Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-19666 | VVoIP 6305 (DISN-IPVS) | SV-21807r1_rule | ECSC-1 | Medium |
Description |
---|
We previously discussed the reasons why a special firewall function is needed to protect the enclave if VVoIP is to traverse the boundary (see VVoIP 1005 (GENERAL) under VVoIP policy). This requirement addresses the function of the EBC which manages the AS-SIP-TLS signaling messages. In order to perform its proper function at the enclave boundary, the EBC must decrypt and decode, that is, understand the contents of, AS-SIP-TLS messages. Doing so supports the requirements that follow. Additionally, the EBC can perform message validity checks and determine if an attack is being attempted. NOTE: The EBC acts as an application level proxy and firewall for the signaling AS-SIP-TLS messages. |
STIG | Date |
---|---|
Voice/Video over Internet Protocol (VVoIP) STIG | 2015-07-01 |
Check Text ( C-24040r1_chk ) |
---|
Interview the IAO to confirm compliance with the following requirement: Ensure the DISN NIPRNet IPVS firewall (EBC) is configured to terminate AS-SIP-TLS sessions (messages) (both inbound and outbound) and decrypt the packets to determine the information needed to properly manage the transition of SRTP/SRTCP streams across the boundary. Additionally ensure the EBC establishes a new AS-SIP-TLS session for the “next hop” to the internal LSC or the far end EBC that fronts the destination MFSS. |
Fix Text (F-20372r1_fix) |
---|
Ensure the DISN NIPRNet IPVS firewall (EBC) is configured to terminate AS-SIP-TLS sessions (messages) (both inbound and outbound) and decrypt the packets to determine the information needed to properly manage the transition of SRTP/SRTCP streams across the boundary. Additionally ensure the EBC establishes a new AS-SIP-TLS session for the “next hop” to the internal LSC or the far end EBC that fronts the destination LSC or MFSS. |
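
The description, check and fix above all turn on the same point: because the EBC terminates the AS-SIP-TLS session, it sees the signaling in clear text and can (a) reject malformed messages and (b) read the SDP offer to learn which SRTP/SRTCP endpoints it must let through the boundary for the life of the call. The Python below is an added illustration of that inspection step, not text or code from the STIG or from any EBC vendor. It models only the part after TLS decryption: the INVITE, the addresses (RFC 5737 documentation range) and the Call-ID are constructed, the parser handles session-level `c=` lines only, and the TLS termination itself and the re-origination of the INVITE over a new TLS session toward the LSC or far-end EBC are described in comments rather than implemented.

```python
"""Added illustration of the EBC's post-decryption signaling inspection.
Everything here is a constructed, simplified model; it is not STIG or vendor code."""

import ipaddress
import re
from dataclasses import dataclass

# Constructed AS-SIP INVITE with an SDP offer for one SRTP audio stream.
# Hosts are RFC 5737 documentation addresses; the Call-ID is made up.
SAMPLE_INVITE_HEAD = (
    "INVITE sip:4401@lsc.example.mil SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 203.0.113.10:5061;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:1200@mfss.example.mil>;tag=1928301774\r\n"
    "To: <sip:4401@lsc.example.mil>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Max-Forwards: 70\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: {length}\r\n"
    "\r\n"
)
SAMPLE_SDP = (
    "v=0\r\n"
    "o=- 2890844526 2890844526 IN IP4 203.0.113.10\r\n"
    "s=-\r\n"
    "c=IN IP4 203.0.113.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/SAVP 0 8\r\n"
)

REQUIRED_HEADERS = ("via", "from", "to", "call-id", "cseq", "max-forwards")


@dataclass(frozen=True)
class MediaPinhole:
    """One SRTP stream the EBC must permit across the boundary; SRTCP is assumed at port+1."""
    call_id: str
    media: str
    address: str
    rtp_port: int
    rtcp_port: int
    transport: str


def split_message(raw: bytes) -> tuple[str, dict[str, str], bytes]:
    """Split a decrypted SIP request into request line, headers and body, refusing obvious malformations."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("missing header/body separator")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError as exc:
        raise ValueError("non-ASCII bytes in header block") from exc
    request_line = lines[0]
    if not re.fullmatch(r"[A-Z]{3,16} \S+ SIP/2\.0", request_line):
        raise ValueError(f"malformed request line: {request_line!r}")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, body


def validate_headers(headers: dict[str, str], body: bytes) -> None:
    """Validity checks the EBC can only perform because it holds the clear-text message."""
    missing = [h for h in REQUIRED_HEADERS if h not in headers]
    if missing:
        raise ValueError(f"missing mandatory headers: {missing}")
    if not headers["max-forwards"].isdigit():
        raise ValueError("Max-Forwards is not numeric")
    declared = headers.get("content-length")
    if declared is None or not declared.isdigit() or int(declared) != len(body):
        raise ValueError("Content-Length does not match body length")
    if body and headers.get("content-type", "").lower() != "application/sdp":
        raise ValueError("unexpected body type at the boundary")


def extract_pinholes(call_id: str, sdp: bytes) -> list[MediaPinhole]:
    """Read the media endpoints from the SDP offer; only SRTP (RTP/SAVP) is allowed across."""
    session_addr = None
    pinholes: list[MediaPinhole] = []
    for line in sdp.decode("ascii").split("\r\n"):
        if line.startswith("c="):  # simplified: session-level connection line only
            net, addrtype, addr = line[2:].split()
            if net != "IN" or addrtype != "IP4":
                raise ValueError(f"unsupported connection line: {line!r}")
            session_addr = str(ipaddress.IPv4Address(addr))  # raises on a junk address
        elif line.startswith("m="):
            media, port, transport, *_ = line[2:].split()
            if transport != "RTP/SAVP":
                raise ValueError(f"non-SRTP media offered: {transport}")
            rtp = int(port)
            if not 1024 <= rtp <= 65534 or rtp % 2:  # even RTP port with room for RTCP at port+1
                raise ValueError(f"implausible media port: {port}")
            if session_addr is None:
                raise ValueError("m= line before any c= line")
            pinholes.append(MediaPinhole(call_id, media, session_addr, rtp, rtp + 1, transport))
    if not pinholes:
        raise ValueError("SDP offer carries no media description")
    return pinholes


def inspect_decrypted_invite(raw: bytes) -> list[MediaPinhole]:
    """Once the inbound TLS session is terminated (not modelled here), validate the
    message and derive the SRTP/SRTCP pinholes to hold open while the call is up.
    A real EBC would then re-originate the INVITE over a new AS-SIP-TLS session
    to the next hop (internal LSC or far-end EBC), which is also not modelled."""
    request_line, headers, body = split_message(raw)
    validate_headers(headers, body)
    if not request_line.startswith("INVITE "):
        return []  # only offer/answer exchanges change the media path
    return extract_pinholes(headers["call-id"], body)


def build_sample_invite() -> bytes:
    """Assemble the constructed INVITE with a correct Content-Length."""
    return (SAMPLE_INVITE_HEAD.format(length=len(SAMPLE_SDP)) + SAMPLE_SDP).encode("ascii")


if __name__ == "__main__":
    for hole in inspect_decrypted_invite(build_sample_invite()):
        print(hole)
    # A message offering clear-text RTP is refused rather than relayed inward.
    try:
        inspect_decrypted_invite(build_sample_invite().replace(b"RTP/SAVP", b"RTP/AVP"))
    except ValueError as err:
        print("rejected:", err)
```

The point of the example is the dependency the STIG states: every check in `validate_headers` and `extract_pinholes` needs the clear-text message, so an EBC that merely passed the TLS bytes through could neither police the signaling nor know which media ports to open. The same parsing runs in both directions (inbound INVITEs and outbound ones), matching the "both inbound and outbound" wording of the check and fix.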