Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-19597 | VVoIP 6120 (DISN-IPVS) | SV-21738r1_rule | | Medium |
Description |
---|
DISA has developed the DISN IPVS to support C2 Assured Service reliability and availability. As such, the worldwide availability and effectiveness of this service are dependent upon the components of the overall system that are located in each interconnected enclave. These components must be interoperable and support the needed quality of service. Therefore, if the VVoIP system in an enclave is to utilize the DISN IPVS to communicate with other enclaves across the NIPRNet, the system must be designed with equipment that has specific capabilities. Additionally, the implementation of VVoIP across the enclave boundary must not degrade the security or protection of the enclave. Use of the DISN IPVS network requires the following equipment such that interoperability is assured across the DISN service: > One or more DoD APL listed Customer Edge Routers (CERs) on which the DISN access circuits are terminated. The CER is robust/reliable and provides QoS features/capabilities as required by the UCR for the specific type of site. NOTE: The CER is the enclave’s perimeter or premise router as designated by the Network Infrastructure and Enclave STIGs. > One or more DoD APL listed Local Session Controllers (LSCs) or Multi-Function Soft Switch (MFSS) within the enclave for session control. These are the system control and signaling agents of the system. The LSC and MFSS are robust/reliable and provide admission control and QoS features/capabilities as required by the UCR. The LSC (one or more per site) manages local endpoint registration and calls established to/from local endpoints and facilities. It also manages calls into and out of the enclave. The MFSS (typically one per site) performs LSC functions for its site and provides signaling management for a regional set of LSCs. > Each LSC or MFSS and CER will be separated by a firewall or session border controller having specific functionality as defined in the UCR. This DoD specific device is called an Edge Boundary Controller (EBC). This may be a dedicated device or may be a functional part of the required data firewall. The use of these devices is critical to the success of the DISN IPVS’s mission. |
STIG | Date |
---|---|
Voice Video Services Policy STIG | 2017-12-21 |
Check Text (C-23870r1_chk) |
---|
Interview the IAO to confirm compliance with the following requirement: In the event the VVoIP system is subscribed to the DISN NIPRNet IP Voice Services (IPVS) network, ensure a DoD APL listed Edge Boundary Controller (EBC) is implemented at the enclave boundary between the CER and LSC/MFSS to maintain the required enclave boundary protection while permitting DISN IPVS traffic to pass. NOTE: This may be a dedicated device or may be part of the required data firewall. NOTE: In the future this requirement may be applicable (with some modification) to the DISN SIPRNet IPVS (VoSIP) network when the PMO adopts the DISN NIPRNet IPVS architecture. NOTE: The EBC functionality may be combined in one device with the required data firewall functionality. Determine, through interview and/or physical inspection, the specific make, model, and OS version of the EBC. |
Fix Text (F-20296r1_fix) |
---|
Ensure a DoD APL listed Edge Boundary Controller (EBC) is implemented at the enclave boundary between the CER and LSC/MFSS to maintain the required enclave boundary protection while permitting DISN IPVS traffic to pass. NOTE: The EBC functionality may be combined in one device with the required data firewall functionality. APL listed devices and software loads can be found at the DoD APL web site at http://jitc.fhu.disa.mil/tssi/apl.html. |