| Finding ID |
Severity |
Title |
Description |
|
V-260046
|
High |
The Enterprise Voice, Video, and Messaging Session Manager must be configured to use only TLS 1.2 or greater for all TLS and SSL communications. |
Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol.
This requirement applies to TLS gateways (also known as SSL gateways), web servers, and web applications. Application protocols such as HTTPS and DNSSEC use TLS as... |
|
V-260039
|
High |
The Enterprise Voice, Video, and Messaging Session Manager must implement NIST FIPS-validated cryptography for communications sessions. |
All signaling and media traffic from an Enterprise Voice, Video, and Messaging Session Manager must be encrypted. Network elements using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that... |
|
V-260034
|
High |
The Enterprise Voice, Video, and Messaging Session Manager must be configured to protect the confidentiality and integrity of transmitted configuration files, signaling, and media streams. |
Without protection of the transmitted information, confidentiality and integrity may be compromised as unprotected communications can be intercepted and either read or altered. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.
Voice Video protocol suites include SIP, SCCP, and... |
|
V-260024
|
High |
The Enterprise Voice, Video, and Messaging Session Manager must be configured to offload session (call) records to a central log server. |
Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
Off-loading is a common process in information systems with limited audit storage capacity.
This requirement only applies to components where this is specific to the function of the device (e.g., IDPS sensor logs, firewall logs). This... |
|
V-260016
|
High |
The Enterprise Voice, Video, and Messaging Session Manager must be configured to use FIPS-validated SHA-2 or higher to protect the authenticity of communications sessions. |
Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions.
Although allowed by SP800-131Ar2 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. Unless required for legacy use, DOD systems should... |
|
V-260010
|
High |
The Enterprise Voice, Video, and Messaging Session Manager must be configured to use an organizational-level user account management system. |
To effectively manage user accounts, organizational level systems such as Lightweight Directory Access Protocol (LDAP) or Active Directory (AD) are used to create and manage user credentials that can be used across the organization.
This reduces the need for separate user account databases across systems, that can create orphaned account... |
|
V-260009
|
High |
The Enterprise Voice, Video, and Messaging Session Manager must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). |
To ensure accountability and prevent unauthenticated access, organizational users must be uniquely identified and authenticated to prevent potential misuse and compromise of the system.
Sharing of accounts prevents accountability and nonrepudiation. Organizational users must be uniquely identified and authenticated for all accesses. |
|
V-260008
|
High |
The Enterprise Voice, Video, and Messaging Session Manager must only use ports, protocols, and services allowed per the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and Vulnerability Assessments (VAs). |
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.
Network elements are capable of providing a wide variety of functions and... |
|
V-259995
|
High |
The Enterprise Voice, Video, and Messaging Session Manager must use TLS 1.2 or greater to protect the confidentiality of remote access. |
Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol.
This requirement applies to TLS gateways (also known as SSL gateways). Application protocols such as HTTPS, SFTP, and others use TLS as the underlying security protocol... |
|
V-259988
|
High |
The Enterprise Voice, Video, and Messaging Session Manager must disable (prevent) auto-registration of Voice Video Endpoints. |
Authentication must not automatically give an entity access to an asset. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Registration authenticates... |
|
V-260047
|
Medium |
When using PKI, the Enterprise Voice, Video, and Messaging Session Manager must validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation. |
A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate.
Certification path validation includes checks such as certificate issuer trust,... |
|
V-260045
|
Medium |
When using locally stored user accounts, the Enterprise Voice, Video, and Messaging Session Manager must store only cryptographic representations of passwords. |
If passwords and PSKs are not encrypted when stored, they may be read if the storage location is compromised.
Note that DOD requires the use two-factor, CAC-enabled authentication and the use of passwords incurs a permanent finding. Passwords should be used only in limited situations.
Examples of situations where a... |
|
V-260044
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager must be configured to use a voice or video VLAN, separate from all other VLANs. |
When network elements do not dynamically reconfigure the data security attributes as data is created and combined, the possibility exist that security attributes will not correctly reflect the data with which they are associated. For the Enterprise Voice, Video, and Messaging Session Manager, the use of 802.1q tags on media... |
|
V-260043
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager must be configured to apply 802.1Q VLAN tags to signaling and media traffic. |
When network elements do not dynamically reconfigure the data security attributes as data is created and combined, the possibility exists that security attributes will not correctly reflect the data with which they are associated. For the Enterprise Voice, Video, and Messaging Session Manager, the use of 802.1q tags on media... |
|
V-260042
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager requiring user access authentication must provide a logout capability for user-initiated communications sessions. |
If a user cannot explicitly end a session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session.
However, for some types of interactive sessions including, for example, remote login, information systems typically send logout messages as final messages prior to... |
|
V-260041
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager must be configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. |
Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DOD that reflects the most restrictive security posture consistent with operational requirements.
Configuration settings are the set of parameters that can be changed that affect... |
|
V-260040
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager must be configured to use the organization authoritative time source (NTP) to maintain system time. |
Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DOD that reflects the most restrictive security posture consistent with operational requirements.
Configuration settings are the set of parameters that can be changed that affect... |
|
V-260038
|
Medium |
When using locally stored user accounts, the Enterprise Voice, Video, and Messaging Session Manager must generate audit records for all account creations, modifications, disabling, and termination events. |
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g.,... |
|
V-260037
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager must generate session (call) records when concurrent logons from multiple endpoints occur. |
Without generating audit (session) records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.
Records can be generated from various components within the information system (e.g.,... |
|
V-260036
|
Medium |
For accounts using password authentication, the Enterprise Voice, Video, and Messaging Session Manager must be configured to use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process. |
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Use of passwords for authentication is intended only for limited situations and should not be used as... |
|
V-260035
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager, when using locally stored user accounts, must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded. |
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.
This applies to network elements that have the concept of a user account (e.g., VPN, ALG, and proxy)... |
|
V-260033
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager must be configured to limit and reserve bandwidth based on priority of the traffic type. |
Without the implementation of safeguards which allocate network communication resources based on priority, network availability, and particularly high priority traffic, may be dropped or delayed. DOD supporting C2 communications relies on the implementation of MLPP to ensure that flag officers and senior staff are provided higher priority for communications than... |
|
V-260032
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager must be configured to protect against or limit the effects of all types of denial-of-service (DoS) attacks by employing organizationally defined security safeguards. |
A network element experiencing a DoS attack will not be able to handle the traffic load. The high CPU utilization caused by a DoS attack will also have impact control keep-alives and timers used for neighbor peering, resulting in route flapping and eventually black hole traffic.
The network element must... |
|
V-260031
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager must only allow the use of DOD-approved PKI certificate authorities when using PKI. |
Untrusted certificate authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established.... |
|
V-260030
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager supporting Command and Control (C2) communications must associate multilevel precedence and preemption (MLPP) attributes when exchanged between unified capabilities (UC) system components. |
If MLPP attributes are not associated with the information being transmitted between systems, then access control policies and information flows which depend on these MLPP attributes will not function and unauthorized access may result.
Without the implementation of safeguards which allocate network communication resources based on priority, network availability, and... |
|
V-260029
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager must be configured to provide an indication of current participants in all calls, meetings, and conferences. |
Providing an explicit indication of current participants in videoconferences helps to prevent unauthorized individuals from participating in collaborative videoconference sessions without the explicit knowledge of other participants. videoconferences allow groups of users to collaborate and exchange information. Without knowing who is in attendance, information could be compromised. For videoconferences with... |
|
V-260028
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager must be configured to authenticate each Voice Video peer (trunk) before registration. |
Device registration is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific pre-authorized devices and trunks can access the system. Registration is the process of authorizing endpoints and trunks to communicate with the session manager. Registration occurs with the SIP server... |
|
V-260027
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager must be configured to authenticate each Voice Video Endpoint device before registration. |
Device registration is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific pre-authorized devices and trunks can access the system. Registration is the process of authorizing endpoints and trunks to communicate with the session manager. Registration occurs with the SIP server... |
|
V-260026
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager must be configured to require Voice Video peers to re-register (reauthenticate) at least every hour. |
Device registration is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific pre-authorized devices can access the system. Registration is the process of authorizing endpoints to communicate with the session manager. Registration occurs with the SIP server in VoIP systems and... |
|
V-260025
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager must be configured to require Voice Video Endpoints to re-register at least every three hours. |
Device registration is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific pre-authorized devices can access the system. Registration is the process of authorizing endpoints to communicate with the session manager. Registration occurs with the SIP server in VoIP systems and... |
|
V-260023
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager must be configured to provide centralized management of session (call) records. |
Without the ability to centrally manage the content captured in the audit records, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a delayed or incomplete analysis of an ongoing attack. The content captured in audit records must be managed from a central location (necessitating... |
|
V-260022
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager must be configured to enforce changes to privileges of Voice Video Endpoint device access. |
Without the enforcement of immediate change to privilege levels, users and devices may not provide the correct level of service. Privileges include access to outside connections, precedence, and preemption capabilities. A user with higher precedence and preemption capability may supplant users authorized higher levels of access. Endpoints must be limited... |
|
V-260021
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager must be configured to enforce changes to privileges of Voice Video Endpoint user access. |
Without the enforcement of immediate change to privilege levels, users and devices may not provide the correct level of service. Privileges include access to outside connections, precedence, and preemption capabilities. A user with higher precedence and preemption capability may supplant users authorized higher levels of access. Endpoint users must be... |
|
V-260020
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager must be configured to restrict Enterprise Voice, Video, and Messaging Session Manager access outside of operational hours. |
Activity under unusual conditions can indicate hostile activity. For example, what is normal activity during operational hours can indicate hostile activity if it occurs during off hours. Depending on mission needs and conditions, usage restrictions based on conditions and circumstances may be critical to limit access to resources and data... |
|
V-260019
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager must be configured to generate session (call) records that provide information necessary for corrective actions without revealing personally identifiable information or sensitive information. |
Any Enterprise Voice, Video, and Messaging Session Manager providing too much information in session records risks compromising the data and security of the application and system. The structure and content of session records must be carefully considered by the organization and development team. |
|
V-260018
|
Medium |
In the event of a system failure, Enterprise Voice, Video, and Messaging Session Managers must be configured to preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes. |
Failure in a known state can address safety or security in accordance with the mission needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system.... |
|
V-260017
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager must fail to a secure state if system initialization fails, shutdown fails, or aborts fail. |
Failure to a known safe state helps prevent systems from failing to a state that may cause loss of data or unauthorized access to system resources. Network elements that fail suddenly and with no incorporated failure state planning may leave the hosting system available but with a reduced security protection... |
|
V-260015
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager supporting Command and Control (C2) communications must validate the integrity of transmitted multilevel precedence and preemption (MLPP) attributes. |
If MLPP attributes are not associated with the information being transmitted between components, then access control policies and information flows which depend on these MLPP attributes will not function and unauthorized access may result. When data is exchanged, the MLPP attributes associated with this data must be validated to ensure... |
|
V-260014
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager supporting Command and Control (C2) communications must associate multilevel precedence and preemption (MLPP) attributes when exchanged between unified capabilities (UC) systems. |
If MLPP attributes are not associated with the information being transmitted between systems, then access control policies and information flows which depend on these MLPP attributes will not function and unauthorized access may result.
Without the implementation of safeguards which allocate network communication resources based on priority, network availability, and... |
|
V-260013
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager must be configured to terminate all network connections associated with a communications session at the end of the session. |
Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, and de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system level network connection.
Enterprise Voice, Video, and Messaging Session Managers do not... |
|
V-260012
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager must be configured to uniquely identify each Voice Video Endpoint device before registration. |
Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Typically, devices can be identified by MAC or IP address, but certificates provide a greater level of security. Identification of devices works with registration of devices as part of a defense in depth approach to Voice... |
|
V-260011
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager must be configured to implement attack-resistant mechanisms for Voice Video Endpoint registration. |
Attacks against an Enterprise Voice, Video, and Messaging Session Manager may include denial of service (DoS), replay attacks, or cross-site scripting. A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be... |
|
V-260007
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager must be configured to disable nonessential capabilities. |
It is detrimental for Enterprise Voice, Video, and Messaging Session Managers to provide, or enable by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Enterprise Voice,... |
|
V-260006
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager must produce session (call) records for events determined to be significant and relevant by local policy. |
Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible. Session records are generated from several components within the Voice Video system (e.g., session manager, session border control, gateway, gatekeeper, or endpoints).
Session record content... |
|
V-260005
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager must protect session (call) records from unauthorized deletion. |
If session records were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of session records, the information system and/or the application must protect session information from unauthorized modification. This requirement can be achieved... |
|
V-260004
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager must protect session (call) records from unauthorized modification. |
If session records were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of session records, the information system and/or the application must protect session information from unauthorized modification. This requirement can be achieved... |
|
V-260003
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager must protect session (call) records from unauthorized read access. |
Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element. Thus, it is imperative that the collected log data from the various... |
|
V-260002
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager must alert the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of a session (call) record system failure. |
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process session records. Without this notification, the security personnel may be unaware of an impending failure of the session record capability. Session record processing failures include software/hardware errors, failures in the... |
|
V-260001
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager must produce session (call) records containing the identity of the users and identifiers associated with the session. |
Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible. Session records are generated from several components within the Voice Video system (e.g., session manager, session border control, gateway, gatekeeper, or endpoints).
Session record content... |
|
V-260000
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager must produce session (call) records containing the outcome (status) of the connection. |
Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible. Session records are generated from several components within the Voice Video system (e.g., session manager, session border control, gateway, gatekeeper, or endpoints).
Session record content... |
|
V-259999
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager must produce session (call) records containing the identity of the initiator of the call. |
Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible. Session records are generated from several components within the Voice Video system (e.g., session manager, session border control, gateway, gatekeeper, or endpoints).
Session record content... |
|
V-259998
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager must produce session (call) records containing where (location) the connection originated. |
Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible. Session records are generated from several components within the Voice Video system (e.g., session manager, session border control, gateway, gatekeeper, or endpoints).
Session record content... |
|
V-259997
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager must produce session (call) records containing timestamps (date and time) for all session connections. |
Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible. Session records are generated from several components within the Voice Video system (e.g., session manager, session border control, gateway, gatekeeper, or endpoints).
Session record content... |
|
V-259996
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager must produce session (call) records containing the type of session connection. |
Without the capability to generate session records, it is difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible. Session records are generated from several components within the Voice Video system (e.g., session manager, session border control, gateway, gatekeeper, or endpoints).
Session record content... |
|
V-259994
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager must limit the number of concurrent management sessions to an organizationally defined limit. |
Network element management includes the ability to control the number of users and user sessions that use a network element. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to denial-of-service (DoS) attacks.
This requirement addresses concurrent sessions for information system accounts and... |
|
V-259993
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager must retain the Standard Mandatory DOD Notice and Consent Banner on the screen for management sessions until admins acknowledge the usage conditions and take explicit actions to log on for further access. |
The banner must be acknowledged by the user prior to allowing the user access to the network. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DOD will not be in compliance with... |
|
V-259992
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager must display the Standard Mandatory DOD Notice and Consent Banner before granting access to management sessions. |
|
|
V-259991
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager must be configured to use DNS servers assigned to support the VVoIP system. |
In some cases a VVoIP endpoint will be configured with one or more URLs pointing to the locations of various servers with which they are associated such as their call controller. These URLs are translated to IP addresses by a DNS server. The use of URLs in this manner permits... |
|
V-259990
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager must be configured to globally disable the extension mobility feature for endpoints. |
Extension mobility is a feature of a VVoIP system that permits a person to transfer their phone number extension and phone features (or configuration) to a phone that is not in their normal workspace. This is useful when a person is visiting a remote office away from their normal office... |
|
V-259989
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager must be configured to only enable the extension mobility feature for endpoints on a per user basis. |
Extension mobility is a feature of a VVoIP system that permits a person to transfer their phone number extension and phone features (or configuration) to a phone that is not in their normal workspace. This is useful when a person is visiting a remote office away from their normal office... |
|
V-259987
|
Medium |
The Enterprise Voice, Video, and Messaging Session Manager must automatically disable user accounts after a 35-day period of account inactivity. |
Attackers that are able to exploit an inactive account can potentially obtain and maintain undetected access to an application. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. Enterprise Voice, Video, and Messaging Session Managers must track periods of user inactivity and... |
