UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The DISN NIPRNet IPVS firewall (EBC) is NOT configured to drop any packet (inbound or outbound) that is not validated as being part of an established and known call/session through stateful packet inspection or packet authentication.


Overview

Finding ID Version Rule ID IA Controls Severity
V-19673 VVoIP 6340 (DISN-IPVS) SV-21814r1_rule ECSC-1 High
Description
Once a pinhole is opened in the enclave boundary for a known call/session the packets that are permitted to pass must be managed. If they are not properly managed, packets that are not part of a known session could traverse the pinhole thereby giving unauthorized access to the enclave’s LAN or connected hosts. One method for managing these packets is called stateful packet inspection. This inspection minimally validates that the permitted packets are part of a known session. This is a relatively weak but somewhat effective firewall function. A better method is to authenticate the source of the packet as coming from a known and authorized source.
STIG Date
Voice/Video over Internet Protocol STIG 2015-01-05

Details

Check Text ( C-24054r1_chk )
Interview the IAO to confirm compliance with the following requirement:

Ensure the DISN NIPRNet IPVS firewall (EBC) is configured to drop any packet attempting to traverse the enclave boundary (inbound or outbound) through the IP port pinholes that have been opened for known call/sessions that is not validated as being part of an established and known call/session.
NOTE: This requires a stateful inspection of the packets passed through the IP port pinholes or the authentication of the source of those packets.

This is a finding in the event packets that are not part of an established and known call/session can pass through the EBC.


Fix Text (F-20379r1_fix)
Ensure the DISN NIPRNet IPVS firewall (EBC) is configured to drop any packet attempting to traverse the enclave boundary (inbound or outbound) through the IP port pinholes that have been opened for known call/sessions that is not validated as being part of an established and known call/session.
NOTE: This requires a stateful inspection of the packets passed through the IP port pinholes or the authentication of the source of those packets.