V-19661 | High | The data network perimeter protection (data firewall function) is NOT configured to protect the VVoIP VLANs by blocking all but specifically permitted traffic destined to or sourced from the Voice VLAN IP address space and VLANs | See the discussion regarding the design of the enclave boundary when using VVoIP within the enclave. The following is a summary: The typical data firewall does not adequately protect the enclave... |
V-19673 | High | The DISN NIPRNet IPVS firewall (EBC) is NOT configured to drop any packet (inbound or outbound) that is not validated as being part of an established and known call/session through stateful packet inspection or packet authentication. | Once a pinhole is opened in the enclave boundary for a known call/session the packets that are permitted to pass must be managed. If they are not properly managed, packets that are not part of a... |
V-19674 | High | The DISN NIPRNet IPVS firewall (EBC) is NOT configured to drop any packet attempting to traverse the enclave boundary (inbound or outbound) through the IP port pinholes that have been opened for known call/sessions that is not an RTP/RTCP or SRTP/SRTCP packet or other protocol / flow established by the signaling messages. | Once a pinhole is opened in the enclave boundary for a known call/session the packets that are permitted to pass must be managed. If they are not properly managed, packets that are not part of a... |
V-19665 | Medium | The EBC is NOT configured to filter inbound AS-SIP-TLS traffic based on the IP addresses of the internal LSC(s) (or MFSS) OR the IP addresses of the EBCs fronting its authorized signaling partners as part of a layered defense. | The EBC is in the VVoIP signaling path between the LSC and MFSS. To limit its exposure to compromise and DoS, it must only exchange signaling messages using the designated protocol (AS-SIP-TLS) with... |
V-19670 | Medium | All SIP and AS-SIP packets are not dropped by the DISN NIPRNet IPVS firewall (EBC) except those AS-SIP packets arriving on IP port 5061 that are secured with TLS. | DISN NIPRNet IPVS PMO and the UCR require all session signaling across the DISN WAN and between the LSC and EBC to be secured with TLS. The standard IANA-assigned IP port for SIP protected by TLS... |
V-19444 | Medium | Unified messaging and email text-to-speech features must be disabled because there is no PKI authentication and no access control to email. | Unified messaging and email systems provide the capability to receive voicemails via email and in some cases, have emails read to the user via a text-to-speech feature when accessing the system... |
V-19445 | Medium | The LSC permits the registration and operation of VoIP instruments that have not been previously configured and authorized. That is, auto-registration is not disabled if available. | Traditional telephone systems require physical wiring and/or switch configuration changes to add an instrument to the system. This makes it difficult for someone to add an unauthorized digital... |
V-19446 | Medium | Unauthorized VVoIP instruments are registered with the LSC and are operational. | It is critical to the security of the system that all IPT / VoIP end instruments be authorized to connect to and use the system. Only authorized instruments should be configured in the system... |
V-19632 | Medium | Logical or physical interfaces must be configured on the VVoIP core routing devices for the VVoIP core equipment to support access and traffic control for the VVoIP system components. | VLAN and IP address segmentation enables access and traffic control for the VVoIP system components. Only the required protocols are to reach a given VVoIP device thereby protecting it from... |
V-19636 | Medium | A deny-by-default ACL is not implemented on all VVoIP endpoint (hardware and software) VLAN interface(s) on the VVoIP routing device(s) other than at the core (as defined in the VVoIP system ACL design) to properly control VVoIP endpoint access and traffic flow. | Router ACLs are required to control access and the flow of traffic to and from VVoIP system devices and their VLANs as a protection mechanism. In general, the defined ACLs are designed in a... |
V-19642 | Medium | A deny-by-default ACL is not implemented on the VVoIP Voicemail / Unified Messaging Server(s) VLAN interface(s) on the VVoIP routing device(s) supporting the VVoIP system core (as defined in the VVoIP system ACL design) to properly control VVoIP LSC access and traffic flow. | Router ACLs are required to control access and the flow of traffic to and from VVoIP system devices and their VLANs as a protection mechanism. In general, the defined ACLs are designed in a... |
V-19643 | Medium | A deny-by-default ACL is not implemented on the VVoIP Unified Communications Server(s) VLAN interface(s) on the VVoIP routing device(s) supporting the VVoIP system core (as defined in the VVoIP system ACL design) to properly control VVoIP LSC access and traffic flow. | Router ACLs are required to control access and the flow of traffic to and from VVoIP system devices and their VLANs as a protection mechanism. In general, the defined ACLs are designed in a... |
V-19640 | Medium | A deny-by-default ACL is not implemented on the VVoIP Edge Boundary Controller (EBC) VLAN interface(s) on the VVoIP routing device(s) supporting the VVoIP system core (as defined in the VVoIP system ACL design) to properly control VVoIP LSC access and traffic flow. | Router ACLs are required to control access and the flow of traffic to and from VVoIP system devices and their VLANs as a protection mechanism. In general, the defined ACLs are designed in a... |
V-19646 | Medium | The LAN Access switch port is NOT configured to place the VVoIP or VTC traffic in the proper VLAN (e.g., the port is NOT assigned to the proper VLAN) or the port does not assign the appropriate VLAN tag via some other method. | Some VVoIP hardware endpoints and hardware based VTC endpoints contain a multi-port Ethernet switch to provide a connection on the endpoint for external devices such as a workstation (i.e., PC... |
V-19647 | Medium | The LAN access switch (discrete NE or module in a larger NE) is NOT capable of, or is NOT configured to; maintain the required VLAN separation for traffic originating from supported endpoints and DOES NOT route voice, VTC, PC communications client, and data traffic to their respective VLANs on the LAN. | Some VVoIP hardware endpoints and hardware based VTC endpoints contain a multi-port Ethernet switch to provide a connection on the endpoint for external devices such as a workstation (i.e., PC... |
V-19644 | Medium | A deny-by-default ACL is not implemented on the VVoIP system management VLAN interface(s) on the VVoIP routing device(s) supporting the VVoIP system core (as defined in the VVoIP system ACL design) to properly control VVoIP LSC access and traffic flow. | Router ACLs are required to control access and the flow of traffic to and from VVoIP system devices and their VLANs as a protection mechanism. In general, the defined ACLs are designed in a... |
V-19645 | Medium | The implementation of Unified Mail services degrades the separation between the voice and data protection zones (VLANs). | Voice mail services in a VoIP environment are available in several different configurations. A legacy voice mail platform can connect to a VoIP environment to provide voice mail services for VoIP... |
V-19633 | Medium | VVoIP VLANs must be implemented on these VVoIP hardware endpoints. | VLAN and IP address segmentation enables access and traffic control for the VVoIP system components. Only the required protocols are to reach a given VVoIP device thereby protecting it from... |
V-19648 | Medium | LAN access switchports supporting VVoIP or VTC endpoints containing a PC port are configured in trunk mode, NOT in access mode or “802.1Q tagged access mode.” | Policy regarding LAN access switchport mode has been established in the Network Infrastructure STIG by NET1416 which states “ensure trunking is disabled on all access ports (do not configure trunk... |
V-19649 | Medium | A LAN access switchport supporting a VVoIP or VTC endpoint that does not, or is not configured to, apply 802.1Q VLAN tags to its traffic is NOT statically assigned to the appropriate local VVoIP or VTC VLAN. | VVoIP or VTC endpoints that are not configured to or cannot provide an 802.1Q VLAN tag on their VVoIP traffic have no control over what VLAN their traffic ends up in, if any. Therefore the... |
V-19635 | Medium | A deny-by-default ACL is not implemented on all VVoIP endpoint (hardware and software) VLAN interface(s) on the VVoIP core routing device(s) (as defined in the VVoIP system ACL design) to properly control VVoIP endpoint access and traffic flow. | Router ACLs are required to control access and the flow of traffic to and from VVoIP system devices and their VLANs as a protection mechanism. In general, the defined ACLs are designed in a... |
V-19624 | Medium | An Auto-answer feature is not properly disabled. | The VTC STIG discusses the possibility of undesired or improper viewing of and/or listening to activities and conversations in the vicinity of a hardware based VTC endpoint, whether it is a... |
V-19625 | Medium | PC presentation or application sharing capabilities are not properly limited. | Visual collaboration often requires the sharing or display of presentations, open documents, and white board information to one or more communicating endpoints. While the technology for doing this... |
V-19626 | Medium | A PC Collaboration application does not identify all connected parties. | Visual collaboration often requires the sharing or display of presentations, open documents, and white board information to one or more communicating endpoints. While the technology for doing this... |
V-19627 | Medium | Remote access VoIP must be routed to the VoIP VLAN. | In addition to complying with the STIGs and VPN requirements for remotely connected PCs, there is an additional requirement for Unified Capabilities (UC) soft client and UC applications using the... |
V-21520 | Medium | Activation/deactivation of and permission to use the extension mobility feature is not properly controlled. | Extension mobility is a feature of a VVoIP system that permits a person to transfer their phone number extension and phone features (or configuration) to a phone that is not in their normal... |
V-21509 | Medium | The Fire and Emergency Services (FES) communications over a site's private Multi-Line Telephone System (MLTS) must provide the originating telephone number to the emergency services answering point or call center through a transfer of Automatic Number Identification (ANI) or Automatic Location Identification (ALI) information. | The implementation of Enhanced F&ES telecommunications services requires that the emergency services answering point or call center be able to automatically locate the calling party in the event... |
V-19662 | Medium | The CER (premise or perimeter) router is NOT capable of, or is NOT configured to, provide expedited forwarding of VVoIP packets based on DSCP packet marking in accordance with the DISN IPVS DSCP marking plan. | The typical perimeter or premise router (as designated by the NI and Enclave STIGs) will most likely not be capable of supporting the needs of VVoIP entering the DISN WAN. This is because only... |
V-19663 | Medium | The CER (premise or perimeter) router is NOT configured to route all inbound traffic except AS-SIP-TLS and SRTP/SRTCP that is addressed to the VVoIP firewall (EBC) to the “data” firewall function. | The CER (premise or perimeter) router is the first line of defense at the gateway to the enclave or LAN. The data and VVoIP firewall (EBC) functions are the second line of defense. Since the VVoIP... |
V-19628 | Medium | VVoIP component(s) are NOT addressed using the defined dedicated VVoIP system addresses. | The protection of the VVoIP system is enhanced by ensuring all VVoIP systems and components within the LAN (Enclave) are deployed using separate address blocks from the normal data address... |
V-19629 | Medium | VVoIP core components use random address assignment via DHCP and are not statically addressed. | Assigning static addresses to core VVoIP devices permits tighter control using ACLs on firewalls and routers to help in the protection of these devices. NOTE: In the event DHCP is used for... |
V-19666 | Medium | The EBC is NOT configured to terminate and decrypt inbound and outbound AS-SIP-TLS sessions (messages) such that it can properly manage the transition of the SRTP/SRTCP streams. | We previously discussed the reasons why a special firewall function is needed to protect the enclave if VVoIP is to traverse the boundary (see VVoIP 1005 (GENERAL) under VVoIP policy). This... |
V-19638 | Medium | A deny-by-default ACL is not implemented on the VVoIP Media Gateway (MG) VLAN interface(s) on the VVoIP routing device(s) supporting the VVoIP system core (as defined in the VVoIP system ACL design) to properly control VVoIP LSC access and traffic flow. | Router ACLs are required to control access and the flow of traffic to and from VVoIP system devices and their VLANs as a protection mechanism. In general, the defined ACLs are designed in a... |
V-19631 | Medium | A VVoIP core system/device or a traditional TDM-based telecom switch is acting as a network router in that it does not block traffic between its attached management network interface(s) (one or more; logical or physical) and/or its production network interface(s) (logical or physical). | Based on a previously stated requirement, a VVoIP system must have one or more production VLANs containing the VVoIP endpoints and a separate OOB management network or virtual management network... |
V-19630 | Medium | VVoIP endpoints must receive IP address assignment and configuration information from a DHCP server dedicated to the VVoIP system. | When using Dynamic Host Configuration Protocol (DHCP) for address assignment and host configuration, different DHCP scopes (different address space, subnets, and VLANs) must be used for voice... |
V-19639 | Medium | A deny-by-default ACL is not implemented on the VVoIP Signaling Gateway (SG) VLAN interface(s) on the VVoIP routing device(s) supporting the VVoIP system core (as defined in the VVoIP system ACL design) to properly control VVoIP LSC access and traffic flow. | Router ACLs are required to control access and the flow of traffic to and from VVoIP system devices and their VLANs as a protection mechanism. In general, the defined ACLs are designed in a... |
V-19672 | Medium | The DISN NIPRNet IPVS firewall (EBC) is NOT configured to apply the appropriate NAT translations on the SRTP/SRTCP packets flowing across the enclave boundary between communicating endpoints based on the information contained in the AS-SIP messages that initiated the call. | The DISN NIPRNet IPVS utilizes SRTP/SRTCP bearer streams for the transport of voice and video information within and between enclaves during a VVoIP session. Additionally, the VVoIP system devices... |
V-19634 | Medium | VLANs established for the VVoIP system are NOT pruned from trunks and/or interfaces that are not required to carry the VVoIP traffic. | While VLANs facilitate access and traffic control for the VVoIP system components and enhanced QoS, they should only be implemented on the network elements that are needed to carry the traffic... |
V-19668 | Medium | The DISN NIPRNet IPVS firewall (EBC) is NOT configured to drop (and not process) all signaling packets except those whose integrity is validated. | The validation of signaling packet integrity is required to ensure the packet has not been altered in transit. Packets can be altered in a couple of ways. The first is modification by... |
V-19655 | Medium | LAN access control is implemented using 802.1x AND one or more VVoIP or VTC endpoints provide a PC port, however the PC port is NOT disabled; AND/OR the LAN access switchport is NOT configured as required to support a disabled PC port (i.e., having the “unused” VLAN configured for PC port traffic); OR the VVoIP or VTC endpoint (or LAN access switchport) does not extend 802.1x port activation/deactivation to the PC port. | A VVoIP or VTC endpoint that provides a PC port typically breaks 802.1x LAN access control mechanisms. The reason is that the LAN access switchport is turned on or authorized (and configured) when... |
V-19654 | Medium | The 802.1x authentication server does not configure the LAN access switchport to place the VVoIP or VTC traffic (and data traffic if applicable) in the correct VLAN when authorizing LAN access for VVoIP or VTC endpoints OR the LAN access switchport is NOT configured to do so by default. | 802.1x has the capability of configuring the LAN access switchport to assign a VLAN or apply filtering rules based upon the device that was just authenticated. This is done via the “success”... |
V-19657 | Medium | The VVoIP endpoint’s configuration and/or configuration-display PIN/passwords DO NOT authenticate remotely to the Local Session Controller (LSC) or minimally are not centrally controlled by the LSC. | Many VVoIP endpoints have the capability of setting and/or displaying configuration settings in the instrument itself. While this makes it convenient to configure and troubleshoot at the desktop,... |
V-19651 | Medium | A LAN access switchport supporting a VVoIP or VTC endpoint containing a PC port that is required to be disabled is not configured such that the switch’s “unused” VLAN is assigned as the endpoint’s “default data” VLAN. | A PC port on a VVoIP or VTC endpoint that is not intended for regular use is required to be disabled. Unused LAN access switchports and LAN drops are also to be disabled per the Network... |
V-19650 | Medium | A LAN access switchport supports a VVoIP or VTC endpoint containing a PC port but is not configured with a default “data” VLAN to handle untagged PC port traffic and assign a secondary VVoIP or VTC VLAN to handle the tagged VVoIP or VTC traffic. | Many VVoIP and VTC endpoints provide a PC port on the device. Doing so permits a PC to share the same LAN drop as a VoIP phone or desktop VTC endpoint. The net effect is reduced installation and... |
V-19653 | Medium | VVoIP or VTC endpoints are NOT integrated into the implemented 802.1x LAN access control system. | IEEE 802.1x is a protocol that is used to control access to LAN services via a LAN access switchport or wireless access point. It requires a device or user (supplicant) to authenticate to the... |
V-19652 | Medium | The appropriate number of pre-authorized MAC addresses are not statically assigned on a LAN access switchport for the pre-authorized VVoIP or VTC endpoints and their daisy chained devices OR the correct maximum number of MAC addresses that can be dynamically learned on a given switch port is NOT limited to the minimum number that is required to support the devices that are authorized to connect. | The Network Infrastructure (NI) STIG provides DoD policy for the use of “port security” or LAN access control on LAN access switchports. One of the methods is MAC based port security which limits... |
V-19659 | Medium | A VVoIP or VTC hardware endpoint possessing a “PC Port” does not tag its communications traffic using 802.1Q VLAN tagging or the PC port is not disabled. | NOTE: the switch or endpoint will typically utilize 802.1Q trunking (VLAN tagging) but may use some other means to separate voice and data traffic. Typically when 802.1Q VLAN tagging is used, the... |
V-19658 | Medium | A VVoIP or VTC hardware endpoint possessing a “PC Port” is not configured to block access to the endpoint configuration and communications traffic from the attached PC. | A VVoIP or VTC hardware endpoint possessing a “PC Port” can provide an easy avenue to access and compromise the endpoint configuration and communications traffic. Through such unauthorized access an... |
V-57951 | Medium | Two hours of backup power must be provided for LAN Infrastructure, WAN boundary, VVoIP infrastructure, and VVoIP endpoints to support Immediate or Priority precedence C2 users. | Unified Capabilities (UC) users require different levels of capability depending upon command and control needs. Special-C2 decision makers requiring Flash or Flash Override precedence must have... |
V-19637 | Medium | A deny-by-default ACL is not implemented on the VVoIP Local Session Controller (LSC) VLAN interface(s) on the VVoIP routing device(s) supporting the VVoIP system core (as defined in the VVoIP system ACL design) to properly control VVoIP LSC access and traffic flow. | Router ACLs are required to control access and the flow of traffic to and from VVoIP system devices and their VLANs as a protection mechanism. In general, the defined ACLs are designed in a... |
V-21510 | Medium | The Fire and Emergency Services (FES) communications over a site's private Multi-Line Telephone System (MLTS) must provide a direct callback telephone number and physical location of an FES caller to the emergency services answering point or call center through a transfer of Automatic Number Identification (ANI) and extended Automatic Location Identification (ALI) information or access to an extended ALI database. | Under FCC rules and the laws of some states, the implementation of Enhanced F&ES telecommunications services requires that the emergency services answering point or call center must be... |
V-21513 | Medium | Devices and applications using SIP or AS-SIP signaling are vulnerable to a cross site scripting attack. | A cross site scripting vulnerability has been demonstrated in at least one SIP based IP phone. The vulnerability was demonstrated by adding scripting code to the From: field in the SIP invite.... |
V-21512 | Medium | The Fire and Emergency Services (FES) communications over a site's private Multi-Line Telephone System (MLTS) must route emergency calls as a priority call in a non-blocking manner. | When calling the designated F&ES telephone number, the call must go through no matter what the state of other calls in the system. As such, emergency calls must be treated as a priority call by... |
V-21515 | Medium | A hardware-based VVoIP or IP-VTC endpoint contains a web server, the access to which is not restricted OR which is NOT disabled. | Hardware-based VVoIP and IP-VTC endpoints sometimes contain a web server for the implementation of various functions and features. In many cases these are used to configure the network settings or... |
V-21514 | Medium | Hardware based VVoIP or VTC endpoint web browser capabilities that permit the endpoint to browse the internet or intranet are NOT disabled. | Permitting hardware based VVoIP or VTC endpoints to browse the internet or enterprise intranet freely opens the endpoint to the possibility of inadvertently downloading malicious code to the... |
V-21517 | Medium | The LAN hardware asset does not provide the required redundancy to support the availability/reliability needs of the C2 and Special C2 users of VVoIP services for command and control communications. | Policy sets the minimum requirements for the availability and reliability of VVoIP systems and the supporting LAN with emphasis on C2 communications. The high availability and reliability required... |
V-21516 | Medium | Eight hours of backup power must be provided for LAN Infrastructure, WAN boundary, VVoIP infrastructure, and VVoIP endpoints to support special-C2 users. | Unified Capabilities (UC) users require different levels of capability depending upon command and control needs. Special-C2 decision makers requiring Flash or Flash Override precedence must have... |
V-21518 | Medium | LAN NEs supporting VVoIP services are NOT interconnected with redundant uplinks following physically diverse paths to physically diverse NEs in the layer above OR each uplink can NOT support the full bandwidth handled by the NE AND/OR the appropriate routing protocol is NOT configured to effect the failover from one uplink to the other in the event of the failure of one. | Policy sets the minimum requirements for the availability and reliability of VVoIP systems and the supporting LAN with emphasis on C2 communications. The high availability and reliability required... |
V-19671 | Medium | The DISN NIPRNet IPVS firewall (EBC) is NOT configured to manage IP port pinholes for the SRTP/SRTCP bearer streams based on the information in the AS-SIP-TLS messages. | We previously discussed the reasons why a special firewall is needed to protect the enclave if VVoIP is to traverse the boundary (see VVoIP 1005 (GENERAL) under VVoIP policy). This requirement... |
V-19667 | Medium | The DISN NIPRNet IPVS firewall (EBC) is NOT configured to drop (and not process) all packets except those that are authenticated as being from an authorized source within the DISN IPVS network. | We previously discussed the reasons why a special firewall function is needed to protect the enclave if VVoIP is to traverse the boundary (see VVoIP 1005 under VVoIP policy). This requirement... |
V-19677 | Medium | The MFSS is NOT configured to synchronize minimally with a paired MFSS and/or others such that each may serve as a backup for the other when signaling with its assigned LSCs, thus reducing the reliability and survivability of the DISN IPVS network. | MFSSs are critical to the operation of the DISN NIPRNet IPVS network. They broker the establishment of calls between enclaves. An MFSS provides the following functions: > Receives AS-SIP-TLS... |
V-19676 | Medium | The VVoIP system connects with a DISN IPVS (NIPRNet or SIPRNet) but the LSC(s) is not configured to signal with a backup MFSS (or SS) in the event the primary cannot be reached. | Redundancy of equipment and associations is used in an IP network to increase the availability of a system. Multiple MFSSs in the DISN NIPRNet IPVS network and multiple SSs in the DISN SIPRNet... |
V-19675 | Medium | The DISN NIPRNet IPVS firewall (EBC) is NOT configured to transmit a meaningful alarm message to the local EMS and DISN IPVS management system in the event of attempts to cause a denial-of-service or compromise the EBC or enclave. | Action cannot be taken to thwart an attempted denial-of-service or compromise if the SAs responsible for the operation of the EBC and/or the network defense operators are not alerted to the... |
V-19669 | Low | The DISN NIPRNet IPVS firewall (EBC) is NOT configured to validate the structure and validity of AS-SIP messages such that malformed messages or messages containing errors are dropped before action is taken on the contents. | Malformed AS-SIP messages as well as messages containing errors could be an indication that an adversary is attempting some form of attack or denial-of-service. Such an attack is called fuzzing.... |
V-19660 | Low | A VVoIP or VTC endpoint that provides a PC data port is not configured to disable the PC port (or the port is not physically blocked from use) if a PC or other device is not normally attached. | Many IP hardware phones provide a separate data port for the connection of a PC to the phone so that only a single cable is required to provide data and voice connectivity to the end users... |
V-57953 | Low | Sufficient backup power must be provided for LAN Infrastructure, WAN boundary, VVoIP infrastructure, and VVoIP endpoints to support non-C2 user accessible endpoints for emergency life-safety and security calls. | Unified Capabilities (UC) users require different levels of capability depending upon command and control needs. Special-C2 decision makers requiring Flash or Flash Override precedence must have... |
V-19656 | Low | VVoIP endpoints or instruments permit the display of network IP configuration information and/or permit adjustment of network settings without the use of a non-default PIN/password. | Many VVoIP endpoints have the capability of setting and/or displaying configuration settings in the instrument itself. While this makes it convenient to configure and troubleshoot at the desktop,... |
V-19664 | Low | The CER is NOT configured to filter inbound AS-SIP-TLS traffic addressed to the local EBC based on the source address of the signaling messages as part of a layered defense. | The CER (premise or perimeter) router is the first line of defense at the gateway to the enclave or LAN. The data and VVoIP firewall (EBC) functions are the second line of defense. Since the VVoIP... |