A non-approved public or commercial IM or IP telephony service or soft-client application is in use.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-16117	VVoIP 1990 (GENERAL)	SV-17105r1_rule	DCBP-1 ECSC-1	Medium

Description
Various DoD policies disallow general PC users from installing any non-approved application on their workstations or from attaching any non-approved or non-government furnished devices to them. Still other DoD policies require users of government furnished equipment (GFE) (i.e., DoD PCs/workstations) to limit their use to official business and not use them for personal business or other personal activities. Additionally, and more specific to this STIG, DoDI 8500.2 IA controls ECVI-1 and ECIM-1 to disallow general PC users from installing VoIP and IM clients that are intended to access public services for non-official, personal, use. An exception is made for the eventuality that such installations may be approved and performed by a DoD component for official business purposes. The IA controls state the following: • ECVI-1: “Voice over Internet Protocol (VoIP) traffic to and from workstation IP telephony clients that are independently configured by end users for personal use is prohibited within DoD information systems. Both inbound and outbound individually configured voice over IP traffic is blocked at the enclave boundary. NOTE: This does not include VoIP services that are configured by a DoD AIS application or enclave to perform an authorized and official function.” • ECIM-1: “Instant messaging traffic to and from instant messaging clients that are independently configured by end users and that interact with a public service provider is prohibited within DoD information systems. Both inbound and outbound public service instant messaging traffic is blocked at the enclave boundary. NOTE: This does not include IM services that are configured by a DoD AIS application or enclave to perform an authorized and official function.” NOTE: AIS in this case means Automated Information System and relates to an official program. The vulnerability is that installation of VoIP and IM clients that associate themselves with, and connect to a public VoIP or IM service places the DoD system on which the client is installed at risk of, and provides an avenue for, its compromise and unauthorized access. Once compromised, the system could be used as a launching point for further compromise of the network or other DoD systems. Additionally, the use of these services also places the confidentiality of DoD information conveyed by them at risk. Such information could be sensitive or the collection of non-sensitive information over time could reveal sensitive information. The mitigation of the vulnerabilities presented by these public services requires a two prong approach. The first is a technical approach, while the second is an administrative approach requiring user awareness, training, and agreements. A technical approach defined by the IA controls stipulates that traffic to and from public IM and VoIP services is to be blocked at the enclave boundary. It would be best if this were to occur at the NIPRNet Internet Access Points (IAPs), thus preventing such traffic from using the DISN, however this is not happening at this time since such blockage might also block other required services and the IAPs are not fully capable of such blockage at this time. This traffic must also be blocked at any Internet Service Provider (ISP) connection(s) to the enclave. NOTE: All ISP connections must be approved and operated under a waiver obtained from the Global Information Grid (GIG) waiver panel. It is the responsibility of the enclave to provide the required blocking since their firewalls and proxies are where the capability resides. To implement the mitigation, one might think that blocking specific IP addresses would be effective. This is not correct, however, since many of the public services have many IP addresses and servers, while they change their IP addresses regularly as a method of enhancing availability. Some of the public services have classically used non standard IP ports for their communications. Blocking these ports can be an effective measure in meeting the IA controls. Unfortunately, some of the public services are changing to use standard ports to get around the fact that many organizations block the nonstandard ports at their firewalls. The services are migrating to the standard ports 80 and 443 for web services which are generally never blocked. While the purpose of blocking these public services in the network is that this mitigation will prevent the application or service from functioning properly in the event one is installed. It is best to prevent the user from installing the client applications. This can be accomplished by limiting a user’s privileges on their PC such that they cannot install new software. This is typically done on many DoD PCs, however, some users require that ability. Also, unfortunately, just like the trend toward using standard ports, some services may function without a specific client by just using a web browser. This will most likely be the trend for the future. A seemingly more effective approach to blocking these public services or prevent their installation is to block them by their URL. This might be done at a proxy in the enclave boundary or on the PC itself by listing the URLs as un-trusted and setting the PC or proxy security or protection level such that un-trusted sites are blocked.

Description

Various DoD policies disallow general PC users from installing any non-approved application on their workstations or from attaching any non-approved or non-government furnished devices to them. Still other DoD policies require users of government furnished equipment (GFE) (i.e., DoD PCs/workstations) to limit their use to official business and not use them for personal business or other personal activities. Additionally, and more specific to this STIG, DoDI 8500.2 IA controls ECVI-1 and ECIM-1 to disallow general PC users from installing VoIP and IM clients that are intended to access public services for non-official, personal, use. An exception is made for the eventuality that such installations may be approved and performed by a DoD component for official business purposes. The IA controls state the following: • ECVI-1: “Voice over Internet Protocol (VoIP) traffic to and from workstation IP telephony clients that are independently configured by end users for personal use is prohibited within DoD information systems. Both inbound and outbound individually configured voice over IP traffic is blocked at the enclave boundary. NOTE: This does not include VoIP services that are configured by a DoD AIS application or enclave to perform an authorized and official function.” • ECIM-1: “Instant messaging traffic to and from instant messaging clients that are independently configured by end users and that interact with a public service provider is prohibited within DoD information systems. Both inbound and outbound public service instant messaging traffic is blocked at the enclave boundary. NOTE: This does not include IM services that are configured by a DoD AIS application or enclave to perform an authorized and official function.” NOTE: AIS in this case means Automated Information System and relates to an official program. The vulnerability is that installation of VoIP and IM clients that associate themselves with, and connect to a public VoIP or IM service places the DoD system on which the client is installed at risk of, and provides an avenue for, its compromise and unauthorized access. Once compromised, the system could be used as a launching point for further compromise of the network or other DoD systems. Additionally, the use of these services also places the confidentiality of DoD information conveyed by them at risk. Such information could be sensitive or the collection of non-sensitive information over time could reveal sensitive information. The mitigation of the vulnerabilities presented by these public services requires a two prong approach. The first is a technical approach, while the second is an administrative approach requiring user awareness, training, and agreements. A technical approach defined by the IA controls stipulates that traffic to and from public IM and VoIP services is to be blocked at the enclave boundary. It would be best if this were to occur at the NIPRNet Internet Access Points (IAPs), thus preventing such traffic from using the DISN, however this is not happening at this time since such blockage might also block other required services and the IAPs are not fully capable of such blockage at this time. This traffic must also be blocked at any Internet Service Provider (ISP) connection(s) to the enclave. NOTE: All ISP connections must be approved and operated under a waiver obtained from the Global Information Grid (GIG) waiver panel. It is the responsibility of the enclave to provide the required blocking since their firewalls and proxies are where the capability resides. To implement the mitigation, one might think that blocking specific IP addresses would be effective. This is not correct, however, since many of the public services have many IP addresses and servers, while they change their IP addresses regularly as a method of enhancing availability. Some of the public services have classically used non standard IP ports for their communications. Blocking these ports can be an effective measure in meeting the IA controls. Unfortunately, some of the public services are changing to use standard ports to get around the fact that many organizations block the nonstandard ports at their firewalls. The services are migrating to the standard ports 80 and 443 for web services which are generally never blocked. While the purpose of blocking these public services in the network is that this mitigation will prevent the application or service from functioning properly in the event one is installed. It is best to prevent the user from installing the client applications. This can be accomplished by limiting a user’s privileges on their PC such that they cannot install new software. This is typically done on many DoD PCs, however, some users require that ability. Also, unfortunately, just like the trend toward using standard ports, some services may function without a specific client by just using a web browser. This will most likely be the trend for the future. A seemingly more effective approach to blocking these public services or prevent their installation is to block them by their URL. This might be done at a proxy in the enclave boundary or on the PC itself by listing the URLs as un-trusted and setting the PC or proxy security or protection level such that un-trusted sites are blocked.

STIG	Date
Voice/Video Services Policy STIG	2014-04-07

Details

Check Text ( C-17161r1_chk )
Interview the IAO to validate compliance with the following requirement: Ensure PC based public or commercial IM and/or VoIP telephony services and/or supporting applications are unable to be used in the enclave in support of DoDI 8500.2 IA controls ECVI-1 and ECIM-1. NOTE: This requirement does not include IM and/or IP telephony services and/or supporting applications implemented by a DoD component and approved for use by the responsible DAA to fulfill a validated mission requirement. (e.g., DISA’s enterprise wide collaboration tools). NOTE: Examples of soft-clients and services to be disabled are, but are not limited to, the following: - Yahoo Messenger - America Online (AOL) Instant Messenger (AIM) - Microsoft Network (MSN) Messenger - Skype - Freshtel - Google Talk - Magic Jack (A hardware USB ATA and PC soft-client) - Soft clients associated with home telephone service from major PSTN carriers such as Verizon. AT&T, and Quest, major cable carriers such as Comcast and Cox, or competing VoIP carriers such as Vonage. Many others. Determine if Public or commercial IM or VoIP services are installed on PCs and/or are used. If installed, further determine if the application(s) are implemented by a DoD component and approved for use by the responsible DAA to fulfill a validated mission requirement. Inspect a random sample of PCs to determine if such applications are installed and which ones. This is a finding if such applications are installed whether used or not unless approved to fulfill a validated mission requirement or a non-approved application is installed beside an approved one.

Check Text ( C-17161r1_chk )

Interview the IAO to validate compliance with the following requirement:

Ensure PC based public or commercial IM and/or VoIP telephony services and/or supporting applications are unable to be used in the enclave in support of DoDI 8500.2 IA controls ECVI-1 and ECIM-1.

NOTE: This requirement does not include IM and/or IP telephony services and/or supporting applications implemented by a DoD component and approved for use by the responsible DAA to fulfill a validated mission requirement. (e.g., DISA’s enterprise wide collaboration tools).

NOTE: Examples of soft-clients and services to be disabled are, but are not limited to, the following:
- Yahoo Messenger
- America Online (AOL) Instant Messenger (AIM)
- Microsoft Network (MSN) Messenger
- Skype
- Freshtel
- Google Talk
- Magic Jack (A hardware USB ATA and PC soft-client)
- Soft clients associated with home telephone service from major PSTN carriers such as Verizon. AT&T, and Quest, major cable carriers such as Comcast and Cox, or competing VoIP carriers such as Vonage.
Many others.

Determine if Public or commercial IM or VoIP services are installed on PCs and/or are used. If installed, further determine if the application(s) are implemented by a DoD component and approved for use by the responsible DAA to fulfill a validated mission requirement. Inspect a random sample of PCs to determine if such applications are installed and which ones. This is a finding if such applications are installed whether used or not unless approved to fulfill a validated mission requirement or a non-approved application is installed beside an approved one.

Fix Text (F-16223r1_fix)
Ensure PC based public or commercial IM and/or IP telephony services and/or supporting applications are unable to be used in the enclave in support of DoDI 8500.2 IA controls ECVI-1 and ECIM-1. Uninstall any and all applications associated with Public IM or VoIP services that have not been implemented by a DoD component and approved for use by the responsible DAA to fulfill a validated mission requirement. NOTE: This is typically handled by limiting user permissions to install software on their workstations or via policy or profile limitations enforced by HBSS.

Fix Text (F-16223r1_fix)

Ensure PC based public or commercial IM and/or IP telephony services and/or supporting applications are unable to be used in the enclave in support of DoDI 8500.2 IA controls ECVI-1 and ECIM-1.

Uninstall any and all applications associated with Public IM or VoIP services that have not been implemented by a DoD component and approved for use by the responsible DAA to fulfill a validated mission requirement.

NOTE: This is typically handled by limiting user permissions to install software on their workstations or via policy or profile limitations enforced by HBSS.