The DISN NIPRNet IPVS firewall (EBC) is NOT configured to drop (and not process) all packets except those that are authenticated as being from an authorized source within the DISN IPVS network.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-19667	VVoIP 6310 (DISN-IPVS)	SV-21808r1_rule		Medium

Description
We previously discussed the reasons why a special firewall function is needed to protect the enclave if VVoIP is to traverse the boundary (see VVoIP 1005 under VVoIP policy). This requirement addresses the function of the EBC which authenticates the AS-SIP-TLS signaling messages as being from an authorized source. DoD policy dictates that authentication be performed using DoD PKI certificates. This also applies to network hosts and elements. AS-SIP (and SIP on which it is based) is not a secure protocol. The information passed during call/session setup and teardown is in human readable plain text. To secure AS-SIP and SIP, TLS is used. TLS is PKI certificate based and is used for AS-SIP message encryption, authentication, and integrity validation. NOTE: Authentication is provided by validating the sending appliance’s public PKI certificate used to establish the TLS session. AS-SIP messages are not sent until the authenticated TLS session is established. NOTE: the methods used will be in accordance with the UCR.

Description

We previously discussed the reasons why a special firewall function is needed to protect the enclave if VVoIP is to traverse the boundary (see VVoIP 1005 under VVoIP policy). This requirement addresses the function of the EBC which authenticates the AS-SIP-TLS signaling messages as being from an authorized source. DoD policy dictates that authentication be performed using DoD PKI certificates. This also applies to network hosts and elements. AS-SIP (and SIP on which it is based) is not a secure protocol. The information passed during call/session setup and teardown is in human readable plain text. To secure AS-SIP and SIP, TLS is used. TLS is PKI certificate based and is used for AS-SIP message encryption, authentication, and integrity validation. NOTE: Authentication is provided by validating the sending appliance’s public PKI certificate used to establish the TLS session. AS-SIP messages are not sent until the authenticated TLS session is established. NOTE: the methods used will be in accordance with the UCR.

STIG	Date
VOICE and VIDEO over INTERNET PROTOCOL (VVoIP) POLICY SECURITY TECHNICAL IMPLEMENTATION GUIDE	2010-08-17

Details

Check Text ( C-24042r1_chk )
Interview the IAO to confirm compliance with the following requirement: Ensure the DISN NIPRNet IPVS firewall (EBC) is configured to drop (and not process) all packets except those that are authenticated as being from an authorized source as follows: > Authenticate outbound AS-SIP-TLS messages (packets) as being from the primary or backup LSC (or the site’s MFSS and is backup LSC) within the enclave. > Authenticate inbound AS-SIP-TLS messages (packets) as being from the EBC at the enclave’s assigned primary and secondary (backup) MFSS sites. NOTE: Authentication is provided by validating the sending appliance’s public PKI certificate used to establish the TLS session. AS-SIP messages are not sent until the authenticated TLS session is established. This is a finding in the event the EBC does not use DoD PKI to authenticate the source of AS-SIP-TLS packets.

Check Text ( C-24042r1_chk )

Interview the IAO to confirm compliance with the following requirement:

Ensure the DISN NIPRNet IPVS firewall (EBC) is configured to drop (and not process) all packets except those that are authenticated as being from an authorized source as follows:
> Authenticate outbound AS-SIP-TLS messages (packets) as being from the primary or backup LSC (or the site’s MFSS and is backup LSC) within the enclave.
> Authenticate inbound AS-SIP-TLS messages (packets) as being from the EBC at the enclave’s assigned primary and secondary (backup) MFSS sites.

NOTE: Authentication is provided by validating the sending appliance’s public PKI certificate used to establish the TLS session. AS-SIP messages are not sent until the authenticated TLS session is established.

This is a finding in the event the EBC does not use DoD PKI to authenticate the source of AS-SIP-TLS packets.

Fix Text (F-20373r1_fix)
Ensure the DISN NIPRNet IPVS firewall (EBC) is configured to drop (and not process) all packets except those that are authenticated as being from an authorized source as follows: > Authenticate outbound AS-SIP-TLS messages (packets) as being from the primary or backup LSC (or the site’s MFSS and is backup LSC) within the enclave. > Authenticate inbound AS-SIP-TLS messages (packets) as being from the EBC at the enclave’s assigned primary and secondary (backup) MFSS sites. NOTE: Authentication is provided by validating the sending appliance’s public PKI certificate used to establish the TLS session. AS-SIP messages are not sent until the authenticated TLS session is established.

Fix Text (F-20373r1_fix)

Ensure the DISN NIPRNet IPVS firewall (EBC) is configured to drop (and not process) all packets except those that are authenticated as being from an authorized source as follows:
> Authenticate outbound AS-SIP-TLS messages (packets) as being from the primary or backup LSC (or the site’s MFSS and is backup LSC) within the enclave.
> Authenticate inbound AS-SIP-TLS messages (packets) as being from the EBC at the enclave’s assigned primary and secondary (backup) MFSS sites.

NOTE: Authentication is provided by validating the sending appliance’s public PKI certificate used to establish the TLS session. AS-SIP messages are not sent until the authenticated TLS session is established.