The Session Border Controller (SBC) must be configured to manage IP port pinholes for the SRTP/SRTCP bearer streams based on the information in the SIP and AS-SIP messages.


Overview

Finding ID: V-259933
Version: SRG-VOIP-000530
Rule ID: SV-259933r948779_rule
IA Controls:
Severity: Medium
Description
The function of the SBC is to manage SIP and AS-SIP signaling messages. The SBC also manages the SRTP/SRTCP bearer streams. The DISN IPVS PMO has determined that the SBC will pass the negotiated and encrypted SRTP/SRTCP bearer streams without decryption and inspection. This is because doing so will not provide a significant security benefit but would cause a significant delay with a resulting decrease in the quality of the communications. With encoded audio and video, it is difficult to impossible to determine whether an attack is being perpetrated or sensitive information is being improperly disclosed without reconstituting the analog audio and video signals and having a person listen to and watch each communication. Due to the volume of communications, doing so would be nearly impossible.
STIG Date
Enterprise Voice, Video, and Messaging Policy Security Requirements Guide 2024-03-12

Details

Check Text (C-63664r946718_chk)
Verify the DISN NIPRNet IPVS SBC is configured to manage IP port pinholes for the SRTP/SRTCP bearer streams based on the information in the SIP and AS-SIP messages as follows:
- Opens specific IP port pinholes on a per session basis for the SRTP/SRTCP bearer streams as negotiated by the communicating endpoints through the Local Session Controller (LSC) and Multifunction Soft Switch (MFSS).
- Closes the specifically opened IP port pinholes when the session is to be torn down.

Inspect the configurations of the EBC to determine compliance with the requirement.

If the SBC is not configured to open the specifically negotiated IP ports for the SRTP/SRTCP bearer streams on an individual session basis, this is a finding.

If the SBC is not configured to close specifically negotiated IP ports for the SRTP/SRTCP bearer streams on an individual session basis, this is a finding.

NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.
Fix Text (F-63571r946719_fix)
Ensure the DISN NIPRNet IPVS SBC is configured to manage IP port pinholes for the SRTP/SRTCP bearer streams based on the information in the SIP and AS-SIP messages as follows:
- Opens specific IP port pinholes on a per session basis for the SRTP/SRTCP bearer streams as negotiated by the communicating endpoints through the LSC and MFSS.
- Closes the specifically opened IP port pinholes when the session is to be torn down.

NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.
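
The per-session open and close behavior required above, modeled as an added Python example (not part of the SRG and not any SBC vendor's code). It assumes the negotiated addresses and ports are carried in SDP bodies of the SIP messages, that SRTCP uses the SRTP port plus one unless an a=rtcp attribute says otherwise, and that Call-ID identifies the session; the function and class names and the sample messages are constructed for illustration.

```python
import re

def srtp_streams(sdp):
    """Return the (ip, udp_port) pairs an SDP body negotiates for SRTP and SRTCP."""
    session_ip, cur, streams, in_media = None, None, [], False
    for line in sdp.splitlines():
        if line.startswith("m="):
            in_media = True
            m = re.match(r"m=\w+ (\d+) RTP/SAVPF? ", line)  # secure RTP profiles only
            port = int(m.group(1)) if m else 0              # port 0 = stream rejected
            cur = {"ip": session_ip, "rtp": port, "rtcp": port + 1} if port else None
            if cur:
                streams.append(cur)
        elif line.startswith("c=IN IP4 "):
            ip = line.split()[2]
            if not in_media:
                session_ip = ip          # session-level default address
            elif cur:
                cur["ip"] = ip           # media-level override for this stream
        elif cur and (a := re.match(r"a=rtcp:(\d+)", line)):
            cur["rtcp"] = int(a.group(1))    # explicit SRTCP port (RFC 3605)
    return {(s["ip"], p) for s in streams for p in (s["rtp"], s["rtcp"])}

class PinholeTable:
    """Per-session pinholes keyed by Call-ID (simplified model of the SBC behavior)."""
    def __init__(self):
        self.sessions = {}

    def on_sip(self, msg):
        head, _, body = msg.partition("\r\n\r\n")
        call_id = re.search(r"^Call-ID:\s*(\S+)", head, re.M | re.I).group(1)
        if head.startswith(("BYE ", "CANCEL ")):
            self.sessions.pop(call_id, None)     # teardown closes only this session
        elif "application/sdp" in head.lower():
            self.sessions.setdefault(call_id, set()).update(srtp_streams(body))

    def permits(self, ip, port):
        return any((ip, port) in holes for holes in self.sessions.values())

# Constructed sample messages (documentation addresses, not captured traffic).
def sip(start, call_id, sdp=""):
    ctype = "Content-Type: application/sdp\r\n" if sdp else ""
    return f"{start}\r\nCall-ID: {call_id}\r\n{ctype}\r\n{sdp}"

INVITE = sip("INVITE sip:bob@example.com SIP/2.0", "call-1",
             "v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 49170 RTP/SAVP 0\r\n")
OK_200 = sip("SIP/2.0 200 OK", "call-1",
             "v=0\r\nc=IN IP4 198.51.100.20\r\nm=audio 30000 RTP/SAVP 0\r\na=rtcp:30005\r\n")
BYE = sip("BYE sip:bob@example.com SIP/2.0", "call-1")
```

Feeding INVITE and OK_200 to on_sip opens four pinholes for call-1 (SRTP and SRTCP on each side); feeding BYE removes exactly those and leaves other sessions untouched. When inspecting an SBC configuration, these are the two behaviors the check text asks the reviewer to confirm.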