
Remote access VoIP must be routed to the VoIP VLAN.


Overview

Finding ID: V-19627
Version: VVoIP 1800 (REMOTE)
Rule ID: SV-21768r2_rule
IA Controls: DCBP-1, ECSC-1
Severity: Medium
Description
In addition to complying with the STIGs and VPN requirements for remotely connected PCs, there is an additional requirement for Unified Capabilities (UC) soft clients and UC applications using the VPN. UC soft client and UC application traffic that must interact or communicate with systems and devices in the voice VLAN/protection zone must be routed to that zone, while other data and communications traffic is routed to the data zone. This must be accomplished without degrading the separation of these two zones or bridging them together. It can be done in a number of ways, depending on the LAN and its boundary/VPN architecture.
STIG: Voice/Video over Internet Protocol (VVoIP) STIG
Date: 2017-01-04

Details

Check Text (C-23920r2_chk)
Interview the ISSO to validate compliance with the following requirement:

Ensure traffic from a Unified Capabilities (UC) soft client, operated in a remote access scenario and using an encrypted VPN as required, is routed to the VoIP VLAN such that the separation of the voice and data zones is not degraded while all other traffic is routed to the data zone.

Inspect network diagrams to determine if the boundary and remote access VLAN architecture properly routes VoIP traffic from the VPN to the voice VLANs while maintaining proper flow control and access between the data VLANs and the voice VLANs. If the boundary and remote access VLAN architecture does not properly route VoIP traffic from the VPN to the voice VLANs while maintaining proper flow control and access between the data VLANs and the voice VLANs, this is a finding.

Fix Text (F-20331r2_fix)
Ensure traffic from a Unified Capabilities (UC) soft client, operated in a remote access scenario and using an encrypted VPN as required, is routed to the VoIP VLAN such that the separation of the voice and data zones is not degraded while all other traffic is routed to the data zone.

Configure the enclave boundary and remote access VLAN architecture to properly route VoIP traffic from the VPN to the voice VLANs and maintain proper flow control and access between the data VLANs and the voice VLANs.