A deny-by-default ACL is not implemented on the VVoIP system management VLAN interface(s) on the VVoIP routing device(s) supporting the VVoIP system core (as defined in the VVoIP system ACL design) to properly control VVoIP LSC access and traffic flow.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-19644	VVoIP 5645 (LAN)	SV-21785r1_rule	ECSC-1	Medium

Description
Router ACLs are required to control access and the flow of traffic to and from VVoIP system devices and their VLANs as a protection mechanism. In general, the defined ACLs are designed in a deny-by-default manner such that only the protocols and traffic that needs to reach the device or devices in the VLAN receive the packets. The ACLs filter on VLAN, IP address / subnet, protocol type, and associated standard IP port for the protocol. In general, the ACLs mentioned are egress filters (referenced the router core) on the VLAN interfaces. Additionally, the routing devices should log and alarm on inappropriate traffic. An example of this is an HTTP request sourced from the data VLAN(s) to the endpoint or media gateway VLAN(s). The primary purpose of ACL on all VVoIP VLAN interface(s) is to block traffic to/from the data VLAN interface(s). Similar restrictions are placed on a dedicated VTC VLAN interface, however, VVoIP media and signaling is permitted in the event a VTC unit needs to communicate with the UC system.

Description

Router ACLs are required to control access and the flow of traffic to and from VVoIP system devices and their VLANs as a protection mechanism. In general, the defined ACLs are designed in a deny-by-default manner such that only the protocols and traffic that needs to reach the device or devices in the VLAN receive the packets. The ACLs filter on VLAN, IP address / subnet, protocol type, and associated standard IP port for the protocol. In general, the ACLs mentioned are egress filters (referenced the router core) on the VLAN interfaces. Additionally, the routing devices should log and alarm on inappropriate traffic. An example of this is an HTTP request sourced from the data VLAN(s) to the endpoint or media gateway VLAN(s). The primary purpose of ACL on all VVoIP VLAN interface(s) is to block traffic to/from the data VLAN interface(s). Similar restrictions are placed on a dedicated VTC VLAN interface, however, VVoIP media and signaling is permitted in the event a VTC unit needs to communicate with the UC system.

STIG	Date
Voice/Video over Internet Protocol STIG	2015-01-05

Details

Check Text ( C-23988r1_chk )
Interview the IAO to obtain the required information (VVoIP system ACL Design) to determine compliance with the requirement in the next step adjusted for the actual system design. NOTE: This requirement addresses the following VLANs at all routing devices supporting the VVoIP system core: Management: > VVoIP system management VLAN which is separate from the general LAN management VLAN.

Fix Text (F-20348r1_fix)
Ensure a deny-by-default ACL is implemented on the VVoIP system management VLAN interface(s) on the VVoIP routing devices supporting the VVoIP system core equipment directly to control traffic as follows: > Deny access to the VVoIP system management VLAN from the VVoIP endpoint and core equipment production VLANs > Deny access to the VVoIP system management VLAN from the general data production VLANs > Deny general access to the VVoIP system management VLAN from the general LAN management VLAN and any other management VLAN > Permit access to the VVoIP system management VLAN from other management VLANs, NOC VPNs, and enterprise management/monitoring networks as specifically required to meet mission and NETOPS requirements. Such permissions will be based on the specific IP addresses (or limited address ranges) requiring access > Permit only those ports and protocols specifically required to meet mission and NETOPS requirements This is a finding in the event an ACL is not implemented generally as defined above but which may be or is adjusted for the specific VVoIP system design and protocols used.

Fix Text (F-20348r1_fix)

Ensure a deny-by-default ACL is implemented on the VVoIP system management VLAN interface(s) on the VVoIP routing devices supporting the VVoIP system core equipment directly to control traffic as follows:
> Deny access to the VVoIP system management VLAN from the VVoIP endpoint and core equipment production VLANs
> Deny access to the VVoIP system management VLAN from the general data production VLANs
> Deny general access to the VVoIP system management VLAN from the general LAN management VLAN and any other management VLAN
> Permit access to the VVoIP system management VLAN from other management VLANs, NOC VPNs, and enterprise management/monitoring networks as specifically required to meet mission and NETOPS requirements. Such permissions will be based on the specific IP addresses (or limited address ranges) requiring access
> Permit only those ports and protocols specifically required to meet mission and NETOPS requirements

This is a finding in the event an ACL is not implemented generally as defined above but which may be or is adjusted for the specific VVoIP system design and protocols used.