UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Without an applicable exception the site’s enclave boundary protection is not designed or implemented to route all voice traffic to/from a DSN number via a locally implemented Media Gateway (MG) connected to a DSN EO or MFSS using the appropriate type of trunk based on the site’s need to support C2 communications via the DSN.


Overview

Finding ID Version Rule ID IA Controls Severity
V-8329 VVoIP 1010 (GENERAL) SV-8824r1_rule EBBD-1 EBBD-2 EBBD-3 ECSC-1 Medium
Description
There are several reasons why voice traffic to/from the DSN must use a locally implemented Media Gateway (MG) connected to a DSN EO or MFSS via the appropriate type of trunk based on the site’s need to support C2 communications via the DSN if exceptions do not apply. These reasons are as follows: > VVoIP has the potential to significantly degrade the standard data enclave boundary protection afforded by the required data enclave firewall unless the firewall is designed to properly handle VVoIP traffic. Based on this degradation, VVoIP must not traverse a standard data firewall except under certain circumstances. > VVoIP aware/capable firewalls are being developed and few are deployed. > DoD must purchase and use VVoIP/UC devices and firewalls that meet UC requirements as defined in the UCR. > Confidentiality and integrity: Legacy (early) VoIP systems could not encrypt VoIP signaling or media to protect it for confidentiality and from various attacks while traversing a publicly accessible WAN (e.g., NIPRNet or Internet). This is changing due to the DoD’s efforts to develop interoperable VVoIP encryption standards with vendor assistance. The use of a MG eliminates the need for encryption on an IP WAN by placing the voice traffic on a traditional TDM network where the communications are more secure in general even though they are not encrypted. Physical access to the wire or TDM switch is required to compromise TDM communication whereas compromise could be effected from anywhere on an IP network. > Availability and C2 support between sites via interoperability: VoIP systems from different vendors are typically not directly interoperable via IP. This is primarily due to the lack of fully defined standards leaving vendors to develop their own extensions to the available protocols in support of unique feature sets. This is changing due to the DoD’s efforts to develop interoperable usage of the standards with vendor assistance. The use of a MG converts each vendor’s implementation to a common interoperable system, the TDM DSN.
STIG Date
Voice/Video Services Policy STIG 2014-04-07

Details

Check Text ( C-23858r1_chk )
Interview the IAO to confirm compliance with the following requirement:

Ensure all local DSN access for intra DoD dialup services (voice, video, fax, data) to/from a VVoIP system within a site enclave and a DSN number is via a local Media Gateway (MG) and one or more T619A trunks for C2 enclaves (MLPP support) or one or more PRI or CAS trunks for NON-C2 enclaves with a IP-PBX-2 (NO MLPP support) to a DSN EO or MFS except as follows:
• The VVoIP system within a site enclave is approved for DISN NIPRNet IP Voice Services (VS) (IP enabled DSN VoIP on NIPRNet).
• The VVoIP system within a site enclave is subtended to a larger enclave and tethered (connected) to it via a direct cable, or a dedicated TDM or optical circuit (e.g., a T1, DS2, OCx ). (This connection would be typical of a GSU located in relative close proximity to its MOB. This would be similar to a MAN).
• The enclave is part of an organizational Intranet whose enclaves (MOBs and GSUs and regional service/computing centers or server farms) are interconnected across the DISN using dedicated TDM or optical circuits or encrypted VPN tunnels, whether site-to-site or meshed.

NOTE: organizational Intranets using encrypted site-to-site or meshed VPN tunnels across a DISN IP routed network must block local access to/from the DISN IP routed network (e.g., NIPRNet) at the VPN termination points unless a full boundary protection suite of equipment is implemented locally.

NOTE: This does not apply to approved remote VoIP instruments or Soft Phones that connect to the VVoIP system enclave via an encrypted VPN and are therefore part of the enclave’s LAN.

NOTE: TDM or optical circuits should be bulk encrypted if using a commercial provider to supply any portion of the complete circuit. This will most likely be the case for the “last mile” connection to a DISN SDN since DoD owned facilities do not touch most sites.

Determine if the VVoIP system within the site enclave is connected to a DSN EO or MFS via a local (on site) Media Gateway (MG) and one or more T619A trunks for C2 enclaves (provides MLPP support) or one or more PRI or CAS trunks for NON-C2 enclaves with a IP-PBX-2 (NO MLPP support).

Additionally, determine if the following exceptions apply:
• Is the VVoIP system within the site enclave approved for DISN NIPRNet IP Voice Services (VS) (IP enabled DSN VoIP on NIPRNet)?
• Is the VVoIP system within the site enclave subtended to a larger enclave and tethered (connected) to it via a direct cable, or a dedicated TDM or optical circuit (e.g., a T1, DS2, OCx )? (This connection is typical of a GSU located in relative close proximity to its MOB. This would be similar to a MAN.)
• Is the enclave part of an organizational Intranet whose enclaves (MOBs and GSUs and regional service centers or server farms) are interconnected across the DISN using dedicated TDM or optical circuits or encrypted VPN tunnels, whether site-to-site or meshed?

This is a finding in the event the site is not connected to the DSN via a MG located at the local site enclave as described above AND one of the exceptions is not applicable.

NOTE: This requirement dictates that each site’s VoIP enclave has a local (on site) MG for connecting the site locally to a DSN EO or MFS. The DSN EO or MFS may be located at a remote site, in which case the TDM trunks will carry the voice traffic between the sites. This arrangement means that VoIP traffic does not have to traverse the enclave boundary with the WAN which is one of the reasons for the requirement.
Fix Text (F-20287r1_fix)
Unless one of the following exceptions apply:
• The VVoIP system within a site enclave is approved for DISN NIPRNet IP Voice Services (VS) (IP enabled DSN VoIP on NIPRNet).
• The VVoIP system within a site enclave is subtended to a larger enclave and tethered (connected) to it via a direct cable, or a dedicated TDM or optical circuit (e.g., a T1, DS2, OCx ). (This connection would be typical of a GSU located in relative close proximity to its MOB. This would be similar to a MAN.)
• The enclave is part of an organizational Intranet whose enclaves (MOBs and GSUs and regional service/computing centers or server farms) are interconnected across the DISN using dedicated TDM or optical circuits or encrypted VPN tunnels, whether site-to-site or meshed.

Ensure all DSN access for intra DoD dialup services (voice, video, fax, data) to/from a VVoIP system within a site enclave and a DSN number is via a local (on site) Media Gateway (MG) and one or more T619A trunks for C2 enclaves (MLPP support) or one or more PRI or CAS trunks for NON-C2 enclaves with a IP-PBX-2 (NO MLPP support) to a DSN EO or MFS:

NOTE: This does not apply to approved remote VoIP instruments or Soft Phones that connect to the VVoIP system enclave via an encrypted VPN and are therefore part of the enclave’s LAN.

NOTE: TDM or optical circuits should be bulk encrypted if using a commercial provider to supply any portion of the complete circuit. This will most likely be the case for the “last mile” connection to a DISN SDN since DoD owned facilities do not touch most sites.

NOTE: organizational Intranets using encrypted site-to-site or meshed VPN tunnels across a DISN IP routed network must block local access to/from the DISN IP routed network (e.g., NIPRNet) at the VPN termination points unless a full boundary protection suite of equipment is implemented locally.