Voice Video Session Management Security Requirements Guide

Attackers that are able to exploit an inactive account can potentially obtain and maintain undetected access to an application. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. Voice video session managers must track periods of user inactivity and disable accounts after 35 days of inactivity. Such a process greatly reduces the risk that accounts will be misused, hijacked, or data compromised. DoD has determined that 35 days is the appropriate time period of inactivity for Inactive accounts. Therefore, systems with a per user paradigm of management would apply.

Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. For voice and video session managers, session flow of information is controlled by dial plans that coordinate connections between endpoints. Dial plans can also reduce connection costs in some cases, relying on routes across the DoDIN rather than over commercial services. Session managers can routes connections to known commercial services and DoD providers. Using DoDIN network paths reduces the risk of an adversary to intercept calls. However, dial plans can be mimicked and therefore are only part of a defense in depth approach.

Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible. Session records are generated from several components within the Voice Video system (e.g., session manager, session border control, gateway, gatekeeper, or endpoints). Session record content that may be necessary to satisfy this requirement includes, for example, type of connection, connection origination, time stamps, outcome, user identities, and user identifiers. Additionally, an adversary must not be able to modify or delete session records.

Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible. Session records are generated from several components within the Voice Video system (e.g., session manager, session border control, gateway, gatekeeper, or endpoints). Session record content that may be necessary to satisfy this requirement includes, for example, type of connection, connection origination, time stamps, outcome, user identities, and user identifiers. Additionally, an adversary must not be able to modify or delete session records.

Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible. Session records are generated from several components within the Voice Video system (e.g., session manager, session border control, gateway, gatekeeper, or endpoints). Session record content that may be necessary to satisfy this requirement includes, for example, type of connection, connection origination, time stamps, outcome, user identities, and user identifiers. Additionally, an adversary must not be able to modify or delete session records.

Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible. Session records are generated from several components within the Voice Video system (e.g., session manager, session border control, gateway, gatekeeper, or endpoints). Session record content that may be necessary to satisfy this requirement includes, for example, type of connection, connection origination, time stamps, outcome, user identities, and user identifiers. Additionally, an adversary must not be able to modify or delete session records.

Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible. Session records are generated from several components within the Voice Video system (e.g., session manager, session border control, gateway, gatekeeper, or endpoints). Session record content that may be necessary to satisfy this requirement includes, for example, type of connection, connection origination, time stamps, outcome, user identities, and user identifiers. Additionally, an adversary must not be able to modify or delete session records.

Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible. Session records are generated from several components within the Voice Video system (e.g., session manager, session border control, gateway, gatekeeper, or endpoints). Session record content that may be necessary to satisfy this requirement includes, for example, type of connection, connection origination, time stamps, outcome, user identities, and user identifiers. Additionally, an adversary must not be able to modify or delete session records.

Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible. Session records are generated from several components within the Voice Video system (e.g., session manager, session border control, gateway, gatekeeper, or endpoints). Session record content that may be necessary to satisfy this requirement includes, for example, type of connection, connection origination, time stamps, outcome, user identities, and user identifiers. Additionally, an adversary must not be able to modify or delete session records.

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process session records. Without this notification, the security personnel may be unaware of an impending failure of the session record capability. Session record processing failures include software/hardware errors, failures in the capturing mechanisms, and storage capacity being reached or exceeded. This requirement applies to each session record data storage repository (i.e., distinct information system component where session records are stored), the centralized session record storage capacity of organizations (i.e., all session record data storage repositories combined), or both.

If session records were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of session records, the information system and/or the application must protect session information from unauthorized modification. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files receive the proper file system permissions, and limiting log data locations.

If session records were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of session records, the information system and/or the application must protect session information from unauthorized modification. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files receive the proper file system permissions, and limiting log data locations.

Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible. Session records are generated from several components within the Voice Video system (e.g., session manager, session border control, gateway, gatekeeper, or endpoints). Session record content that may be necessary to satisfy this requirement includes, for example, type of connection, connection origination, time stamps, outcome, user identities, and user identifiers. Additionally, an adversary must not be able to modify or delete session records.

It is detrimental for voice video session managers to provide, or enable by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Voice video session managers are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).

Attacks against a Voice Video Session Manager may include DoS, replay attacks, or cross site scripting. A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators. A cross site scripting vulnerability was demonstrated on a SIP based IP phone by adding scripting code to the "From" field in the SIP invite. Upon receiving the invite, the embedded code was executed by the IP phone embedded web server to download additional malicious code.

Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Typically, devices can be identified by MAC or IP address but certificates provide a greater level of security. Identification of devices works with registration of devices as part of a defense in depth approach to Voice Video networks. Registration is the process of authorizing endpoints to communicate with the session manager. Registration occurs with the SIP server in VoIP systems and with a gatekeeper in H.323 systems. Without enforcing registration, an adversary could impersonate a legitimate device on the Voice Video network.

If MLPP attributes are not associated with the information being transmitted between systems, then access control policies and information flows which depend on these MLPP attributes will not function and unauthorized access may result. Without the implementation of safeguards which allocate network communication resources based on priority, network availability, and particularly high priority traffic, may be dropped or delayed. DoD relies on the implementation of MLPP to ensure that flag officers and senior staff are provided higher priority for communications than other users. For VoIP and videoconferencing systems, Voice Video Session Managers must communicate using protocols and services that provide expedited packets to users and other systems.

If MLPP attributes are not associated with the information being transmitted between components, then access control policies and information flows which depend on these MLPP attributes will not function and unauthorized access may result. When data is exchanged, the MLPP attributes associated with this data must be validated to ensure the data has not been changed. Without the implementation of safeguards which allocate network communication resources based on priority, network availability, and particularly high priority traffic, may be dropped or delayed. DoD relies on the implementation of MLPP to ensure that flag officers and senior staff are provided higher priority for communications than other users. For VoIP and videoconferencing systems, Voice Video Session Managers must communicate using protocols and services that provide expedited packets to users and other systems.

Failure in a known state can address safety or security in accordance with the mission needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. Preserving voice video session manager state information helps to facilitate restart and return to the operational mode of the organization with less disruption to mission-essential processes. This applies to the configuration of the functionality of the voice video session manager. Abort refers to stopping a program or function before it has finished naturally and refers to both requested and unexpected terminations. This control only applies to Committee on National Security Systems Instruction (CNSSI) 1253 high confidentiality and integrity baselines.

Failure in a known state can address safety or security in accordance with the mission needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. Preserving voice video session manager state information helps to facilitate restart and return to the operational mode of the organization with less disruption to mission-essential processes. This control only applies to Committee on National Security Systems Instruction (CNSSI) 1253 high confidentiality and integrity baselines.

Any Voice Video session manager providing too much information in session records risks compromising the data and security of the application and system. The structure and content of session records must be carefully considered by the organization and development team.

Activity under unusual conditions can indicate hostile activity. For example, what is normal activity during operational hours can indicate hostile activity if it occurs during off hours. Depending on mission needs and conditions, usage restrictions based on conditions and circumstances may be critical to limit access to resources and data to comply with operational or mission access control requirements. Thus, the network element must be configured to enforce the specific conditions or circumstances under which application accounts can be used (e.g., by restricting usage to certain days of the week, time of day, or specific durations of time). Limiting access to the voice/video network by work hours and work week mitigates the risk of unauthorized access to the system outside of duty hours, reducing misuse or abuse of the system and its resources. Areas requiring service during other times may be identified. However, it is essential that endpoints be allowed access to emergency services at all times.

Without the enforcement of immediate change to privilege levels, users and devices may not provide the correct level of service. Privileges include access to outside connections, precedence, and preemption capabilities. A user with higher precedence and preemption capability may supplant users authorized higher levels of access. Endpoint users must be limited to the privileges needed to conduct business and changes to privileges must be enforced immediately. Access authorizations should be dynamic to reflect changing conditions; if a revocation is not enforced in a timely manner, users may have inappropriate access. Revocation of access rules may differ based on the types of access revoked. For example, if a subject (i.e., user or process) is removed from a group, access may not be revoked until the next time the object (e.g., file) is opened or until the next time the subject attempts a new access to the object. Revocation based on changes to security labels may take effect immediately. It may be necessary to immediately revoke access in certain circumstances (i.e., a compromised account is being used). This may be mitigated by implementing SRG-NET-000321-VVSM-00008.

Without the enforcement of immediate change to privilege levels, users and devices may not provide the correct level of service. Privileges include access to outside connections, precedence, and preemption capabilities. A user with higher precedence and preemption capability may supplant users authorized higher levels of access. Endpoints must be limited to the privileges needed to conduct business and changes to privileges must be enforced immediately. Access authorizations should be dynamic to reflect changing conditions; if a revocation is not enforced in a timely manner, users may have inappropriate access. Revocation of access rules may differ based on the types of access revoked. For example, if a subject (i.e., user or process) is removed from a group, access may not be revoked until the next time the object (e.g., file) is opened or until the next time the subject attempts a new access to the object. Revocation based on changes to security labels may take effect immediately. It may be necessary to immediately revoke access in certain circumstances (i.e., a compromised account is being used). This may be mitigated by implementing SRG-NET-000321-VVSM-00007.

Without the ability to centrally manage the content captured in the audit records, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a delayed or incomplete analysis of an ongoing attack. The content captured in audit records must be managed from a central location (necessitating automation). Centralized management of audit records and logs provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records. Network components requiring centralized audit log management must have the capability to support centralized management. Session records for Voice Video systems are generally handled in a similar fashion to audit records for other systems and are used for billing, usage analysis, and record support for actions taken. These detailed records are typically produced by the session manager.

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited session record storage capacity.

Device registration is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific pre-authorized devices can access the system. Registration is the process of authorizing endpoints to communicate with the session manager. Registration occurs with the SIP server in VoIP systems and with a gatekeeper in H.323 systems. Without enforcing registration, an adversary could impersonate a legitimate device on the Voice Video network.

Device registration is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific pre-authorized devices and trunks can access the system. Registration is the process of authorizing endpoints and trunks to communicate with the session manager. Registration occurs with the SIP server in VoIP systems and with a gatekeeper in H.323 systems. Without enforcing registration, an adversary could impersonate a legitimate device or peer on the Voice Video network.

Device registration is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific pre-authorized devices can access the system. Registration is the process of authorizing endpoints to communicate with the session manager. Registration occurs with the SIP server in VoIP systems and with a gatekeeper in H.323 systems. Without enforcing registration, an adversary could impersonate a legitimate device on the Voice Video network.

Device registration is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific pre-authorized devices and trunks can access the system. Registration is the process of authorizing endpoints and trunks to communicate with the session manager. Registration occurs with the SIP server in VoIP systems and with a gatekeeper in H.323 systems. Without enforcing registration, an adversary could impersonate a legitimate device or peer on the Voice Video network.

Providing an explicit indication of current participants in videoconferences helps to prevent unauthorized individuals from participating in collaborative videoconference sessions without the explicit knowledge of other participants. videoconferences allow groups of users to collaborate and exchange information. Without knowing who is in attendance, information could be compromised. For videoconferences with large numbers of people present, the identified participant may be listed as the room rather than by each individual attending. Voice video session managers that provide a videoconference capability must provide a clear indication of who is attending the meeting, thus providing all attendees with the capability to clearly identify users who are in attendance.

If MLPP attributes are not associated with the information being transmitted between systems, then access control policies and information flows which depend on these MLPP attributes will not function and unauthorized access may result. Without the implementation of safeguards which allocate network communication resources based on priority, network availability, and particularly high priority traffic, may be dropped or delayed. DoD relies on the implementation of MLPP to ensure that flag officers and senior staff are provided higher priority for communications than other users. For VoIP and videoconferencing systems, Voice Video Session Managers must communicate using protocols and services that provide expedited packets to users and other systems.

Without the implementation of safeguards which allocate network communication resources based on priority, network availability, and particularly high priority traffic, may be dropped or delayed. DoD supporting C2 communications relies on the implementation of MLPP to ensure that flag officers and senior staff are provided higher priority for communications than other users. For VoIP and videoconferencing systems, Voice Video Session Managers must communicate using protocols and services that provide expedited packets to users and other systems. Additionally, Quality of Service (QoS) is an effective security safeguard used to ensure network communications availability based on priority. Different applications and other network traffic have unique requirements and toleration levels for delay, jitter, bandwidth, packet loss, and availability. To manage the multitude of applications and services, a network requires a QoS framework to differentiate traffic and provide a method to avoid and manage network congestion. When network congestion occurs, all traffic has an equal chance of being dropped. A QoS implementation categorizes network traffic into classes and provides priority treatment based on the classification.

An adversary may be able to gain access to information on whiteboards, listen to conversations on a microphone, or view areas with a camera since collaboration equipment is typically not designed with security access controls and protection measures of more sophisticated networked clients. Collaborative computing devices include, for example, networked whiteboards, cameras, and microphones. This requirement applies to collaboration applications that control collaborative computing devices. Exceptions to this would require acceptance of the risk by a cognizant AO. This requirement is not intended to prohibit remote activation of centrally managed, dedicated videoconferencing Suites for the purpose of remote testing of the equipment.

Configuring the voice video session manager to implement enhanced 911 (E911) and FES ensures compliance with Federal Communications Commission rules and establishes a common security baseline across DoD Voice Video systems. If E911 services are incorrectly configured, first responders may not have sufficient information to provide emergency services. Additionally, an adversary may use incorrectly configured E911 services to attack a system or location. For DoD systems, it is essential for FES communications to have sufficient priority, providing number and location information that is accurate. The FCC requires that providers of interconnected VoIP telephone services meet E911 obligations. E911 systems automatically provide to emergency service personnel a 911 caller's call back number and, in most cases, location information. Next Generation 9-1-1 (NG911) is an initiative updating the current E911 service infrastructure in the United States and Canada to improve public emergency communications services in a growingly wireless mobile society. This new service would enable the public to transmit text, images, video and data to the PSAP.

Configuring the voice video session manager to implement enhanced 911 (E911) and FES ensures compliance with Federal Communications Commission rules and establishes a common security baseline across DoD Voice Video systems. If E911 services are incorrectly configured, first responders may not have sufficient information to provide emergency services. Additionally, an adversary may use incorrectly configured E911 services to attack a system or location. For DoD systems, it is essential for FES communications to have sufficient priority, providing number and location information that is accurate. The FCC requires that providers of interconnected VoIP telephone services meet E911 obligations. E911 systems automatically provide to emergency service personnel a 911 caller's call back number and, in most cases, location information. Next Generation 9-1-1 (NG911) is an initiative updating the current E911 service infrastructure in the United States and Canada to improve public emergency communications services in a growingly wireless mobile society. This new service would enable the public to transmit text, images, video and data to the PSAP.

Configuring the voice video session manager to implement enhanced 911 (E911) and FES ensures compliance with Federal Communications Commission rules and establishes a common security baseline across DoD Voice Video systems. If E911 services are incorrectly configured, first responders may not have sufficient information to provide emergency services. Additionally, an adversary may use incorrectly configured E911 services to attack a system or location. For DoD systems, it is essential for FES communications to have sufficient priority, providing number and location information that is accurate. The FCC requires that providers of interconnected VoIP telephone services meet E911 obligations. E911 systems automatically provide to emergency service personnel a 911 caller's call back number and, in most cases, location information. Next Generation 9-1-1 (NG911) is an initiative updating the current E911 service infrastructure in the United States and Canada to improve public emergency communications services in a growingly wireless mobile society. This new service would enable the public to transmit text, images, video and data to the PSAP.

Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations.

Passwords need to be protected at all times and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Voice Video Session Managers must enforce password encryption when storing passwords within configuration files.

Configuring the Voice Video Session Manager in accordance with CNSSI 5000 for unclassified communication systems supporting VVoIP endpoints within SCIFs and SAPFs ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Voice Video Session Managers may support voice video endpoints that could potentially be activated from the session manager (inadvertently or covertly) and transmit classified conversations over unclassified networks if not properly configured. Voice Video Endpoint microphones and speakers may be activated to pick up conversation audio within the area and conduct it over the network connection, even when the endpoint is on-hook. The Technical Surveillance Counter-Measures (TSCM) program protects sensitive government information, to include classified information, through the establishment of on-hook audio security standards. References: CNSS Instruction No. 5000, Guidelines for Voice over Internet Protocol (VoIP), dated September 2016 IC Tech Spec-For ICD/ICS 705, Technical Specifications for Construction and Management of Sensitive Compartmented Information Facilities, version 1.3 dated September 10, 2015 Joint Air Force, Army, Navy (JAFAN) 6/0 Manual; Special Access Program Security Manual – Revision 1, dated May 29, 2008 Joint Air Force, Army, Navy (JAFAN) 6/9 Manual; Physical Security Standards for Special Access Program Facilities, dated March 23, 2004

When network elements do not dynamically reconfigure the data security attributes as data is created and combined, the possibility exists that security attributes will not correctly reflect the data with which they are associated. For the Voice Video Session Manager, the use of 802.1q tags on media and signaling, and the use of VLANs provides this layer of security. VLANs facilitate access and traffic control for voice video system components and enhanced QoS. Virtualized networking is used to separate voice video traffic from other types of traffic, such as data, management, and other special types. VLANs provide segmentation at layer 2. Virtual Routing and Forwarding (VRF) provides segmentation at layer 3, and works with Multiprotocol Label Switching (MPLS) for enterprise and WAN environments. When VRF is used without MPLS, it is referred to as VRF lite. For Voice Video systems, subnets, VLANs, and VRFs are used to separate media and signaling streams from all other traffic.

When network elements do not dynamically reconfigure the data security attributes as data is created and combined, the possibility exist that security attributes will not correctly reflect the data with which they are associated. For the Voice Video Session Manager, the use of 802.1q tags on media and signaling, and the use of VLANs provides this layer of security. VLANs facilitate access and traffic control for voice video system components and enhanced QoS. Virtualized networking is used to separate voice video traffic from other types of traffic, such as data, management, and other special types. VLANs provide segmentation at layer 2. Virtual Routing and Forwarding (VRF) provides segmentation at layer 3, and works with Multiprotocol Label Switching (MPLS) for enterprise and WAN environments. When VRF is used without MPLS, it is referred to as VRF lite. For Voice Video systems, subnets, VLANs, and VRFs are used to separate media and signaling streams from all other traffic.