Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-19592 | VVoIP 1015 (GENERAL) | SV-21733r1_rule | EBBD-1 EBBD-2 EBBD-3 ECSC-1 | Medium |
Description |
---|
There are several reasons why VVoIP system access to commercial voice services (i.e., the PSTN) must be via a Media Gateway if exceptions do not apply. These reasons are as follows: > Most high capacity local commercial voice service (more than a few individual lines) is delivered from the carrier via TDM trunks. This requires the conversion to VoIP via a media gateway. > The implementation or receipt of commercial VoIP service from an Internet Telephony Service Provider (ITSP), would require the implementation of an Internet Service Provider (ISP) connection or a connection into the service provider’s network via a VPN or dedicated TDM or optical circuit. In effect, a connection into the service provider’s network would provide a path to the Internet. These types of local connections provide a “back door” into the local network that can place the entire DISN or GIG at risk from exploitation and can circumnavigate the protections put in place by the operators of the DISN (DISA). Such connections need to be specifically approved under CJCSI 6211.02C and DODI 4640.14. Such connections must also meet the requirements in the Network Infrastructure STIG for an “Approved Gateway.” This generally means that a full boundary architecture has to be implemented. Specific requirements for the implementation of commercial VoIP service will be defined later. NOTE: The term “back door” as used here means an illicit or UN-approved connection and is not intended to have the same meaning as the term “backdoor connection”, as defined in RFC 2764, and used in the Network Infrastructure STIG. NOTE: A PRI or CAS trunk is required because the DSN is not permitted to exchange SS7 signaling with the PSTN. Doing so would place the DoD’s SS7 network at risk. NOTE: The implementation of local ITSP connections to utilize commercial VoIP services at all BCPS would mean the implementation of an OSD / Gig Waiver Panel “approved ISP gateway” at each BCPS. This would amount to over 1000 direct connections between the Internet and the NIPRNet via the BCPS LAN. While these connections might be limited to VoIP only traffic, these would have the potential to be mis-configured in such a way that the connection provides an open “back door” for general access, Internet traffic, and attacks. This presents a huge risk to the DISN which is unacceptable. It is therefore highly unlikely that DoD will take such an approach and approve such connections. |
STIG | Date |
---|---|
Voice/Video Services Policy STIG | 2014-04-07 |
Check Text ( C-23862r1_chk ) |
---|
Interview the IAO to confirm compliance with the following requirement: Ensure all VVoIP system access to/from commercial dialup services (voice, video, fax, data) is via a locally implemented Media Gateway (MG) using a PRI or CAS trunk to a PSTN CO except as follows: • The enclave is small and has one or more PSTN subscriber lines terminated on individual phones, a dedicated key system, or a PBX, all of which are separate from the DoD VVoIP system. • The enclave is small and has one or more Commercial/Public VoIP subscriber lines or trunks terminated on an IP/Ethernet network that is separate from the DoD NIPRNet accessible network. (NOTE: This situation requires OSD GIG Waiver Panel approval for the required ISP connection.) NOTE: Trunks that support SS7 signaling and SS7 based signaling between a DoD network and a non-DOD network is prohibited. Determine if the following exceptions apply: • Is the enclave small and does it have one or more PSTN subscriber lines terminated on individual phones, OR a dedicated key system, OR a dedicated PBX, all of which are separate from the DoD VVoIP system? • Is the enclave small and does it have one or more Commercial/Public VoIP subscriber lines or trunks terminated on an IP/Ethernet network that is separate from the DoD NIPRNet accessible network? This is a finding in the event the site is not connected to the PSTN via a MG located within the local site enclave as described above AND one of the exceptions is not applicable. |
Fix Text (F-20290r1_fix) |
---|
Ensure all VVoIP system access to/from commercial dialup services (voice, video, fax, data) is via a locally implemented Media Gateway (MG) using a PRI or CAS trunk to a PSTN CO except as follows: • The enclave is small and has one or more PSTN subscriber lines terminated on individual phones, a dedicated key system, or a PBX, all of which are separate from the DoD VVoIP system. • The enclave is small and has one or more Commercial/Public VoIP subscriber lines or trunks terminated on an IP/Ethernet network that is separate from the DoD NIPRNet accessible network. (NOTE: This situation requires OSD GIG Waiver Panel approval for the required ISP connection.) NOTE: Trunks that support SS7 signaling and SS7 based signaling between a DoD network and a non DOD network is prohibited. |