| Finding ID |
Severity |
Title |
Description |
|
V-259935
|
High |
The Session Border Controller (SBC) (or similar firewall type device) must deny all packets traversing the enclave boundary (inbound or outbound) through the IP port pinholes opened for VVoIP sessions, except RTP/RTCP, SRTP/SRTCP, or other protocol/flow established by signaling messages. |
Once a pinhole is opened in the enclave boundary for a known session, the packets that are permitted to pass must be managed. If they are not properly managed, packets that are not part of a known session may traverse a pinhole, giving unauthorized access to the enclave's LAN or... |
|
V-259934
|
High |
The Session Border Controller (SBC) (or similar firewall type device) must perform stateful inspection and packet authentication for all VVoIP traffic (inbound and outbound) and deny all other packets. |
Once a pinhole is opened in the enclave boundary for a known session, the packets that are permitted to pass must be managed. If they are not properly managed, packets that are not part of a known session could traverse the pinhole, thereby giving unauthorized access to the enclave's LAN... |
|
V-259893
|
High |
An IP-based VTC system implementing a single CODEC that supports conferences on multiple networks with different classification levels (i.e., unclassified, SECRET, TOP SECRET, TS-SCI) must support Periods Processing by connecting the CODEC to one network at a time, matching the classification level of the session to the classification level of the network. |
Connecting to networks of different classifications simultaneously incurs the risk of data from a higher classification being released to a network of a lower classification, referred to as a "spill".
It is imperative that networks of differing classification levels or with differing handling caveats not be interconnected at any time.... |
|
V-259890
|
High |
The Enterprise Voice, Video, and Messaging Policy must define operations for VTC and endpoint cameras regarding the ability to pick up and transmit sensitive information. |
Users of conference room or office-based VTC systems and PC-based communications applications that employ a camera must not inadvertently display sensitive or classified information that is not part of the communications session while the camera is active. This can happen if information in the form of charts, pictures, or maps... |
|
V-259939
|
Medium |
A MAC Authentication Bypass policy must be implemented for 802.1x unsupported devices that connect to the Enterprise Voice, Video, and Messaging system. |
MAC Authentication Bypass (MAB) is not a sufficient stand-alone authentication mechanism for non-802.1x supplicant endpoints. Additional policy-based validation techniques must be developed to ensure that 802.1x exempted devices are properly tracked and controlled to prevent compromise of the underlying 802.1x system and allow unapproved devices to access the Enterprise Voice,... |
|
V-259938
|
Medium |
The Multifunction Soft Switch (MFSS) must be configured to synchronize with at minimum a paired MFSS and/or others so that each may serve as a backup for the other when signaling with its assigned Local Session Controller (LSC), thus improving the reliability and survivability of the DISN IPVS network. |
MFSSs are critical to the operation of the DISN NIPRNet IPVS network. They broker the establishment of calls between enclaves. An MFSS provides the following functions:
- Receives AS-SIP-TLS messages from other MFSSs and a specific set of regionally associated LSCs to act as a call routing manager across the... |
|
V-259937
|
Medium |
The Enterprise Voice, Video, and Messaging system connecting with a DISN IPVS must be configured to signal with a backup Multifunction Soft Switch (MFSS) (or SS) if the primary cannot be reached. |
Redundancy of equipment and associations is used in an IP network to increase the availability of a system. Multiple MFSSs in the DISN NIPRNet IPVS network and multiple SSs in the DISN SIPRNet IPVS network have been implemented to provide networkwide redundancy of their functions. They are intended to work... |
|
V-259936
|
Medium |
The Session Border Controller (SBC) must be configured to notify system administrators and the information system security officer (ISSO) when attempts to cause a denial of service (DoS) or other suspicious events are detected. |
Action cannot be taken to thwart an attempted DOS or compromise if the system administrators responsible for the operation of the SBC and/or the network defense operators are not alerted to the occurrence in real time. |
|
V-259933
|
Medium |
The Session Border Controller (SBC) must be configured to manage IP port pinholes for the SRTP/SRTCP bearer streams based on the information in the SIP and AS-SIP messages. |
The function of the SBC is to manage SIP and AS-SIP signaling messages. The SBC also manages the SRTP/SRTCP bearer streams. The DISN IPVS PMO has determined that the SBC will pass the negotiated and encrypted SRTP/SRTCP bearer streams without decryption and inspection. This is because doing so will not... |
|
V-259932
|
Medium |
The Session Border Controller (SBC) must drop all SIP and AS-SIP packets except those secured with TLS. |
DISN NIPRNet IPVS PMO and the Unified Capabilities Requirements (UCR) require all session signaling across the DISN WAN and between the Local Session Controller (LSC) and EBC to be secured with TLS. The standard IANA assigned IP port for SIP protected by TLS (SIP-TLS) is 5061.
DOD PPSM requires that... |
|
V-259930
|
Medium |
The Session Border Controller (SBC) must be configured to only process signaling packets whose integrity is validated. |
The validation of signaling packet integrity is required to ensure the packet has not been altered in transit. Packets can be altered during uncontrollable network events, such as bit errors and packet truncation that would cause the packet to contain erroneous information. Packets containing detectable errors must not be processed.... |
|
V-259929
|
Medium |
The Session Border Controller (SBC) must be configured to only process packets authenticated from an authorized source within the DISN IPVS network. |
The function of the SBC is to manage SIP and AS-SIP signaling messages. The SBC also authenticates SIP and AS-SIP signaling messages, ensuring they are from an authorized source. DOD policy dictates that authentication be performed using DOD PKI certificates. This also applies to network hosts and elements. SIP and... |
|
V-259928
|
Medium |
The Session Border Controller (SBC) must be configured to terminate and decrypt inbound and outbound SIP and AS-SIP sessions to ensure proper management for the transition of the SRTP/SRTCP streams. |
The function of the SBC is to manage SIP and AS-SIP signaling messages. To perform its proper function in the enclave boundary, the SBC must decrypt and decode or understand the contents of SIP and AS-SIP messages. Additionally, the SBC can perform message validity checks and determine of an attack... |
|
V-259927
|
Medium |
The Session Border Controller (SBC) must filter inbound SIP and AS-SIP traffic based on the IP addresses of the internal Enterprise Session Controller (ESC), Local Session Controller (LSC), or Multifunction Soft Switch (MFSS). |
The SBC is in the VVoIP signaling between the LSC and MFSS. To limit exposure to compromise and denial of service, the SBC must only exchange signaling messages using the designated protocol (AS-SIP-TLS) with the LSC(s) within the enclave and the SBC fronting the MFSS (and its backup) to which... |
|
V-259925
|
Medium |
Two hours of backup power must be provided for LAN Infrastructure, WAN boundary, VVoIP infrastructure, and VVoIP endpoints to support Immediate or Priority precedence C2 users. |
Unified Capabilities (UC) users require different levels of capability depending upon command and control (C2) needs. Special-C2 decision makers requiring Flash or Flash Override precedence must have eight hours of continuous backup power at all times. C2 users requiring Immediate or Priority precedence must have two hours of continuous backup... |
|
V-259924
|
Medium |
Eight hours of backup power must be provided for LAN Infrastructure, WAN boundary, VVoIP infrastructure, and VVoIP endpoints to support Special-C2 users. |
Unified Capabilities (UC) users require different levels of capability depending on command and control needs. Special-C2 decision makers requiring Flash or Flash Override precedence must have eight hours of continuous backup power at all times. C2 users requiring Immediate or Priority precedence must have two hours of continuous backup power.... |
|
V-259923
|
Medium |
The Fire and Emergency Services (F&ES) communications over a site's private telephone system must route emergency calls as a priority call in a nonblocking manner. |
|
|
V-259922
|
Medium |
The Fire and Emergency Services (F&ES) communications over a site's private telephone system must provide a direct callback telephone number and physical location of an F&ES caller to the emergency services answering point or call center through a transfer of Automatic Number Identification (ANI) and extended Automatic Location Identification (ALI) information or access to an extended ALI database. |
|
|
V-259921
|
Medium |
The Fire and Emergency Services (F&ES) communications over a site's private telephone system must provide the originating telephone number to the emergency services answering point or call center through a transfer of Automatic Number Identification (ANI) or Automatic Location Identification (ALI) information. |
|
|
V-259920
|
Medium |
The Fire and Emergency Services (FES) communications over a site's telephone system must be configured to support the Department of Defense Instruction (DODI) 6055.06 telecommunication capabilities. |
|
|
V-259919
|
Medium |
Enclaves with commercial VoIP connections must be approved by the DODIN Waiver Panel and signed by DOD CIO for a permanent alternate connection to the Internet Telephony Service Provider (ITSP). |
The DOD requires the use of DISN services as the first choice to meet core communications needs. When additional services for SIP trunks are necessary, an ITSP may provide an "alternate connection", but this requires approval by the DODIN Waiver Panel and signature by the DOD CIO.
Local ISP connections... |
|
V-259917
|
Medium |
The required dua- homed DISN Core or NIPRNet access circuits must follow geographically diverse paths from the CER(s) along the entire route to the geographically diverse SDNs. |
One way to provide the greatest reliability and availability for DISN services is to provide redundancy in the network pathways between the customer site and the redundant DISN SDNs.
The DISN core network is designed to be highly reliable and available in support of the DOD mission. The most vulnerable... |
|
V-259916
|
Medium |
The dual homed DISN core access circuits must be implemented so that each one can support the full bandwidth engineered for the enclave plus additional bandwidth to support surge conditions in time of crisis. |
Providing dual-homed access circuits from a command and control (C2) enclave to the DISN core is useless unless both circuits provide the same capacity to include enough overhead to support surge conditions.
If one circuit is lost due to equipment failure or facility damage, the other circuit must be able... |
|
V-259915
|
Medium |
The enclave must be dual homed to two geographically diverse DISN SDNs and DISN WAN Service (NIPRNet or SIPRNet) Aggregation Routers (AR) or DISN Provider Edge (PE) routers. |
Redundancy and dual homing is used within the DISN core to provide for continuity of operations (COOP) if a piece of equipment, circuit path, or an entire service delivery node is lost.
DOD policy also requires DOD enclaves that support command and control (C2) users for data services to be... |
|
V-259914
|
Medium |
Local commercial phone service must be provided in support of continuity of operations (COOP) and Fire and Emergency Services (FES) communications. |
Voice phone services are critical to the effective operation of the DOD mission. Phone service must be available an emergency, such as a security breach or life safety event. The ability to place calls to emergency services must be maintained.
While the DOD voice networks are designed to be extremely... |
|
V-259913
|
Medium |
The site's enclave boundary protection must route commercial VoIP traffic via a local Media Gateway (MG) connected to a commercial service provider using PRI, CAS, or POTS analog trunks. |
There are several reasons VVoIP system access to local voice services must use a locally implemented MG connected to commercial voice services, including:
- The implementation or receipt of commercial VoIP service provides a path to the Internet. These "back doors" into the local network place the DISN at risk... |
|
V-259912
|
Medium |
The LAN hardware supporting VVoIP services must provide physically diverse pathways for redundant links supporting command and control (C2) assured services and Fire and Emergency Services (FES) communications. |
Voice services in support of high-priority military command and control precedence must meet minimum requirements for reliability and survivability of the supporting infrastructure. Design requirements for networks supporting DOD VVoIP implementations are in the Unified Capabilities Requirements (UCR), specifying assured services supporting DOD IP-based voice services.
Network survivability refers to... |
|
V-259911
|
Medium |
The LAN hardware supporting VVoIP services must provide redundancy to support command and control (C2) assured services and Fire and Emergency Services (FES) communications. |
Voice services in support of high-priority military command and control precedence must meet minimum requirements for reliability and survivability of the supporting infrastructure. Design requirements for networks supporting DOD VVoIP implementations are in the Unified Capabilities Requirements (UCR), specifying assured services supporting DOD IP-based voice services.
The UCR defines LAN... |
|
V-259910
|
Medium |
The local Enterprise Voice, Video, and Messaging system must have the capability to place intrasite and local phone calls when network connectivity is severed from the remote centrally located session controller. |
Voice phone services are critical to the effective operation of a business, an office, or in support or control of a DOD mission. It is critical that phone service is available in the event of an emergency situation, such as a security breach or life safety event. The ability to... |
|
V-259909
|
Medium |
A Call Center or Computer Telephony Integration (CTI) system using soft clients must be segregated into a protected enclave and limit traffic traversing the boundary. |
UC soft clients may be used on a strategic LAN when associated with or part of a CTI application. Traditional computer telephony integration CTI encompasses the control of a telephone or telecommunications switch by a computer application. Interfaces have been developed to provide connection between the computer, typically a workstation,... |
|
V-259908
|
Medium |
Deploying Unified Capabilities (UC) soft clients on DOD networks must have authorizing official (AO) approval. |
This use case addresses situations in which UC soft client applications on workstations are not the primary voice communications device in the work area. This means there is a validated mission need and the number of UC soft clients permitted to operate inside the LAN will be less than the... |
|
V-259907
|
Medium |
Implementing Unified Capabilities (UC) soft clients as the primary voice endpoint must have authorizing official (AO) approval. |
The AO responsible for the implementation of a voice system that uses UC soft clients for its endpoints must be made aware of the risks and benefits. In addition, the commander of an organization whose mission depends on such a telephone system must also be made aware and provide approval.... |
|
V-259906
|
Medium |
When soft-phones are implemented as the primary voice endpoint in the user's workspace, a policy must be defined to supplement with physical hardware-based phones near all such workspaces. |
This and several other requirements discuss the implementation of PC soft-phones or UC applications as the primary and only communications device in the user's workspace.
While this degrades the protections afforded a hardware-based system, the trend is to use more and more PC-based communications applications due to their advanced features,... |
|
V-259905
|
Medium |
Voice networks must not be bridged via a Unified Capability (UC) soft client accessory. |
While a headset, microphone, or webcam can be considered to be UC soft client accessories, these are also accessories for other collaboration and communications applications.
This discussion relates to UC soft client-specific accessories, which consist of USB phones, USB ATAs, and PPGs. A USB phone is a physical USB-connected telephone... |
|
V-259903
|
Medium |
An inventory of authorized instruments must be documented and maintained in support of the detection of unauthorized instruments connected to the Enterprise Voice, Video, and Messaging system. |
Traditional telephone systems require physical wiring and/or switch configuration changes to add an instrument to the system. This makes it difficult for someone to add unauthorized digital instruments to the system. However, this could be done more easily with older analog systems by tapping an existing analog line.
With Enterprise... |
|
V-259902
|
Medium |
Video conferencing, Unified Capability (UC) soft client, and speakerphone speaker operations policy must prevent disclosure of sensitive or classified information over nonsecure systems. |
Speakers used with Voice Video systems and devices may be heard by people and microphones with no relationship to the conference or call in progress. In open areas, conference audio may be overheard by others in the area without a need-to-know.
A policy must be in place and enforced regarding... |
|
V-259901
|
Medium |
The implementation of an IP-based VTC system that supports conferences on multiple networks with different classification levels must maintain isolation between the networks to which it connects by implementing separation of equipment and cabling between the various networks with differing classification levels in accordance with CNSSAM TEMPEST/01-13, RED/BLACK Installation Guidance. |
Information leakage is the intentional or unintentional release of information to an untrusted environment from electromagnetic signals emanations. Security categories or classifications of information systems (with respect to confidentiality) and organizational security policies guide the selection of security controls employed to protect systems against information leakage due to electromagnetic signals... |
|
V-259900
|
Medium |
An IP-based VTC system implementing a single set of input/output devices (cameras, microphones, speakers, control system), an A/V switcher, and multiple CODECs connected to multiple IP networks with different classification levels must provide automatic mutually exclusive power control for the CODECs or their network connections so only one CODEC is powered on or one CODEC is connected to any network at any given time. |
If a VTC system is implemented using multiple CODECs, each connected to a network with a different classification level, along with an A/V switcher, a potential path exists through the CODECs and A/V switcher that could permit classified information to be exposed/released from one classified network to a network with... |
|
V-259898
|
Medium |
The A/B, A/B/C, or A/B/C/D switch used for network switching in IP-based VTC systems implementing a single CODEC that supports conferences on multiple networks with different classification levels must be Common Criteria certified. |
Common Criteria provides assurance that the process of specification, implementation, and evaluation of a computer security product has been conducted in a rigorous, standard, and repeatable manner at a level commensurate with the target environment for use.
The Defense Security/Cybersecurity Authorization Working Group (DSAWG) mandated that the A/B, A/B/C, or... |
|
V-259897
|
Medium |
An IP-based VTC system implementing a single CODEC that supports conferences on multiple networks with different classification levels must be implemented in such a way that configuration information for a network having a higher classification level is not disclosed to a network having a lower classification level. |
Connecting the CODEC to a network while it is being reconfigured could lead to the disclosure of sensitive configuration information for a network having a higher classification level to a network having a lower classification level.
Ideally, the CODEC will be disconnected from any network while it is being reconfigured.... |
|
V-259896
|
Medium |
The A/B, A/B/C, or A/B/C/D switch within an IP-based VTC system that supports conferences on multiple networks with different classification levels must be based on optical technologies to maintain electrical isolation between the various networks to which it connects. |
The A/B, A/B/C, or A/B/C/D switch is physically connected to multiple networks that have different classification levels. Copper-based switches provide minimal or no electrical isolation due to capacitance between the wires in the switch box and the switch contacts. This can permit information on one network to bleed or leak... |
|
V-259895
|
Medium |
IP-based VTC systems implementing a single CODEC that support conferences on multiple networks with different classification levels must sanitize nonvolatile memory while transitioning between networks by overwriting all configurable parameters with null settings before reconfiguring the CODEC for connection to the next network. |
A factory reset is the software restoration of an electronic device to its original system state by erasing all information stored on the device to restore the device to its original factory or unconfigured settings. This erases all data, settings, and applications that were previously on the device. Factory reset... |
|
V-259894
|
Medium |
An IP-based VTC system implementing a single CODEC that supports conferences on multiple networks with different classification levels (i.e., unclassified, SECRET, TOP SECRET, TS-SCI) must support Periods Processing sanitization by purging/clearing volatile memory within the CODEC by powering the CODEC off for a minimum of 60 seconds. |
Volatile memory requires power to maintain the stored information. It retains its contents while powered, but when power is interrupted, stored data is immediately lost. Dynamic random-access memory (DRAM) is a type of random-access memory that stores each bit of data in a separate capacitor within an integrated circuit. Because... |
|
V-259892
|
Medium |
An IP-based VTC system implementing a single CODEC that supports conferences on multiple networks with different classification levels (i.e., unclassified, SECRET, TOP SECRET, TS-SCI) must support Periods Processing by being sanitized of all information while transitioning from one period/network to the next. |
All residual data (data unintentionally left behind on computer media) must be cleared before transitioning from one period/network to the next. Because the equipment is reused, nondestructive techniques are used.
According to NIST Special Publication 800-88:
Clearing information is a level of media sanitization that would protect the confidentiality of... |
|
V-259891
|
Medium |
The Enterprise Voice, Video, and Messaging Policy must define operations for endpoint microphones regarding the ability to pick up and transmit sensitive information. |
Microphones used with VTC systems and devices are designed to be extremely sensitive so the voice of anyone speaking anywhere within a conference room is picked up and amplified so they can be heard clearly and understood at the remote location on the call. This same sensitivity is included in... |
|
V-259931
|
Low |
The Session Border Controller (SBC) must be configured to validate the structure and validity of SIP and AS-SIP messages so that malformed messages or messages containing errors are dropped before action is taken on the contents. |
Malformed SIP and AS_SIP messages, as well as messages containing errors, could be an indication that an adversary is attempting some form of attack or denial of service. Such an attack is called fuzzing. Fuzzing is the deliberate sending of signaling messages that contain errors in an attempt to cause... |
|
V-259926
|
Low |
Sufficient backup power must be provided for LAN infrastructure, WAN boundary, VVoIP infrastructure, and VVoIP endpoints to support non-command and control (C2) user accessible endpoints for emergency life safety and security calls. |
Unified Capabilities (UC) users require different levels of capability depending on command and control needs. Special-C2 decision makers requiring Flash or Flash Override precedence must have eight hours of continuous backup power at all times. C2 users requiring Immediate or Priority precedence must have two hours of continuous backup power.... |
|
V-259918
|
Low |
Critical network equipment must be redundant and in geographically diverse locations for a site supporting command and control (C2) users. |
The enhanced reliability and availability achieved by the implementation of redundancy and geographic diversity throughout the DISN Core, along with the implementation of dual-homed circuits via geographically diverse pathways and facilities, is negated if both access circuits enter the enclave via the same facility containing a single Customer Edge Router... |
|
V-259904
|
Low |
Customers of the DISN VoSIP service must use address blocks assigned by the DRSN/VoSIP PMO. |
Ensure different, dedicated, address blocks or ranges are defined for the VVoIP system within the LAN (Enclave) that are separate from the address blocks/ranges used by the rest of the LAN for non-VVoIP system devices, thus allowing traffic and access control using firewalls and router ACLs.
NOTE: This is applicable... |
|
V-259899
|
Low |
The A/B, A/B/C, or A/B/C/D switch used for network switching in IP-based VTC systems implementing a single CODEC that supports conferences on multiple networks with different classification levels must be TEMPEST certified. |
Committee on National Security Systems Advisory Memorandum (CNSSAM) TEMPEST/01-13, RED/BLACK Installation Guidance, provides criteria for the installation of electronic equipment, cabling, and facility support for the processing of secure information. National policy requires that systems and facilities processing NSI must be reviewed by a Certified TEMPEST Technical Authority (CTTA) to... |
