
The data network perimeter protection (data firewall function) is NOT configured to protect the VVoIP VLANS by blocking all but specifically permitted traffic destined to or sourced from the Voice VLAN IP Address space and VLANs


Overview

Finding ID: V-19661
Version: VVoIP 6200 (DISN-IPVS)
Rule ID: SV-21802r1_rule
IA Controls: EBBD-1, EBBD-2, EBBD-3, ECSC-1
Severity: High
Description
See the discussion regarding the design of the enclave boundary when using VVoIP within the enclave. The following is a summary: the typical data firewall does not adequately protect the enclave when permitting VVoIP to traverse the boundary. Furthermore, this firewall breaks VVoIP call completion, particularly if NAT/NAPT is implemented. To properly protect the enclave when implementing VVoIP across the boundary, a specific set of processes and protections is required, as discussed earlier. For the purpose of this document, this set of processes and protections is referred to as the VVoIP firewall function. These are different from the data firewall processes and protections, which are referred to as the data firewall function. These sets of processes and protections are defined as functions and not as discrete devices. This is primarily because, as firewall platforms and their computing processors become faster and more robust, we do not want to limit the DoD from implementing a vendor's product that can effectively support both sets of functions on the same platform.

The data firewall function plays a part in the protection of the VVoIP sub-enclave within the LAN, while the VVoIP firewall function protects the entire enclave while permitting the VVoIP system to function properly. As such, the data firewall function must block all traffic to/from the VVoIP VLANs and/or address space except as follows:
• Signaling, media, registration protocols, UC protocols, etc., to/from a remote endpoint entering the enclave via a properly authenticated VPN tunnel. In this case, such traffic is blocked from the data VLAN(s) and routed to the VVoIP VLANs unless there is an EBC (VoIP firewall), in which case session traffic must be routed through the EBC.
• Management traffic to/from a remote NOC destined for the VVoIP management VLAN address space. In this case, the data firewall and IDS inspect this traffic before it is routed to the VVoIP management VLAN. Such routing must block all traffic from the data VLAN/subnets and the general data network management VLAN(s).
• Protected LSC to LSC communications (e.g., database replication) between LSCs that are clustered across the WAN.
• The enclave is connected to a limited access / closed WAN (e.g., a classified WAN) AND the WAN has a dedicated address space for VVoIP (e.g., SIPRNet). In this case the VVoIP traffic may pass through the data firewall, provided the permitted traffic is limited to/from the dedicated WAN address space and then routed to the internal VVoIP VLANs.
STIG: Voice/Video over Internet Protocol STIG
Date: 2015-01-05

Details

Check Text ( C-24027r1_chk )
Interview the IAO to confirm compliance with the following requirement:

Ensure the data network perimeter protection (data firewall function) is configured to block all traffic to/from the VVoIP VLANs and/or address space except as follows:
• Signaling, media, registration protocols, UC protocols, etc., to/from a remote endpoint entering the enclave via a properly authenticated VPN tunnel. In this case, such traffic is blocked from the data VLAN(s) and routed to the VVoIP VLANs unless there is an EBC (VoIP firewall), in which case session traffic must be routed through the EBC.
• Management traffic to/from a remote NOC destined for the VVoIP management VLAN address space. In this case, the data firewall and IDS inspect this traffic before it is routed to the VVoIP management VLAN. Such routing must block all traffic from the data VLAN/subnets and the general data network management VLAN(s).
• Protected LSC to LSC communications (e.g., database replication) between LSCs that are clustered across the WAN.
• The enclave is connected to a limited access / closed WAN (e.g., a classified WAN) AND the WAN has a dedicated address space for VVoIP (e.g., SIPRNet). In this case the VVoIP traffic may pass through the data firewall, provided the permitted traffic is limited to/from the dedicated WAN address space and then routed to the internal VVoIP VLANs.

Fix Text (F-20366r1_fix)
Ensure the data network perimeter protection (data firewall function) is configured to block all traffic to/from the VVoIP VLANs and/or address space except as follows:
• Signaling, media, registration protocols, UC protocols, etc., to/from a remote endpoint entering the enclave via a properly authenticated VPN tunnel. In this case, such traffic is blocked from the data VLAN(s) and routed to the VVoIP VLANs unless there is an EBC (VoIP firewall), in which case session traffic must be routed through the EBC.
• Management traffic to/from a remote NOC destined for the VVoIP management VLAN address space. In this case, the data firewall and IDS inspect this traffic before it is routed to the VVoIP management VLAN. Such routing must block all traffic from the data VLAN/subnets and the general data network management VLAN(s).
• Protected LSC to LSC communications (e.g., database replication) between LSCs that are clustered across the WAN.
• The enclave is connected to a limited access / closed WAN (e.g., a classified WAN) AND the WAN has a dedicated address space for VVoIP (e.g., SIPRNet). In this case the VVoIP traffic may pass through the data firewall, provided the permitted traffic is limited to/from the dedicated WAN address space and then routed to the internal VVoIP VLANs.
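The default-deny rule and its four exceptions, as stated in the Description and the Fix Text above, can be expressed as a small policy model that an auditor can run against sample flows before translating it into a vendor's ACL syntax. The following is an added example written for this page; it is not DISA's code and not any firewall's configuration language. The address plan (voice VLAN space, VVoIP management VLAN, data VLANs, VPN client pool, remote NOC, peer LSC, closed-WAN VVoIP space) is constructed, and only SIP/SIPS signaling ports are modelled as "session" traffic; media port ranges and the actual encryption of LSC-to-LSC replication are left to the VVoIP devices themselves.

```python
"""Policy model of the data-firewall rules required by V-19661 (added example).

All addresses below are a constructed address plan; substitute the site's own.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# --- Constructed enclave address plan (assumption, not from the STIG) ---
VVOIP_SPACE = ip_network("10.10.0.0/16")            # Voice VLAN IP address space
VVOIP_MGMT_VLAN = ip_network("10.10.250.0/24")      # VVoIP management VLAN (inside VVOIP_SPACE)
DATA_SPACE = ip_network("10.20.0.0/16")             # general data VLAN(s)
DATA_MGMT_VLAN = ip_network("10.20.250.0/24")       # general data network management VLAN
VPN_REMOTE_ENDPOINTS = ip_network("172.16.99.0/24")  # pool for authenticated VPN-tunnel endpoints
REMOTE_NOC = ip_network("192.0.2.0/24")             # remote NOC
LOCAL_LSC = ip_address("10.10.1.10")                # this enclave's LSC
PEER_LSCS = {ip_address("198.51.100.10")}           # LSCs clustered with ours across the WAN
CLOSED_WAN_VVOIP_SPACE = ip_network("203.0.113.0/24")  # dedicated VVoIP space on a closed WAN

# Signaling/registration ports treated as VVoIP session traffic (assumed SIP/SIPS).
SESSION_PORTS = {5060, 5061}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


def decide(flow: Flow, ebc_present: bool = False, closed_wan: bool = False) -> str:
    """Return the data-firewall verdict for one flow touching the VVoIP space.

    Verdicts: "BLOCK", "ALLOW->vvoip_vlan", "ALLOW->ebc", "ALLOW->ids->vvoip_mgmt",
    or "OUT_OF_SCOPE" when neither endpoint is in the voice address space.
    """
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    src_voice, dst_voice = src in VVOIP_SPACE, dst in VVOIP_SPACE
    if not (src_voice or dst_voice):
        return "OUT_OF_SCOPE"          # ordinary data-firewall policy applies

    # Orient the flow: 'local' is the voice-space side, 'remote' the other side.
    local, remote = (src, dst) if src_voice else (dst, src)

    # Data VLANs and the data management VLAN never reach the voice space.
    if remote in DATA_SPACE or remote in DATA_MGMT_VLAN:
        return "BLOCK"

    # Exception 1: session traffic to/from an authenticated VPN-tunnel endpoint,
    # routed to the VVoIP VLANs, or through the EBC when one is deployed.
    if (remote in VPN_REMOTE_ENDPOINTS and local not in VVOIP_MGMT_VLAN
            and ({flow.sport, flow.dport} & SESSION_PORTS)):
        return "ALLOW->ebc" if ebc_present else "ALLOW->vvoip_vlan"

    # Exception 2: remote NOC management traffic to the VVoIP management VLAN,
    # inspected by the firewall and IDS before it is routed.
    if remote in REMOTE_NOC and local in VVOIP_MGMT_VLAN:
        return "ALLOW->ids->vvoip_mgmt"

    # Exception 3: clustered LSC-to-LSC traffic. The firewall pins the address
    # pair; the LSCs themselves are expected to protect the session (e.g. TLS).
    if local == LOCAL_LSC and remote in PEER_LSCS:
        return "ALLOW->vvoip_vlan"

    # Exception 4: closed WAN with a dedicated VVoIP address space.
    if closed_wan and remote in CLOSED_WAN_VVOIP_SPACE:
        return "ALLOW->vvoip_vlan"

    return "BLOCK"


if __name__ == "__main__":
    # Constructed sample flows exercising each rule.
    samples = [
        Flow("10.20.5.5", "10.10.3.3", "udp", 40000, 5060),      # data VLAN -> phone
        Flow("172.16.99.7", "10.10.3.3", "udp", 5060, 5060),     # VPN endpoint -> phone
        Flow("192.0.2.9", "10.10.250.20", "tcp", 50000, 22),     # NOC -> VVoIP mgmt
        Flow("198.51.100.10", "10.10.1.10", "tcp", 50000, 5432), # peer LSC -> LSC
        Flow("203.0.113.44", "10.10.3.3", "udp", 5060, 5060),    # closed-WAN space -> phone
    ]
    for f in samples:
        print(f"{f.src:>15} -> {f.dst:<13} {f.proto}/{f.dport:<5} {decide(f)}")
```

Every flow that is not explicitly matched by one of the four exceptions falls through to BLOCK, which is the property the check text asks the IAO to confirm. Running the model with `ebc_present=True` shows the VPN session traffic being steered to the EBC instead of straight into the voice VLANs, and with `closed_wan=True` the dedicated WAN space becomes reachable while everything else stays blocked.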