Deficient protection for a Call Center (or CTI) system that uses soft-phones.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-16098	VVoIP 1025 (GENERAL)	SV-17086r1_rule	DCBP-1 ECSC-1	Medium

Description
The third scenario in which limited numbers of PC soft-phones might be used in a strategic LAN is when they are associated with or are actually part of a Computer Telephony Integration (CTI) application. Traditional computer telephony integration CTI encompasses the control of a telephone or telecommunications switch by a computer application. Interfaces have been developed to provide connection between the computer, typically a workstation, and the telephone or other terminal attached to the telephone switch, and possibly a special analog or TDM line going directly to the telephone switch. Applications are also developed to make use of these interfaces to integrate a data application with the telephone system. Sometimes the integration is as simple as being able to dial a number from the computer application or it could provide full control of the switch as in the case of an operator’s console. In these traditional scenarios, the voice stayed in a traditional telephone set and the data stayed on the computer with the exception of the control information. If the voice does enter the computer, it is sent directly to the sound card or converted to a sound file for storage and possible file transfer. The voice communication is not transmitted in real time via IP protocols. In contrast, modern day CTI is changing in that today the voice communications and control is being transmitted using IP protocols and the hardware interfaces and telephones are being replaced by computer applications. NOTE: the CTI systems discussed here are not unified communications applications although some of the features are similar. CTI systems generally have a special function and are not a general user application. These are typically Call Center or Help Desk applications. This type of CTI typically involves integration with a database application. In this scenario, where soft-phones are an integral part of the CTI system/application, implementation of separate voice and data zones could be detrimental to the proper functioning of the application. While separation requirements should be enforced if possible, they could be relaxed providing the general CTI requirement of treating the CTI system as an enclave is followed. A system such as this should have its own VoIP controller. If the system needs to communicate with systems outside the CTI system enclave, proper boundary protection must be provided. For example, since IP soft-phones are prevalent in today’s call center / helpdesk systems, such a system would require the ability to place and receive phone calls from outside the CTI enclave. Calls might leave and enter the enclave via VoIP or a TDM media gateway. The workstations and call center agents may also need to email and access the web. NOTE: we have established that a network supporting a CTI application must be segregated from the enclave general business LAN and that this can be accomplished by maintaining a closed network or a segregated and access controlled sub-enclave having appropriate boundary protection. This is in support of DoDI 8500.2 IA control DCSP-1 regarding “Security Design and Configuration / Security Support Structure Partitioning” which states “The security support structure maintains separate execution domains as in address spaces, for each executing process by means of partitions, domains, etc., including control of access to, and integrity of, hardware, software, and firmware that perform security functions.”

Description

The third scenario in which limited numbers of PC soft-phones might be used in a strategic LAN is when they are associated with or are actually part of a Computer Telephony Integration (CTI) application. Traditional computer telephony integration CTI encompasses the control of a telephone or telecommunications switch by a computer application. Interfaces have been developed to provide connection between the computer, typically a workstation, and the telephone or other terminal attached to the telephone switch, and possibly a special analog or TDM line going directly to the telephone switch. Applications are also developed to make use of these interfaces to integrate a data application with the telephone system. Sometimes the integration is as simple as being able to dial a number from the computer application or it could provide full control of the switch as in the case of an operator’s console. In these traditional scenarios, the voice stayed in a traditional telephone set and the data stayed on the computer with the exception of the control information. If the voice does enter the computer, it is sent directly to the sound card or converted to a sound file for storage and possible file transfer. The voice communication is not transmitted in real time via IP protocols. In contrast, modern day CTI is changing in that today the voice communications and control is being transmitted using IP protocols and the hardware interfaces and telephones are being replaced by computer applications. NOTE: the CTI systems discussed here are not unified communications applications although some of the features are similar. CTI systems generally have a special function and are not a general user application. These are typically Call Center or Help Desk applications. This type of CTI typically involves integration with a database application. In this scenario, where soft-phones are an integral part of the CTI system/application, implementation of separate voice and data zones could be detrimental to the proper functioning of the application. While separation requirements should be enforced if possible, they could be relaxed providing the general CTI requirement of treating the CTI system as an enclave is followed. A system such as this should have its own VoIP controller. If the system needs to communicate with systems outside the CTI system enclave, proper boundary protection must be provided. For example, since IP soft-phones are prevalent in today’s call center / helpdesk systems, such a system would require the ability to place and receive phone calls from outside the CTI enclave. Calls might leave and enter the enclave via VoIP or a TDM media gateway. The workstations and call center agents may also need to email and access the web. NOTE: we have established that a network supporting a CTI application must be segregated from the enclave general business LAN and that this can be accomplished by maintaining a closed network or a segregated and access controlled sub-enclave having appropriate boundary protection. This is in support of DoDI 8500.2 IA control DCSP-1 regarding “Security Design and Configuration / Security Support Structure Partitioning” which states “The security support structure maintains separate execution domains as in address spaces, for each executing process by means of partitions, domains, etc., including control of access to, and integrity of, hardware, software, and firmware that perform security functions.”

STIG	Date
Voice/Video Services Policy STIG	2014-04-07

Details

Check Text ( C-17142r1_chk )
Interview the IAO to validate compliance with the following requirement: In the event a Call Center / CTI system/application (e.g., call center, helpdesk, operators console, E911 system, etc.) utilizing or incorporating PC based soft-phones are approved for use in the strategic LAN, ensure the following: - The supporting network is configured as a closed environment (enclave) or a segregated and access controlled sub-enclave having appropriate boundary protection between it and the local general business LAN or external WAN. - In the event the CTI application accesses resources outside this enclave and there is the potential of the application being compromised from external sources, the supporting network is configured to provide separate voice and data zones and maintains separation of voice and data traffic per the VoIP STIG if technically feasible (i.e., such separation does not break the CTI application or there is another compelling reason). - The supporting network enclave and boundary protection is configured in substantial compliance with the Enclave, Network Infrastructure, and VoIP STIGs. - The CTI application/enclave (e.g., a call center application) is supported by a dedicated VoIP controller. Inspect network drawings and perform a scan from outside the CTI system enclave to determine what traffic is permitted to flow between the CTI system and external network or VLANs. This is a finding in the event unnecessary traffic can pass.

Check Text ( C-17142r1_chk )

Interview the IAO to validate compliance with the following requirement:

In the event a Call Center / CTI system/application (e.g., call center, helpdesk, operators console, E911 system, etc.) utilizing or incorporating PC based soft-phones are approved for use in the strategic LAN, ensure the following:
- The supporting network is configured as a closed environment (enclave) or a segregated and access controlled sub-enclave having appropriate boundary protection between it and the local general business LAN or external WAN.
- In the event the CTI application accesses resources outside this enclave and there is the potential of the application being compromised from external sources, the supporting network is configured to provide separate voice and data zones and maintains separation of voice and data traffic per the VoIP STIG if technically feasible (i.e., such separation does not break the CTI application or there is another compelling reason).
- The supporting network enclave and boundary protection is configured in substantial compliance with the Enclave, Network Infrastructure, and VoIP STIGs.
- The CTI application/enclave (e.g., a call center application) is supported by a dedicated VoIP controller.

Inspect network drawings and perform a scan from outside the CTI system enclave to determine what traffic is permitted to flow between the CTI system and external network or VLANs.

This is a finding in the event unnecessary traffic can pass.

Fix Text (F-16203r1_fix)
In the event a Call Center / CTI system/application (e.g., call center, helpdesk, operators console, E911 system, etc.) utilizing or incorporating PC based soft-phones are approved for use in the strategic LAN, ensure the following: - The supporting network is configured as a closed environment (enclave) or a segregated and access controlled sub-enclave having appropriate boundary protection between it and the local general business LAN or external WAN. - In the event the CTI application accesses resources outside this enclave and there is the potential of the application being compromised from external sources, the supporting network is configured to provide separate voice and data zones and maintains separation of voice and data traffic per the VoIP STIG if technically feasible (i.e., such separation does not break the CTI application or there is another compelling reason). - The supporting network enclave and boundary protection is configured in substantial compliance with the Enclave, Network Infrastructure, and VoIP STIGs. - The CTI application/enclave (e.g., a call center application) is supported by a dedicated VoIP controller. Implement the proper Call Center / CTI system protection mechanisms segregating it into its own protected enclave and limit traffic into and out of this enclave.

Fix Text (F-16203r1_fix)

In the event a Call Center / CTI system/application (e.g., call center, helpdesk, operators console, E911 system, etc.) utilizing or incorporating PC based soft-phones are approved for use in the strategic LAN, ensure the following:
- The supporting network is configured as a closed environment (enclave) or a segregated and access controlled sub-enclave having appropriate boundary protection between it and the local general business LAN or external WAN.
- In the event the CTI application accesses resources outside this enclave and there is the potential of the application being compromised from external sources, the supporting network is configured to provide separate voice and data zones and maintains separation of voice and data traffic per the VoIP STIG if technically feasible (i.e., such separation does not break the CTI application or there is another compelling reason).
- The supporting network enclave and boundary protection is configured in substantial compliance with the Enclave, Network Infrastructure, and VoIP STIGs.
- The CTI application/enclave (e.g., a call center application) is supported by a dedicated VoIP controller.

Implement the proper Call Center / CTI system protection mechanisms segregating it into its own protected enclave and limit traffic into and out of this enclave.