IP based VVoIP services over Wireless LAN (WLAN - Wi-Fi 802.11x) or Wireless MAN (WMAN - WiMAX 802.16) are being used without the applicable Wireless STIG/Checklist security guidance applied to the wireless service or endpoints in addition to the VoIP STIG/Checklist requirements.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-8256	VVoIP 1035 (GENERAL)	SV-8742r1_rule	ECSC-1 ECWN-1	Low

Description
The incorporation of wireless technology into the VVoIP environment or service elevates many existing VoIP concerns such as quality of service (QoS), network capacity, provisioning, architecture and not the least important, security. Many government entities are exploring mobile communication solutions that include wireless VoIP that can meet critical needs for interoperability and flexibility. This will soon expand to video and unified communications over wireless. IP based wireless voice services and devices (endpoints) initially used Wi-Fi (802.11(x)) wireless LAN (WLAN) technologies. These devices are still available today and are essentially a cordless phone that happens to use Wi-Fi. Today vendors are integrating 802.11(x) VoIP capabilities into cellular phones that can transition seamlessly between a cellular network and a WLAN. This means that a user can place a call using the WLAN in their office and then move out of range and transition to their cellular carrier’s network without losing the call. Such a transition can operate in the other direction as well. Other devices integrate Cellular and Wi-Fi with WiMAX (802.11(e)) capabilities providing similar transitions as well as enterprise grade presence, messaging, directories, email, etc. Additionally, SmartPhones can support VoIP softphone applications which utilize the smartphone’s native IP connectivity. Similarly SmartPhone supported connectivity can be over cellular, Wi-Fi, and/or WiMAX network. Using these capabilities over wireless technologies presents vulnerabilities to the communications carried and the VVoIP infrastructure. Confidentiality is one of the greatest concerns requiring encryption of the media and signaling as it is on a wired MAN/WAN or LAN per the VoIP STIG/Checklist but even more so. This encryption is in addition to the WLAN encryption required by the Wireless STIG/Checklist. Additionally, per the Wireless STIG/Checklist, the endpoints must authenticate to the WLAN before being granted access thus preventing rogue endpoints and other devices from accessing the network, while the endpoint must also register with the VVoIP controllers. Another great concern for using wireless VVoIP communications services is reliability and availability when using the technology for critical C2 communications. Being wireless, all of the usual issues with radio transmission and reception come into play. In the event a C2 call is initiated, it could be blocked at either the transmitting end or the receiving end. This could be because the spectrum or channels could be busy/overloaded, unavailable, or deliberately jammed by an adversary. As such, VVoIP services should not be relied upon for C2 communications. NOTE: If Wireless VoIP technology is deployed all the requirements in the VoIP STIG/Checklist as well as those contained in the Wireless STIG/Checklist are to be applied to the wireless VoIP environment.

Description

The incorporation of wireless technology into the VVoIP environment or service elevates many existing VoIP concerns such as quality of service (QoS), network capacity, provisioning, architecture and not the least important, security. Many government entities are exploring mobile communication solutions that include wireless VoIP that can meet critical needs for interoperability and flexibility. This will soon expand to video and unified communications over wireless. IP based wireless voice services and devices (endpoints) initially used Wi-Fi (802.11(x)) wireless LAN (WLAN) technologies. These devices are still available today and are essentially a cordless phone that happens to use Wi-Fi. Today vendors are integrating 802.11(x) VoIP capabilities into cellular phones that can transition seamlessly between a cellular network and a WLAN. This means that a user can place a call using the WLAN in their office and then move out of range and transition to their cellular carrier’s network without losing the call. Such a transition can operate in the other direction as well. Other devices integrate Cellular and Wi-Fi with WiMAX (802.11(e)) capabilities providing similar transitions as well as enterprise grade presence, messaging, directories, email, etc. Additionally, SmartPhones can support VoIP softphone applications which utilize the smartphone’s native IP connectivity. Similarly SmartPhone supported connectivity can be over cellular, Wi-Fi, and/or WiMAX network. Using these capabilities over wireless technologies presents vulnerabilities to the communications carried and the VVoIP infrastructure. Confidentiality is one of the greatest concerns requiring encryption of the media and signaling as it is on a wired MAN/WAN or LAN per the VoIP STIG/Checklist but even more so. This encryption is in addition to the WLAN encryption required by the Wireless STIG/Checklist. Additionally, per the Wireless STIG/Checklist, the endpoints must authenticate to the WLAN before being granted access thus preventing rogue endpoints and other devices from accessing the network, while the endpoint must also register with the VVoIP controllers. Another great concern for using wireless VVoIP communications services is reliability and availability when using the technology for critical C2 communications. Being wireless, all of the usual issues with radio transmission and reception come into play. In the event a C2 call is initiated, it could be blocked at either the transmitting end or the receiving end. This could be because the spectrum or channels could be busy/overloaded, unavailable, or deliberately jammed by an adversary. As such, VVoIP services should not be relied upon for C2 communications. NOTE: If Wireless VoIP technology is deployed all the requirements in the VoIP STIG/Checklist as well as those contained in the Wireless STIG/Checklist are to be applied to the wireless VoIP environment.

STIG	Date
Voice/Video Services Policy STIG	2014-04-07

Details

Check Text ( C-23624r1_chk )
Interview the IAO and review site documentation to confirm compliance with the following requirement: In the event IP based VVoIP (V-V) services are used over a Wireless LAN (WLAN - Wi-Fi 802.11x) or Wireless MAN (WMAN - WiMAX 802.16) connection, Ensure the applicable endpoint and service related requirements contained in the Wireless STIG/Checklist have been applied to the wireless VVoIP service and endpoints in addition to the applicable VoIP STIG/Checklist requirements. NOTE: If a wireless LAN exists, the WLAN must already be implemented and secured per the Wireless STIG. NOTE: If registering an IP based wireless VVoIP endpoint asset in the DISA VMS apply the following postures to ensure the applicable checks are assigned and reviewed. > If the wireless endpoint is a PDA or smartphone, ensure the following VMS condition has been applied "Computing –Network – Wireless - PDA/PED”. > If the phone uses WLAN, the following condition should be applied in VMS to the asset "Computing –Network – Wireless – wireless Client - Wireless LAN Client”. > If the phone uses WiMax, the following condition should be applied in VMS to the asset "Computing –Network – Wireless – wireless Client - WMAN Subscriber”. Determine if the site has implemented or supports IP based wireless (802.11x or 802.16) VVoIP endpoints. If so this implies that there is a supporting WLAN and any applicable requirements in the Wireless STIG apply to the wireless VVoIP endpoints and service in addition to those in this checklist. Obtain a copy of the Wireless SRR or Self Assessment results and review for compliance. If SRR results are not available, then perform a wireless SRR on a representative number of wireless VVoIP endpoints and on the service. Areas of primary concern are, but are not limited to the following: > Is the endpoint an approved endpoint? > Is the endpoint configured to support the required VoIP endpoint, registration, authentication, and media/signaling encryption requirements? > Is the endpoint configured to support the required WLAN access control, authentication, and encryption requirements? This is a finding in the event it is evident that the appropriate STIGs have not been applied. This check is not intended to determine if the asset is in full compliance. Additionally, this check does not relate to the STIG compliance of the WLAN itself. However if the WLAN is not STIG compliant, then the wireless VVoIP endpoints and service it supports will not meet STIG requirements. Ergo this is a finding. NOTE: Wireless endpoints in this case are typically going to be handheld devices of some sort such as a dedicated VoIP only “cordless phone”, a cellular phone with dual cellular and Wi-Fi (possibly including WiMAX) capabilities, or a PDA/PED with a VoIP soft-phone installed. However, the endpoints could also be desk phones and some could also support Bluetooth headsets, which are also covered in the Wireless STIG/Checklist. NOTE: Wireless VVoIP service relates to the conveyance of the V-V traffic over the wireless LAN/MAN including related requirements for encryption and endpoint authentication. This requirement does not relate directly to the VVoIP infrastructure connected to a wired LAN that also happens to be using wireless transport.

Check Text ( C-23624r1_chk )

Interview the IAO and review site documentation to confirm compliance with the following requirement: In the event IP based VVoIP (V-V) services are used over a Wireless LAN (WLAN - Wi-Fi 802.11x) or Wireless MAN (WMAN - WiMAX 802.16) connection, Ensure the applicable endpoint and service related requirements contained in the Wireless STIG/Checklist have been applied to the wireless VVoIP service and endpoints in addition to the applicable VoIP STIG/Checklist requirements.
NOTE: If a wireless LAN exists, the WLAN must already be implemented and secured per the Wireless STIG.

NOTE: If registering an IP based wireless VVoIP endpoint asset in the DISA VMS apply the following postures to ensure the applicable checks are assigned and reviewed.
> If the wireless endpoint is a PDA or smartphone, ensure the following VMS condition has been applied "Computing –Network – Wireless - PDA/PED”.
> If the phone uses WLAN, the following condition should be applied in VMS to the asset "Computing –Network – Wireless – wireless Client - Wireless LAN Client”.
> If the phone uses WiMax, the following condition should be applied in VMS to the asset "Computing –Network – Wireless – wireless Client - WMAN Subscriber”.

Determine if the site has implemented or supports IP based wireless (802.11x or 802.16) VVoIP endpoints. If so this implies that there is a supporting WLAN and any applicable requirements in the Wireless STIG apply to the wireless VVoIP endpoints and service in addition to those in this checklist.

Obtain a copy of the Wireless SRR or Self Assessment results and review for compliance. If SRR results are not available, then perform a wireless SRR on a representative number of wireless VVoIP endpoints and on the service.

Areas of primary concern are, but are not limited to the following:
> Is the endpoint an approved endpoint?
> Is the endpoint configured to support the required VoIP endpoint, registration, authentication, and media/signaling encryption requirements?
> Is the endpoint configured to support the required WLAN access control, authentication, and encryption requirements?

This is a finding in the event it is evident that the appropriate STIGs have not been applied. This check is not intended to determine if the asset is in full compliance. Additionally, this check does not relate to the STIG compliance of the WLAN itself. However if the WLAN is not STIG compliant, then the wireless VVoIP endpoints and service it supports will not meet STIG requirements. Ergo this is a finding.

NOTE: Wireless endpoints in this case are typically going to be handheld devices of some sort such as a dedicated VoIP only “cordless phone”, a cellular phone with dual cellular and Wi-Fi (possibly including WiMAX) capabilities, or a PDA/PED with a VoIP soft-phone installed. However, the endpoints could also be desk phones and some could also support Bluetooth headsets, which are also covered in the Wireless STIG/Checklist.
NOTE: Wireless VVoIP service relates to the conveyance of the V-V traffic over the wireless LAN/MAN including related requirements for encryption and endpoint authentication. This requirement does not relate directly to the VVoIP infrastructure connected to a wired LAN that also happens to be using wireless transport.

Fix Text (F-7739r1_fix)
Apply requirements contained in both the VoIP STIG and the Wireless STIG wherever VoIP over Wireless is used.