The DISN NIPRNet IPVS firewall (EBC) is NOT configured to transmit a meaningful alarm message to the local EMS and DISN IPVS management system in the event of attempts to cause a denial-of-service or compromise the EBC or enclave.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-19675	VVoIP 6350 (DISN-IPVS)	SV-21816r1_rule		Medium

Description
Action cannot be taken to thwart an attempted denial-of-service or compromise if the SAs responsible for the operation of the EBC and/or the network defense operators are not alerted to the occurrence in real time.

STIG	Date
VOICE and VIDEO over INTERNET PROTOCOL (VVoIP) POLICY SECURITY TECHNICAL IMPLEMENTATION GUIDE	2010-08-17

Details

Check Text ( C-24058r1_chk )
Interview the IAO to confirm compliance with the following requirement: In addition to the alarm messages required of any firewall by the NI STIG, ensure the DISN NIPRNet IPVS firewall (EBC) is configured to transmit a meaningful alarm message to the local EMS and DISN IPVS management system in the event of the following conditions: > Any number of malformed AS-SIP or SRTP/SRTCP messages are received that could indicate an attempt to compromise the EBC. > Excessive numbers of AS-SIP messages are received from any given IP address that could indicate an attempt to cause a denial-of-service. > Excessive numbers of messages that are dropped due to authentication or integrity check failures that might indicate an attempt to cause a denial-of-service or an attempt to effect a man in the middle attack. > Potentially others. This is a finding in the event the EBC does not generate and send alarms based on attempts to cause a denial-of-service or compromise the EBC or enclave.

Check Text ( C-24058r1_chk )

Interview the IAO to confirm compliance with the following requirement:

In addition to the alarm messages required of any firewall by the NI STIG, ensure the DISN NIPRNet IPVS firewall (EBC) is configured to transmit a meaningful alarm message to the local EMS and DISN IPVS management system in the event of the following conditions:
> Any number of malformed AS-SIP or SRTP/SRTCP messages are received that could indicate an attempt to compromise the EBC.
> Excessive numbers of AS-SIP messages are received from any given IP address that could indicate an attempt to cause a denial-of-service.
> Excessive numbers of messages that are dropped due to authentication or integrity check failures that might indicate an attempt to cause a denial-of-service or an attempt to effect a man in the middle attack.
> Potentially others.

This is a finding in the event the EBC does not generate and send alarms based on attempts to cause a denial-of-service or compromise the EBC or enclave.

Fix Text (F-20381r1_fix)
Ensure the DISN NIPRNet IPVS firewall (EBC) is configured to transmit meaningful alarm messages as required of any firewall by the NI STIG. Ensure the DISN NIPRNet IPVS firewall (EBC) is configured to transmit a meaningful alarm message to the local EMS and DISN IPVS management system in the event of the following conditions: > Any number of malformed AS-SIP or SRTP/SRTCP messages are received that could indicate an attempt to compromise the EBC. > Excessive numbers of AS-SIP messages are received from any given IP address that could indicate an attempt to cause a denial of service. > Excessive numbers of messages that are dropped due to authentication or integrity check failures that might indicate an attempt to cause a denial of service or an attempt to effect a man in the middle attack. > Potentially others.

Fix Text (F-20381r1_fix)

Ensure the DISN NIPRNet IPVS firewall (EBC) is configured to transmit meaningful alarm messages as required of any firewall by the NI STIG.

Ensure the DISN NIPRNet IPVS firewall (EBC) is configured to transmit a meaningful alarm message to the local EMS and DISN IPVS management system in the event of the following conditions:
> Any number of malformed AS-SIP or SRTP/SRTCP messages are received that could indicate an attempt to compromise the EBC.
> Excessive numbers of AS-SIP messages are received from any given IP address that could indicate an attempt to cause a denial of service.
> Excessive numbers of messages that are dropped due to authentication or integrity check failures that might indicate an attempt to cause a denial of service or an attempt to effect a man in the middle attack.
> Potentially others.