
The CER is NOT configured to filter inbound AS-SIP-TLS traffic addressed to the local EBC based on the source address of the signaling messages as part of a layered defense.


Overview

Finding ID: V-19664
Version: VVoIP 6215 (DISN-IPVS)
Rule ID: SV-21805r1_rule
IA Controls: ECSC-1
Severity: Low
Description
The CER (premise or perimeter) router is the first line of defense at the gateway to the enclave or LAN; the data firewall and the VVoIP firewall (EBC) functions are the second line of defense. Because the VVoIP firewall function only processes VVoIP traffic, in the form of AS-SIP-TLS and SRTP/SRTCP packets, the CER should forward only these packets to the VVoIP firewall, so that it is better protected from being overloaded and causing a denial of service. An additional filter the CER can apply to help prevent a denial of service is to filter AS-SIP-TLS packets on their source address. Within the DISN IPVS network, LSCs are only to signal with their assigned MFSS and its backup; MFSSs, in turn, are only to signal with the LSCs for which they are primary or backup, and with other MFSSs. To support this, the EBC is required to authenticate the source of, and validate the integrity of, the signaling packets it receives and to process only authenticated and valid packets, so that it signals only with the appropriate devices. Even so, the EBC could be flooded and overloaded with too many unauthenticated or invalid signaling packets, a situation that could cause a DoS. The CER can help prevent this by stopping signaling packets that are not sourced from authorized devices from ever reaching the EBC. This is part of a layered defense.
STIG: Voice/Video over Internet Protocol STIG
Date: 2015-01-05

Details

Check Text (C-24034r1_chk)
Interview the IAO to confirm compliance with the following requirement:

If the VVoIP system connects to the DISN WAN for VVoIP transport between enclaves AND the system is intended to provide assured service communications to any level of C2 user (Special C2, C2, C2(R)), ensure the required CER is configured to filter inbound AS-SIP-TLS traffic addressed to the local EBC based on the source address of the signaling messages. Permit inbound only those signaling messages sourced as follows:
> If the enclave contains one or more LSCs, filter on the IP addresses of the EBCs fronting the primary MFSS and secondary (backup) MFSSs with which the enclave is associated.
> If the enclave contains an MFSS, filter on the IP addresses of all of the EBCs fronting the LSCs that are associated with the given MFSS.

Determine the following:
> If the enclave contains LSCs, determine the IP addresses of the EBCs fronting the primary and backup MFSSs to which the enclave is assigned, or with which the LSC is to exchange signaling messages.
> If the enclave contains an MFSS, determine the IP addresses of the EBCs fronting the LSCs with which it is to signal. Additionally, determine the IP addresses of the EBCs fronting the other MFSSs.

Fix Text (F-20370r1_fix)
Ensure the required CER is configured to filter inbound AS-SIP-TLS traffic addressed to the local EBC based on the source address of the signaling messages. Permit inbound only those signaling messages sourced as follows:
> If the enclave contains one or more LSCs, filter on the IP addresses of the primary MFSS and secondary (backup) MFSSs with which the enclave is associated.
> If the enclave contains an MFSS, filter on the IP addresses of all of the LSCs that are associated with the given MFSS.
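The following is an added example (not DISA's, nor any router vendor's, code) that models the source-address filter the Description and Fix Text call for: it derives the authorized peer EBC addresses from the enclave's role (LSC or MFSS), builds an ordered permit-then-deny ACL for signaling addressed to the local EBC, renders it in Cisco IOS-style syntax for illustration, and evaluates sample packets with first-match semantics. It assumes AS-SIP-TLS signaling uses TCP port 5061; all addresses are constructed placeholders.

```python
"""Model of the CER inbound source-address filter for AS-SIP-TLS that this
rule requires. Added example, not DISA's or any vendor's code. Assumptions:
AS-SIP-TLS signaling is TCP/5061, and every address below is a constructed
placeholder, not a real DISN IPVS address."""
from ipaddress import ip_address

AS_SIP_TLS_PORT = 5061  # assumed port for TLS-protected SIP signaling

def peer_ebcs(role, peers):
    """EBC addresses the local EBC may receive signaling from.
    role: 'LSC' or 'MFSS'; peers maps peer kind -> list of EBC addresses."""
    if role == "LSC":      # an LSC signals only with its primary and backup MFSS
        kinds = ("primary_mfss", "backup_mfss")
    elif role == "MFSS":   # an MFSS signals with its LSCs and with other MFSSs
        kinds = ("lscs", "other_mfss")
    else:
        raise ValueError(f"unknown enclave role {role!r}")
    return sorted({str(ip_address(a)) for k in kinds for a in peers.get(k, [])})

def build_acl(local_ebc, allowed):
    """Ordered entries (action, src, dst, dport), first match wins: one permit
    per authorized peer EBC, then a deny that catches every other signaling
    packet aimed at the EBC so it never reaches the VVoIP firewall."""
    acl = [("permit", src, local_ebc, AS_SIP_TLS_PORT) for src in allowed]
    acl.append(("deny", "any", local_ebc, AS_SIP_TLS_PORT))
    return acl

def render_ios(acl, name="CER-EBC-SIGNALING-IN"):
    """Render the entries as Cisco IOS-style extended ACL text (illustrative)."""
    lines = [f"ip access-list extended {name}"]
    for action, src, dst, port in acl:
        src_m = "any" if src == "any" else f"host {src}"
        log = " log" if action == "deny" else ""   # log drops for detection
        lines.append(f" {action} tcp {src_m} host {dst} eq {port}{log}")
    return "\n".join(lines)

def evaluate(acl, src, dst, dport):
    """Return 'permit', 'deny', or None when no entry matches (the packet is
    not EBC signaling and is left to the CER's other rules)."""
    for action, a_src, a_dst, a_port in acl:
        if a_src in ("any", src) and a_dst == dst and a_port == dport:
            return action
    return None

# Constructed example: an LSC enclave whose EBC is 203.0.113.10 and whose
# primary/backup MFSSs are fronted by EBCs 198.51.100.20 and 198.51.100.30.
LOCAL_EBC = "203.0.113.10"
PEERS = {"primary_mfss": ["198.51.100.20"], "backup_mfss": ["198.51.100.30"]}
ACL = build_acl(LOCAL_EBC, peer_ebcs("LSC", PEERS))
```

Applying the rendered ACL inbound on the CER's WAN-facing interface (with `ip access-group`) is what turns the model into the required configuration; the logged deny entry also gives the IAO a record of unauthorized signaling attempts.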