Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-259904 | SRG-VOIP-000240 | SV-259904r948748_rule | Low |
Description |
---|
Ensure different, dedicated, address blocks or ranges are defined for the VVoIP system within the LAN (Enclave) that are separate from the address blocks/ranges used by the rest of the LAN for non-VVoIP system devices, thus allowing traffic and access control using firewalls and router ACLs. NOTE: This is applicable to a classified LAN connected to a classified WAN (such as the SIPRNet). In the case of a classified WAN where networkwide address-based accountability or traceability is required by the network PMO, the PMO must provide segregated, networkwide address block(s) so the attached classified LANs can meet this requirement. DISA provides a worldwide VoIP-based voice communications service called the DISN Voice over Secret IP (VoSIP). This service is managed by the DRSN PMO. This service also provides gateways into the DRSN. In support of the above requirement, the SIPRNet PMO has designated specific dedicated address ranges for use by the DISN VoSIP service and assigned these address blocks to the DRSN/VoSIP PMO for VoSIP address management and assignment. The VoSIP service provides VoIP-based communications between VoIP systems within the customer's classified LANs (C-LANs) operating at the secret level while using the SIPRNet WAN for the inter-enclave (inter-LAN) transport. Additionally, the SIPRNet PMO requires networkwide address-based accountability or traceability based on assigned IP address. The customer's SIPRNet-connected secret C-LANs use addresses assigned by the SIPRNet PMO. Therefore, customers of the DISN VoSIP service must use IP addresses assigned to them by the DRSN/VoSIP PMO when addressing the VoIP controllers and endpoints within their C-LANs. This is to maintain the segregation of the voice and data environments on the customer's secret C-LANs as required by this SRG. This also facilitates proper routing and flow control over the traffic between VoSIP addresses. The DISN service is designated DISN Voice over Secret IP but uses an acronym (VoSIP), which also means Voice over Secure IP. Voice over Secure IP relates to any VoIP-based service on a secure or classified IP network. While the DISN VoSIP service is the preferred means to interconnect SIPRNet-connected secret C-LANs for VoIP service, there may be a need for an organization to implement a VoIP-based voice or video communications system within their organization or with close partners. If such a system has no need or potential need to communicate with other enclaves that use the DISN VoSIP service, they must use their own dedicated IP address space carved out of the address space assigned to their C-LANs by the SIPRNet PMO. |
STIG | Date |
---|---|
Enterprise Voice, Video, and Messaging Policy Security Requirements Guide | 2024-03-12 |
Check Text ( C-63635r946631_chk ) |
---|
Verify customers of the DISN VoSIP service use IP addresses assigned to them by the DRSN/VoSIP PMO when defining the required dedicated address space for the VoIP controllers and endpoints within their secret C-LANs. NOTES: - This is similarly applicable to other classified DISN services and customer's C-LANs. - This is not a requirement if a VoIP-based VVoIP communications system operated in a secret C-LAN has no need or potential need to use the worldwide DISN VoSIP service or to access the DRSN and communicate with other enclaves that do use the DISN service or have access to the DRSN. They must use their own dedicated IP address space carved out of the address space assigned to their C-LANs by the SIPRNet PMO. - This requirement does not directly apply to dedicated hardware-based IP - VTC systems using the C-LAN and SIPRNet for transport, although there may be similar requirements to address this technology in the future. Determine the following: - Is the organization's secret C-LAN connected to SIPRNet? - Does the organization's secret C-LAN support VVoIP communications (not dedicated IP-based VTC)? - Does organization's secret C-LAN VVoIP system interconnect with other enclaves using the DISN VoSIP service? - What address blocks are dedicated to the VVoIP system on the C-LAN? - Is there documented evidence that the DRSN/VoSIP PMO assigned these addresses to the organization, or can such assignment be validated by other means? If the organization's secret C-LAN supports VVoIP communications (not dedicated IP-based VTC) AND is connected to SIPRNet AND uses the DISN VoSIP service BUT DOES NOT use the DRSN/VoSIP PMO assigned address blocks when addressing all of the VVoIP system components, this is a finding. |
Fix Text (F-63542r946632_fix) |
---|
Ensure customers of the DISN VoSIP service use IP addresses assigned to them by the DRSN/VoSIP PMO when defining the required dedicated address space for the VoIP controllers and endpoints within their secret C-LANs. NOTES: - This is similarly applicable to other classified DISN services and customer's C-LANs. - This is not a requirement if a VoIP-based VVoIP communications system operated in a secret C-LAN has no need or potential need to use the worldwide DISN VoSIP service or to access the DRSN and communicate with other enclaves that do use the DISN service or have access to the DRSN. They must use their own dedicated IP address space carved out of the address space assigned to their C-LANs by the SIPRNet PMO. - This requirement does not directly apply to dedicated hardware-based IP - VTC systems using the C-LAN and SIPRNet for transport, although there may be similar requirements to address this technology in the future. Obtain and assign IP addresses as provided by the DRSN PMO-VoSIP department when defining the required dedicated address space on the LAN. |