STIGQter: STIG Summary: Voice Video Services Policy Security Technical Implementation Guide, Version 3, Release 17, Benchmark Date: 25 Oct 2019

The VVoIP system and LAN design must provide segmentation and protection of the VVoIP system core device management traffic and interfaces such that role based access and traffic flow can be properly controlled.

DISA Rule

SV-21626r2_rule

Vulnerability Number

V-19562

Group Title

Segregated VVoIP management

Rule Version

VVoIP 5505 (LAN)

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Implement a dedicated OOB network or a closed virtual in-band network (VLAN) for the VVoIP system, and connect the core device management interfaces to it, in compliance with the following requirement:

Ensure VVoIP system management is segregated or separated from production traffic and from other management traffic, such that access and traffic flow can be properly controlled and role-based access is supported.

NOTE: The purpose of the separate VVoIP management VLAN or OOB network is to provide separation of access in support of separation of duties between the data network or server SAs and the VVoIP system SAs. This VLAN may be accessed from the general LAN management VLAN via a controlled ACL, gateway or firewall if needed.

Check Contents

Inspect the connections to and the configurations of the VVoIP system core devices and those of the core LAN elements that support them. Look for the dedicated management LAN or VLAN to confirm that one has been implemented.

Verify that the voice/video system (VVoIP system and/or TDM switch) management is segregated or separated from production traffic and from other management traffic, such that access and traffic flow can be properly controlled and role-based access is supported.

If the VVoIP system and LAN are not designed to provide the necessary separation of the management traffic and interfaces, or such separation is not implemented as described above or at all, this is a finding.

NOTE: This may be implemented using a separate voice system management VLAN or OOB network, the purpose of which is to provide for separation of access paths in support of separation of duties between the data network and server SAs and the VVoIP or TDM system SAs. This VLAN may be accessed from the general LAN management VLAN via a controlled ACL, gateway or firewall if needed.
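As an added illustration of the fix recommendation and of what the check above would inspect (this fragment is not part of the STIG or DISA's text), the following Cisco IOS-style switch configuration builds a closed VVoIP management VLAN and restricts entry to it from the general LAN management VLAN with a controlled ACL. The VLAN IDs, subnets, interface and the jump-host address are assumed placeholder values.

```cisco
! Added example (not from the STIG): Cisco IOS-style configuration for a
! layer-3 switch. VLAN IDs, names, addresses and interfaces are constructed.
!
! Dedicated closed VLAN for the VVoIP core device management interfaces
! (call controller, media gateway, session border controller). Phones and
! media stay on the production voice VLAN; the general LAN management VLAN
! stays separate so data/server SAs and VVoIP SAs have distinct access paths.
vlan 600
 name VVOIP-PROD
vlan 610
 name VVOIP-MGMT
vlan 900
 name LAN-MGMT
!
! Controlled ACL: only the VVoIP SA jump host (10.90.0.10, in LAN-MGMT) may
! reach the VVoIP management subnet (10.61.0.0/24), and only over SSH/HTTPS.
! The production voice subnet (10.60.0.0/24) is denied explicitly so a hit
! is logged as a segmentation violation rather than lost in the final deny.
ip access-list extended VVOIP-MGMT-TO
 permit tcp host 10.90.0.10 10.61.0.0 0.0.0.255 eq 22
 permit tcp host 10.90.0.10 10.61.0.0 0.0.0.255 eq 443
 deny   ip 10.60.0.0 0.0.0.255 10.61.0.0 0.0.0.255 log
 deny   ip any any log
!
! Return path: management interfaces answer the jump host only on
! established TCP sessions and never originate traffic into production.
ip access-list extended VVOIP-MGMT-FROM
 permit tcp 10.61.0.0 0.0.0.255 host 10.90.0.10 established
 remark PLACEHOLDER: add site-specific syslog/NTP/AAA destinations here
 deny   ip 10.61.0.0 0.0.0.255 10.60.0.0 0.0.0.255 log
 deny   ip any any log
!
! "out" filters traffic leaving the switch toward VVoIP management hosts;
! "in" filters what those hosts send back into the switch.
interface Vlan610
 description VVoIP core device management (closed VLAN)
 ip address 10.61.0.1 255.255.255.0
 ip access-group VVOIP-MGMT-TO out
 ip access-group VVOIP-MGMT-FROM in
!
! The management port of a core device belongs only to VLAN 610; its
! signaling/media ports stay on VLAN 600 on separate physical interfaces.
interface GigabitEthernet1/0/1
 description Call controller - management interface only
 switchport mode access
 switchport access vlan 610
```

For the check, `show vlan brief`, `show ip access-lists` and `show running-config interface Vlan610` are the outputs that evidence the dedicated VLAN, the controlled ACL and its direction of application.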

Documentable

False

Severity Override Guidance

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

594

Comments