
Deficient end-to-end interoperable confidentiality, integrity, and authentication for VVoIP session signaling per DISN IPVS Requirements.


Overview

Finding ID: V-19440
Version: VVoIP 6165 (DISN-IPVS)
Rule ID: SV-21491r1_rule
IA Controls: ECCT-1 ECSC-1
Severity: Medium
Description
Until recently, VVoIP traffic has been restricted to the LAN/CAN within the enclave for most VVoIP systems. This is due to the lack of inter-vendor interoperability, end-to-end encryption, and the inability of VoIP to provide assured service in support of C2 communications reliability and priority requirements. The DSN PMO, DISA Engineering, and the Real Time Services (RTS) working group have been working to define network and system requirements to overcome these inherent obstacles in pursuit of a DISN-wide interoperable assured service VVoIP or Voice Services network. In doing so, specific choices had to be made among the various technological and vendor solutions to provide the capability. These choices were made with the full cooperation of a consortium of vendor engineers. The following requirement reflects one of these choices, made to meet DoD “confidentiality of data in transit” requirements under the DoDI 8500.2 IA controls ECCT-1 and ECNK-1 as well as Federal Information Processing Standards (FIPS) and Internet Engineering Task Force (IETF) recommendations.

NOTE: For the purpose of this document, the DISN-wide IP-enabled DSN or RTS network will be referred to as the DISN IP Voice Services network or DISN IPVS network.

Real time IP communications (known as Real Time Services (RTS)) consist of signaling protocols, which set up and manage the communications session, and media transfer protocols, which carry the communications. Both the signaling and media protocols, and the resulting communications, can be compromised when sent in the clear. One of the common means (per IETF recommendations) of initiating an RTS communications session across an IP network is the Session Initiation Protocol (SIP). To provide the assured service pre-emption and priority capabilities required for C2 telephone communications, DISA developed (with the assistance of interested vendors) an extension to the SIP protocol called Assured Service SIP, or AS-SIP.
The common means of providing confidentiality and integrity for SIP signaling, as well as session authentication, is to encrypt it using Transport Layer Security (TLS) as defined by the IETF recommendations. An additional factor in interoperability is the use of the same key management strategies at both ends of the session. The encryption algorithm, key strength, and key management processes are defined in the current version of the DoD Unified Capabilities Requirements (UCR) document available from the DISA Voice Services PMO.

NOTE: The devices in a VVoIP system that are required to provide this protection are all those involved in session initiation from end to end. These are the End Instruments (EIs), Media Gateways (MGs), Local Session Controller (LSC), Soft-Switch (SS), Multi-Function Soft Switch (MFSS), and Edge Border Controllers (EBCs) (the EBC being the DISN IPVS/UCN VVoIP firewall).
STIG: Voice/Video Services Policy STIG
Date: 2014-04-07

Details

Check Text (C-23699r1_chk)
Interview the IAO to confirm compliance with the following requirement:

In the event a VVoIP system provides assured service, sensitive but unclassified (SBU), or classified site-to-site communications and is integrated into a DISN IP Voice Services (VS) or Unified Capabilities (UC) network (DISN IPVS/UCN), classified or unclassified, ensure all active participants in the signaling path provide hop-by-hop confidentiality, integrity, and authentication for signaling messages using TLS or IPsec. Implement the AES 128-bit algorithm or AES 256-bit algorithm as defined in the UCR.

NOTE: The participants in question are the End Instruments (EIs), Media Gateways (MGs), Local Session Controller (LSC), Soft-Switch (SS), Multi-Function Soft Switch (MFSS), and Edge Border Controllers (EBCs) (which is the DISN IPVS VVoIP firewall).

Additionally, ensure key management is performed in accordance with UCR requirements to ensure interoperability across the DISN IPVS network.

Fix Text (F-20184r1_fix)
When integrating a VVoIP system into an assured services classified or unclassified DISN IPVS/UC network:

Ensure all active participants in the signaling path provide hop-by-hop confidentiality, integrity, and authentication for signaling messages using TLS or IPsec. Implement the AES 128-bit algorithm or AES 256-bit algorithm as defined in the UCR.
NOTE: The participants in question are the End Instruments (EIs), Media Gateways (MGs), Local Session Controller (LSC), Soft-Switch (SS), Multi-Function Soft Switch (MFSS), Signaling Gateway (SG), and Edge Border Controllers (EBCs) (which is the DISN IPVS VVoIP firewall).

Additionally, ensure key management is performed in accordance with UCR requirements to ensure interoperability across the DISN IPVS/UC network.

Configure the VVoIP system components per the DoD APL IA deployment guide specific to the product being deployed.
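As a worked check supporting both the Check Text and the Fix Text above (an added example, not part of the STIG, the UCR, or any DISA tool), the script below parses the Via header chain of a received AS-SIP request and flags every hop that forwarded signaling over plain UDP/TCP without being listed as IPsec-protected, and confirms that a negotiated TLS cipher suite uses AES-128 or AES-256 as the UCR requires. The sample INVITE, hostnames, and IPsec host list are constructed for illustration.

```python
import re

# TLS-based signaling transports give per-hop confidentiality, integrity and
# authentication on their own. A UDP/TCP hop can still comply if it runs inside
# an IPsec SA, which a Via header cannot show, so the caller supplies those hosts.
SECURE_TRANSPORTS = {"TLS", "TLS-SCTP"}
VIA_VALUE = re.compile(r"SIP/2\.0/([A-Za-z-]+)\s+(\[[^\]]+\]|[^\s;,:]+)")
# Bulk cipher of a TLS suite name, in IANA (AES_128_) or OpenSSL (AES128-) spelling.
AES_SUITE = re.compile(r"AES[_-]?(128|256)[_-]", re.IGNORECASE)

def parse_via_hops(sip_message):
    """Return [(transport, host)] for every Via header, nearest hop first.
    Accepts one Via per line, the compact 'v:' form and comma-separated values."""
    hops = []
    headers = sip_message.split("\r\n\r\n", 1)[0]
    for line in headers.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() not in ("via", "v"):
            continue
        for part in value.split(","):
            match = VIA_VALUE.search(part)
            if match:
                hops.append((match.group(1).upper(), match.group(2)))
    return hops

def audit_signaling_path(sip_message, ipsec_protected_hosts=frozenset()):
    """List every hop that forwarded signaling without TLS and is not known to
    sit inside an IPsec tunnel. An empty list means the chain is compliant."""
    hops = parse_via_hops(sip_message)
    if not hops:
        return ["no Via headers found; signaling path cannot be assessed"]
    return [
        f"{host} forwarded signaling over {transport} without TLS or IPsec"
        for transport, host in hops
        if transport not in SECURE_TRANSPORTS and host not in ipsec_protected_hosts
    ]

def cipher_suite_uses_aes(cipher_name):
    """True when the negotiated TLS suite's bulk cipher is AES-128 or AES-256."""
    return AES_SUITE.search(cipher_name) is not None

# Constructed AS-SIP INVITE as received at an LSC; hosts and branch ids are made up.
SAMPLE_INVITE = (
    "INVITE sip:5551234@lsc-b.example.mil SIP/2.0\r\n"
    "Via: SIP/2.0/TLS ebc-b.example.mil:5061;branch=z9hG4bK-1\r\n"
    "Via: SIP/2.0/TLS mfss.example.mil:5061;branch=z9hG4bK-2, "
    "SIP/2.0/TCP lsc-a.example.mil:5060;branch=z9hG4bK-3\r\n"
    "v: SIP/2.0/UDP 10.0.0.25:5060;branch=z9hG4bK-4\r\n\r\n"
)
```

Running `audit_signaling_path(SAMPLE_INVITE, {"10.0.0.25"})` reports only the LSC-A hop, since the end instrument at 10.0.0.25 is declared IPsec-protected; the audit is of the signaling path only and does not cover the SRTP media stream.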