
Logical or physical interfaces (VLAN/subnets or direct connect physical interfaces with discrete subnets) have not been established/configured on the VVoIP core routing devices for the VVoIP core equipment in support of access and traffic control for the VVoIP system components.


Overview

Finding ID: V-19632
Version: VVoIP 5520 (LAN)
Rule ID: SV-21773r1_rule
IA Controls: none listed
Severity: Medium
Description
VLAN and IP address segmentation enables access and traffic control for the VVoIP system components. Only the required protocols should be able to reach a given VVoIP device, which protects it from non-essential protocols. This protection is afforded on the LAN by implementing ACLs based on VLAN/subnet, protocol, and in some instances specific IP addresses. While a firewall placed between the core equipment and endpoint VLANs might provide better protection for the core equipment as a whole, a router is best suited to control the varying traffic patterns between the various devices.
STIG: VOICE and VIDEO over INTERNET PROTOCOL (VVoIP) POLICY SECURITY TECHNICAL IMPLEMENTATION GUIDE
Date: 2010-08-17

Details

Check Text ( C-23958r1_chk )
Inspect the configurations of the VVoIP core routing devices to determine compliance with the following requirement:

Ensure logical or physical interfaces (VLAN/subnets or direct connect physical interfaces with discrete subnets) are established/configured on the VVoIP core routing devices for the VVoIP core equipment (that exists in the LAN) as follows:
> VVoIP system core control equipment containing the LSC, endpoint configuration server, and DHCP server if used, etc.
> VVoIP system management VLAN which is separate from the general LAN management VLAN.
> Media gateways to the DSN and PSTN.
> Signaling gateways (SG) to the DSN.
> DoD WAN access VVoIP firewall (EBC or other).
> Voicemail / Unified Messaging Servers. These may need to be accessible from both the voice and data VLANs.
> UC servers such as those supporting IM/presence, “web” browser based conferencing, and directory services. These may need to be accessible from both the voice and data VLANs.
Alternatively, ensure the VVoIP core equipment employs direct connections with discrete subnets to the VVoIP core routing device(s) so that the ACLs may be implemented on the physical interface to the device instead of the logical interface to the VLAN.
NOTE: If the device for which a VLAN/subnet is designated does not exist in the system, the VLAN is not required.
NOTE: These devices may be (and typically will be) the core routing devices for the data LAN as well.

This is a finding if the logical or physical interface(s) with discrete subnets, against which the ACLs can be applied, have not been implemented.

Fix Text (F-20336r1_fix)
Ensure logical or physical interfaces (VLAN/subnets or direct connect physical interfaces with discrete subnets) are established/configured on the VVoIP core routing devices for the VVoIP core equipment as follows:
> VVoIP system core control equipment containing the LSC, endpoint configuration server, and DHCP server if used, etc.
> VVoIP system management VLAN which is separate from the general LAN management VLAN.
> Media gateways to the DSN and PSTN.
> Signaling gateways (SG) to the DSN.
> DoD WAN access VVoIP firewall (EBC or other).
> Voicemail / Unified Messaging Servers. These may need to be accessible from both the voice and data VLANs.
> UC servers such as those supporting IM/presence, “web” browser based conferencing, and directory services. These may need to be accessible from both the voice and data VLANs.
Alternatively, ensure the VVoIP core equipment employs direct connections with discrete subnets to the VVoIP core routing device(s) so that the ACLs may be implemented on the physical interface to the device instead of the logical interface to the VLAN.
NOTE: If the device for which a VLAN/subnet is designated does not exist in the system, the VLAN is not required.
NOTE: These devices may be (and typically will be) the core routing devices for the data LAN as well.
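The check and fix text above amount to a per-role inventory of interfaces on the core routing device: one VLAN SVI or physical interface per VVoIP core role, each with its own non-overlapping subnet, an ACL applied to it, and the VVoIP management VLAN kept apart from the general LAN management VLAN. The following script is an added example, not part of the STIG or any vendor tool, that automates that inspection over an IOS-style running-config. It assumes two things that are not in the STIG: Cisco IOS interface syntax (`interface`, `description`, `ip address`, `ip access-group ... in`), and a local convention that each interface's description starts with a role tag such as `VVOIP-CORE` or `LAN-MGMT`. The sample config is constructed for illustration and deliberately contains three defects (a missing signaling-gateway interface, an EBC interface with no inbound ACL, and a VVoIP management subnet carved out of the LAN management VLAN's range).

```python
"""Inspect an IOS-style config for the per-role VVoIP core interfaces (V-19632).
Added example; assumes Cisco IOS syntax and a role tag as the first word of each
interface description. Neither assumption comes from the STIG text."""
import ipaddress
import re

# Roles listed in the check text, keyed by the hypothetical description tag.
REQUIRED_ROLES = {
    "VVOIP-CORE": "core control (LSC, endpoint config server, DHCP)",
    "VVOIP-MGMT": "VVoIP management VLAN",
    "VVOIP-MG": "media gateways to DSN/PSTN",
    "VVOIP-SG": "signaling gateways to DSN",
    "VVOIP-EBC": "DoD WAN access VVoIP firewall (EBC)",
    "VVOIP-VM": "voicemail / unified messaging",
    "VVOIP-UC": "UC servers (IM/presence, conferencing, directory)",
}
LAN_MGMT_TAG = "LAN-MGMT"  # general LAN management VLAN; VVOIP-MGMT must not share it

# Roles actually deployed at this site; per the STIG NOTE, absent devices need no VLAN.
DEPLOYED_ROLES = {"VVOIP-CORE", "VVOIP-MGMT", "VVOIP-MG", "VVOIP-SG", "VVOIP-EBC"}

# Constructed sample running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
interface Vlan10
 description LAN-MGMT
 ip address 10.0.10.1 255.255.255.0
 ip access-group LAN-MGMT-IN in
!
interface Vlan100
 description VVOIP-CORE
 ip address 10.0.100.1 255.255.255.0
 ip access-group VVOIP-CORE-IN in
!
interface Vlan101
 description VVOIP-MGMT
 ip address 10.0.10.129 255.255.255.128
 ip access-group VVOIP-MGMT-IN in
!
interface GigabitEthernet0/3
 description VVOIP-MG direct connect to media gateway
 ip address 10.0.102.1 255.255.255.252
 ip access-group VVOIP-MG-IN in
!
interface Vlan103
 description VVOIP-EBC
 ip address 10.0.103.1 255.255.255.0
!
"""


def parse_interfaces(config):
    """Return {ifname: {"description", "network", "acl_in"}} from interface stanzas."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = {"description": "", "network": None, "acl_in": None}
            interfaces[m.group(1)] = current
            continue
        if current is None or not line.startswith(" "):
            current = None  # '!' or any global command ends the stanza
            continue
        cmd = line.strip()
        if cmd.startswith("description "):
            current["description"] = cmd[len("description "):]
        elif cmd.startswith("ip address "):
            addr, mask = cmd.split()[2:4]  # IOS gives a dotted-decimal mask
            current["network"] = ipaddress.IPv4Interface(f"{addr}/{mask}").network
        elif cmd.startswith("ip access-group ") and cmd.endswith(" in"):
            current["acl_in"] = cmd.split()[2]
    return interfaces


def check_vvoip_interfaces(config, deployed_roles):
    """Return a list of finding strings; an empty list means the check passes."""
    findings, by_role = [], {}
    for name, intf in parse_interfaces(config).items():
        tag = intf["description"].split()[0] if intf["description"] else ""
        if tag in REQUIRED_ROLES or tag == LAN_MGMT_TAG:
            by_role.setdefault(tag, []).append((name, intf))
    # 1. Every deployed role needs its own interface (VLAN SVI or physical port).
    for tag in sorted(deployed_roles):
        if tag not in by_role:
            findings.append(f"{tag}: no interface configured for {REQUIRED_ROLES[tag]}")
    # 2. Each role interface must carry a subnet and an inbound ACL to enforce on.
    for tag, members in by_role.items():
        for name, intf in members:
            if intf["network"] is None:
                findings.append(f"{tag}: {name} has no IP subnet")
            if intf["acl_in"] is None:
                findings.append(f"{tag}: {name} has no inbound ACL applied")
    # 3. Subnets must be discrete. Because LAN-MGMT is included here, this also
    #    catches a VVoIP management VLAN that is not separate from LAN management.
    nets = [(tag, name, intf["network"]) for tag, members in by_role.items()
            for name, intf in members if intf["network"] is not None]
    for i, (tag_a, name_a, net_a) in enumerate(nets):
        for tag_b, name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                findings.append(f"{tag_a}/{tag_b}: {name_a} {net_a} overlaps {name_b} {net_b}")
    return findings


if __name__ == "__main__":
    for finding in check_vvoip_interfaces(SAMPLE_CONFIG, DEPLOYED_ROLES):
        print("FINDING:", finding)
```

Run against a real `show running-config` capture by replacing `SAMPLE_CONFIG` and listing the roles that actually exist at the site in `DEPLOYED_ROLES`. The overlap test is what turns "VLAN/subnets ... with discrete subnets" into something measurable: two roles sharing address space means one ACL cannot be written per role, which is exactly the condition the finding describes.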