The dedicated VVoIP address range is NOT defined using “private” (non WAN routed) addresses IAW RFC 1918.


Overview

Finding ID: V-8228
Version: VVoIP 5205 (LAN)
Rule ID: SV-8714r1_rule
IA Controls: DCBP-1 DCPA-1 ECSC-1
Severity: Low
Description
RFC 1918 defines “private” IP address blocks as follows: 10.x.x.x, 172.16.x.x, and 192.168.x.x. The purpose of this is to conserve the available public address pool, since there are far more hosts needing addresses than there are addresses. This is done by using one public address for a publicly accessible WAN termination at the enclave boundary and NAT on the firewall or router, with many “private” addresses in the LAN. The use of the term “private” IP addresses in this sense means that these address blocks are not routed or advertised across the Internet by international agreement. NIPRNet WAN addresses are “publicly accessible”, and the PMO also follows RFC 1918 routing policy (meaning that these addresses are not routed). RFC 1918 addresses are routable within the LAN enclave, however, and can be used on closed private networks.

The VVoIP sub-network(s) will use a different major address range than is deployed on the local data network(s) to further separate IPT from the data network. This will help to reduce the chances of voice traffic traversing outside the telephony network segment, and vice versa for data traffic. The use of RFC 1918 IP address space, like the data VLANs, has the effect of hiding the VVoIP components from the WAN and making their addresses non-routable as a destination across the Internet (or NIPRNet). Deploying VVoIP systems using RFC 1918 address space enhances the security of the VVoIP environment. If VVoIP systems are not deployed on “private” address space, and if the address space is not properly configured, managed, and controlled, the VVoIP network could be accessed by unauthorized personnel, resulting in a security compromise of site information and resources.
STIG: Voice/Video Services Policy STIG
Date: 2014-04-07

Details

Check Text ( C-23791r1_chk )
Interview the IAO to confirm compliance with the following requirement:

Ensure the dedicated VVoIP address range is defined using “private” (non WAN routed) addresses IAW RFC 1918.
NOTE: This is applicable to the following:
> A closed unclassified LAN (in the event this LAN is some day connected to a WAN)
> An unclassified LAN connected to an unclassified WAN such as the NIPRNet or Internet
> A closed classified LAN (in the event this LAN is some day connected to a WAN)
> A classified LAN connected to a classified WAN where network wide address based accountability or traceability is NOT required by the WAN PMO and the WAN is configured to NOT route “private” addresses.

NOTE: This is not applicable in situations where network wide address based accountability or traceability is required by the WAN PMO. For example, this is not applicable to DAA approved VoSIP systems residing on secured classified LANs that are connected to a classified WAN (such as the SIPRNet) where RFC 1918 addressing is not permissible for reasons of network wide accountability, traceability, and policy.

Determine if “private” RFC 1918 addresses are being used for the VVoIP system. These will be within one of the following ranges: 10.x.x.x, 172.16.x.x, and 192.168.x.x.
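An added example, not part of the STIG text: a small Python check that applies the "Determine" step above to a list of VVoIP prefixes and data-network prefixes (the sample values are constructed). It reads the STIG's shorthand "172.16.x.x" as the full 172.16.0.0/12 block, and takes the description's "different major address range" requirement to mean a different RFC 1918 block; the overlap test against the data network is an assumption added here, not a STIG-stated criterion.

```python
import ipaddress

# RFC 1918 "private" blocks. The STIG's shorthand "172.16.x.x" is the full
# 172.16.0.0/12 block (172.16.0.0 - 172.31.255.255).
RFC1918_BLOCKS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def rfc1918_block(prefix):
    """Return the RFC 1918 block that wholly contains prefix, else None.
    A prefix that only partly falls inside a block (e.g. 172.0.0.0/11, which
    spans 172.0.0.0 - 172.31.255.255) is treated as not private."""
    net = ipaddress.ip_network(prefix, strict=False)
    for block in RFC1918_BLOCKS:
        if net.version == block.version and net.subnet_of(block):
            return block
    return None


def check_vvoip_addressing(vvoip_prefixes, data_prefixes):
    """Evaluate each VVoIP prefix against the check. Returns
    {prefix: (status, reason)} with status PASS, WARN or FAIL."""
    data_nets = [ipaddress.ip_network(p, strict=False) for p in data_prefixes]
    data_blocks = {rfc1918_block(p) for p in data_prefixes}
    results = {}
    for prefix in vvoip_prefixes:
        net = ipaddress.ip_network(prefix, strict=False)
        block = rfc1918_block(prefix)
        if block is None:
            results[prefix] = ("FAIL", "not within an RFC 1918 block")
        elif any(net.overlaps(d) for d in data_nets):
            results[prefix] = ("FAIL", "overlaps the data network address space")
        elif block in data_blocks:  # private, but same major block as data (assumption)
            results[prefix] = ("WARN", f"shares major block {block} with the data network")
        else:
            results[prefix] = ("PASS", f"private ({block}) and separate from data ranges")
    return results


if __name__ == "__main__":
    # Constructed sample input, not taken from any real site survey.
    vvoip = ["172.20.0.0/16", "10.50.0.0/16", "192.168.10.0/24",
             "172.32.0.0/16", "203.0.113.0/24"]
    data = ["10.10.0.0/16", "192.168.10.128/25"]
    for prefix, (status, reason) in check_vvoip_addressing(vvoip, data).items():
        print(f"{status:4} {prefix:18} {reason}")
```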

Fix Text (F-20237r1_fix)
Ensure the dedicated VVoIP address range is defined using “private” (non WAN routed) addresses IAW RFC 1918.

NOTE: This is applicable to the following:
> A closed unclassified LAN (in the event this LAN is some day connected to a WAN)
> An unclassified LAN connected to an unclassified WAN such as the NIPRNet or Internet
> A closed classified LAN (in the event this LAN is some day connected to a WAN)
> A classified LAN connected to a classified WAN where network wide address based accountability or traceability is NOT required by the WAN PMO and the WAN is configured to NOT route “private” addresses.

NOTE: This is not applicable in situations where network wide address based accountability or traceability is required by the WAN PMO. For example, this is not applicable to DAA approved VoSIP systems residing on secured classified LANs that are connected to a classified WAN (such as the SIPRNet) where RFC 1918 addressing is not permissible for reasons of network wide accountability, traceability, and policy.

NOTE: The affected devices in this case are as follows:
> VVoIP Call or session controllers; LSC / MFSS.
> Adjunct UC systems.
> Edge Boundary Controller (EBC) internal and external interfaces.
> Customer Edge (Premise) router internal interface to the VVoIP VLANs.
> VVoIP endpoints, including those on PCs that support multiple VLANs.