VTC endpoints in various scenarios: > A single authorized VVoIP or VTC endpoint on a LAN drop/switchport requires one MAC to be statically configured or the learned maximum set to one whether it provides a PC port or not. In this case the PC port is disabled. Connecting a device to the PC port will cause an alarm. > A single VVoIP or VTC endpoint on a LAN drop/switchport that provides a PC port to which a PC will be connected will require two statically mapped MAC addresses or a maximum of three dynamically learned addresses. While there are two authorized devices permitted to connect, the endpoint address may be learned twice in association with the data VLAN and the VVoIP or VTC VLAN. > In the event a VVoIP endpoint, VTC endpoint, and a PC are to be daisy chained on one LAN drop/switchport and switchport, the switchport will need to be configured for 3 statically mapped addresses or a maximum of 5 dynamically learned MAC addresses. This is because both the VVoIP and VTC endpoints will typically be assigned to the VVoIP VLAN due to switchport mode configuration limitations and both endpoints may be learned twice in association with the data VLAN and the VVoIP or VTC VLAN. NOTE: another green initiative where a single LAN drop is shared among several devices is called "hot desking" which is related to conservation of office space and teleworking. Hot desking is where several people are assigned to work at the same desk at different times, each with their own laptop PC. In this case, a different MAC address needs to be permitted for each laptop that is supposed to connect to the LAN drop in the workspace. Additionally, this workspace could contain a single phone (and possibly desktop VTC endpoint) used by all assignees and the PC port on it might be the connection for their laptop. In this case it is best not to use sticky port security but to use a static mapping of pre-authorized devices or implement 802.1x. NoneDenial of Service and/or unauthorized access to network or voice system resources or services and the information they contain. Loss of confidentiality. Numerous potential impacts are made available by vulnerabilities associated with unauthorized access to the network.Information Assurance OfficerECSC-1

IEEE 802.1x is a protocol that is used to control access to LAN services via a LAN access switchport or wireless access point. It requires a device or user (supplicant) to authenticate to the network element (authenticator) and become authorized by the authentication server before the authenticator provides access to the LAN. This process is used to activate the LAN access switchport and potentially limit traffic to a specific VLAN and/or install traffic filters. This method is more secure and capable than using basic MAC based port security. As such, it is required to be used in certain circumstances by the Network Infrastructure STIG. When 802.1x is used, all devices connecting to the LAN are required to use 802.1x.NoneDenial of Service and/or unauthorized access to network or voice system resources or services and the information they contain. Additionally, the corruption of data and/or unauthorized use of the supporting server can occur.Information Assurance OfficerECSC-1

802.1x has the capability of configuring the LAN access switchport to assign a VLAN or apply filtering rules based upon the device that was just authenticated. This is done via the “success” message sent from the authentication server back to the authenticator (LAN switch). General VVoIP and VTC requirements dictate that traffic from these devices are to be separated from the general LAN traffic and workstations by VLAN and IP address separation or segregation. An implementation of 802.1x within the LAN must support this requirement. As such the authentication server must provide the LAN switch with the proper VLAN configuration depending upon the device that is authenticated. For example, if all LAN ports are configured to use 802.1x LAN access control, and (as the typical case would be) are configured as disabled until a device authenticates, each port must support the authentication of a general workstation (a data device) or a VVoIP endpoint, or a VTC endpoint. If a workstation authenticates, the switchport must be configured with the data VLAN. If a VVoIP endpoint authenticates, the switchport must be configured with the VVoIP VLAN. Similarly for a VTC endpoint. If a VVoIP endpoint t hat contains a PC port authenticates, the switchport must be configured with the VVoIP VLAN to receive the VVoIP traffic AND must be configured with the data VLAN to receive traffic from the PC port. Alternately, the switchport must be preconfigured for whatever device is expected to connect while in standby and implement the configuration when activated. This latter, however, is not how this is typically configured.NoneDenial of Service and/or unauthorized access to network or voice system resources or services and the information they contain. Additionally the corruption of data and/or unauthorized use of the supporting server.Information Assurance OfficerECSC-1

A VVoIP or VTC endpoint that provides a PC port typically breaks 802.1x LAN access control mechanisms. The reason is that the LAN access switchport is turned on or authorized (and configured) when the VVoIP or VTC endpoint authenticates to the network and is authorized to operate. This typically permits whatever is connected to the PC port to have access to the LAN whether it is authorized or not or whether the device uses 802.1x or not. As such, the practice of daisy chaining devices on a single LAN drop that is “protected” by 802.1x must be prohibited unless certain mitigating circumstances exist, or are configured. The normal mitigation for this situation is to not implement VVoIP or VTC endpoints that provides a PC port if 802.1x is implemented as the LAN access control method. In the event a PC port is provided, the mitigation is to disable the port. However, the 802.1x implementation must install the configuration on the LAN access switchport that is required to support a VVoIP or VTC endpoint with a disabled PC port. This means that the required configuration for the LAN access switchports is to configure the appropriate VLAN for the VVoIP or VTC traffic (as required) as well as configuring the “unused” VLAN for the disabled PC port (as required). NOTE: the prohibition discussed here could be lifted (eliminated) in the event one of the following occurs: 1 - The LAN switchport can authorize access at the VLAN level and be reconfigured as additional devices are connected. That is, the switchport is activated and the VVoIP or VTC VLAN is configured/activated when the endpoint is authenticated/authorized but the data VLAN for the PC port is set to the “unused” VLAN until the PC or other device is connected. When a device is connected to the PC port, it must then use 802.1x to gain access to the LAN. Once authenticated and authorized, the LAN switchport is reconfigured with the active e data VLAN if a PC is connected. This process could, in theory, also support a VVoIP, VTC endpoint, and PC daisy chained on one LAN port if each was authenticated to the LAN one at a time in sequence from the LAN drop out. 2 - The VVoIP or VTC endpoint’s embedded switch and the PC port fully supports 802.1x as an authenticator. That is the PC port works like an 802.1x capable LAN access switchport and can be activated and deactivated (configured) by the 802.1x authentication server.NoneDenial of Service and/or unauthorized access to network or voice system resources or services and the information they contain. Additionally, the corruption of data and/or unauthorized use of the supporting server.Information Assurance OfficerECSC-1

Many VVoIP endpoints have the capability of setting and/or displaying configuration settings in the instrument itself. While this makes it convenient to configure and troubleshoot at the desktop, it presents a vulnerability whereby, a user (or anybody in the area) can obtain information such as the IP addresses and URLs of system components that could in turn be used to facilitate an attack on the system by hackers or attackers. Therefore these devices should be considered a target to be defended against such individuals that would collect voice network information for illicit purposes. To help prevent against information gathering by the unscrupulous, measures must be taken to protect this information. Programming IP Phones to not display network information (i.e. IP address, subnet mask, gateway, LCC addresses or URLs, etc.), without entering a password or PIN code, should be considered as another layer of security in protecting the VoIP environment. Additionally, such a PIN/password should not be a well know or default “magic key sequence.” Such a PIN/password should only be available at initial setup of the instrument. While this PIN/password will most likely be group PIN/password (not meeting DoD password/auditing policy under IAGA-1) they should not be permanently stored on the instrument. Instead, they should be centrally managed. The instrument should query the Local Session Controller (LSC) to validate the PIN/Password, or minimally, should be changeable from the LSC as a function of the endpoint configuration. Instrument configuration PIN/passwords should be managed in accordance with normal DoD password policy. For example, the PIN/password needs to be changed on a regular basis. This finding can be reduced to a CAT III in the event The VVoIP endpoint’s configuration and/or configuration-display PIN/passwords does not remotely authenticate BUT IS centrally manageable / changeable from the LSC.Denial of Service and/or unauthorized access to network or voice system resources or services and the information they contain. Loss of confidentiality. Password or PIN code compromise. As compromise is easier (or more likely) if they are not centrally managed since Password or PIN codes stored on the terminals or end instruments will most likely never be changed.Information Assurance OfficerECSC-1

VVoIP or VTC hardware endpoint possessing a “PC Port” can provide an easy avenue to access and compromise the endpoint configuration and communications traffic. Through such unauthorized access an attacker could also compromise the core of the VVoIP or VTC system or gain information for an attack from another vector. As such, VVoIP or VTC hardware endpoint must block access to its configuration and communications traffic from the PC port.None Denial of Service and/or unauthorized access to network or voice system resources or services and the information they contain. Loss of confidentiality. Degradation of the data and VoIP network segregation and associated problems.Information Assurance OfficerECSC-1

NOTE: the switch or endpoint will typically utilize 802.1Q trunking (VLAN tagging) but may use some other means to separate voice and data traffic. Typically when 802.1Q VLAN tagging is used, the phone firmware tags the VoIP frames/packets while the embedded switch passes all frames/packets without modification. This permits devices connected to the PC port to tag their packets and assign the proper VLAN to their traffic type. 802.1Q VLAN tagging enables the LAN to better maintain separation of the traffic and is therefore the preferred method.NoneDenial of Service and/or unauthorized access to network or voice system resources or services and the information they contain. Loss of confidentiality. Degradation of the data and VoIP network segregation and associated problems.Information Assurance OfficerECSC-1

The typical perimeter or premise router (as designated by the NI and Enclave STIGs) will most likely not be capable of supporting the needs of VVoIP entering the DISN WAN. This is because only newer routers are capable of dealing with service classes and expedited forwarding. This why the DISN IPVS PMO specifies the specific additional capabilities required of the perimeter or premise router to support the needs of the Assures Service network. The router designated by the DISN IPVS PMO that is needed to support the service is called the Customer Edge Router (CER). This terminology is consistent with the terminology used by the DISN CORE PMO and other WAN service providers. The CER provides the following functionality: > Provides minimally four forwarding cues (eight preferred) > Places traffic within expedited forwarding cues based on the Differential Service Code Point (DSCP) markings carried by the traffic. > Routes inbound AS-SIP-TLS packets and SRTP/SRTCP packets to the EBC function. (VVoIP firewall) > Routes all other inbound traffic to the data firewall > Provides all of the filtering and security required of a perimeter or premise router as required by the NI STIG. NOTE: proper DSCP marking of VVoIP packets is required to provide appropriate QoS for C2 priority calls in support of Assured Service The UCR requires the CER to support Expedited Forwarding (EF) PHBs in accordance with RFC 3246 and Assured Forwarding (AF) PHB in accordance with RFC 2597. The UCR further requires the CER to minimally support four forwarding cues but prefers eight cues which will be the requirement in the future when the vendors can support eight. NoneThe inability to provide assured service for critical voice and video communications.Information Assurance OfficerECSC-1

The CER (premise or perimeter) router is the first line of defense at the gateway to the enclave or LAN. The data and VVoIP firewall (EBC) functions are the second line of defense. Since the VVoIP firewall function only processes VVoIP traffic in the form of AS-SIP-TLS and SRTP/SRTCP packets, the CER should only forward these packets to the VVoIP firewall such that it is better protected from being overloaded causing a denial of service. This is part of a layered defense. NoneThe inability to provide assured service for critical voice and video communications.Information Assurance OfficerECSC-1

The EBC is in the VVoIP signaling between the LSC and MFSS. To limit its exposure to compromise and DOS, it must only exchange signaling messages using the designated protocol (AS-SIP-TLS) with the LSC(s) within the enclave and the EBC fronting the MFSS (and its backup) to which the LSC is assigned. Similarly, an EBC fronting an MFSS must only exchange signaling messages with the MFSS and LSC(s) within the enclave and the EBCs fronting other MFSSs and the LSCs that are assigned to it. While the EBC is also required to authenticate the source and integrity of the signaling packets it receives, filtering on source IP address adds a layer of protection for the MFSS. This is also a backup measure in the event this filtering is not done on the CER. Internal to the enclave, filtering signaling traffic based on the IP address(es) of the LSC(s) within the enclave limits the ability of rogue EIs attempting to establish calls or cause a DOS. NoneThe inability to provide assured service for critical voice and video communications.Information Assurance OfficerECSC-1

We previously discussed the reasons why a special firewall function is needed to protect the enclave if VVoIP is to traverse the boundary (see VVoIP 1005 (GENERAL) under VVoIP policy). This requirement addresses the function of the EBC which manages the AS-SIP-TLS signaling messages. In order to perform its proper function in the enclave boundary, the EBC must decrypt and decode or understand the contents of AS-SIP-TLS messages. Doing so supports the requirements that are to follow. Additionally, the EBC can perform message validity checks and determine of an attack is being attempted. NOTE: The EBC acts as an application level proxy and firewall for the signaling AS-SIP-TLS messages. NoneThe inability to properly protect the enclave.Information Assurance OfficerECSC-1

We previously discussed the reasons why a special firewall function is needed to protect the enclave if VVoIP is to traverse the boundary (see VVoIP 1005 under VVoIP policy). This requirement addresses the function of the EBC which authenticates the AS-SIP-TLS signaling messages as being from an authorized source. DoD policy dictates that authentication be performed using DoD PKI certificates. This also applies to network hosts and elements. AS-SIP (and SIP on which it is based) is not a secure protocol. The information passed during call/session setup and teardown is in human readable plain text. To secure AS-SIP and SIP, TLS is used. TLS is PKI certificate based and is used for AS-SIP message encryption, authentication, and integrity validation. NOTE: Authentication is provided by validating the sending appliance’s public PKI certificate used to establish the TLS session. AS-SIP messages are not sent until the authenticated TLS session is established. NOTE: the methods used will be in accordance with the UCR. NoneUnauthorized access and use of the DISN NIPRNet IPVS system and/or the VVoIP system within the enclave.Information Assurance OfficerECSC-1

The validation of signaling packet integrity is required to ensure the packet has not been altered in transit. Packets can be altered in a couple of ways. The first is modification by uncontrollable network events such as bit errors and packet truncation that would cause the packet to contain erroneous information. Packets containing detectable errors must not be processed since the effect of doing so is unknown and most likely not good. The second could be modification by a man-in-the-middle. NOTE: The USR mandates the packets be hashed upon transmission and receipt using HMAC-SHA1-160 with 160 bit keys and the validation of the hash of the received packet against the transmitted hash. NoneInformation Assurance OfficerECSC-1

DISN NIPRNet IPVS PMO and the UCR require all session signaling across the DISN WAN and between the LSC and EBC to be secured with TLS. The standard IANA assigned IP port for SIP protected by TLS (SIP-TLS) is 5061. DoD PPSM requires that protocols traversing the DISN and DoD enclave boundaries use the standard IP port(s) for the specific protocol. Since AS-SIP is a standardized extension of the SIP protocol and since AS-SIP must be protected by TLS, AS-SIP-TLS must use IP port 5061. NoneInformation Assurance OfficerECSC-1

We previously discussed the reasons why a special firewall is needed to protect the enclave if VVoIP is to traverse the boundary. (see VVoIP 1005 (GENERAL) under VVoIP policy) This requirement addresses the function of the EBC which manages the SRTP/SRTCP bearer streams. NOTE: The DISN IPVS PMO has determined that the EBC will pass the negotiated and encrypted SRTP/SRTCP bearer streams without decryption and inspection. This is because doing so will not provide a significant security benefit but would cause a significant delay with a resulting decrease in the quality of the communications. Encoded audio and video is difficult to impossible to determine if an attack is being perpetrated or if sensitive information is being improperly disclosed without reconstituting the analog audio and video signals and having a person listen and watch each communication. Due to the volume of communications, to do so would be nearly impossible. NoneThe inability to provide assured service for critical voice and video communications AND the inability to properly protect the enclave.Information Assurance OfficerECSC-1

The DISN NIPRNet IPVS utilizes SRTP/SRTCP bearer streams for the transport of voice and video information within and between enclaves during a VVoIP session. Additionally, the VVoIP system devices within the enclave are to be addressed using “private” or RFC 1918 addresses. These addresses are different than the addresses used on the NIPRNet. NIPRNet addresses are a subset of the overall public address space used by the Internet. As such, Network Address Translation (NAT) is required at the enclave boundary in order to transfer IP packets into and out of the enclave. The proper place for this to happen is in the EBC. This is because the EBC has knowledge of the IP addresses of the communicating endpoints based on the AS-SIP-TLS signaling messages. NOTE: The DISN IPVS PMO has determined that the EBC will pass the negotiated and encrypted SRTP/SRTCP bearer streams without decryption and inspection. This is because doing so will not provide a significant security benefit but would cause a significant delay with a resulting decrease in the quality of the communications. Encoded audio and video is difficult to impossible to determine if an attack is being perpetrated or if sensitive information is being improperly disclosed without reconstituting the analog audio and video signals and having a person listen and watch each communication. Due to the volume of communications, to do so would be nearly impossible. NOTE: The need to use NAT/NAPT is a given when transitioning a boundary when RFC 1918 addresses are used within the enclave. NoneThe inability to establish a VVoIP session across the enclave boundary to endpoints in other enclaves.Information Assurance OfficerECSC-1

Action cannot be taken to thwart an attempted denial-of-service or compromise if the SAs responsible for the operation of the EBC and/or the network defense operators are not alerted to the occurrence in real time.NoneInformation Assurance OfficerECSC-1

Redundancy of equipment and associations is used in and IP network to increase the availability of a system. Multiple MFSSs in the DISN NIPRNet IPVS network and multiple SSs in the DISN SIPRNet IPVS network have been implemented in each theatre to provide network wide redundancy of their functions. They are intended to work in pairs such that one can provide its backbone services to multiple LSCs that are configured to use one as a primary and the other as a backup. This is necessary to the maintenance of backbone functionality in the event there is a circuit (network path) failure, a MFSS or SS failure, or one of the sites housing a MFSS or SS is lost or the MFSS or SS becomes unavailable. Based on this, when establishing a call on the WAN, each LSC must be configured to signal with a backup MFSS or SS in the event it cannot reach its primary. NoneInformation Assurance OfficerECSC-1

MFSSs are critical to the operation of the DISN NIPRNet IPVS network. They broker the establishment of calls between enclaves. A MFSS provides the following functions: > Receives AS-SIP-TLS messages from other MFSSs and a specific set of regionally associated LSCs to act as a call routing manager across the backbone. > Sends AS-SIP-TLS messages to interrogate the ability of another MFSS or a LSC to receive a call, whether routine or priority. > Sends AS-SIP-TLS messages to manage the establishment of priority calls and the pre-emption of lower priority calls to LSCs and other MFSSs > Once a “trunk side” session request is received the MFSS determines if the destination is one of its assigned LSC’s. If so, it interrogates that LSC to determine if it can receive the call. If so, it signals to establish the call. If the destination is not one of its LSCs it signals with other MFSSs to locate the destination LSC and then the remote MFSS negotiates with its LSC. > Acts as a backup MFSS for LSCs assigned to other MFSSs as primary. As such, a LSC must be able to signal with a MFSS in order to establish any call across the DISN WAN. LSCs do not interact directly with LSCs. This hierarchical arrangement is required in order to be able to manage and establish priority calls and manage access circuit budgets. We established previously that each LSC must have a backup MFSS. In support of this function MFSSs must be operated in pairs with all the information about its assigned LSCs replicated across the pair. NoneReduced the reliability and survivability of the DISN IPVS network.Information Assurance OfficerECSC-1

The implementation of Enhanced F&ES telecommunications services requires that the emergency services answering point or call center be able to automatically locate the calling party in the event they are unable provide their location themselves. This is a two part process. First the telephone system must be able to provide the answering station with the telephone number from which the emergency call originated. This is Automatic Number Identification (ANI) information. The second step in the process is that this phone number must be correlated to a physical address or location. This is called Automatic Location Identification (ALI) information. ANI information comes from the telephone system controller. ALI information may come from an external database that associates the ANI information to the ALI information or the telephone system controller may maintain the ALI database internally. If the ALI database is internal to the telephone system controller, emergency services answering point or call center only needs to receive ALI information providing it contains the originating telephone number. For enterprise systems, the support for E911 by the enterprise LSC (or any remote LSC construct) is governed by FCC rules, as well as other federal, state, and local law. The design and implementation of all MLTS systems must include reasonable efforts to provide E911, even when the access connection to the Enterprise LSC is severed.Information Assurance OfficerInformation Assurance ManagerOtherDCBP-1

Under FCC rules and the laws of some states, the implementation of Enhanced F&ES telecommunications services requires that the emergency services answering point or call center must be automatically provided with enough location information so that emergency services personnel can locate the calling party within a specified radius at their exact location in the event they are unable provide their location themselves. This is a two-part process that is exacerbated if the call originates from a Multi-Line Telephone System (MLTS). Some of the FCC rules and state laws address the MLTS issue. For enterprise systems, the support for E911 by the enterprise LSC (or any remote LSC construct) is governed by FCC rules, as well as other federal, state, and local law. The design and implementation of all MLTS systems must include reasonable efforts to provide E911, even when the access connection to the Enterprise LSC is severed. Public enhanced F&ES systems are implemented in conjunction with the local exchange carrier (LEC) using their central office switch (CO). When the designated F&ES number is dialed, the CO routes the call to the public F&ES answering point (PSAP) over special trunks that can provide the PSAP with the telephone number from which the emergency call originated and the geographic location of the originating telephone. The originating telephone number is provided as Automatic Number Identification (ANI) information. The geographic location of the originating telephone is provided as Automatic Location Identification (ALI) information. The ALI is generated from the ANI by looking up the ANI in a database. Typically this function is performed by the LEC and the ALI provided is the service delivery address for the telephone number. In some cases the ALI information is housed in a database at the PSAP or a at a third party provider such that the PSAP must make the “database dip” to identify the location of the caller. The information is regularly updated by the LEC based on new service deliveries and disconnections. This process does not go far enough if the originating telephone is behind (part of) a MLTS. An MLTS may serve a large building or may serve multiple buildings in a campus setting. It may also serve small or large remote sites that are geographically distant from the main MLTS switch. As discussed above, the normal process provides the address where the LEC delivers its phone service for the calling number. While this address will serve to get emergency services personnel to the lobby of a building or the front gate of a campus, it will not provide the exact location of the caller. This is where the federal and state MLTS related requirements come in. Under these rules, a MLTS operator and the system itself must provide complete ANI and ALI information to the answering point such that emergency services personnel can easily locate the caller. As such the MLTS must provide the exact location of the originating telephone minimally within a reasonably small area of it. The location information provided for telephones behind a MLTS is called Phone Switch-ALI (PS-ALI). To implement this, the MLTS must first be able to provide the F&ES answering station with the telephone number from which the emergency call originated via ANI. If the answering point is outside the MLTS, the number provided must be the exact Direct Inward Dialing (DID) number of the telephone placing the call so that the answering point can dial it directly. The number provided must not be that of an outbound trunk. Secondly, this phone number must be correlated to its physical address or location within the facility via PS-ALI. To implement PS-ALI, the owner/operator of a MLTS is responsible for maintaining an up-to-date database containing the telephone number (DID number and/or extension number) and physical location of each telephone attached to the MLTS. This database is then used to provide the PS-ALI information to the ALI database(s) accessed by the F&ES answering point. In association with each telephone and telephone number in the MLTS, the PS-ALI information contained in the database includes the following: - The address of the site containing the MLTS unless provided to the answering point by the LEC as part of its ANI/ALI information. - The name (or number) of the building in which the telephone is located. - The address of the building in which the telephone is located. - The floor in the building on which the telephone is located. - The area or quadrant of the floor where the telephone is located. - The room or cube number where the telephone is located. Additional information should be provided to the F&ES answering point and emergency services personnel in the form of up-to-date facility maps and floor plans. The maintenance of facility maps, floor plans, and PS-ALI information to keep them up-to-date is critical to life safety and facility protection and security. This can be an onerous process in light of changes in the facility and moves, adds, and changes within the MLTS. Maintaining accurate location information is exacerbated in a VoIP MLTS due to the ability of an IP phone to change its physical location within the LAN (and possibly beyond) while keeping its telephone number without specific intervention from, or knowledge of the MLTS operator. As such the PS_ALI database can quickly become inaccurate. A situation that could be life threatening. Automated systems can be used with a VoIP system and LAN to identify the general location of an IP phone within the facility based on the LAN switch and port to which the phone is connected. Once this information is obtained from the LAN, it is correlated with the documented location of the LAN switch and documented location of the outlet served by the switchport..Information Assurance OfficerInformation Assurance ManagerOtherDCBP-1

When calling the designated F&ES telephone number, the call must go through no matter what the state of other calls in the system. As such, emergency calls must be treated as a priority call by the system. For enterprise systems, the support for E911 by the enterprise LSC (or any remote LSC construct) is governed by FCC rules, as well as other federal, state, and local law. The design and implementation of all MLTS systems must include reasonable efforts to provide E911, even when the access connection to the Enterprise LSC is severed.Information Assurance OfficerInformation Assurance ManagerDCBP-1

A cross site scripting vulnerability has been demonstrated in at least one SIP based IP phone. The vulnerability was demonstrated by adding scripting code to the From: field in the SIP invite. Upon receiving the invite, the embedded code was executed by a “vulnerable embedded web server” to download additional malicious code and affect an attack. A desktop demonstration of the vulnerability also exists on www.securityfocus.com under Bugtraq ID: 25987 that benignly pops up an alert box containing the word “HACK” on the user’s workstation after downloading a SIP invite. While this vulnerability was demonstrated on a specific IP phone it could potentially affect all SIP based endpoints or clients and their signaling partners. This vulnerability is a result of improper filtering or validation of the content of the various fields in the SIP invite and potentially the Session Description Protocol (SDP) portion of the invite. The injected code could cause all sorts of malicious code to be run on the target device which could be an endpoint (hard or soft), a session controller, or any other SIP signaling partner. Additionally this vulnerability may affect other applications other than VoIP that use SIP such as IM clients and others. A similar vulnerability would result if URLs embedded in SIP messages were launched automatically. VVoIP 1980 NoneDenial of Service and/or loss of confidentiality or integrity of the information or configuration stored on the target device and devices connected to it.Disable the ability of script engines or web browsers/servers on the device to process script code or URLs surreptitiously embedded in SIP/AS-SIP/SDP messages.Information Assurance OfficerDCBP-1

Permitting hardware based VVoIP or VTC endpoints to browse the internet or enterprise intranet freely opens the endpoint to the possibility of inadvertently downloading malicious code to the endpoint for which it may have no protection. VVoIP and VTC endpoints cannot typically support host based intrusion detection or anti-virus software. While the downloaded malicious code might not effect the endpoint itself, the endpoint could be used by the malicious code as a launching pad into the network and attached workstations or servers.VVoIP/VTC 1610NoneInadvertent access to malicious code for which there is no protection on the platform. Such malicious code could cause a denial of service or the loss of device configuration, log/history, or communications confidentiality or integrity.Limit or block web traffic (HTTP, HTTPS, etc) traffic from the VVoIP or VTC VLANs through the enclave boundary. Implementing ACLs in compliance with VVoIP 5600 should suffice as web protocols will be denied by default. Similar ACLs would be required for any implemented VTC VLANs.Information Assurance OfficerECSC-1

Hardware based VVoIP and IP-VTC endpoints sometimes contain a web server for the implementation of various functions and features. In many cases these are used to configure the network settings or user preferences on the device. In some VVoIP phones, a user can access a missed call list, call history, or other information. If access to such a web server is not restricted to authorized entities, the device supporting it is subject to unauthorized access and compromise.NoneUnauthorized access to the platform potentially resulting in the injection of malicious code and/or denial of service or the loss of device configuration, log/history, or communications confidentiality or integrity.Information Assurance OfficerECSC-1

DoD Policy requires special-C2 users to be provided 8 hours of backup power in support of their VVoIP communications needs when primary power has failed. From CJCSI 6215.01C Appendix A Enclosure C Based on the GIG MA ICD requirements associated with availability and reliability, the following requirements shall be met by IP based RTS. (a) Availability requirement for equipment/software serving Special C2 users is 0.99999 with eight hours uninterrupted power supply. As such, all elements of the LAN infrastructure, WAN boundary infrastructure, VVoIP infrastructure, and VVoIP endpoints that directly support any Special-C2 user must be provided with sufficient backup power to meet the availability requirements. NoneReduced or no availability and denial-of-service. A high priority command and control or emergency life-safety/security call may not be able to be completed in a timely fashion or at all.Information Assurance OfficerInformation Assurance ManagerCOPS-2

Policy sets the minimum requirements for the availability and reliability of VVoIP systems and the supporting LAN with emphasis on C2 communications. The high availability and reliability required for spedial-C2 and C2 users is achieved in part by redundancy within the LAN network elements. For further detail, see VVoIP 5110 (LAN)NoneReduced availability and reliability or denial of service. A high priority command and control or emergency life-safety/security call may not be able to be completed in a timely fashion or at all.Information Assurance OfficerDCBP-1

Policy sets the minimum requirements for the availability and reliability of VVoIP systems and the supporting LAN with emphasis on C2 communications. The high availability and reliability required for spedial-C2 and C2 users is achieved in part by interconnecting LAN network elements with redundant uplinks via geographically diverse paths. For further detail, see VVoIP 5115 (LAN)This finding carries a severity of Cat II if the NE directly supports a Special-C2 or C2 user. This finding carries a severity of Cat III if the NE only directly supports C2R, or Non-C2/admin users. NOTE: This may not be applicable if the LAN as a whole supports 96 or fewer VVUC users or the LAN covers an extremely small geographical area out of a single physical location. This would mean that most if not all users would be within 100m cabling distance of the core equipment. If this LAN supports a wider area from a single central core location and the access layer switches were separated from the core, redundant uplinks must be used while the physically diverse pathways requirement may be waived if achieving such diverse pathing is not feasible. Reduced availability and reliability or denial of service. A high priority command and control or emergency life-safety/security call may not be able to be completed in a timely fashion or at all.Information Assurance OfficerDCBP-1

Extension mobility is a feature of a VVoIP system that permits a person to transfer their phone number extension and phone features (or configuration) to a phone that is not in their normal workspace. This is useful when a person is visiting a remote office away from their normal office and typically functions within an established enterprise wide VVoIP system where the system is designed as a contiguous system. In this case, the system is typically a single vendor solution. The system might be within one LAN/CAN may include multiple LAN/CANs at multiple interconnected sites. To activate this feature, the user approaches a phone that is not their regular phone and identifies themselves to the phone system via a username, password, pin, code, or some combination of these. Upon validation, the system configuration manager will configure the temporary phone to match the configuration of the user’s regular phone. Minimally, the phone number is transferred and possibly some or all of the user’s speed dial numbers and other personal preferences. This capability is dependant upon the capabilities of the temporary phone. Once activated the user’s inbound calls are directed to the temporary location. The user’s regular phone may or may not maintain its normal capabilities and also may also answer inbound calls. NOTE: This feature has nothing to do with LAN access control and is not related to moving physical phones/endpoints/instruments. The phone that is already in the temporary location is already authorized on the LAN and registered with the LSC. Moving phones requires pre-authorization and pre-configuration of the LAN access control mechanisms, potentially including the LSC. This feature should not be used to permanently move users from one office to another. NOTE: Extension mobility is similar to but not the same as forwarding ones calls. Forwarding is typically activated from the user’s normal phone or their user preferences configuration settings. Forwarding is therefore pre-set to a known location. Extension mobility is typically activated from the remote location and is activated upon arrival at that location. Extension mobility poses some vulnerabilities to the VVoIP system, user’s profile information, and conversations if not properly controlled. Extension mobility should be available only to those individuals that need to use the feature. There should be a configurable checkbox that enables/disables the feature within the configuration of the user’s normal phone or within the user’s profile. Making the feature available to all users all of the time broadens the exposure for potential compromise of other user’s profile information or conversations. Activation of the feature must not be via a feature button on the temporary phone or a commonly known code, either of which might be used along with the phone number to be transferred. This would leave all regular user’s phones vulnerable to anybody activating the feature from anywhere in the system to eavesdrop or collect information. Extension mobility transfer in some systems may have no time limitation. This means the temporary user’s phone configuration, preferences, speed dial information, and phone calls are available at the temporary phone until the transfer feature is deactivated. In the event the user does not specifically deactivate the transfer when they leave, the info is there until someone else deactivates it or another transfer is activated. While users should have the capability to deactivate the transfer at their discretion when they leave, the system should automatically deactivate the feature at some predetermined time of day or after a time period of inactivity. A timed deactivation might use a period of inactivity of one or two hours. Activation of the feature might be for a given period of time, such as eight hours, or for a user configurable time period set when they activate the feature. A time of day deactivation could be set to deactivate all such transfers at midnight each day. This feature might also be used as a backup for other methods. In the event controls such as those discussed above are not available, an extension mobility feature should be deactivated if the feature is provided or supported by the system. NoneInformation Assurance OfficerDCBP-1