UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The DISN NIPRNet IPVS firewall (EBC) is NOT configured to drop (and not process) all packets except those that are authenticated as being from an authorized source within the DISN IPVS network.


Overview

Finding ID Version Rule ID IA Controls Severity
V-19667 VVoIP 6310 (DISN-IPVS) SV-21808r1_rule Medium
Description
We previously discussed the reasons why a special firewall function is needed to protect the enclave if VVoIP is to traverse the boundary (see VVoIP 1005 under VVoIP policy). This requirement addresses the function of the EBC which authenticates the AS-SIP-TLS signaling messages as being from an authorized source. DoD policy dictates that authentication be performed using DoD PKI certificates. This also applies to network hosts and elements. AS-SIP (and SIP on which it is based) is not a secure protocol. The information passed during call/session setup and teardown is in human readable plain text. To secure AS-SIP and SIP, TLS is used. TLS is PKI certificate based and is used for AS-SIP message encryption, authentication, and integrity validation. NOTE: Authentication is provided by validating the sending appliance’s public PKI certificate used to establish the TLS session. AS-SIP messages are not sent until the authenticated TLS session is established. NOTE: the methods used will be in accordance with the UCR.
STIG Date
Voice/Video over Internet Protocol (VVoIP) STIG 2017-01-04

Details

Check Text ( C-24042r1_chk )
Interview the IAO to confirm compliance with the following requirement:

Ensure the DISN NIPRNet IPVS firewall (EBC) is configured to drop (and not process) all packets except those that are authenticated as being from an authorized source as follows:
> Authenticate outbound AS-SIP-TLS messages (packets) as being from the primary or backup LSC (or the site’s MFSS and is backup LSC) within the enclave.
> Authenticate inbound AS-SIP-TLS messages (packets) as being from the EBC at the enclave’s assigned primary and secondary (backup) MFSS sites.

NOTE: Authentication is provided by validating the sending appliance’s public PKI certificate used to establish the TLS session. AS-SIP messages are not sent until the authenticated TLS session is established.

This is a finding in the event the EBC does not use DoD PKI to authenticate the source of AS-SIP-TLS packets.

Fix Text (F-20373r1_fix)
Ensure the DISN NIPRNet IPVS firewall (EBC) is configured to drop (and not process) all packets except those that are authenticated as being from an authorized source as follows:
> Authenticate outbound AS-SIP-TLS messages (packets) as being from the primary or backup LSC (or the site’s MFSS and is backup LSC) within the enclave.
> Authenticate inbound AS-SIP-TLS messages (packets) as being from the EBC at the enclave’s assigned primary and secondary (backup) MFSS sites.

NOTE: Authentication is provided by validating the sending appliance’s public PKI certificate used to establish the TLS session. AS-SIP messages are not sent until the authenticated TLS session is established.