UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Unencrypted and unsigned VVoIP endpoint configuration files traversing the DISN must be protected within a VPN between enclaves.


Overview

Finding ID Version Rule ID IA Controls Severity
V-47753 VVoIP 1415 (GENERAL) SV-60629r1_rule ECSC-1 Medium
Description
When VVoIP configuration files traverse a network in an unencrypted state, system information may be used by an adversary, which in the aggregate, may reveal sensitive data. When VVoIP traffic is passed in the clear it is open to sniffing attacks. This vulnerability exists whether the traffic is on a LAN or a WAN. Unencrypted and unsigned configuration files must be wrapped within an encrypted VPN to mitigate this risk. DoD-to-DoD voice communications are generally considered to contain sensitive information. Local DoD enclaves connect to a DISN SDN via an access circuit. Unless the site is a host to a SDN, or close enough to it to be served by DoD owned facilities, some portion of the access circuit will utilize leased commercial facilities. Additionally, the DISN core network itself may traverse commercial services and facilities. Therefore, DoD voice and data traffic crossing the unclassified DISN must be encrypted.
STIG Date
Voice Video Services Policy Security Technical Implementation Guide 2019-01-09

Details

Check Text ( C-50235r1_chk )
Interview the IAO to confirm compliance with the following requirement:
Verify VVoIP endpoint configuration files traversing the DISN must be protected within a VPN secured using FIPS 140-2 or NSA approved encryption between enclaves. The reviewer may downgrade to CAT 3 when vendor provided PKI or x.509 certs are used rather than DoD PKI certificates.

NOTE: This requirement is not applicable to systems that use Cisco TFTP.
Fix Text (F-51379r1_fix)
Configure the VVoIP endpoint configuration files traversing the DISN to be protected within a VPN secured using FIPS 140-2 or NSA approved encryption between enclaves.