
Deficient end-to-end interoperable confidentiality and integrity for VVoIP session media streams per DISN IPVS requirements.


Overview

Finding ID: V-19441
Version: VVoIP 6170 (DISN-IPVS)
Rule ID: SV-21492r1_rule
IA Controls: ECCT-1, ECSC-1
Severity: Medium
Description
Until recently, VVoIP traffic has been restricted to the LAN/CAN within the enclave for most VVoIP systems. This is due to the lack of inter-vendor interoperability, end-to-end encryption, and the inability of VoIP to provide assured service in support of C2 communications reliability and priority requirements. The DSN PMO, DISA Engineering, and the Real Time Services (RTS) working group have been working to define network and system requirements to overcome the inherent obstacles in pursuit of a DISN-wide interoperable assured service VVoIP or Voice Services network. In doing so, specific choices had to be made among the various technological and vendor solutions to provide the capability. These choices were made with the full cooperation of a consortium of vendor engineers. The following requirement reflects one of these choices made to meet DoD “confidentiality of data in transit” requirements under the DoDI 8500.2 IA controls ECCT-1 and ECNK-1 as well as Federal Information Processing Standards (FIPS) and Internet Engineering Task Force (IETF) recommendations.

NOTE: For the purpose of this document, the DISN-wide IP-enabled DSN or RTS network will be referred to as the DISN IP Voice Services / Unified Capabilities (UC) Network (DISN IPVS/UCN or DISN IPVS/UC network).

Real-time IP communications (known as Real Time Services (RTS)) comprise the signaling protocols, which set up and manage the communications session, and the media transfer protocols, which carry the communications. Both signaling and media protocols, and the resulting communications, can be compromised when sent in the clear. The common means (per IETF recommendations) of transporting RTS media across an IP network is the Real-time Transport Protocol (RTP). The common means of providing confidentiality and integrity of the RTP streams is to apply a security profile to RTP called the Secure Real-time Transport Protocol (SRTP).

An additional factor in interoperability is the use of the same key management strategy at both ends of the session. The encryption algorithm, key strength, and key management processes are defined in the current version of the DoD Unified Capabilities Requirements (UCR) document available from the DISA Voice Services PMO.

NOTE: The devices in a VVoIP system that are required to provide this protection are the End Instruments (EIs) and Media Gateways (MGs). These are the only devices in the end-to-end communications path that are required to have access to the unencrypted media stream.
STIG: Voice/Video Services Policy STIG
Date: 2014-04-07

Details

Check Text ( C-23701r1_chk )
Interview the IAO to confirm compliance with the following requirement:

In the event a VVoIP system provides assured service, sensitive but unclassified (SBU), or classified site-to-site communications and is integrated into a DISN IP Voice Services (VS) or Unified Capabilities (UC) network (classified or unclassified), ensure End Instruments (EIs) and Media Gateways (MGs) provide end-to-end confidentiality for media streams using SRTP with AES_CM_128 as the default encryption algorithm or [as Required FY12] the AES 256-bit algorithm as defined in the UCR.

Additionally ensure key management is performed in accordance with UCR requirements to ensure interoperability across the DISN IPVS network.


Fix Text (F-20295r1_fix)
When integrating a VVoIP system into an assured services classified or unclassified DISN IPVS network, ensure End Instruments (EIs) and Media Gateways (MGs) provide end-to-end confidentiality for media streams using SRTP with AES_CM_128 as the default encryption algorithm or [as Required FY12] AES 256-bit algorithm as defined in the UCR.

Additionally ensure key management is performed in accordance with UCR requirements to ensure interoperability across the DISN IPVS network.

Configure the VVoIP system components per the DoD APL IA deployment guide specific to the product being deployed.
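The Check Text and Fix Text above both come down to one verifiable property of a session: every media stream an EI or MG offers must be carried as SRTP with an AES counter-mode suite (AES_CM_128 by default, or the 256-bit AES suite). The following script is an added example, not part of the STIG or of any vendor's deployment guide; it audits captured SDP offers for that property. It assumes that keys are negotiated in SDP "a=crypto" lines (SDP Security Descriptions, RFC 4568), which the page itself does not specify, since the UCR defines the key management method; if a deployment uses a different key exchange, the "a=crypto" check would need to be swapped for that mechanism. The SDP body and inline key below are constructed sample data.

```python
"""Audit SDP offers against the SRTP requirement of this finding.

Assumptions (not stated on the STIG page): key material is carried in
SDP 'a=crypto' lines (RFC 4568), and the acceptable crypto suites are the
AES counter-mode suites listed in ACCEPTED_SUITES. Sample data is constructed.
"""
import re

# AES counter-mode suites: 128-bit default, or the 256-bit suites (RFC 6188).
ACCEPTED_SUITES = {
    "AES_CM_128_HMAC_SHA1_80",
    "AES_CM_128_HMAC_SHA1_32",
    "AES_256_CM_HMAC_SHA1_80",
    "AES_256_CM_HMAC_SHA1_32",
}

# Transport profiles that carry SRTP rather than plaintext RTP.
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF"}

# a=crypto:<tag> <crypto-suite> <key-params> ...
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+(\S+)")


def _judge(media, proto, suites):
    """Classify one media section as PASS or FAIL with a reason string."""
    if proto not in SECURE_PROFILES:
        return (media, "FAIL", f"media offered over {proto}, not SRTP")
    if not suites:
        return (media, "FAIL", "SRTP profile but no a=crypto key material")
    bad = [s for s in suites if s not in ACCEPTED_SUITES]
    if bad:
        return (media, "FAIL", f"non-conforming suite(s): {', '.join(bad)}")
    return (media, "PASS", f"SRTP with {', '.join(suites)}")


def audit_sdp(sdp):
    """Return one (media, status, reason) tuple per m= section of the SDP."""
    results = []
    media = proto = None
    suites = []
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            # Close out the previous media section before starting a new one.
            if media is not None:
                results.append(_judge(media, proto, suites))
            fields = line[2:].split()          # "<media> <port> <proto> <fmt>..."
            media, proto = fields[0], fields[2]
            suites = []
        else:
            m = CRYPTO_RE.match(line)
            if m and media is not None:
                suites.append(m.group(2))
    if media is not None:
        results.append(_judge(media, proto, suites))
    return results


# Constructed sample offer: a conforming audio stream, a video stream sent as
# plain RTP, and a second audio stream using a non-AES suite from RFC 4568.
SAMPLE_OFFER = """v=0
o=ei 2890844526 2890844526 IN IP4 192.0.2.10
s=constructed sample offer
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/SAVP 0 8
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz
m=video 51372 RTP/AVP 96
a=rtpmap:96 H264/90000
m=audio 49180 RTP/SAVP 9
a=crypto:1 F8_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz
"""

if __name__ == "__main__":
    for media, status, reason in audit_sdp(SAMPLE_OFFER):
        print(f"{status:4} {media:6} {reason}")
```

Run against SDP bodies pulled from signaling captures or from a SIP proxy's logs, the script gives a per-stream PASS/FAIL list that maps directly onto the "end-to-end confidentiality for media streams" clause; a single FAIL line (an RTP/AVP media line, a missing key, or a suite outside the AES counter-mode set) is a finding against this rule.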