
VOICE and VIDEO over INTERNET PROTOCOL (VVoIP) POLICY SECURITY TECHNICAL IMPLEMENTATION GUIDE



Findings (MAC II - Mission Support Sensitive)

Finding ID Severity Title
V-19661 High The data network perimeter protection (data firewall function) is NOT configured to protect the VVoIP VLANS by blocking all but specifically permitted traffic destined to or sourced from the Voice VLAN IP Address space and VLANs
V-19673 High The DISN NIPRNet IPVS firewall (EBC) is NOT configured to drop any packet (inbound or outbound) that is not validated as being part of an established and known call/session through stateful packet inspection or packet authentication.
V-19674 High The DISN NIPRNet IPVS firewall (EBC) is NOT configured to drop any packet attempting to traverse the enclave boundary (inbound or outbound) through the IP port pinholes that have been opened for known call/sessions that is not a RTP/RTCP or SRTP/SRTCP packet or other protocol / flow established by the signaling messages.
V-19444 Medium A unified messaging / mail, text-to-speech feature is enabled without providing proper CAC based authentication and access control to email and the sensitive information it contains.
V-19445 Medium The LSC permits the registration and operation of VoIP instruments that have not been previously configured and authorized. That is, auto-registration is not disabled if available.
V-19446 Medium Unauthorized VVoIP instruments are registered with the LSC and are operational.
V-19632 Medium Logical or physical interfaces (VLAN/subnets or direct connect physical interfaces with discrete subnets) have not been established/configured on the VVoIP core routing devices for the VVoIP core equipment in support of access and traffic control for the VVoIP system components.
V-19636 Medium A deny-by-default ACL is not implemented on all VVoIP endpoint (hardware and software) VLAN interface(s) on the VVoIP routing device(s) other than at the core (as defined in the VVoIP system ACL design) to properly control VVoIP endpoint access and traffic flow.
V-19642 Medium A deny-by-default ACL is not implemented on the VVoIP Voicemail / Unified Messaging Server(s) VLAN interface(s) on the VVoIP routing device(s) supporting the VVoIP system core (as defined in the VVoIP system ACL design) to properly control VVoIP LSC access and traffic flow.
V-19643 Medium A deny-by-default ACL is not implemented on the VVoIP Unified Communications Server(s) VLAN interface(s) on the VVoIP routing device(s) supporting the VVoIP system core (as defined in the VVoIP system ACL design) to properly control VVoIP LSC access and traffic flow.
V-19640 Medium A deny-by-default ACL is not implemented on the VVoIP Edge Boundary Controller (EBC) VLAN interface(s) on the VVoIP routing device(s) supporting the VVoIP system core (as defined in the VVoIP system ACL design) to properly control VVoIP LSC access and traffic flow.
V-19646 Medium The LAN Access switch port is NOT configured to place the VVoIP or VTC traffic in the proper VLAN (e.g., the port is NOT assigned to the proper VLAN) or the port does not assign the appropriate VLAN tag via some other method.
V-19647 Medium The LAN access switch (discrete NE or module in a larger NE) is NOT capable of, or is NOT configured to, maintain the required VLAN separation for traffic originating from supported endpoints and DOES NOT route voice, VTC, PC communications client, and data traffic to their respective VLANs on the LAN.
V-19644 Medium A deny-by-default ACL is not implemented on the VVoIP system management VLAN interface(s) on the VVoIP routing device(s) supporting the VVoIP system core (as defined in the VVoIP system ACL design) to properly control VVoIP LSC access and traffic flow.
V-19645 Medium The implementation of Unified Mail services degrades the separation between the voice and data protection zones (VLANs).
V-19633 Medium The required VVoIP endpoint VLANs are NOT configured on this network element
V-19648 Medium LAN access switchports supporting VVoIP or VTC endpoints containing a PC port are configured in trunk mode, NOT in access mode or “802.1Q tagged access mode.”
V-19649 Medium LAN access switchport supporting a VVoIP or VTC endpoint that does not, or is not configured to, apply 802.1Q VLAN tags to its traffic is NOT statically assigned to the appropriate local VVoIP or VTC VLAN.
V-19635 Medium A deny-by-default ACL is not implemented on all VVoIP endpoint (hardware and software) VLAN interface(s) on the VVoIP core routing device(s) (as defined in the VVoIP system ACL design) to properly control VVoIP endpoint access and traffic flow.
V-19624 Medium An Auto-answer feature is not properly disabled.
V-19625 Medium PC presentation or application sharing capabilities are not properly limited.
V-19626 Medium A PC Collaboration application does not identify all connected parties.
V-19627 Medium Remote access VoIP is not properly routed to the VoIP VLAN.
V-21520 Medium Activation/deactivation of and permission to use the extension mobility feature is not properly controlled.
V-21509 Medium The site’s private MLTS’s (VoIP or traditional), support/implementation for Fire and Emergency Services (F&ES) (life safety, security, fire, police, medical, etc.) communications is deficient in that the originating telephone number of an F&ES call is not provided to the emergency services answering point or call center through a transfer of Automatic Number Identification (ANI) or Automatic Location Identification (ALI) information.
V-19662 Medium The CER (premise or perimeter) router is NOT capable of, or is NOT configured to, provide expedited forwarding of VVoIP packets based on DSCP packet marking in accordance with the DISN IPVS DSCP marking plan.
V-19663 Medium The CER (premise or perimeter) router is NOT configured to route all inbound traffic except AS-SIP-TLS and SRTP/SRTCP that is addressed to the VVoIP firewall (EBC) to the “data” firewall function.
V-19628 Medium VVoIP component(s) are NOT addressed using the defined dedicated VVoIP system addresses
V-19629 Medium VVoIP core components use random address assignment via DHCP and are not statically addressed
V-19666 Medium The EBC is NOT configured to terminate and decrypt inbound and outbound AS-SIP-TLS sessions (messages) such that it can properly manage the transition of the SRTP/SRTCP streams
V-19667 Medium The DISN NIPRNet IPVS firewall (EBC) is NOT configured to drop (and not process) all packets except those that are authenticated as being from an authorized source within the DISN IPVS network.
V-19638 Medium A deny-by-default ACL is not implemented on the VVoIP Media Gateway (MG) VLAN interface(s) on the VVoIP routing device(s) supporting the VVoIP system core (as defined in the VVoIP system ACL design) to properly control VVoIP LSC access and traffic flow.
V-19631 Medium A VVoIP core system/device or a traditional TDM based telecom switch is acting as a network router in that it does not block traffic between its attached management network interfaces(s) (one or more; logical or physical) and/or its production network interface(s) (logical or physical).
V-19630 Medium VVoIP endpoints receive improper IP address assignment/configuration information or receive it from a DHCP server that is NOT dedicated to the VVoIP system
V-19639 Medium A deny-by-default ACL is not implemented on the VVoIP Signaling Gateway (SG) VLAN interface(s) on the VVoIP routing device(s) supporting the VVoIP system core (as defined in the VVoIP system ACL design) to properly control VVoIP LSC access and traffic flow.
V-19672 Medium The DISN NIPRNet IPVS firewall (EBC) is NOT configured to apply the appropriate NAT translations on the SRTP/SRTCP packets flowing across the enclave boundary between communicating endpoints based on the information contained in the AS-SIP messages that initiated the call.
V-19634 Medium VLANs established for the VVoIP system are NOT pruned from trunks and/or interfaces that are not required to carry the VVoIP traffic
V-19668 Medium The DISN NIPRNet IPVS firewall (EBC) is NOT configured to drop (and not process) all signaling packets except those whose integrity is validated.
V-19655 Medium LAN access control is implemented using 802.1x AND one or more VVoIP or VTC endpoints provide a PC port, however the PC port is NOT disabled; AND/OR the LAN access switchport is NOT configured as required to support a disabled PC port (i.e., having the “unused” VLAN configured for PC port traffic); OR the VVoIP or VTC endpoint (or LAN access switchport) does not extend 802.1x port activation/deactivation to the PC port.
V-19654 Medium The 802.1x authentication server does not configure the LAN access switchport to place the VVoIP or VTC traffic (and data traffic if applicable) in the correct VLAN when authorizing LAN access for VVoIP or VTC endpoints OR the LAN access switchport is NOT configured to do so by default.
V-19657 Medium The VVoIP endpoint’s configuration and/or configuration-display PIN/passwords DO NOT authenticate remotely to the Local session Controller (LSC) or minimally are not centrally controlled by the LSC.
V-19651 Medium A LAN access switchport supporting a VVoIP or VTC endpoint containing a PC port that is required to be disabled is not configured such that the switch’s “unused” VLAN is assigned as the endpoint’s “default data” VLAN.
V-19650 Medium A LAN access switchport supports a VVoIP or VTC endpoint containing a PC port but is not configured with a default “data” VLAN to handle untagged PC port traffic and assign a secondary VVoIP or VTC VLAN to handle the tagged VVoIP or VTC traffic.
V-19653 Medium VVoIP or VTC endpoints are NOT integrated into the implemented 802.1x LAN access control system.
V-19652 Medium The appropriate number of pre-authorized MAC addresses are not statically assigned on a LAN access switchport for the pre-authorized VVoIP or VTC endpoints and their daisy chained devices OR the correct maximum number of MAC addresses that can be dynamically learned on a given switch port is NOT limited to the minimum number that is required to support the devices that are authorized to connect.
V-19659 Medium A VVoIP or VTC hardware endpoint possessing a “PC Port” does not tag its communications traffic using 802.1Q VLAN tagging or the PC port is not disabled.
V-19658 Medium A VVoIP or VTC hardware endpoint possessing a “PC Port” is not configured to block access to the endpoint configuration and communications traffic from the attached PC
V-19665 Medium The EBC is NOT configured to filter inbound AS-SIP-TLS traffic based on the IP addresses of the internal LSC(s) (or MFSS) OR the IP addresses of the EBCs fronting its authorized signaling partners as part of a layered defense.
V-19637 Medium A deny-by-default ACL is not implemented on the VVoIP Local Session Controller (LSC) VLAN interface(s) on the VVoIP routing device(s) supporting the VVoIP system core (as defined in the VVoIP system ACL design) to properly control VVoIP LSC access and traffic flow.
V-21510 Medium The site’s private Multi-Line Telephone System’s (MLTS) (VoIP or traditional), support/implementation for Fire and Emergency Services (F&ES) (life safety, security, fire, police, medical, etc.) communications is deficient in that the direct callback telephone number and physical location of an F&ES caller is not provided to, or accessible by, the emergency services answering point or call center through a transfer of Automatic Number Identification (ANI) and extended Automatic Location Identification (ALI) information or access to an extended ALI database.
V-21513 Medium Devices and applications using SIP or AS-SIP signaling are vulnerable to a cross site scripting attack.
V-21512 Medium The site’s private Multi-Line Telephone System’s (MLTS) (VoIP or traditional) support/implementation for Fire and Emergency Services (F&ES) (life safety, security, fire, police, medical, etc.) communications is deficient in that such emergency calls are not routed as a priority call in a non-blocking manner.
V-21515 Medium Hardware based VVoIP or IP-VTC endpoint contains a web server, the access to which is not restricted OR which is NOT disabled.
V-21514 Medium Hardware based VVoIP or VTC endpoint web browser capabilities that permit the endpoint to browse the internet or intranet are NOT disabled.
V-21517 Medium The LAN hardware asset does not provide the required redundancy to support the availability/reliability needs of the C2 and Special C2 users of VVoIP services for command and control communications.
V-21516 Medium Sufficient backup power is not provided for the LAN Infrastructure, WAN boundary, VVoIP infrastructure, and/or VVoIP endpoints as required in support of special-C2 and C2 users system availability needs during a power outage OR sufficient backup power is not provided to C2-R or non-C2/admin user accessible endpoints, minimally in support of emergency life-safety and security calls.
V-21518 Medium LAN NEs supporting VVoIP services are NOT interconnected with redundant uplinks following physically diverse paths to physically diverse NEs in the layer above OR each uplink can NOT support the full bandwidth handled by the NE AND/OR the appropriate routing protocol is NOT configured to effect the failover from one uplink to the other in the event of the failure of one.
V-19671 Medium The DISN NIPRNet IPVS firewall (EBC) is NOT configured to manage IP port pinholes for the SRTP/SRTCP bearer streams based on the information in the AS-SIP-TLS messages.
V-19670 Medium All SIP and AS-SIP packets are not dropped by the DISN NIPRNet IPVS firewall (EBC) except those AS-SIP packets arriving on IP Port 5061 that are secured with TLS.
V-19677 Medium The MFSS is NOT configured to synchronize minimally with a paired MFSS and/or others such that each may serve as a backup for the other when signaling with its assigned LSCs, thus reducing the reliability and survivability of the DISN IPVS network.
V-19676 Medium The VVoIP system connects with a DISN IPVS (NIPRNet or SIPRNet) but the LSC(s) is not configured to signal with a backup MFSS (or SS) in the event the primary cannot be reached.
V-19675 Medium The DISN NIPRNet IPVS firewall (EBC) is NOT configured to transmit a meaningful alarm message to the local EMS and DISN IPVS management system in the event of attempts to cause a denial-of-service or compromise the EBC or enclave.
V-19669 Low The DISN NIPRNet IPVS firewall (EBC) is NOT configured to validate the structure and validity of AS-SIP messages such that malformed messages or messages containing errors are dropped before action is taken on the contents.
V-19660 Low A VVoIP or VTC endpoint that provides a PC data Port is not configured to disable the PC port (or the port is not physically blocked from use) if a PC or other device is not normally attached
V-19656 Low VVoIP endpoints or instruments permit the display of network IP configuration information and/or permit adjustment of network settings without the use of a non-default PIN/password.
V-19664 Low The CER is NOT configured to filter inbound AS-SIP-TLS traffic addressed to the local EBC based on the source address of the signaling messages as part of a layered defense.