
The DISN NIPRNet IPVS firewall (EBC) is NOT configured to drop any packet attempting to traverse the enclave boundary (inbound or outbound) through the IP port pinholes that have been opened for known call/sessions that is not an RTP/RTCP or SRTP/SRTCP packet or other protocol / flow established by the signaling messages.


Overview

Finding ID: V-19674
Version: VVoIP 6345 (DISN-IPVS)
Rule ID: SV-21815r1_rule
IA Controls: (none listed)
Severity: High
Description
Once a pinhole is opened in the enclave boundary for a known call/session, the packets permitted to pass through it must be managed. If they are not, packets that are not part of a known session could traverse the pinhole, giving unauthorized access to the enclave's LAN or connected hosts. Another method for managing packets through a pinhole opened for a VVoIP call/session is to permit only packets that match the expected protocol type, in this case RTP/RTCP or SRTP/SRTCP. Permitting only RTP/RTCP or SRTP/SRTCP packets reduces the exposure the open pinhole presents to the enclave.

NOTE: Additional flows or protocols may be permitted if specifically required for an approved function and their establishment is signaled or controlled by the signaling protocol in use by the system. An example is the transmission of H.281 far end camera control (FECC) messages for a VTC session. Using AS-SIP for signaling, a UDP-based 6.4kbps H.224 over RTP control channel, over which the H.281 far end camera control messages are transmitted, might be established along with the media streams. This additional flow would require additional pinholes.
STIG: VOICE and VIDEO over INTERNET PROTOCOL (VVoIP) POLICY SECURITY TECHNICAL IMPLEMENTATION GUIDE
Date: 2010-08-17

Details

Check Text (C-24056r1_chk)
Interview the IAO to confirm compliance with the following requirement:

Ensure the DISN NIPRNet IPVS firewall (EBC) is configured to drop any packet attempting to traverse the enclave boundary (inbound or outbound) through the IP port pinholes that have been opened for known call/sessions that is not an RTP/RTCP or SRTP/SRTCP packet or other approved protocol / flow established by the signaling messages.
NOTE: This requires filtering on protocol type, not only on IP address and port.

This is a finding if packets that are not RTP/RTCP or SRTP/SRTCP (or another approved packet type established in the signaling messages) can pass through the EBC.

NOTE: Additional flows or protocols may be permitted if specifically required for an approved function and their establishment is signaled or controlled by the signaling protocol in use by the system. An example of this would be the transmission of H.281 far end camera control (FECC) messages for a VTC session. Using AS-SIP for signaling, a UDP-based 6.4kbps H.224 over RTP control channel over which the H.281 far end camera control messages are transmitted might be established along with the media streams. This additional flow would require additional pinholes.

Fix Text (F-20380r1_fix)
Ensure the DISN NIPRNet IPVS firewall (EBC) is configured to drop any packet attempting to traverse the enclave boundary (inbound or outbound) through the IP port pinholes that have been opened for known call/sessions that is not an RTP/RTCP or SRTP/SRTCP packet or other approved protocol / flow established by the signaling messages.
NOTE: This requires filtering on protocol type, not only on IP address and port.

NOTE: Additional flows or protocols may be permitted if specifically required for an approved function and their establishment is signaled or controlled by the signaling protocol in use by the system. An example of this would be the transmission of H.281 far end camera control (FECC) messages for a VTC session. Using AS-SIP for signaling, a UDP-based 6.4kbps H.224 over RTP control channel over which the H.281 far end camera control messages are transmitted might be established along with the media streams. This additional flow would require additional pinholes.
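The following is an added illustration of the protocol-type filtering the Description and Fix Text call for; it is not part of the STIG and does not describe any particular EBC product. It models a pinhole table populated from a signaling outcome and admits a packet only when its flow matches an open pinhole and its UDP payload carries the protocol that pinhole was opened for. The header checks follow RFC 3550 (RTP/RTCP); SRTP and SRTCP leave these header bytes in the clear (RFC 3711), so the same checks cover them. The function names, the RTCP-on-port-plus-one convention, the IP addresses and the sample packets are all constructed for the example.

```python
# Added example: a pinhole filter that enforces protocol type, not just 5-tuple.
# Not from the STIG or any vendor; all names, addresses and packets are constructed.
from dataclasses import dataclass
from typing import Dict, Tuple

FiveTuple = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port); UDP assumed

@dataclass(frozen=True)
class Pinhole:
    kind: str  # "rtp" or "rtcp": the protocol the signaling established on this port

# RTCP packet types SR, RR, SDES, BYE, APP (RFC 3550) and RTPFB, PSFB (RFC 4585)
RTCP_PACKET_TYPES = range(200, 207)

def open_pinholes(inside_ip: str, inside_rtp_port: int,
                  outside_ip: str, outside_rtp_port: int) -> Dict[FiveTuple, Pinhole]:
    """Build the pinhole table from a negotiated media description (hypothetical
    signaling outcome): RTP on the given ports, RTCP on port+1 (RFC 3550 convention),
    one entry per direction so inbound and outbound are both constrained."""
    table: Dict[FiveTuple, Pinhole] = {}
    for kind, offset in (("rtp", 0), ("rtcp", 1)):
        inside = (inside_ip, inside_rtp_port + offset)
        outside = (outside_ip, outside_rtp_port + offset)
        table[(inside[0], inside[1], outside[0], outside[1])] = Pinhole(kind)  # outbound
        table[(outside[0], outside[1], inside[0], inside[1])] = Pinhole(kind)  # inbound
    return table

def looks_like_rtp(payload: bytes) -> bool:
    """RTP fixed header is 12 bytes; version bits must be 2. Payload types 72-76
    are reserved so RTP cannot be confused with RTCP SR..APP (RFC 5761)."""
    if len(payload) < 12:
        return False
    version = payload[0] >> 6
    payload_type = payload[1] & 0x7F
    return version == 2 and not 72 <= payload_type <= 76

def looks_like_rtcp(payload: bytes) -> bool:
    """RTCP header is 4 bytes plus SSRC; SRTCP keeps these 8 bytes in the clear.
    The length field counts 32-bit words minus one, so the packet must be that long."""
    if len(payload) < 8:
        return False
    version = payload[0] >> 6
    length_words = int.from_bytes(payload[2:4], "big")
    return (version == 2
            and payload[1] in RTCP_PACKET_TYPES
            and len(payload) >= 4 * (length_words + 1))

def filter_packet(table: Dict[FiveTuple, Pinhole], src_ip: str, src_port: int,
                  dst_ip: str, dst_port: int, payload: bytes) -> str:
    """Decide forward/drop for one UDP packet. Drops anything without a pinhole,
    and anything whose payload is not the protocol the pinhole was opened for."""
    hole = table.get((src_ip, src_port, dst_ip, dst_port))
    if hole is None:
        return "drop: no pinhole for this flow"
    check = looks_like_rtp if hole.kind == "rtp" else looks_like_rtcp
    if not check(payload):
        return f"drop: not {hole.kind.upper()} on a {hole.kind.upper()} pinhole"
    return "forward"

# Constructed sample packets (UDP payloads only).
RTP_PCMU = bytes([0x80, 0x00, 0x00, 0x01]) + b"\x00" * 8 + b"\xff" * 20  # V=2, PT=0, seq=1, 20 bytes media
RTCP_SR = bytes([0x80, 200, 0x00, 0x06]) + b"\x00" * 24                   # V=2, PT=SR, length=6 words (28 bytes)
HTTP_PROBE = b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"                  # first byte 'G' gives version bits 01

# Constructed addresses: an inside endpoint and an outside endpoint after signaling completes.
TABLE = open_pinholes("10.1.1.20", 20000, "198.51.100.7", 40000)

if __name__ == "__main__":
    for label, src_port, dst_port, pkt in (
        ("inbound RTP on RTP pinhole", 40000, 20000, RTP_PCMU),
        ("inbound HTTP on RTP pinhole", 40000, 20000, HTTP_PROBE),
        ("inbound RTCP SR on RTCP pinhole", 40001, 20001, RTCP_SR),
        ("inbound RTP on RTCP pinhole", 40001, 20001, RTP_PCMU),
        ("inbound RTP, no pinhole", 40002, 20002, RTP_PCMU),
    ):
        print(f"{label}: {filter_packet(TABLE, '198.51.100.7', src_port, '10.1.1.20', dst_port, pkt)}")
```

A real EBC would additionally close the pinholes when the signaling ends the session and would rate-limit or log the drops, which is where the check text's evidence of "packets that are not RTP/RTCP ... can pass" would be found. The point the STIG makes, and the code shows, is that a correct 5-tuple alone does not earn passage: the HTTP probe above arrives on exactly the port the signaling opened and is still dropped because its bytes are not an RTP header.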