The voice/video system management network must provide bidirectional enclave boundary protection between the local management network and the DISN voice services management network.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-19547	VVoIP 5405	SV-21610r2_rule	EBBD-2 ECSC-1	Medium

Description
VVoIP core system devices and TDM based telecom switches can be and in many cases are connected to multiple management networks. Such is the case when the system is managed by local SAs and systems via the local management VLAN or dedicated OOB management network and other SAs or systems manage or monitor the system via another network such as a remote MILDEP NOC, the DSN’s ADIMSS network, the RTS EMS, or the DISN DCN. A similar situation occurs in the DRSN with the ARDIMSS network. In some cases, these networks are interconnected such that both management networks have access to the same devices via a single management port on each. Each of these management networks is in reality a different enclave and as such access and traffic between them must be filtered thus protecting each of the enclaves from compromise from one of the others. Enclaves are defined as a collection of computing environments connected by one or more internal networks under the control of a single authority and security policy, including personnel and physical security. Based on this definition, the local LAN enclave, remote MILDEP NOC, the DSN’s ADIMSS network, the RTS EMS, and the DISN DCN are different enclaves. Therefore minimally a firewall is required where these enclaves meet.

Description

VVoIP core system devices and TDM based telecom switches can be and in many cases are connected to multiple management networks. Such is the case when the system is managed by local SAs and systems via the local management VLAN or dedicated OOB management network and other SAs or systems manage or monitor the system via another network such as a remote MILDEP NOC, the DSN’s ADIMSS network, the RTS EMS, or the DISN DCN. A similar situation occurs in the DRSN with the ARDIMSS network. In some cases, these networks are interconnected such that both management networks have access to the same devices via a single management port on each. Each of these management networks is in reality a different enclave and as such access and traffic between them must be filtered thus protecting each of the enclaves from compromise from one of the others. Enclaves are defined as a collection of computing environments connected by one or more internal networks under the control of a single authority and security policy, including personnel and physical security. Based on this definition, the local LAN enclave, remote MILDEP NOC, the DSN’s ADIMSS network, the RTS EMS, and the DISN DCN are different enclaves. Therefore minimally a firewall is required where these enclaves meet.

STIG	Date
Voice / Video Services Policy STIG	2015-07-01

Details

Check Text ( C-23797r3_chk )
Review site documentation to confirm the voice/video system management network provides bidirectional enclave boundary protection between the local management network and the DISN voice services management network. This requirement is applicable to VVoIP core system devices and TDM based telecom switches managed via multiple networks and those managed via a single physical Ethernet/IP interface. As an example, when the ADIMSS and local SAs both manage a VVoIP system or device via a common pathway such as the local management VLAN or OOB management network, a firewall is required between the local network and the ADIMSS network. Determine who owns and is responsible for the enclave boundary protection device configuration and management. This device may be owned and operated by the DISN management network or the local network. Two such devices may be owned and operated by each entity. If there is a single boundary protection device, additionally determine if there is a MOA regarding the operation of the device such that the owner implements a configuration that not only protects the owner’s network but also protects the other’s network. Further validate that both parties have agreed to or signed the MOA. If there is no such MOA, the respective owners may need to implement their own devices. Enclave boundary protection must be implemented at the entry point of the DISN management network to Inspect the ACLs on the boundary protection devices to ensure a deny-by-default posture allowing only specifically required protocol traffic between specific pairs of IP addresses across the boundary. The inbound ACL must include: - Permit the specifically authorized and required protocol sourced from the IP address of the specifically authorized device on the DISN management network to reach the specific IP address of the managed device or required local management server. - Additional statements for each protocol and IP address pair. -Deny all other traffic. The outbound ACL must include: - Permit the specifically authorized and required protocol sourced from the specific IP address of the managed device or any required local management server to reach the specific IP address of the specifically authorized device on the DISN management network. - Additional statements for each protocol and IP address pair. - Deny all other traffic. Validate the effectiveness of the boundary protection ACLs by performing network vulnerability scans as follows: - Scan the entire DISN management network (e.g., RTS EMS, ADIMSS, ARDIMSS, or DCN), address space from an unused randomly selected IP address on the local management network. - Scan the entire local management network address space from an unused randomly selected IP address on the DISN management network. If the voice/video system management network does not provide bidirectional enclave boundary protection between the local management network and the DISN voice services management network, this is a finding. If an MOA is not in effect when the boundary is protected by a single device, this is a finding. If the inbound ACL or outbound ACL do not permit only specific traffic and deny all other traffic, this is a finding. If the network vulnerability scan receives a response from any host on either network, this is a finding.

Check Text ( C-23797r3_chk )

Review site documentation to confirm the voice/video system management network provides bidirectional enclave boundary protection between the local management network and the DISN voice services management network. This requirement is applicable to VVoIP core system devices and TDM based telecom switches managed via multiple networks and those managed via a single physical Ethernet/IP interface. As an example, when the ADIMSS and local SAs both manage a VVoIP system or device via a common pathway such as the local management VLAN or OOB management network, a firewall is required between the local network and the ADIMSS network.

Determine who owns and is responsible for the enclave boundary protection device configuration and management. This device may be owned and operated by the DISN management network or the local network. Two such devices may be owned and operated by each entity.

If there is a single boundary protection device, additionally determine if there is a MOA regarding the operation of the device such that the owner implements a configuration that not only protects the owner’s network but also protects the other’s network. Further validate that both parties have agreed to or signed the MOA. If there is no such MOA, the respective owners may need to implement their own devices. Enclave boundary protection must be implemented at the entry point of the DISN management network to Inspect the ACLs on the boundary protection devices to ensure a deny-by-default posture allowing only specifically required protocol traffic between specific pairs of IP addresses across the boundary. The inbound ACL must include:
- Permit the specifically authorized and required protocol sourced from the IP address of the specifically authorized device on the DISN management network to reach the specific IP address of the managed device or required local management server.
- Additional statements for each protocol and IP address pair.
-Deny all other traffic.

The outbound ACL must include:
- Permit the specifically authorized and required protocol sourced from the specific IP address of the managed device or any required local management server to reach the specific IP address of the specifically authorized device on the DISN management network.
- Additional statements for each protocol and IP address pair.
- Deny all other traffic.

Validate the effectiveness of the boundary protection ACLs by performing network vulnerability scans as follows:
- Scan the entire DISN management network (e.g., RTS EMS, ADIMSS, ARDIMSS, or DCN), address space from an unused randomly selected IP address on the local management network.
- Scan the entire local management network address space from an unused randomly selected IP address on the DISN management network.

If the voice/video system management network does not provide bidirectional enclave boundary protection between the local management network and the DISN voice services management network, this is a finding. If an MOA is not in effect when the boundary is protected by a single device, this is a finding. If the inbound ACL or outbound ACL do not permit only specific traffic and deny all other traffic, this is a finding. If the network vulnerability scan receives a response from any host on either network, this is a finding.

Fix Text (F-20249r2_fix)
Implement the voice/video system management network to provide bidirectional enclave boundary protection between the local management network and the DISN voice services management network. Implement an MOA when the boundary is protected by a single device. Implement both an inbound ACL and an outbound ACL to permit only specific traffic and deny all other traffic. Validate the effectiveness of the boundary protection on an annual basis.

Fix Text (F-20249r2_fix)

Implement the voice/video system management network to provide bidirectional enclave boundary protection between the local management network and the DISN voice services management network. Implement an MOA when the boundary is protected by a single device. Implement both an inbound ACL and an outbound ACL to permit only specific traffic and deny all other traffic. Validate the effectiveness of the boundary protection on an annual basis.