Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-259927 | SRG-VOIP-000470 | SV-259927r948773_rule | Medium |
Description |
---|
The SBC is in the VVoIP signaling between the LSC and MFSS. To limit exposure to compromise and denial of service, the SBC must only exchange signaling messages using the designated protocol (AS-SIP-TLS) with the LSC(s) within the enclave and the SBC fronting the MFSS (and its backup) to which the LSC is assigned. Similarly, an SBC fronting an MFSS must only exchange signaling messages with the MFSS and LSC(s) within the enclave and the SBCs fronting other MFSSs and the LSCs assigned to it. While the SBC is also required to authenticate the source and integrity of the signaling packets it receives, filtering on source IP address adds a layer of protection for the MFSS. This is also a backup measure in the event this filtering is not done on the CE-R. Internal to the enclave, filtering signaling traffic based on the IP address(es) of the LSC(s) within the enclave limits the ability of rogue Voice Video Endpoints attempting to establish calls or cause a denial of service. |
STIG | Date |
---|---|
Enterprise Voice, Video, and Messaging Policy Security Requirements Guide | 2024-03-12 |
Check Text ( C-63658r946700_chk ) |
---|
Verify the DISN NIPRNet IPVS SBC is configured to only communicate as follows: - Within the enclave, verify the SBC only establishes SIP and AS-SIP sessions with the primary or backup LSC or the MFSS and its backup LSC within the enclave. - If the SBC is at a site without a MFSS: External to the enclave (across the WAN), verify the SBC only establishes SIP and AS-SIP sessions with the SBC at the enclave's assigned primary and secondary (backup) MFSS sites. - If the SBC is at a MFSS site: External to the enclave (across the WAN), verify the SBC only establishes SIP and AS-SIP sessions with SBCs located at other MFSS sites and the LSC sites assigned to it. Determine the following: - If the enclave contains LSCs, determine the IP address of SBCs fronting the primary and backup MFSSs to which the enclave is assigned or with which the LSC is to exchange signaling messages. - If the enclave contains a MFSS, determine the IP addresses of the SBCs fronting the LSCs with which it is to signal. Also determine the IP addresses of the SBCs fronting the other MFSSs. If the SBC does not filter inbound SIP and AS-SIP traffic based on the IP addresses of the SBCs fronting authorized ESCs, LSCs, and MFSSs, this is a finding. Alternatively, if the SBC does not filter SIP and AS-SIP traffic based on the IP addresses of the ESCs and LSCs within the enclave, this is a finding. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers. |
Fix Text (F-63565r946701_fix) |
---|
Ensure the DISN NIPRNet IPVS SBC is configured to only communicate as follows: - Within the enclave, ensure the SBC only establishes SIP and AS-SIP sessions with the primary or backup LSC or the MFSS and its backup LSC within the enclave. - If the SBC is at a site without a MFSS: External to the enclave (across the WAN), ensure the SBC only establishes SIP and AS-SIP sessions with the SBC at the enclave's assigned primary and secondary (backup) MFSS sites. - If the SBC is at a MFSS site: External to the enclave (across the WAN), ensure the SBC only establishes SIP and AS-SIP sessions with SBCs located at other MFSS sites and the LSC sites assigned to it. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers. |