
One or more DOD APL listed Local Session Controllers (LSCs) or Multi-Function Soft Switch (MFSS) are not implemented within the enclave for DISN IPVS session control.


Overview

Finding ID: V-19599
Version: VVoIP 6130 (DISN-IPVS)
Rule ID: SV-21740r1_rule
IA Controls: DCBP-1, ECSC-1
Severity: Medium

Description
DISA has developed the DISN IPVS to support C2 Assured Service reliability and availability. As such, the worldwide availability and effectiveness of this service is dependent upon the components of the overall system that are located in each interconnected enclave. These components must be interoperable and support the needed quality of service. Therefore, if the VVoIP system in an enclave is to utilize the DISN IPVS to communicate with other enclaves across the NIPRNet, the system must be designed with equipment that has specific capabilities. Additionally, the implementation of VVoIP across the enclave boundary must not degrade the security or protection of the enclave.

Use of the DISN IPVS network requires the following equipment such that interoperability is assured across the DISN service:

> One or more DOD APL listed Customer Edge Routers (CERs) on which the DISN access circuits are terminated. The CER is robust/reliable and provides QoS features / capabilities as required by the UCR for the specific type of site. NOTE: The CER is the enclave’s perimeter or premise router as designated by the Network Infrastructure and Enclave STIGs.

> One or more DOD APL listed Local Session Controllers (LSCs) or Multi-Function Soft Switch (MFSS) within the enclave for session control. These are the system control and signaling agents of the system. The LSC and MFSS are robust/reliable and provide admission control, and QoS features / capabilities as required by the UCR. The LSC (one or more per site) manages local endpoint registration and calls established to/from local endpoints and facilities. It also manages calls into and out of the enclave. The MFSS (typically one per site) performs LSC functions for its site and provides signaling management for a regional set of LSCs. An MFSS is a backbone device and is only required at DISN IPVS PMO designated locations.

> Each LSC or MFSS and CER will be separated by a firewall or session border controller having specific functionality as defined in the UCR. This DoD specific device is called an Edge Boundary Controller (EBC). This may be a dedicated device or may be a functional part of the required data firewall.

The use of these devices is critical to the success of the DISN IPVS’s mission.

NOTE: As noted in the LAN section, on a large facility (site) the primary LSC should have a backup LSC that is geographically separate from it. This is also applicable to a facility/site that has an MFSS. While the MFSSs work in pairs in the backbone and are therefore redundant with regard to backbone services, their LSC functionality should also be redundant.

STIG Date
Voice/Video Services Policy STIG 2014-04-07

Details

Check Text ( C-23875r1_chk )
Interview the IAO to confirm compliance with the following requirement:

In the event the VVoIP system within the enclave is integrated with the unclassified DISN IPVS network, ensure the system is designed to include one or more DOD APL listed LSCs or a MFSS for call/session control within the enclave.

NOTE: The LSC (one or more per site) manages local endpoint registration and calls established to/from local endpoints and facilities. It also manages calls into and out of the enclave. The MFSS (one per site and potentially a backup LSC) performs LSC functions for its site and provides signaling management for a regional set of LSCs. An MFSS is a backbone device and is only required at DISN IPVS PMO designated locations.

NOTE: The LSC and MFSS are robust/reliable and provide admission control, and QoS features / capabilities as required by the UCR.

NOTE: In the future, this requirement may be applicable (with some modification) to the classified DISN IPVS network when the PMO adopts the unclassified DISN IPVS architecture.

Determine, through interview and/or physical inspection, the specific make, model, and OS version of the LSCs and/or MFSS.

Fix Text (F-20298r1_fix)
In the event the VVoIP system within the enclave is integrated with the unclassified or classified DISN IPVS network, ensure the system is designed to include one or more DOD APL listed LSCs or a MFSS for call/session control within the enclave.

An MFSS is a backbone device and is only required at DISN IPVS PMO designated locations.

APL listed devices and software loads can be found at the DoD APL web site at http://jitc.fhu.disa.mil/tssi/apl.html.