
No DAA approval for permitting limited numbers of soft-phones to operate in LAN.


Overview

Finding ID: V-16096
Version: VVoIP 1720 (GENERAL)
Rule ID: SV-17084r1_rule
IA Controls: DCBP-1, ECSC-1
Severity: Medium
Description
This use case addresses situations where the soft-phone/UC application and PC is not the primary voice communications "device" in the work area. This means that there is a validated mission need and the number of PC soft-phones permitted to operate inside the LAN will be less than the number of hardware-based phones in the LAN. This number should be limited to those soft-phones required to meet specific mission requirements. UC applications that are ubiquitous in the LAN are addressed later; typically these work in association with a hardware-based phone system, not in place of it.

There are three possible scenarios for the use of limited numbers of soft-phones in the strategic LAN. The first two are discussed in this section and the third in the next section.

The first of these scenarios is providing support for soft-phones associated with a VoIP system in another enclave. This is a remote access scenario, and the soft-phones must operate as they would in a normal telework/remote access use case. That use case is discussed later; however, if this scenario is approved, special accommodations must be made in the local LAN to support users from a remote LAN and permit them to connect to their home enclave. This could include segregating them on a separate dedicated LAN with its own boundary protection, or implementing a dedicated VLAN protection zone while opening the enclave boundary to permit the remote connection. NOTE: Approval for this scenario would also require approval for specific foreign (non-local) PC attachment to the local LAN. These topics are beyond the scope of this document.

The second of these scenarios is providing support for soft-phones associated with a local VoIP system. It is preferred that PC soft-phones associated with the local VoIP system not be used in the LAN at all, due to the difficulties they present to the protection of the local hardware-based VoIP infrastructure.

Under normal circumstances, due to the separation of the VoIP and data VLANs, a PC soft-phone application (associated with the local VoIP system) should not be able to register with the VoIP controller and function when the PC is connected to the LAN. This is because the PC connects to a LAN access port assigned to the data VLAN(s), and traffic between the voice and data VLANs is blocked. Similarly, if the PC were connected to a LAN access port assigned to the VoIP VLAN(s), the soft-phone might work but the PC would not have its normal data connectivity or services. If PC soft-phones are to be used in the strategic LAN, except as noted in the section on discrete instrument replacement, their numbers should be limited to those that are essential to the mission, and additional protections, as discussed later in this section, must be added to the LAN to maintain the protection of the VoIP infrastructure. Implementations of limited numbers of PC soft-phones, along with the protections afforded them and the local VoIP infrastructure, must be approved by the responsible DAA.
STIG: Voice/Video Services Policy STIG
Date: 2014-04-07

Details

Check Text ( C-17140r1_chk )
In the event that limited numbers of PC soft-phones are implemented in the strategic LAN, interview the IAO to validate compliance with the following requirement:

Ensure the responsible DAA approves the use of PC soft-phones in the strategic LAN along with the measures implemented to protect these soft-phones and the local VoIP and/or data infrastructure. Approval will be provided in writing and will be maintained by the IAO for inspection by IA reviewers or auditors.

If limited numbers of PC soft-phones associated with the local VoIP system are to be implemented in the strategic LAN, a separate protection zone or VLAN structure must be implemented for them. The purpose of this VLAN is to provide a means whereby the PC can access the services it requires in both the data and VoIP VLANs while protecting the VoIP infrastructure and enhancing soft-phone reliability, performance, and security. Implementation of such a VLAN must not provide an access path, as in a bridge, between the VoIP and data VLANs. Traffic must be filtered such that the soft-phone's VoIP traffic is routed to the VoIP VLAN while all other traffic is routed to the data VLAN. This should happen at only one location, such as a core router or firewall; however, the PC might be capable of this itself.

NOTE: Limited numbers in this scenario means as few as possible, but may mean 25 or 30 percent of the overall PCs on the LAN. Beyond this percentage, the protections afforded by this implementation become limited or negated because of the large number of PCs in the soft-phone VLAN.

NOTE: Methods for permitting the necessary PC traffic to, from, and between the voice and data zones while protecting the voice zone will be discussed next in this document.
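The following is an added example, not part of the STIG or of any vendor's configuration, that models the soft-phone protection zone described in the check text as an ordered, first-match filter policy applied at a single routing point. The zone names (voice, data, softphone), the SIP and RTP port numbers and the sample flows are constructed assumptions; a real deployment would express the same policy as VLAN interface ACLs or firewall zone rules. The audit function shows what a reviewer would look for: no rule that permits traffic between the data and voice zones (which would make the soft-phone zone a bridge), and no soft-phone-to-voice permit that is wider than the signaling and media the soft-phone actually needs.

```python
"""Model of the soft-phone protection-zone filtering the check text describes.

Added example, not part of the STIG: the zone names, port numbers and sample
flows are constructed assumptions; a real deployment would express the same
policy as ACLs or firewall zone rules at the single routing/filtering point.
"""
from dataclasses import dataclass
from typing import List, Optional

VOICE = "voice"          # hardware phones and the VoIP controller
DATA = "data"            # ordinary PCs and data services
SOFTPHONE = "softphone"  # the limited set of PCs running a soft-phone


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str              # "tcp", "udp" or "any"
    ports: Optional[range]  # None means any destination port
    action: str             # "permit" or "deny"

    def matches(self, f: Flow) -> bool:
        return (self.src_zone == f.src_zone
                and self.dst_zone == f.dst_zone
                and self.proto in ("any", f.proto)
                and (self.ports is None or f.dport in self.ports))


# Constructed port assumptions: SIP signaling on 5060/5061, RTP media in a
# fixed UDP range. Flows are modelled in their initiating direction only;
# return traffic is assumed to be admitted statefully by the filtering device.
SIP_PORTS = range(5060, 5062)
RTP_PORTS = range(16384, 32768)

# Corrected policy: the soft-phone zone reaches the voice zone only for
# signaling and media, keeps full data-zone access, and nothing permits
# data <-> voice, so the zone is not a bridge between the two VLANs.
HARDENED_POLICY: List[Rule] = [
    Rule(SOFTPHONE, VOICE, "tcp", SIP_PORTS, "permit"),
    Rule(SOFTPHONE, VOICE, "udp", RTP_PORTS, "permit"),
    Rule(VOICE, SOFTPHONE, "udp", RTP_PORTS, "permit"),  # phone-initiated media
    Rule(SOFTPHONE, DATA, "any", None, "permit"),
    # implicit deny covers data <-> voice, voice -> data, data -> softphone
]

# Weak policy: the soft-phone zone may reach the voice zone on anything,
# which exposes the VoIP infrastructure to whatever the PC happens to run.
WEAK_POLICY: List[Rule] = [
    Rule(SOFTPHONE, VOICE, "any", None, "permit"),
    Rule(SOFTPHONE, DATA, "any", None, "permit"),
]


def evaluate(policy: List[Rule], flow: Flow) -> str:
    """First matching rule wins; an unmatched flow is denied."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action
    return "deny"


def audit_policy(policy: List[Rule]) -> List[str]:
    """Return findings; an empty list means the voice zone stays isolated."""
    findings = []
    for rule in policy:
        if rule.action != "permit":
            continue
        if {rule.src_zone, rule.dst_zone} == {DATA, VOICE}:
            findings.append(f"bridge: {rule.src_zone} -> {rule.dst_zone} permitted")
        if (rule.src_zone == SOFTPHONE and rule.dst_zone == VOICE
                and (rule.proto == "any" or rule.ports is None)):
            findings.append("soft-phone zone reaches voice zone on any port/protocol")
    return findings


if __name__ == "__main__":
    # Constructed sample flows: soft-phone signaling, media, an attempt to reach
    # the voice zone on an unrelated port, and a data-zone host trying to reach
    # the VoIP controller directly.
    samples = [
        Flow(SOFTPHONE, VOICE, "tcp", 5060),
        Flow(SOFTPHONE, VOICE, "udp", 20000),
        Flow(SOFTPHONE, VOICE, "tcp", 22),
        Flow(DATA, VOICE, "tcp", 5060),
        Flow(SOFTPHONE, DATA, "tcp", 443),
    ]
    for f in samples:
        print(f, "->", evaluate(HARDENED_POLICY, f))
    print("weak policy findings:", audit_policy(WEAK_POLICY))
```

Filtering on the source zone is what keeps the soft-phone VLAN from acting as a bridge: a data-zone host cannot reach the voice zone directly, and the only traffic that crosses from the soft-phone zone into the voice zone is the signaling and media the soft-phone needs. The audit function is the reviewer's check on the written configuration, not a substitute for the DAA approval the rule requires.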

Determine if limited numbers of PC soft-phones are permitted to operate or are implemented in the strategic LAN. If so, review the written DAA approval for the implementation/permission.

This is a finding in the event limited numbers of PC soft-phones are to be implemented in the strategic LAN and there is no written DAA approval for the implementation and the measures implemented to protect these soft-phones and the local VoIP and/or data infrastructure.
Fix Text (F-16201r1_fix)
Ensure the responsible DAA approves the use of PC soft-phones in the strategic LAN along with the measures implemented to protect these soft-phones and the local VoIP and/or data infrastructure. Approval will be provided in writing and will be maintained by the IAO for inspection by IA reviewers or auditors.

In the event that limited numbers of PC soft-phones are to be implemented in the strategic LAN, obtain written approval from the responsible DAA, along with approval for the measures implemented to protect these soft-phones and the local VoIP and/or data infrastructure. Alternatively, remove the PC soft-phones and/or UC applications from the LAN.