Servers supporting the VVoIP and UC/UM telephony environment are not dedicated to telephony (VVoIP, UC, or UM) applications or their support.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-8247	VVoIP 1050 (GENERAL)	SV-8733r1_rule	ECSC-1	Medium

Description
For the purpose of this requirement a VVoIP, UC, or UM server is any server directly supporting the communications service. Unlike a regular PC or print server on the network VVoIP servers are “mission critical” to the operation of the VoIP system. Dedicating these critical servers to their task is one of the key steps in key in securing the VVoIP environment. Permitting critical servers to run non-critical applications can provide a means or a path whereby the server or the critical applications can be compromised. Additionally, by running non-critical applications not required for the operations or not related to the primary purpose of the server can degrade the performance of the server and thereby the reliability of the service provided. By not permitting non-critical applications to run on these servers the server is made more secure. Therefore, the securing of these voice processing and signaling platforms, to include their installed applications, is vital in protecting the VoIP environment from malicious attack.

Description

For the purpose of this requirement a VVoIP, UC, or UM server is any server directly supporting the communications service. Unlike a regular PC or print server on the network VVoIP servers are “mission critical” to the operation of the VoIP system. Dedicating these critical servers to their task is one of the key steps in key in securing the VVoIP environment. Permitting critical servers to run non-critical applications can provide a means or a path whereby the server or the critical applications can be compromised. Additionally, by running non-critical applications not required for the operations or not related to the primary purpose of the server can degrade the performance of the server and thereby the reliability of the service provided. By not permitting non-critical applications to run on these servers the server is made more secure. Therefore, the securing of these voice processing and signaling platforms, to include their installed applications, is vital in protecting the VoIP environment from malicious attack.

STIG	Date
Voice/Video Services Policy STIG	2014-04-07

Details

Check Text ( C-23603r1_chk )
Interview the IAO and review site documentation to confirm compliance with the following requirement: Ensure critical servers/devices supporting the VVoIP/UC/UM system are dedicated to only applications required to support operations. Interview the IAO and SA to determine the purpose and use of each server/device that comprises the VVoIP/UC/UM core infrastructure. Then determine each server/device can support or run any application other than what is required in support of its primary purpose. Such servers would be the LSC, without which the system will not operate, voicemail or unified mail servers, management servers, IM / presence servers, conference bridges, etc. Inspect each server/device’s software storage looking for its installed applications. This is a finding if applications are found that are not required to fulfill the server/device’s primary function. General purpose applications like browsers, word processors, etc., or other applications like development software or special purpose applications should not be found unless directly required for operations and support. Additionally, unnecessary portions of the operating system such as sub-applications or files and routines that are not required to support the telephony system should not be found. NOTE: VVoIP core infrastructure servers/devices include but may not be limited to the TDM telephone switches, local session controller (LSC), voicemail / unified mail system, interactive voice response system, media gateway, signaling gateway, management servers and workstations, conference bridges, IM/presence servers, etc.

Check Text ( C-23603r1_chk )

Interview the IAO and review site documentation to confirm compliance with the following requirement: Ensure critical servers/devices supporting the VVoIP/UC/UM system are dedicated to only applications required to support operations.

Interview the IAO and SA to determine the purpose and use of each server/device that comprises the VVoIP/UC/UM core infrastructure. Then determine each server/device can support or run any application other than what is required in support of its primary purpose. Such servers would be the LSC, without which the system will not operate, voicemail or unified mail servers, management servers, IM / presence servers, conference bridges, etc. Inspect each server/device’s software storage looking for its installed applications. This is a finding if applications are found that are not required to fulfill the server/device’s primary function. General purpose applications like browsers, word processors, etc., or other applications like development software or special purpose applications should not be found unless directly required for operations and support. Additionally, unnecessary portions of the operating system such as sub-applications or files and routines that are not required to support the telephony system should not be found.

NOTE: VVoIP core infrastructure servers/devices include but may not be limited to the TDM telephone switches, local session controller (LSC), voicemail / unified mail system, interactive voice response system, media gateway, signaling gateway, management servers and workstations, conference bridges, IM/presence servers, etc.

Fix Text (F-20122r1_fix)
Ensure critical servers/devices supporting the VVoIP/UC/UM system are dedicated to only applications required to support operations. Dedicate critical servers in the VVoIP/UC/UM core infrastructure to only run applications required for executing the primary function of the server/device and those required for its support. Additionally, remove all unnecessary portions of the operating system such as sub-applications or files and routines that are not required to support the telephony system.

Fix Text (F-20122r1_fix)

Ensure critical servers/devices supporting the VVoIP/UC/UM system are dedicated to only applications required to support operations.

Dedicate critical servers in the VVoIP/UC/UM core infrastructure to only run applications required for executing the primary function of the server/device and those required for its support. Additionally, remove all unnecessary portions of the operating system such as sub-applications or files and routines that are not required to support the telephony system.