A deny-by-default ACL is not implemented on the VVoIP Local Session Controller (LSC) VLAN interface(s) on the VVoIP routing device(s) supporting the VVoIP system core (as defined in the VVoIP system ACL design) to properly control VVoIP LSC access and traffic flow.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-19637	VVoIP 5610 (LAN)	SV-21778r1_rule	ECSC-1	Medium

Description
Router ACLs are required to control access and the flow of traffic to and from VVoIP system devices and their VLANs as a protection mechanism. In general, the defined ACLs are designed in a deny-by-default manner such that only the protocols and traffic that needs to reach the device or devices in the VLAN receive the packets. The ACLs filter on VLAN, IP address / subnet, protocol type, and associated standard IP port for the protocol. In general, the ACLs mentioned are egress filters (referenced the router core) on the VLAN interfaces. Additionally, the routing devices should send an alarm in response to inappropriate traffic and log the occurrence. An example of this is an HTTP request sourced from the data VLAN(s) to the endpoint or media gateway VLAN(s). The primary purpose of ACL on all VVoIP VLAN interface(s) is to block traffic to/from the data VLAN interface(s). Similar restrictions are placed on a dedicated VTC VLAN interface, however, VVoIP media and signaling is permitted in the event a VTC unit needs to communicate with the UC system.

Description

Router ACLs are required to control access and the flow of traffic to and from VVoIP system devices and their VLANs as a protection mechanism. In general, the defined ACLs are designed in a deny-by-default manner such that only the protocols and traffic that needs to reach the device or devices in the VLAN receive the packets. The ACLs filter on VLAN, IP address / subnet, protocol type, and associated standard IP port for the protocol. In general, the ACLs mentioned are egress filters (referenced the router core) on the VLAN interfaces. Additionally, the routing devices should send an alarm in response to inappropriate traffic and log the occurrence. An example of this is an HTTP request sourced from the data VLAN(s) to the endpoint or media gateway VLAN(s). The primary purpose of ACL on all VVoIP VLAN interface(s) is to block traffic to/from the data VLAN interface(s). Similar restrictions are placed on a dedicated VTC VLAN interface, however, VVoIP media and signaling is permitted in the event a VTC unit needs to communicate with the UC system.

STIG	Date
Voice/Video over Internet Protocol STIG	2015-01-05

Details

Check Text ( C-23967r1_chk )
Interview the IAO to obtain the required information (VVoIP system ACL Design) to determine compliance with the requirement in the next step adjusted for the actual system design. NOTE: This requirement addresses the following VLANs at all routing devices supporting the VVoIP system core: LSC etc > VVoIP system core control equipment containing the LSC, endpoint configuration server, and DHCP server if used, etc.

Check Text ( C-23967r1_chk )

Interview the IAO to obtain the required information (VVoIP system ACL Design) to determine compliance with the requirement in the next step adjusted for the actual system design.

NOTE: This requirement addresses the following VLANs at all routing devices supporting the VVoIP system core:
LSC etc > VVoIP system core control equipment containing the LSC, endpoint configuration server, and DHCP server if used, etc.

Fix Text (F-20341r1_fix)
Ensure a deny-by-default ACL is implemented on the VVoIP Local Session Controller (LSC) VLAN interface(s) on the VVoIP routing devices supporting the VVoIP system core equipment directly to control traffic as follows: EI CONF > Permit (only as required for proper functionality) the specific system required endpoint registration / configuration protocols/traffic (e.g., DHCP, BootP, TFTP, FTP, HTTP, DNS, etc) to/from the endpoint VLAN interface(s) (VLAN/subnet(s)). EI SIG > Permit (only as required for proper functionality) the specific system required endpoint signaling protocols/traffic (e.g., AS-SIP, H.323, vendor proprietary such as SCCP, UniStim, etc) to/from the endpoint VLAN interface(s) (VLAN/subnet(s)). EI DIR > Permit (only as required for proper functionality) the specific system required endpoint directory access protocols (e.g., HTTP and/or potentially others) to/from the endpoint VLAN interface(s). MG > Permit (only as required for proper functionality) the specific system required signaling protocol(s) used by the media gateway (e.g., MGCP, H.248, H.323, AS-SIP) to/from the VVoIP media gateway VLAN interface(s) (VLAN/subnet(s)). SG > Permit (only as required for proper functionality and the VLAN exists) the specific system required signaling protocol(s) used by the signaling gateway (e.g., MGCP, H.248, H.323, AS-SIP) to/from the VVoIP signaling gateway VLAN interface(s) (VLAN/subnet(s)) EBC > Permit (only as required for proper functionality and the VLAN exists) the specific signaling protocol(s) used by the Edge Boundary Controller (AS-SIP) to/from the VVoIP EBC VLAN interface(s) (VLAN(s) / subnet). CER > Permit (only as required for proper functionality) the specific signaling or management protocol(s) used to communicate with the Customer Edge (Premises / enclave perimeter) Router for NETOPS etc (e.g., SNMP and potentially others) to/from the VVoIP data mgmt VLAN interface(s), OOB management LAN, or data network VLAN interface(s) (VLAN(s) / subnet) via data mgmt VLAN, OOB management LAN, or data network. UM > Permit the specific signaling protocol(s) used by the Voicemail/Unified Messaging server(s) (e.g., AS-SIP, H.323, vendor proprietary such as SCCP, UniStim, etc) to/from the VVoIP Voicemail or Unified Messaging server VLAN interface(s) (VLAN(s) / subnet). UC > Permit (only as required for proper functionality and the VLAN exists) the specific signaling protocol(s) used by any unified communications server(s) (e.g., AS-SIP, H.323, vendor proprietary such as SCCP, UniStim, etc) to/from the VVoIP UC server VLAN interface(s) (VLAN(s) / subnet). ONLY IF REQUIRED > Permit Media protocols/traffic (RTP/RTCP, SRTP/SRTCP) to/from the endpoint VLAN interface(s) (VLAN/subnet(s)). > Permit Media protocols/traffic (RTP/RTCP, SRTP/SRTCP) to/from the Media Gateway VLAN interface(s) (VLAN/subnet(s)). > Permit Media protocols/traffic (RTP/RTCP, SRTP/SRTCP) to/from the Voicemail/Unified Messaging VLAN interface(s) (VLAN/subnet(s)). NOTE: Call control equipment does not typically process media therefore there is typically no need to permit this traffic and thereby provide a potential attack vector. > Permit only those other protocols/traffic between specific VLANs, subnets, and devices as required for the system to properly function. > Deny all other traffic. End the ACL with a “deny all” statement. NOTE: The ACLs must mirror the ACLs imposed for access to/from each of the mating VLAN(s) based on the protocols that VLAN accepts. This is a finding in the event an ACL is not implemented generally as defined above but which may be or is adjusted for the specific VVoIP system design and protocols used.

Fix Text (F-20341r1_fix)

Ensure a deny-by-default ACL is implemented on the VVoIP Local Session Controller (LSC) VLAN interface(s) on the VVoIP routing devices supporting the VVoIP system core equipment directly to control traffic as follows:
EI CONF > Permit (only as required for proper functionality) the specific system required endpoint registration / configuration protocols/traffic (e.g., DHCP, BootP, TFTP, FTP, HTTP, DNS, etc) to/from the endpoint VLAN interface(s) (VLAN/subnet(s)).
EI SIG > Permit (only as required for proper functionality) the specific system required endpoint signaling protocols/traffic (e.g., AS-SIP, H.323, vendor proprietary such as SCCP, UniStim, etc) to/from the endpoint VLAN interface(s) (VLAN/subnet(s)).
EI DIR > Permit (only as required for proper functionality) the specific system required endpoint directory access protocols (e.g., HTTP and/or potentially others) to/from the endpoint VLAN interface(s).
MG > Permit (only as required for proper functionality) the specific system required signaling protocol(s) used by the media gateway (e.g., MGCP, H.248, H.323, AS-SIP) to/from the VVoIP media gateway VLAN interface(s) (VLAN/subnet(s)).
SG > Permit (only as required for proper functionality and the VLAN exists) the specific system required signaling protocol(s) used by the signaling gateway (e.g., MGCP, H.248, H.323, AS-SIP) to/from the VVoIP signaling gateway VLAN interface(s) (VLAN/subnet(s))
EBC > Permit (only as required for proper functionality and the VLAN exists) the specific signaling protocol(s) used by the Edge Boundary Controller (AS-SIP) to/from the VVoIP EBC VLAN interface(s) (VLAN(s) / subnet).
CER > Permit (only as required for proper functionality) the specific signaling or management protocol(s) used to communicate with the Customer Edge (Premises / enclave perimeter) Router for NETOPS etc (e.g., SNMP and potentially others) to/from the VVoIP data mgmt VLAN interface(s), OOB management LAN, or data network VLAN interface(s) (VLAN(s) / subnet) via data mgmt VLAN, OOB management LAN, or data network.
UM > Permit the specific signaling protocol(s) used by the Voicemail/Unified Messaging server(s) (e.g., AS-SIP, H.323, vendor proprietary such as SCCP, UniStim, etc) to/from the VVoIP Voicemail or Unified Messaging server VLAN interface(s) (VLAN(s) / subnet).
UC > Permit (only as required for proper functionality and the VLAN exists) the specific signaling protocol(s) used by any unified communications server(s) (e.g., AS-SIP, H.323, vendor proprietary such as SCCP, UniStim, etc) to/from the VVoIP UC server VLAN interface(s) (VLAN(s) / subnet).
ONLY IF REQUIRED
> Permit Media protocols/traffic (RTP/RTCP, SRTP/SRTCP) to/from the endpoint VLAN interface(s) (VLAN/subnet(s)).
> Permit Media protocols/traffic (RTP/RTCP, SRTP/SRTCP) to/from the Media Gateway VLAN interface(s) (VLAN/subnet(s)).
> Permit Media protocols/traffic (RTP/RTCP, SRTP/SRTCP) to/from the Voicemail/Unified Messaging VLAN interface(s) (VLAN/subnet(s)).
NOTE: Call control equipment does not typically process media therefore there is typically no need to permit this traffic and thereby provide a potential attack vector.
> Permit only those other protocols/traffic between specific VLANs, subnets, and devices as required for the system to properly function.
> Deny all other traffic. End the ACL with a “deny all” statement.
NOTE: The ACLs must mirror the ACLs imposed for access to/from each of the mating VLAN(s) based on the protocols that VLAN accepts.

This is a finding in the event an ACL is not implemented generally as defined above but which may be or is adjusted for the specific VVoIP system design and protocols used.