
The DISN NIPRNet IPVS firewall (EBC) is NOT configured to manage IP port pinholes for the SRTP/SRTCP bearer streams based on the information in the AS-SIP-TLS messages.


Overview

Finding ID: V-19671
Version: VVoIP 6330 (DISN-IPVS)
Rule ID: SV-21812r1_rule
IA Controls: ECSC-1
Severity: Medium
Description
We previously discussed the reasons why a special firewall is needed to protect the enclave if VVoIP is to traverse the boundary (see VVoIP 1005 (GENERAL) under VVoIP policy). This requirement addresses the function of the EBC that manages the SRTP/SRTCP bearer streams.

NOTE: The DISN IPVS PMO has determined that the EBC will pass the negotiated and encrypted SRTP/SRTCP bearer streams without decryption and inspection, because doing so would not provide a significant security benefit but would add significant delay and a resulting decrease in the quality of the communications. With encoded audio and video it is difficult to impossible to determine whether an attack is being perpetrated or sensitive information is being improperly disclosed without reconstituting the analog audio and video signals and having a person listen to and watch each communication. Given the volume of communications, doing so would be nearly impossible.
STIG: Voice/Video over Internet Protocol STIG
Date: 2015-01-05

Details

Check Text (C-24050r1_chk)
Interview the IAO to confirm compliance with the following requirement:

Ensure the DISN NIPRNet IPVS firewall (EBC) is configured to manage IP port pinholes for the SRTP/SRTCP bearer streams based on the information in the AS-SIP-TLS messages as follows:
> Opens specific IP port pinholes on a per session basis for the SRTP/SRTCP bearer streams as negotiated by the communicating endpoints through the LSC and MFSS.
> Closes the specifically opened IP port pinholes when the session is to be torn down.
NOTE: “Opens specific IP port pinholes” means the EBC permits the flow of SRTP/SRTCP packets that have the specific IP port tags negotiated by the communicating endpoints through the LSC and MFSS and found in the AS-SIP-TLS messages. “Closes” means that once the session is signaled as completed, the EBC again denies all packets tagged with the IP ports previously opened.

Fix Text (F-20377r1_fix)
Ensure the DISN NIPRNet IPVS firewall (EBC) is configured to manage IP port pinholes for the SRTP/SRTCP bearer streams based on the information in the AS-SIP-TLS messages as follows:
> Opens specific IP port pinholes on a per session basis for the SRTP/SRTCP bearer streams as negotiated by the communicating endpoints through the LSC and MFSS.
> Closes the specifically opened IP port pinholes when the session is to be torn down.
NOTE: “Opens specific IP port pinholes” means the EBC permits the flow of SRTP/SRTCP packets that have the specific IP port tags negotiated by the communicating endpoints through the LSC and MFSS and found in the AS-SIP-TLS messages. “Closes” means that once the session is signaled as completed, the EBC again denies all packets tagged with the IP ports previously opened.
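The check and fix text above describe the EBC's pinhole behaviour in words: nothing is open by default, a pinhole for the SRTP and SRTCP ports is opened only once both endpoints have negotiated them through the AS-SIP-TLS exchange, and the pinhole is removed when the session is torn down. The following is an added example, not code from the STIG or from any EBC product, that models that behaviour so an assessor can see what "opens" and "closes" mean in terms of packets. It assumes constructed, abbreviated AS-SIP messages (the INVITE offer, the 200 OK answer and the BYE) as the EBC would see them after TLS termination; the Call-IDs, addresses and ports are made up, and it takes the SRTCP port to be the SRTP port plus one (the RFC 3550 default) rather than parsing an `a=rtcp` attribute.

```python
import re

# Constructed, abbreviated AS-SIP messages as seen by the EBC after TLS
# termination. Only the headers and SDP lines the pinhole logic needs are
# present; addresses, ports and Call-IDs are made up for this example.
INVITE = (
    "INVITE sip:5551001@example.mil SIP/2.0\r\n"
    "Call-ID: abc123@10.1.1.10\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "c=IN IP4 10.1.1.10\r\n"
    "m=audio 20000 RTP/SAVP 0\r\n"
)
OK_200 = (
    "SIP/2.0 200 OK\r\n"
    "Call-ID: abc123@10.1.1.10\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "c=IN IP4 192.0.2.20\r\n"
    "m=audio 30000 RTP/SAVP 0\r\n"
)
BYE = (
    "BYE sip:5551001@example.mil SIP/2.0\r\n"
    "Call-ID: abc123@10.1.1.10\r\n"
    "\r\n"
)

CALL_ID_RE = re.compile(r"^Call-ID:\s*(\S+)", re.M | re.I)
CONN_RE = re.compile(r"^c=IN IP4 (\S+)", re.M)
# Only secure RTP (RTP/SAVP) media lines are eligible for a pinhole.
MEDIA_RE = re.compile(r"^m=(?:audio|video) (\d+) RTP/SAVP", re.M)


def parse_signaling(msg):
    """Return (start_line, call_id, endpoints) for one AS-SIP message.

    endpoints is an ordered list of (ip, port) pairs: for each secure media
    line, the SRTP port followed by its SRTCP port (assumed to be port + 1).
    """
    start_line = msg.split("\r\n", 1)[0]
    match = CALL_ID_RE.search(msg)
    if match is None:
        raise ValueError("message has no Call-ID; cannot associate with a session")
    call_id = match.group(1)
    endpoints = []
    conn = CONN_RE.search(msg)
    if conn:
        ip = conn.group(1)
        for media in MEDIA_RE.finditer(msg):
            rtp_port = int(media.group(1))
            endpoints.append((ip, rtp_port))      # SRTP
            endpoints.append((ip, rtp_port + 1))  # SRTCP (RFC 3550 default)
    return start_line, call_id, endpoints


class PinholeManager:
    """Models the EBC's per-session pinhole table. Everything is denied by
    default; a pinhole exists only between endpoints negotiated in the same
    session, and only once both the offer and the answer have been seen."""

    def __init__(self):
        self.sessions = {}  # call_id -> {"offer": [...], "answer": [...]}
        self.log = []

    def on_signaling(self, msg):
        start_line, call_id, endpoints = parse_signaling(msg)
        if start_line.startswith("BYE"):
            # Session torn down: every pinhole opened for it is removed.
            closed = self.sessions.pop(call_id, None)
            self.log.append(f"close {call_id}: {closed}")
            return
        if not endpoints:
            return  # no SDP in this message, nothing to negotiate
        leg = "answer" if start_line.startswith("SIP/2.0 200") else "offer"
        self.sessions.setdefault(call_id, {})[leg] = endpoints
        self.log.append(f"{leg} {call_id}: {endpoints}")

    def permits(self, src_ip, src_port, dst_ip, dst_port):
        """True only if the packet travels between the SRTP (or SRTCP) ports
        that the two endpoints of one fully negotiated session agreed on."""
        src, dst = (src_ip, src_port), (dst_ip, dst_port)
        for legs in self.sessions.values():
            offer, answer = legs.get("offer"), legs.get("answer")
            if not offer or not answer:
                continue  # still negotiating: no pinhole yet
            for a, b in zip(offer, answer):
                if (src, dst) in ((a, b), (b, a)):
                    return True
        return False


if __name__ == "__main__":
    ebc = PinholeManager()
    for message in (INVITE, OK_200, BYE):
        ebc.on_signaling(message)
    print("\n".join(ebc.log))
```

The manager keys pinholes on the pairing of offer and answer ports rather than on any port seen in the session, so an SRTP packet aimed at the peer's SRTCP port, or from an address that did not take part in the negotiation, is still dropped; that is the property an assessor is confirming when interviewing the IAO.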