STIGQter: STIG Summary: Voice Video Services Policy Security Technical Implementation Guide, Version: 3, Release: 17, Benchmark Date: 25 Oct 2019

The architecture and/or configuration of a permanent, semi-permanent, or fixed (not highly mobile) tactical LAN supporting IP based voice, video, unified, and/or collaboration communications is not adequate to protect the VVoIP services and infrastructure.

DISA Rule

SV-17087r1_rule

Vulnerability Number

V-16099

Group Title

Deficient Network Architecture: Fixed Tactical

Rule Version

VVoIP 1925 (GENERAL)

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Ensure permanent, semi-permanent, or fixed (not highly mobile) tactical networks supporting IP based voice, video, unified, and/or collaboration communications are configured per the requirements for a strategic LAN.

Configure the fixed tactical LAN in accordance with the requirements for a strategic LAN that supports IP based voice, video, UC, and/or collaboration communications.

Check Contents

Interview the IAO to validate compliance with the following requirement:

Ensure permanent, semi-permanent, or fixed (not highly mobile) tactical networks supporting IP based voice, video, unified, and/or collaboration communications are configured per the requirements for a strategic LAN supporting voice/video/UC services.

Determine if the tactical LAN is supporting a fixed or generally non-moving base making it a fixed tactical LAN. If the fixed tactical network supports IP based voice, video, UC, and/or collaboration communications, determine if it is configured per the requirements for a strategic LAN. Inspect network diagrams and interview the IAO to determine compliance.

This is a finding in the event the deployed tactical network is relatively permanent compared to a small highly mobile unit and the LAN is not configured as a strategic LAN for the support of IP based voice, video, UC, and/or collaboration communications as defined in this and other STIGs.

NOTE: The factors determining whether a deployed tactical VVoIP system is subject to this requirement are varied. In general, all VVoIP systems should be configured the same and such that the service and supporting infrastructure is protected. It is recognized that a small system operated out of a transit case in a tent, conex box, or a truck is highly mobile as opposed to a fixed installation in a building. While initially such a system can support a few users and remain highly mobile, as the number of users increases, the deployment becomes semi-permanent, or fixed (not highly mobile). Initial deployments may include as few as a half dozen workstations or as many as fifty. Once the initial deployment is in place, the network may grow and become relatively permanent as would be the case for a rear command or logistics center. Small deployable packages that are designed to be initially deployed with a small footprint supporting or using PC soft-phones, which are then to be the basis of a larger network, must be configured, or be configurable, to support the separate VoIP and data zones as well as hardware based instruments and admission control for C2 communications as the deployed network and supported systems grow. The network will also include soft-phone protection zones as required in a strategic network if soft-phones are permitted to be used beyond the initial deployment.
NOTE: A shipboard LAN is minimally considered as a fixed tactical LAN but can also be considered as a Strategic LAN. This is because the installation is permanent within the confines of the mobile floating base.

Vulnerability Number

V-16099

Documentable

False

Rule Version

VVoIP 1925 (GENERAL)

Severity Override Guidance

Interview the IAO to validate compliance with the following requirement:

Ensure permanent, semi-permanent, or fixed (not highly mobile) tactical networks supporting IP based voice, video, unified, and/or collaboration communications are configured per the requirements for a strategic LAN supporting voice/video/UC services.

Determine if the tactical LAN is supporting a fixed or generally non-moving base making it a fixed tactical LAN. If the fixed tactical network supports IP based voice, video, UC, and/or collaboration communications, determine if it is configured per the requirements for a strategic LAN. Inspect network diagrams and interview the IAO to determine compliance.

This is a finding in the event the deployed tactical network is relatively permanent compared to a small highly mobile unit and the LAN is not configured as a strategic LAN for the support of IP based voice, video, UC, and/or collaboration communications as defined in this and other STIGs.

NOTE: The factors determining whether a deployed tactical VVoIP system is subject to this requirement are varied. In general, all VVoIP systems should be configured the same and such that the service and supporting infrastructure is protected. It is recognized that a small system operated out of a transit case in a tent, conex box, or a truck is highly mobile as opposed to a fixed installation in a building. While initially such a system can support a few users and remain highly mobile, as the number of users increases, the deployment becomes semi-permanent, or fixed (not highly mobile). Initial deployments may include as few as a half dozen workstations or as many as fifty. Once the initial deployment is in place, the network may grow and become relatively permanent as would be the case for a rear command or logistics center. Small deployable packages that are designed to be initially deployed with a small footprint supporting or using PC soft-phones, which are then to be the basis of a larger network, must be configured, or be configurable, to support the separate VoIP and data zones as well as hardware based instruments and admission control for C2 communications as the deployed network and supported systems grow. The network will also include soft-phone protection zones as required in a strategic network if soft-phones are permitted to be used beyond the initial deployment.
NOTE: A shipboard LAN is minimally considered as a fixed tactical LAN but can also be considered as a Strategic LAN. This is because the installation is permanent within the confines of the mobile floating base.

Check Content Reference

I

Potential Impact

Increased potential for the compromise of the VVoIP controllers, gateways, hardware based instruments, and other VVoIP infrastructure. Possible degradation of service on the hardware based phone system.
Reduced availability, confidentiality, and integrity of the VVoIP service.

Responsibility

Information Assurance Manager

Target Key

594
