
ECVI-1 Voice-over-IP (VoIP) Protection


Overview

Voice over Internet Protocol (VoIP) traffic to and from workstation IP telephony clients that are independently configured by end users for personal use is prohibited within DoD information systems. Both inbound and outbound individually configured voice over IP traffic is blocked at the enclave boundary. Note: This does not include VoIP services that are configured by a DoD AIS application or enclave to perform an authorized and official function.

MAC / CONF: MACI, MACII, MACIII
Impact: Medium
Subject Area: Enclave Computing Environment

Details

Threat
VoIP technology improves productivity through enhanced voice services for the DOD, but these services increase the risk of exposing government information systems to security vulnerabilities, especially if configured independently by end users. VoIP vulnerabilities are mitigated when authorized personnel configure the services.

Guidance
1. The VoIP supported network must be designed, implemented, and operated in a secure manner, providing end-to-end security from the VoIP terminal device to the VoIP applications required for operation, including applicable host platforms and associated support software.
2. The IAO shall ensure that VoIP systems are approved by the DAA before they are installed and/or used to store, process, or transmit DOD information.
3. The IAO shall ensure that VoIP systems are compliant with overall network security architecture and appropriate enclave security requirements.
4. The IAO shall ensure that VoIP devices are added to site System Security Authorization Agreements.

References

  • CJCSM 6510.10, Defense-In-Depth: Information Assurance (IA) and Computer Network Defense (CND), 15 March 2002
  • CJCSI - Policy for Department of Defense (DOD) Voice Networks With Real Time Services
  • DISA Instruction 630-230-19, Security Requirements for Automated Information Systems, 09 July 1996
  • DISA Computer Services Security Handbook, Version 3. 1 December 2000
  • DISA, Voice Over Internet Protocol (VOIP), STIG, Version 1, Release 1, 13 January 2004
  • DISA Defense Switched Network STIG, Version 1, Release 1, 12 March 2003
  • DISA Network Infrastructure STIG, Version 5, Release 2, 29 September 2003
  • Addendum to the NSA Guide to Securing Microsoft Windows NT Networks and NSA Guides to Securing Windows 2000, Version 43 (to match NSA Guide), Release 1, 26 November 2002
  • DISA Unix STIG, Version 4, Release 4, 15 September 2003
  • DISA Enclave Security STIG, Version 1, Release 1, 30 March 2001
  • Army Regulation 380-19, Information Systems Security, 27 February 1998
  • Air Force Instruction 33-111, Telephone Systems Management, 01 June 2001
  • Secretary of the Navy Instruction 5239.3, Department of the Navy Automated Information Systems Security Program, 14 July 1995
  • Navy Staff Office Publication 5239-15, Controlled Access Protection Guidebook, August 1992
  • NIST Security Considerations for Voice Over IP Systems, January 2003
  • NSTISSP 101, National Policy on Securing Voice Communications, 14 September 1999