Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-19663 | VVoIP 6210 (DISN-IPVS) | SV-21804r1_rule | ECSC-1 | Medium |
Description |
---|
The CER (premise or perimeter) router is the first line of defense at the gateway to the enclave or LAN. The data firewall and VVoIP firewall (EBC) functions are the second line of defense. Since the VVoIP firewall function only processes VVoIP traffic in the form of AS-SIP-TLS and SRTP/SRTCP packets, the CER should forward only these packets to the VVoIP firewall, so that the VVoIP firewall is better protected from being overloaded into a denial of service. This is part of a layered defense. |
STIG | Date |
---|---|
Voice/Video over Internet Protocol STIG | 2014-04-07 |
Check Text ( C-24032r1_chk ) |
---|
Interview the IAO to confirm compliance with the following requirement: If the VVoIP system connects to the DISN WAN for VVoIP transport between enclaves AND the system is intended to provide assured service communications to any level of C2 user (Special C2, C2, C2(R)), ensure the required CER is configured to route all inbound traffic addressed to the VVoIP firewall (EBC), except AS-SIP-TLS and SRTP/SRTCP, to the “data” firewall function. NOTE: This is not applicable if the VVoIP firewall function and the “data” firewall function are on the same device and accessed via a single IP address. It is applicable if these functions are on the same device but accessed via different IP addresses. |
Fix Text (F-20368r1_fix) |
---|
Ensure the required CER is configured to route all inbound traffic addressed to the VVoIP firewall (EBC), except AS-SIP-TLS and SRTP/SRTCP, to the “data” firewall function. |
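One way to implement the fix on a CER using Cisco IOS-style policy-based routing; this is an added example, not part of the STIG, and a router ACL can only approximate the traffic classes by port. Assumed values: EBC address 192.0.2.10, data firewall next hop 192.0.2.20, WAN-facing interface GigabitEthernet0/0, AS-SIP-TLS on TCP 5061 (the standard SIPS port), and a site-specific SRTP/SRTCP media range of UDP 16384-32767.

```cisco
! Added example (not from the STIG). Assumed addresses, interface and media range; see lead-in.
!
! Weak setting: no policy. The default routing table forwards every inbound packet
! addressed to the EBC straight to it, so non-VVoIP traffic can load the EBC.
!
! Corrected setting: anything addressed to the EBC that is NOT AS-SIP-TLS or SRTP/SRTCP
! is redirected to the data firewall. In a route-map ACL, "deny" means "do not match",
! so the VVoIP flows fall through to normal routing and still reach the EBC.
ip access-list extended EBC_NON_VVOIP
 deny   tcp any host 192.0.2.10 eq 5061
 deny   udp any host 192.0.2.10 range 16384 32767
 permit ip  any host 192.0.2.10
!
route-map REDIRECT_NON_VVOIP permit 10
 match ip address EBC_NON_VVOIP
 set ip next-hop 192.0.2.20
!
interface GigabitEthernet0/0
 description DISN WAN facing
 ip policy route-map REDIRECT_NON_VVOIP
!
! Check: "show route-map REDIRECT_NON_VVOIP" should show policy-routed packet counters
! rising only for non-VVoIP traffic, while AS-SIP-TLS signaling still arrives at the EBC.
```

Per the check text, this policy is only needed when the EBC and the data firewall are reached via different IP addresses.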