The Session Border Controller (SBC) must drop all SIP and AS-SIP packets except those secured with TLS.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-19670	VVoIP 6325	SV-21811r3_rule		Medium

Description
DISN NIPRNet IPVS PMO and the UCR require all session signaling across the DISN WAN and between the LSC and EBC to be secured with TLS. The standard IANA assigned IP port for SIP protected by TLS (SIP-TLS) is 5061. DoD PPSM requires that protocols traversing the DISN and DoD enclave boundaries use the standard IP ports for the specific protocol. Since AS-SIP is a standardized extension of the SIP protocol and since AS-SIP must be protected by TLS, AS-SIP-TLS must use IP port 5061. The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated using TLS on port 443 from Cloud Service Providers.

Description

DISN NIPRNet IPVS PMO and the UCR require all session signaling across the DISN WAN and between the LSC and EBC to be secured with TLS. The standard IANA assigned IP port for SIP protected by TLS (SIP-TLS) is 5061. DoD PPSM requires that protocols traversing the DISN and DoD enclave boundaries use the standard IP ports for the specific protocol. Since AS-SIP is a standardized extension of the SIP protocol and since AS-SIP must be protected by TLS, AS-SIP-TLS must use IP port 5061. The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated using TLS on port 443 from Cloud Service Providers.

STIG	Date
Voice/Video over Internet Protocol (VVoIP) STIG	2019-03-18

Details

Check Text ( C-24049r2_chk )
Interview the ISSO to confirm compliance with the following requirement: Ensure the DISN NIPRNet IPVS SBC is configured to drop the following signaling packets: - SIP packets arriving on IP port 5060 or 5061 - SIP packets arriving on IP port 443 not secured with TLS - AS-SIP packets arriving on IP port 5060 - AS-SIP packets arriving on IP port 5061 not secured with TLS If all SIP and AS-SIP packets are not dropped except AS-SIP packets secured with TLS arriving on IP Port 5061 and SIP packets secured with TLS arriving on IP Port 443 secured with TLS, this is a finding. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

Check Text ( C-24049r2_chk )

Interview the ISSO to confirm compliance with the following requirement:

Ensure the DISN NIPRNet IPVS SBC is configured to drop the following signaling packets:
- SIP packets arriving on IP port 5060 or 5061
- SIP packets arriving on IP port 443 not secured with TLS
- AS-SIP packets arriving on IP port 5060
- AS-SIP packets arriving on IP port 5061 not secured with TLS

If all SIP and AS-SIP packets are not dropped except AS-SIP packets secured with TLS arriving on IP Port 5061 and SIP packets secured with TLS arriving on IP Port 443 secured with TLS, this is a finding.

NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

Fix Text (F-20376r2_fix)
Ensure the DISN NIPRNet IPVS SBC is configured to drop the following signaling packets: - SIP packets arriving on IP port 5060 or 5061 - SIP packets arriving on IP port 443 not secured with TLS - AS-SIP packets arriving on IP port 5060 - AS-SIP packets arriving on IP port 5061 not secured with TLS NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

Fix Text (F-20376r2_fix)

Ensure the DISN NIPRNet IPVS SBC is configured to drop the following signaling packets:
- SIP packets arriving on IP port 5060 or 5061
- SIP packets arriving on IP port 443 not secured with TLS
- AS-SIP packets arriving on IP port 5060
- AS-SIP packets arriving on IP port 5061 not secured with TLS

NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.