Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-259932 | SRG-VOIP-000520 | SV-259932r948778_rule | Medium |
Description |
---|
DISN NIPRNet IPVS PMO and the Unified Capabilities Requirements (UCR) require all session signaling across the DISN WAN and between the Local Session Controller (LSC) and EBC to be secured with TLS. The standard IANA assigned IP port for SIP protected by TLS (SIP-TLS) is 5061. DOD PPSM requires that protocols traversing the DISN and DOD enclave boundaries use the standard IP ports for the specific protocol. Because AS-SIP is a standardized extension of the SIP protocol and AS-SIP must be protected by TLS, AS-SIP-TLS must use IP port 5061. The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated using TLS on port 443 from cloud service providers. |
STIG | Date |
---|---|
Enterprise Voice, Video, and Messaging Policy Security Requirements Guide | 2024-03-12 |
Check Text ( C-63663r946715_chk ) |
---|
Verify the DISN NIPRNet IPVS SBC is configured to drop the following signaling packets: - SIP packets arriving on IP port 5060 or 5061. - SIP packets arriving on IP port 443 not secured with TLS. - AS-SIP packets arriving on IP port 5060. - AS-SIP packets arriving on IP port 5061 not secured with TLS. If all SIP and AS-SIP packets are not dropped, except AS-SIP packets secured with TLS arriving on IP Port 5061 and SIP packets secured with TLS arriving on IP Port 443 secured with TLS, this is a finding. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers. |
Fix Text (F-63570r946716_fix) |
---|
Ensure the DISN NIPRNet IPVS SBC is configured to drop the following signaling packets: - SIP packets arriving on IP port 5060 or 5061. - SIP packets arriving on IP port 443 not secured with TLS. - AS-SIP packets arriving on IP port 5060. - AS-SIP packets arriving on IP port 5061 not secured with TLS. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud service providers. |