UCF STIG Viewer Logo

A deny-by-default ACL is not implemented on the VVoIP Edge Boundary Controller (EBC) VLAN interface(s) on the VVoIP routing device(s) supporting the VVoIP system core (as defined in the VVoIP system ACL design) to properly control VVoIP LSC access and traffic flow.


Overview

Finding ID Version Rule ID IA Controls Severity
V-19640 VVoIP 5625 (LAN) SV-21781r1_rule ECSC-1 Medium
Description
Router ACLs are required to control access and the flow of traffic to and from VVoIP system devices and their VLANs as a protection mechanism. In general the defined ACLs are designed in a deny-by-default manner such that only the protocols and traffic that needs to reach the device or devices in the VLAN receive the packets. The ACLs filter on VLAN, IP address / subnet, protocol type, and associated standard IP port for the protocol. In general the ACLs mentioned are egress filters (referenced the router core) on the VLAN interfaces. Additionally, the routing devices should log and alarm on inappropriate traffic. An example of this is an HTTP request sourced from the data VLAN(s) to the endpoint or media gateway VLAN(s). The primary purpose of ACL on all VVoIP VLAN interface(s) is to block traffic to/from the data VLAN interface(s). Similar restrictions are placed on a dedicated VTC VLAN interface, however, VVoIP media and signaling is permitted in the event a VTC unit needs to communicate with the UC system
STIG Date
Voice/Video over Internet Protocol STIG 2015-01-05

Details

Check Text ( C-23976r1_chk )
Interview the IAO to obtain the required information (VVoIP system ACL Design) to determine compliance with the requirement in the next step adjusted for the actual system design.

NOTE: This requirement addresses the following VLANs at all routing devices supporting the VVoIP system core:
EBC > DoD WAN access VVoIP firewall (EBC or other).


Fix Text (F-20344r1_fix)
Ensure a deny-by-default ACL is implemented on the VVoIP Edge Boundary Controller (EBC) VLAN or firewall VLAN interface(s) on the VVoIP routing devices supporting the VVoIP system core equipment directly to control traffic as follows:
> Permit Media protocols/traffic (RTP/RTCP, SRTP/SRTCP) to/from the endpoint VLAN interface(s) (VLAN/subnet(s)).
> Permit (only as required for proper functionality) the specific system required signaling protocol(s) used by the LSC ((e.g., H.323, SIP, AS-SIP) to/from the VVoIP core control equipment VLAN interface(s) (VLAN/subnet(s)).
> Deny all other traffic. End the ACL with a “deny all” statement.

This is a finding in the event an ACL is not implemented generally as defined above, but which may be or is adjusted, for the specific VVoIP system design and protocols used.