V-19661 | High | The data network boundary must block all traffic destined to or sourced from VVoIP VLAN IP address space and VLANs except specifically permitted media and signaling traffic. | The typical data firewall does not adequately protect the enclave when permitting VVoIP to traverse the boundary. Furthermore, a data firewall breaks VVoIP call completion when implementing NAT.... |
V-19673 | High | The DISN NIPRnet boundary Session Border Controller (SBC) must perform stateful inspection and packet authentication for all VVoIP traffic (inbound and outbound), and deny all other packets. | Once a pinhole is opened in the enclave boundary for a known session, the packets that are permitted to pass must be managed. If they are not properly managed, packets that are not part of a known... |
V-19674 | High | The DISN NIPRnet boundary Session Border Controller (SBC) must deny all packets traversing the enclave boundary (inbound or outbound) through the IP port pinholes opened for VVoIP sessions, except RTP/RTCP, SRTP/SRTCP, or other protocol/flow established by signaling messages. | Once a pinhole is opened in the enclave boundary for a known session, the packets that are permitted to pass must be managed. If they are not properly managed, packets that are not part of a known... |
V-19444 | Medium | Unified messaging and email text-to-speech features must be disabled because there is no PKI authentication and no access control to email. | Unified messaging and email systems provide the capability to receive voicemails via email and in some cases, have emails read to the user via a text-to-speech feature when accessing the system... |
V-19642 | Medium | A deny-by-default ACL for voicemail and unified messaging servers VLAN interfaces must be implemented on core routing devices as defined in the VVoIP system ACL design. | Router ACLs are required to control access and the flow of traffic to and from VVoIP system devices and their VLANs as a protection mechanism. In general, the defined ACLs are designed in a... |
V-19643 | Medium | A deny-by-default ACL for unified communications server VLAN interfaces must be implemented on core routing devices as defined in the VVoIP system ACL design. | Router ACLs are required to control access and the flow of traffic to and from VVoIP system devices and their VLANs as a protection mechanism. In general, the defined ACLs are designed in a... |
V-19640 | Medium | A deny-by-default ACL for session border VLAN interfaces must be implemented on VVoIP core routing devices as defined in the VVoIP system ACL design. | Router ACLs are required to control access and the flow of traffic to and from VVoIP system devices and their VLANs as a protection mechanism. In general the defined ACLs are designed in a... |
V-19646 | Medium | The LAN Access switch port is NOT configured to place the VVoIP or VTC traffic in the proper VLAN (e.g., the port is NOT assigned to the proper VLAN) or the port does not assign the appropriate VLAN tag via some other method. | Some VVoIP hardware endpoints and hardware based VTC endpoints contain a multi-port Ethernet switch to provide a connection on the endpoint for external devices such as a workstation (i.e., PC... |
V-19647 | Medium | The LAN access switch (discrete NE or module in a larger NE) is NOT capable of, or is NOT configured to; maintain the required VLAN separation for traffic originating from supported endpoints and DOES NOT route voice, VTC, PC communications client, and data traffic to their respective VLANs on the LAN. | Some VVoIP hardware endpoints and hardware based VTC endpoints contain a multi-port Ethernet switch to provide a connection on the endpoint for external devices such as a workstation (i.e., PC... |
V-19644 | Medium | A deny-by-default ACL for system management VLAN interfaces must be implemented on VVoIP core routing devices as defined in the VVoIP system ACL design. | Router ACLs are required to control access and the flow of traffic to and from VVoIP system devices and their VLANs as a protection mechanism. In general, the defined ACLs are designed in a... |
V-19645 | Medium | The implementation of Unified Mail services degrades the separation between the voice and data protection zones (VLANs). | Voice mail services in a VoIP environment are available in several different configurations. A legacy voice mail platform can connect to a VoIP environment to provide voice mail services for VoIP... |
V-19648 | Medium | LAN access switchports supporting VVoIP or VTC endpoints containing a PC port are configured in trunk mode, NOT in access mode or “802.1Q tagged access mode.” | Policy regarding LAN access switchport mode has been established in the Network Infrastructure STIG by NET1416 which states “ensure trunking is disabled on all access ports (do not configure trunk... |
V-19649 | Medium | LAN access switchport supporting a VVoIP or VTC endpoint that does not, or is not configured to, apply 802.1Q VLAN tags to its traffic is NOT statically assigned to the appropriate local VVoIP or VTC VLAN. | VVoIP or VTC endpoints that are not configured to or cannot provide a 802.1Q VLAN tag to its VVoIP traffic have no control over what VLAN their traffic ends up in, if any. Therefore the... |
V-19668 | Medium | The DISN NIPRNet IPVS firewall (EBC) is NOT configured to drop (and not process) all signaling packets except those whose integrity is validated. | The validation of signaling packet integrity is required to ensure the packet has not been altered in transit. Packets can be altered in a couple of ways. The first is modification by... |
V-19625 | Medium | PC presentation or application sharing capabilities are not properly limited. | Visual collaboration often requires the sharing or display of presentations, open documents, and white board information to one or more communicating endpoints. While the technology for doing this... |
V-21520 | Medium | Activation/deactivation of and permission to use the extension mobility feature is not properly controlled. | Extension mobility is a feature of a VVoIP system that permits a person to transfer their phone number extension and phone features (or configuration) to a phone that is not in their normal... |
V-19662 | Medium | The Customer Edge Router (CER) must expedite forwarding of VVoIP packets based on Differential Service Code Point (DSCP) packet marking. | The typical perimeter or premise router may not be capable of supporting the needs of VVoIP and UC when entering the DISN WAN. Modern routers are capable of dealing with service classes and... |
V-19663 | Medium | The Customer Edge Router (CER) must route all inbound traffic to the data firewall function except AS-SIP-TLS and SRTP/SRTCP, which must go to the Session Border Controller (SBC). | The CER is the first line of defense at the gateway to the enclave or LAN. The data firewall and SBC functions are the second line of defense. Since the SBC function only processes VVoIP traffic... |
V-19628 | Medium | VVoIP component(s) are NOT addressed using the defined dedicated VVoIP system addresses | The protection of the VVoIP system is enhanced by ensuring all VVoIP systems and components within the LAN (Enclave) are deployed using separate address blocks from the normal data address... |
V-19629 | Medium | VVoIP core components use random address assignment via DHCP and are not statically addressed | Assigning static addresses to core VVoIP devices permits tighter control using ACLs on firewalls and routers to help in the protection of these devices.
NOTE: In the event DHCP is used for... |
V-19666 | Medium | The EBC is NOT configured to terminate and decrypt inbound and outbound AS-SIP-TLS sessions (messages) such that it can properly manage the transition of the SRTP/SRTCP streams | We previously discussed the reasons why a special firewall function is needed to protect the enclave if VVoIP is to traverse the boundary (see VVoIP 1005 (GENERAL) under VVoIP policy). This... |
V-19667 | Medium | The DISN NIPRNet IPVS firewall (EBC) is NOT configured to drop (and not process) all packets except those that are authenticated as being from an authorized source within the DISN IPVS network. | We previously discussed the reasons why a special firewall function is needed to protect the enclave if VVoIP is to traverse the boundary (see VVoIP 1005 under VVoIP policy). This requirement... |
V-19638 | Medium | A deny-by-default ACL for media gateway VLAN interfaces must be implemented on VVoIP core routing devices as defined in the VVoIP system ACL design. | Router ACLs are required to control access and the flow of traffic to and from VVoIP system devices and their VLANs as a protection mechanism. In general, the defined ACLs are designed in a... |
V-19631 | Medium | A VVoIP core system/device or a traditional TDM based telecom switch is acting as a network router in that it does not block traffic between its attached management network interfaces(s) (one or more; logical or physical) and/or its production network interface(s) (logical or physical). | Based on a previously stated requirement, a VVoIP system must have one or more production VLANs containing the VVoIP endpoints and a separate OOB management network or virtual management network... |
V-19639 | Medium | A deny-by-default ACL for signaling gateway VLAN interfaces must be implemented on VVoIP core routing devices as defined in the VVoIP system ACL design. | Router ACLs are required to control access and the flow of traffic to and from VVoIP system devices and their VLANs as a protection mechanism. In general, the defined ACLs are designed in a... |
V-19650 | Medium | A LAN access switchport supports a VVoIP or VTC endpoint containing a PC port but is not configured with a default “data” VLAN to handle untagged PC port traffic and assign a secondary VVoIP or VTC VLAN to handle the tagged VVoIP or VTC traffic. | Many VVoIP and VTC endpoints provide a PC port on the device. Doing so permits a PC to share the same LAN drop as a VoIP phone or desktop VTC endpoint. The net effect is reduced installation and... |
V-19665 | Medium | The EBC is NOT configured to filter inbound AS-SIP-TLS traffic based on the IP addresses of the internal LSC(s) (or MFSS) OR the IP addresses of the EBCs fronting its authorized signaling partners as part of a layered defense. | The EBC is in the VVoIP signaling between the LSC and MFSS. To limit its exposure to compromise and DOS, it must only exchange signaling messages using the designated protocol (AS-SIP-TLS) with... |
V-19637 | Medium | A deny-by-default ACL for session manager VLAN interfaces must be implemented on VVoIP core routing devices as defined in the VVoIP system ACL design. | Router ACLs are required to control access and the flow of traffic to and from VVoIP system devices and their VLANs as a protection mechanism. In general, the defined ACLs are designed in a... |
V-19636 | Medium | A deny-by-default ACL for all VVoIP endpoint VLAN interfaces must be implemented on VVoIP non-core routing devices as defined in the VVoIP system ACL design. | Router ACLs are required to control access and the flow of traffic to and from VVoIP system devices and their VLANs as a protection mechanism. In general, the defined ACLs are designed in a... |
V-19635 | Medium | A deny-by-default ACL for VVoIP endpoint VLAN interfaces must be implemented on VVoIP core routing devices as defined in the VVoIP system ACL design. | Router ACLs are required to control access and the flow of traffic to and from VVoIP system devices and their VLANs as a protection mechanism. In general the defined ACLs are designed in a... |
V-19634 | Medium | VLANs established for the VVoIP system are NOT pruned from trunks and/or interfaces that are not required to carry the VVoIP traffic | While VLANs facilitate access and traffic control for the VVoIP system components and enhanced QoS, they should only be implemented on the network elements that are needed to carry the traffic... |
V-19632 | Medium | Logical or physical interfaces must be configured on the VVoIP core routing devices for the VVoIP core equipment to support access and traffic control for the VVoIP system components. | VLAN and IP address segmentation enables access and traffic control for the VVoIP system components. Only the required protocols are to reach a given VVoIP device thereby protecting it from... |
V-21517 | Medium | Network elements configuration supporting VoIP services must provide redundancy supporting command and control (C2) assured services and Fire and Emergency Services (FES) communications. | Policy sets the minimum requirements for the availability and reliability of VVoIP systems and the supporting LAN with emphasis on C2 communications. The high availability and reliability required... |
V-19630 | Medium | VVoIP endpoints must receive IP address assignment and configuration information from a DHCP server dedicated to the VVoIP system. | When using Dynamic Host Configuration Protocol (DHCP) for address assignment and host configuration, different DHCP scopes (different address space, subnets, and VLANs) must be used for voice... |
V-21518 | Medium | Network elements configuration supporting VoIP services must interconnect redundant uplinks following physically diverse paths to physically diverse network elements in the layer above with support for the full bandwidth handled by the network element using routing protocols facilitating failover. | Policy sets the minimum requirements for the availability and reliability of VoIP systems and the supporting LAN with emphasis on C2 communications. The high availability and reliability required... |
V-19671 | Medium | The DISN NIPRNet IPVS firewall (EBC) is NOT configured to manage IP port pinholes for the SRTP/SRTCP bearer streams based on the information in the AS-SIP-TLS messages. | We previously discussed the reasons why a special firewall is needed to protect the enclave if VVoIP is to traverse the boundary. (see VVoIP 1005 (GENERAL) under VVoIP policy) This requirement... |
V-19670 | Medium | All SIP and AS-SIP packets are not dropped by the DISN NIPRNet IPVS firewall (EBC) except those AS-SIP packets arriving on IP Port 5061 that are secured with TLS.
| DISN NIPRNet IPVS PMO and the UCR require all session signaling across the DISN WAN and between the LSC and EBC to be secured with TLS. The standard IANA assigned IP port for SIP protected by TLS... |
V-19677 | Medium | The MFSS is NOT configured to synchronize minimally with a paired MFSS and/or others such that each may serve as a backup for the other when signaling with its assigned LSCs, thus reducing the reliability and survivability of the DISN IPVS network. | MFSSs are critical to the operation of the DISN NIPRNet IPVS network. They broker the establishment of calls between enclaves. A MFSS provides the following functions:
> Receives AS-SIP-TLS... |
V-19676 | Medium | The VVoIP system connects with a DISN IPVS (NPRNET or SIPRNet) but the LSC(s) is not configured to signal with a backup MFSS (or SS) in the event the primary cannot be reached. | Redundancy of equipment and associations is used in and IP network to increase the availability of a system. Multiple MFSSs in the DISN NIPRNet IPVS network and multiple SSs in the DISN SIPRNet... |
V-19675 | Medium | The DISN NIPRNet IPVS firewall (EBC) is NOT configured to transmit a meaningful alarm message to the local EMS and DISN IPVS management system in the event of attempts to cause a denial-of-service or compromise the EBC or enclave. | Action cannot be taken to thwart an attempted denial-of-service or compromise if the SAs responsible for the operation of the EBC and/or the network defense operators are not alerted to the... |
V-19669 | Low | The DISN NIPRNet IPVS firewall (EBC) is NOT configured to validate the structure and validity of AS-SIP messages such that malformed messages or messages containing errors are dropped before action is taken on the contents. | Malformed AS_SIP messages as well as messages containing errors could be an indication that an adversary is attempting some form of attack or denial-of-service. Such an attack is called fuzzing.... |
V-19664 | Low | The Customer Edge Router (CER) must filter inbound AS-SIP-TLS traffic addressed to the local Session Border Controller (SBC) based on the source address of the signaling messages. | The CER (premise or perimeter) router is the first line of defense at the gateway to the enclave or LAN. The data firewall and SBC functions are the second line of defense. The SBC processes VVoIP... |