
The DISN NIPRNet IPVS firewall (EBC) is NOT configured to drop any packet (inbound or outbound) that is not validated as being part of an established and known call/session through stateful packet inspection or packet authentication.


Overview

Finding ID: V-19673
Version: VVoIP 6340 (DISN-IPVS)
Rule ID: SV-21814r1_rule
IA Controls: ECSC-1
Severity: High
Description
Once a pinhole is opened in the enclave boundary for a known call/session, the packets that are permitted to pass through it must be managed. If they are not, packets that are not part of the known session could traverse the pinhole and gain unauthorized access to the enclave's LAN or its connected hosts. One method for managing these packets is stateful packet inspection, which at a minimum validates that each permitted packet belongs to a known session. This is a relatively weak but somewhat effective firewall function. A stronger method is to authenticate the source of each packet as a known and authorized endpoint.
STIG: Voice/Video over Internet Protocol STIG
Date: 2015-01-05

Details

Check Text ( C-24054r1_chk )
Interview the IAO to confirm compliance with the following requirement:

Ensure the DISN NIPRNet IPVS firewall (EBC) is configured to drop any packet, inbound or outbound, that attempts to traverse the enclave boundary through an IP port pinhole opened for a known call/session but is not validated as being part of that established and known call/session.
NOTE: This requires either stateful inspection of the packets passed through the IP port pinholes or authentication of the source of those packets.

This is a finding in the event packets that are not part of an established and known call/session can pass through the EBC.


Fix Text (F-20379r1_fix)
Ensure the DISN NIPRNet IPVS firewall (EBC) is configured to drop any packet, inbound or outbound, that attempts to traverse the enclave boundary through an IP port pinhole opened for a known call/session but is not validated as being part of that established and known call/session.
NOTE: This requires either stateful inspection of the packets passed through the IP port pinholes or authentication of the source of those packets.
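The following is an added illustration of the stateful-inspection behaviour the Description and Fix Text call for; it is not part of the STIG and does not model any vendor's EBC. It assumes a simplified pinhole table keyed by the inside media endpoint, with the remote peer learned from call signalling, and it uses constructed addresses (10.1.1.20, 198.51.100.7, 203.0.113.9) and a hypothetical idle timeout. A packet is permitted only when an unexpired pinhole exists for its inside endpoint and the far-end address/port match the peer recorded for that session; every other packet is dropped and logged.

```python
"""Toy model of the pinhole policy described in this STIG: only packets that
match an established, known call/session may cross a media pinhole; all
others are dropped. Added example, not part of the STIG or any EBC product."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str       # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str   # "inbound" (toward the enclave) or "outbound"


@dataclass
class Pinhole:
    call_id: str
    proto: str
    inside_ip: str
    inside_port: int
    outside_ip: str
    outside_port: int
    expires_at: float   # absolute time; refreshed by traffic that matches the session
    ttl: float


class PinholeFilter:
    def __init__(self):
        self._pinholes = {}   # (proto, inside_ip, inside_port) -> Pinhole
        self.drop_log = []    # (reason, packet) for every dropped packet

    def open_pinhole(self, call_id, proto, inside_ip, inside_port,
                     outside_ip, outside_port, now, ttl=30.0):
        """Called once signalling has established the media endpoints of a call."""
        key = (proto, inside_ip, inside_port)
        self._pinholes[key] = Pinhole(call_id, proto, inside_ip, inside_port,
                                      outside_ip, outside_port, now + ttl, ttl)

    def close_call(self, call_id):
        """Tear down every pinhole belonging to a call (e.g. when the call ends)."""
        for key in [k for k, p in self._pinholes.items() if p.call_id == call_id]:
            del self._pinholes[key]

    def permit(self, pkt, now):
        """Return True only if the packet is validated against an established session."""
        if pkt.direction == "inbound":
            key = (pkt.proto, pkt.dst_ip, pkt.dst_port)
            peer = (pkt.src_ip, pkt.src_port)
        else:
            key = (pkt.proto, pkt.src_ip, pkt.src_port)
            peer = (pkt.dst_ip, pkt.dst_port)
        ph = self._pinholes.get(key)
        if ph is None:
            return self._drop("no pinhole open for this inside endpoint", pkt)
        if ph.expires_at <= now:
            del self._pinholes[key]
            return self._drop("pinhole expired (session idle)", pkt)
        if peer != (ph.outside_ip, ph.outside_port):
            return self._drop("peer is not part of the established session", pkt)
        ph.expires_at = now + ph.ttl   # an active session keeps its pinhole open
        return True

    def _drop(self, reason, pkt):
        self.drop_log.append((reason, pkt))
        return False


def run_demo():
    """Exercise the filter with constructed traffic and return the decisions."""
    fw = PinholeFilter()
    # constructed values: 10.1.1.20 is an inside phone, 198.51.100.7 the remote
    # media endpoint learned from signalling, 203.0.113.9 an unrelated host
    fw.open_pinhole("call-1", "udp", "10.1.1.20", 16384, "198.51.100.7", 30000, now=0.0)
    good = Packet("udp", "198.51.100.7", 30000, "10.1.1.20", 16384, "inbound")
    other_peer = Packet("udp", "203.0.113.9", 30000, "10.1.1.20", 16384, "inbound")
    no_session = Packet("udp", "198.51.100.7", 30000, "10.1.1.20", 16386, "inbound")
    reply = Packet("udp", "10.1.1.20", 16384, "198.51.100.7", 30000, "outbound")
    results = {
        "known_peer": fw.permit(good, 1.0),
        "unknown_peer": fw.permit(other_peer, 1.0),
        "no_pinhole": fw.permit(no_session, 1.0),
        "return_traffic": fw.permit(reply, 1.0),
    }
    results["after_idle_timeout"] = fw.permit(good, 100.0)   # last refresh at 1.0 + 30s ttl
    fw.open_pinhole("call-1", "udp", "10.1.1.20", 16384, "198.51.100.7", 30000, now=100.0)
    fw.close_call("call-1")
    results["after_teardown"] = fw.permit(good, 101.0)
    results["drops"] = len(fw.drop_log)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The two checks that matter for this finding are the peer comparison (a packet arriving at an open pinhole from an address/port that signalling never associated with the call is dropped) and the teardown/expiry handling (a pinhole that outlives its call is exactly the unmanaged opening the Description warns about). The source-authentication alternative the STIG prefers would replace the address/port comparison with a cryptographic check of the packet's origin; it is not modelled here.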