
The EBC is NOT configured to terminate and decrypt inbound and outbound AS-SIP-TLS sessions (messages) such that it can properly manage the transition of the SRTP/SRTCP streams


Overview

Finding ID: V-19666
Version: VVoIP 6305 (DISN-IPVS)
Rule ID: SV-21807r1_rule
IA Controls:
Severity: Medium
Description
The reasons a special firewall function is needed to protect the enclave if VVoIP is to traverse the boundary were discussed previously (see VVoIP 1005 (GENERAL) under VVoIP policy). This requirement addresses the function of the EBC that manages the AS-SIP-TLS signaling messages. To perform its proper function at the enclave boundary, the EBC must decrypt and decode (or understand) the contents of AS-SIP-TLS messages. Doing so supports the requirements that follow. Additionally, the EBC can perform message validity checks and determine if an attack is being attempted. NOTE: The EBC acts as an application-level proxy and firewall for the AS-SIP-TLS signaling messages.
STIG Date
Voice/Video over Internet Protocol (VVoIP) STIG 2017-04-05

Details

Check Text (C-24040r1_chk)
Interview the IAO to confirm compliance with the following requirement:

Ensure the DISN NIPRNet IPVS firewall (EBC) is configured to terminate AS-SIP-TLS sessions (messages), both inbound and outbound, and decrypt the packets to determine the information needed to properly manage the transition of SRTP/SRTCP streams across the boundary. Additionally, ensure the EBC establishes a new AS-SIP-TLS session for the “next hop” to the internal LSC or the far end EBC that fronts the destination MFSS.

Fix Text (F-20372r1_fix)
Ensure the DISN NIPRNet IPVS firewall (EBC) is configured to terminate AS-SIP-TLS sessions (messages), both inbound and outbound, and decrypt the packets to determine the information needed to properly manage the transition of SRTP/SRTCP streams across the boundary. Additionally, ensure the EBC establishes a new AS-SIP-TLS session for the “next hop” to the internal LSC or the far end EBC that fronts the destination LSC or MFSS.