The Session Border Controller (SBC) must be configured to notify system administrators and the information system security officer (ISSO) when attempts to cause a denial of service (DoS) or other suspicious events are detected.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-259936 | SRG-VOIP-000560 | SV-259936r948782_rule | CCI-001548 | medium |

| Description |
|---|
| Action cannot be taken to thwart an attempted DoS or compromise if the system administrators responsible for the operation of the SBC and/or the network defense operators are not alerted to the occurrence in real time. |

| STIG | Date |
|---|---|
| Enterprise Voice, Video, and Messaging Policy Security Requirements Guide | 2025-05-29 |
Related Frameworks
NIST 800-53 (1 mapping)
AC-4
1.00
- DISA · 1 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-171 (1 mapping)
3.1.3
1.00
- DISA · 1 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI (1 mapping)
CCI-001548
1.00
- DISA · 1 · disa_xccdf · related
Details
Check Text (C-259936r948782_chk)
Verify the DISN NIPRNet IPVS SBC is configured to notify system administrators and the ISSO when the following conditions occur:
- Any number of malformed SIP, AS-SIP, or SRTP/SRTCP messages are received that could indicate an attempt to compromise the SBC.
- Excessive numbers of SIP or AS-SIP messages are received from any given IP address that could indicate an attempt to cause a DoS.
- Excessive numbers of messages are dropped due to authentication or integrity check failures, potentially indicating an attempt to cause a DoS or effect a man-in-the-middle attack.
If the SBC does not notify system administrators and the ISSO when attempts to cause a DoS or other suspicious events are detected, this is a finding.
NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.
Fix Text (F-63574r946728_fix)
Ensure the DISN NIPRNet IPVS SBC is configured to notify system administrators and the ISSO when the following conditions occur:
- Any number of malformed SIP, AS-SIP, or SRTP/SRTCP messages are received that could indicate an attempt to compromise the SBC.
- Excessive numbers of SIP or AS-SIP messages are received from any given IP address that could indicate an attempt to cause a DoS.
- Excessive numbers of messages are dropped due to authentication or integrity check failures, potentially indicating an attempt to cause a DoS or an attempt to effect a man-in-the-middle attack.
NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.
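One way to evaluate the three conditions listed above and route each alert to both roles, as an added example that is not part of the STIG or any SBC vendor's code. The event tuples, kind labels, window, thresholds and recipient role names are all assumptions, since the rule does not define "excessive".

```python
from collections import defaultdict, deque

# Assumed values: the rule says "excessive" without giving numbers.
WINDOW_S = 10         # sliding window, seconds
MAX_MSGS_PER_IP = 5   # signaling messages per source IP per window
MAX_DROPS = 3         # auth/integrity drops, all sources, per window
RECIPIENTS = ("system-administrators", "isso")  # role names, hypothetical

# Constructed events (epoch seconds, source IP, kind); kinds are hypothetical
# labels, not a vendor log format. IPs are documentation ranges.
SAMPLE_EVENTS = (
    [(100, "192.0.2.10", "malformed")]
    + [(200 + i, "198.51.100.7", "sip") for i in range(8)]
    + [(300 + i, f"203.0.113.{i + 1}", "auth_drop") for i in range(4)]
)

class Rate:
    """Sliding-window counter that fires once each time the limit is crossed."""
    def __init__(self, limit):
        self.limit, self.hits, self.active = limit, deque(), False

    def add(self, ts):
        self.hits.append(ts)
        while self.hits[0] <= ts - WINDOW_S:   # drop hits older than the window
            self.hits.popleft()
        over = len(self.hits) > self.limit
        fire, self.active = over and not self.active, over
        return fire

def detect(events):
    """Return (ts, condition, source, recipients) for each alert raised."""
    per_ip = defaultdict(lambda: Rate(MAX_MSGS_PER_IP))
    drops = Rate(MAX_DROPS)
    alerts = []
    for ts, src, kind in sorted(events):
        found = []
        if kind == "malformed":                    # condition 1: any number alerts
            found.append(("malformed-message", src))
        if per_ip[src].add(ts):                    # condition 2: flood from one IP
            found.append(("excessive-messages", src))
        if kind == "auth_drop" and drops.add(ts):  # condition 3: drop surge
            found.append(("excessive-auth-drops", "all-sources"))
        alerts += [(ts, cond, who, RECIPIENTS) for cond, who in found]
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The drop counter is deliberately global rather than per source, so failures spread across many addresses still cross the threshold.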