UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The DISN NIPRNet IPVS firewall (EBC) is NOT configured to drop (and not process) all signaling packets except those whose integrity is validated.


Overview

Finding ID Version Rule ID IA Controls Severity
V-19668 VVoIP 6315 (DISN-IPVS) SV-21809r1_rule Medium
Description
The validation of signaling packet integrity is required to ensure the packet has not been altered in transit. Packets can be altered in a couple of ways. The first is modification by uncontrollable network events such as bit errors and packet truncation that would cause the packet to contain erroneous information. Packets containing detectable errors must not be processed since the effect of doing so is unknown and most likely not good. The second could be modification by a man-in-the-middle. NOTE: The USR mandates the packets be hashed upon transmission and receipt using HMAC-SHA1-160 with 160 bit keys and the validation of the hash of the received packet against the transmitted hash.
STIG Date
Voice/Video over Internet Protocol (VVoIP) STIG 2017-01-04

Details

Check Text ( C-24044r1_chk )
Interview the IAO to confirm compliance with the following requirement:

Ensure the DISN NIPRNet IPVS firewall (EBC) is configured to drop (and not process) all signaling packets except those whose integrity is validated.

This is a finding in the event the EBC does not validate the integrity of the received signaling packets.

Fix Text (F-20374r1_fix)
Ensure the DISN NIPRNet IPVS firewall (EBC) is configured to drop (and not process) all signaling packets except those whose integrity is validated.
NOTE: HMAC-SHA1-160 with 160 bit keys is used for this purpose as directed by the UCR.