
A deny-by-default ACL is not implemented on all VVoIP endpoint (hardware and software) VLAN interface(s) on the VVoIP core routing device(s) (as defined in the VVoIP system ACL design) to properly control VVoIP endpoint access and traffic flow.


Overview

Finding ID: V-19635
Version: VVoIP 5600 (LAN)
Rule ID: SV-21776r1_rule
IA Controls: ECSC-1
Severity: Medium
Description
Router ACLs are required to control access and the flow of traffic to and from VVoIP system devices and their VLANs as a protection mechanism. In general, the defined ACLs are designed in a deny-by-default manner such that only the protocols and traffic that need to reach the device or devices in the VLAN are passed. The ACLs filter on VLAN, IP address/subnet, protocol type, and the standard IP port associated with the protocol. In general, the ACLs mentioned are egress filters (referenced from the router core) on the VLAN interfaces. Additionally, the routing devices should log and alarm on inappropriate traffic. An example of this is an HTTP request sourced from the data VLAN(s) to the endpoint or media gateway VLAN(s). The primary purpose of the ACL on all VVoIP VLAN interface(s) is to block traffic to/from the data VLAN interface(s). Similar restrictions are placed on a dedicated VTC VLAN interface; however, VVoIP media and signaling are permitted in the event a VTC unit needs to communicate with the UC system.
STIG: Voice/Video over Internet Protocol STIG
Date: 2015-01-05

Details

Check Text (C-23961r1_chk)
Interview the IAO to obtain the required information (VVoIP system ACL Design) to determine compliance with the requirement in the next step adjusted for the actual system design.

NOTE: This requirement addresses the following VLANs at the VVoIP system core:
> Hardware endpoints (End Instruments (EI)): multiple VLANs, generally in parallel with the data LAN VLANs, the number of which is dependent on the size of the LAN and on the reduction of broadcast domains required by good LAN design. For small networks there will be a minimum of one.
> Software endpoints on workstations: multiple VLANs, as with hardware endpoints.

Fix Text (F-20339r1_fix)
Ensure a deny-by-default ACL is implemented on all VVoIP endpoint (hardware and software) VLAN interface(s) at the VVoIP core routing device (as defined in the VVoIP system ACL design) to control traffic as follows:
> EI Config / registration - Permit (only as required for proper functionality) the specific system required endpoint registration / configuration protocols/traffic (e.g., DHCP, BootP, TFTP, FTP, HTTP, DNS, etc.) to/from the core control equipment VLAN interface(s) (VLAN/subnet).
> EI Signaling - Permit (only as required for proper functionality) the specific system required endpoint signaling protocols/traffic (e.g., AS-SIP, H.323, vendor proprietary such as SCCP, UniStim, etc.) to/from the core control equipment VLAN interface(s) (VLAN/subnet(s)).
> EI Directory - Permit (only as required for proper functionality) the specific system required endpoint directory access protocols (e.g., HTTP and/or potentially others) to/from the core control equipment VLAN interface(s).
> EI Media - Permit Media protocols/traffic (RTP/RTCP, SRTP/SRTCP) to/from the Media Gateway VLAN interface(s) (VLAN/subnet(s)).
> EI Media - Permit Media protocols/traffic (RTP/RTCP, SRTP/SRTCP) to/from the Voicemail/Unified Messaging VLAN interface(s) (VLAN/subnet(s)).
> EI Media - Permit Media protocols/traffic (RTP/RTCP, SRTP/SRTCP) to/from other endpoint VLAN interface(s) (VLAN/subnet(s)) wherever they intersect.
> Deny all other traffic. End the ACL with a “deny all” statement.

This is a finding if an ACL is not implemented generally as defined above, allowing for adjustment to the specific VVoIP system design and the protocols it uses.
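As an added illustration, not part of the STIG or of any site's ACL design, the Python below models the Fix Text list as an ordered, first-match ACL for the EI VLAN interface and evaluates sample flows against it, including the Description's example of an HTTP request from the data VLAN to the endpoint VLAN; it also applies the Check Text condition that the list must close with an explicit deny-all. The VLAN names, subnets and port numbers are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Constructed VLAN/subnet plan for this example; the STIG leaves the real
# addressing to the site's VVoIP system ACL design.
VLANS = {
    "ei": ip_network("10.20.0.0/24"),       # hardware/software endpoints
    "control": ip_network("10.10.0.0/24"),  # core call control equipment
    "mgw": ip_network("10.30.0.0/24"),      # media gateway
    "data": ip_network("192.168.50.0/24"),  # user data VLAN
}
def on_vlan(name, ip):
    return name == "any" or ip in VLANS[name]

@dataclass(frozen=True)
class Rule:
    action: str    # "permit" or "deny"
    proto: str     # "tcp", "udp" or "any"
    vlan_a: str    # VLAN names; "any" matches everything. Fix Text entries
    vlan_b: str    # are "to/from", so a rule matches a<->b in both directions
    ports: tuple   # inclusive destination port range, or None for any port
    log: bool = False
    def matches(self, proto, src, dst, dport):
        if self.proto not in ("any", proto):
            return False
        if self.ports and not (self.ports[0] <= dport <= self.ports[1]):
            return False
        return (on_vlan(self.vlan_a, src) and on_vlan(self.vlan_b, dst)) or \
               (on_vlan(self.vlan_b, src) and on_vlan(self.vlan_a, dst))

# EI VLAN ACL, one entry per Fix Text item; ports are well-known ports chosen here, not from the STIG.
EI_VLAN_ACL = [
    Rule("permit", "udp", "ei", "control", (67, 69)),      # DHCP/BootP/TFTP registration
    Rule("permit", "tcp", "ei", "control", (80, 80)),      # HTTP configuration / directory
    Rule("permit", "tcp", "ei", "control", (5060, 5061)),  # SIP / AS-SIP signaling
    Rule("permit", "udp", "ei", "mgw", (16384, 32767)),    # RTP/RTCP media to media gateway
    Rule("deny", "any", "any", "any", None, log=True),     # explicit, logged deny-all
]

def evaluate(acl, proto, src, dst, dport):
    """First-match evaluation; returns (action, logged)."""
    s, d = ip_address(src), ip_address(dst)
    for rule in acl:
        if rule.matches(proto, s, d, dport):
            return rule.action, rule.log
    return "deny", False  # implicit deny: dropped, but never logged or alarmed

def ends_with_deny_all(acl):
    """Check Text condition: the ACL must close with an explicit deny-all."""
    last = acl[-1]
    return (last.action == "deny" and last.proto == "any" and last.ports is None
            and last.vlan_a == "any" and last.vlan_b == "any")
```

Dropping the final entry still denies the stray HTTP request, but silently, which is why the Check Text insists on the explicit, logged deny-all rather than relying on the implicit one.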