Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-8227 | VVoIP 5200 (LAN) | SV-8713r2_rule | DCBP-1 DCPA-1 ECSC-1 | Medium |
Description |
---|
VVoIP networks increasingly represent high-value targets for attacks and pose a greater risk to network security than most other network applications; hence, it is imperative that the voice network and supporting data networks be secured as tightly as possible to reduce the impact that an attack can have on either network. Segregating voice traffic from data traffic greatly enhances the security and availability of all services. Further subdivision of the voice and data networks can enhance security still more. Achieving the ideal security posture for voice and data would require two physically separate and distinct networks (including cable plant), much as is the case with traditional voice and data technologies. Although this might be considered for the most demanding security environments, it works against the idea of convergence and the associated cost savings expected from having one network (and cable plant). Logical segregation of VoIP components and data components can be accomplished at both layer 2, using Virtual Local Area Networks (VLANs), and layer 3, using IP addressing. While these methods are not in themselves designed as security mechanisms, they provide a derived security benefit by easing management of filtering rules and by obfuscating or hiding addresses and information that an attacker could use to facilitate an attack. Separation may also prevent an attack on one network from impacting the other. These methods make it harder for an attacker to succeed and help to provide a layered approach to VoIP and network security. Segregating data from telephony by placing VoIP servers and subscriber terminals on logically separate IP networks and logically separate Ethernet networks, while controlling access to these VoIP components through filters, will help to ensure security and aid in protecting the VoIP environment from external threats. |
In addition, further subdivision of those components is necessary to protect the telephony applications running across the infrastructure. Layer 3 address segregation is the first layer in our layered defense approach to VoIP security. It allows the use of switches, routers, and firewalls, with their associated access lists and other processes, to control traffic between the components on the network. To provide address segregation, best practices dictate that all like components be placed in like address ranges. Therefore, VoIP components (e.g., Gatekeepers, Call Managers, voice mail systems, IP Subscriber Terminals) will be deployed within their own separate private IP network, logical sub-network, or networks. The combination of logical data and voice segmentation via addressing and VLANs, coupled with a switched and routed infrastructure, strongly mitigates call eavesdropping and other attacks. In addition, limiting logical access to VoIP components is necessary for protecting telephony applications running across the infrastructure. Segregating data from telephony by placing VoIP servers and subscriber terminals on logically separate IP networks, while controlling access to these VoIP components through IP filters, will help to ensure security and aid in protecting the VoIP environment. |
STIG | Date |
---|---|
Voice / Video Services Policy STIG | 2015-01-05 |
Check Text ( C-23790r2_chk ) |
---|
Ensure a dedicated address block is defined for the VVoIP system within the LAN, separate from the address blocks used by non-VVoIP system devices, thus allowing traffic and access control using firewalls and router ACLs. If the LAN under review is a closed unclassified LAN, an unclassified LAN connected to an unclassified WAN (such as the NIPRNet or Internet), a closed classified LAN, or a classified LAN connected to a classified WAN (such as the SIPRNet), this requirement is applicable. In the case of a classified WAN where network-wide address-based accountability or traceability is required by the network PMO, the PMO must provide segregated, network-wide address blocks so that the attached classified LANs meet this requirement. Affected devices include VVoIP session controllers, adjunct UC systems, session border controller (SBC) internal and external interfaces, the customer edge (premise) router internal interface to the VVoIP VLANs, and VVoIP hardware endpoints. NOTE: VVoIP Core components must be statically addressed. DHCP may only be used for endpoint address assignment/configuration. If a dedicated LAN address space has not been designated for the VVoIP system that is segregated from the address space used for the general LAN and management VLANs, this is a finding. Note the defined address ranges for use when reviewing the devices themselves. |
Fix Text (F-20236r2_fix) |
---|
Implement VVoIP systems and components on a logically segregated and dedicated VVoIP network. Ensure dedicated address blocks or ranges are defined for the VVoIP system within the LAN, separate from the address blocks used for non-VVoIP system devices, thus allowing traffic and access control using firewalls and router ACLs. This requirement applies to the following: a closed unclassified LAN; an unclassified LAN connected to an unclassified WAN (such as the NIPRNet or Internet); a closed classified LAN; or a classified LAN connected to a classified WAN (such as the SIPRNet). |
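As an added example (not part of the STIG or any vendor tool), the following Python audit helper applies the Check Text and Fix Text above to a constructed address plan and device inventory: it flags VVoIP devices whose addresses fall outside the dedicated VVoIP block, overlap between the VVoIP block and the general-LAN or management space, and core components that are not statically addressed. The address blocks, device names and roles are assumed sample values.

```python
"""Audit helper for the V-8227 check: every VVoIP device must sit inside a
dedicated VVoIP address block that does not overlap general-LAN or management
address space, and VVoIP core components must be statically addressed
(DHCP is permitted for endpoints only)."""
import ipaddress

# Constructed sample address plan (assumed values, not from the STIG).
VVOIP_BLOCKS = ["10.200.0.0/22"]                    # dedicated VVoIP space
OTHER_BLOCKS = ["10.10.0.0/16", "10.250.1.0/24"]     # general LAN, management VLAN

# Constructed sample inventory: (name, role, address, addressing method).
INVENTORY = [
    ("sc-01", "core", "10.200.0.10", "static"),      # session controller
    ("sbc-inside", "core", "10.200.0.20", "static"), # SBC internal interface
    ("vm-01", "core", "10.10.5.40", "static"),       # voice mail left on data LAN
    ("phone-1", "endpoint", "10.200.2.15", "dhcp"),
    ("phone-2", "endpoint", "10.10.7.22", "dhcp"),   # phone on the general LAN
    ("gw-01", "core", "10.200.0.30", "dhcp"),        # core component using DHCP
]


def audit(vvoip_blocks, other_blocks, inventory):
    """Return a list of finding strings; an empty list means the check passes."""
    vvoip = [ipaddress.ip_network(b) for b in vvoip_blocks]
    other = [ipaddress.ip_network(b) for b in other_blocks]
    findings = []
    if not vvoip:
        findings.append("no dedicated VVoIP address block defined")
    # The VVoIP space must be segregated from general-LAN and management space.
    for v in vvoip:
        for o in other:
            if v.overlaps(o):
                findings.append(f"VVoIP block {v} overlaps non-VVoIP block {o}")
    for name, role, addr, method in inventory:
        ip = ipaddress.ip_address(addr)
        # Every affected device (core or endpoint) belongs in a VVoIP block.
        if not any(ip in v for v in vvoip):
            findings.append(f"{name} ({role}) at {ip} is outside the VVoIP blocks")
        # NOTE in the check text: core components must be statically addressed.
        if role == "core" and method != "static":
            findings.append(f"{name} is a core component but uses {method} addressing")
    return findings


if __name__ == "__main__":
    for line in audit(VVOIP_BLOCKS, OTHER_BLOCKS, INVENTORY) or ["no findings"]:
        print(line)
```

Feed it the address ranges noted during the review and the device list gathered from the session controller, SBC and edge router; any non-empty result is a finding against this requirement.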