STIGQter: STIG Summary: Voice/Video over Internet Protocol (VVoIP) STIG Version: 3 Release: 14 Benchmark Date: 26 Apr 2019:

A deny-by-default ACL for media gateway VLAN interfaces must be implemented on VVoIP core routing devices as defined in the VVoIP system ACL design.

DISA Rule

SV-21779r3_rule

Vulnerability Number

V-19638

Group Title

VVoIP 5615

Rule Version

VVoIP 5615

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Implement and document a deny-by-default ACL for media gateway VLAN interfaces on VVoIP core routing devices as defined in the VVoIP system ACL design as follows:
- Permit Media protocols/traffic (RTP/RTCP, SRTP/SRTCP) to/from the endpoint VLAN interfaces (VLAN/subnets)
- Permit (only as required for proper functionality) the specific system required signaling protocols used by the media gateway ((e.g., MGCP, H.248, H.323, AS-SIP) to/from the VVoIP core control equipment VLAN interfaces (VLAN/subnets).
- Deny all other traffic. End the ACL with a “deny all” statement.

Check Contents

Review site documentation, especially the VVoIP system ACL design, to confirm a deny-by-default ACL for media gateway VLAN interfaces is implemented on VVoIP core routing devices. Ensure a deny-by-default ACL is implemented on the VVoIP Media Gateway (MG) VLAN interfaces on the VVoIP routing devices supporting the VVoIP system core equipment to control traffic as follows:
- Permit Media protocols/traffic (RTP/RTCP, SRTP/SRTCP) to/from the endpoint VLAN interfaces (VLAN/subnets).
- Permit (only as required for proper functionality) the specific system required signaling protocols used by the media gateway ((e.g., MGCP, H.248, H.323, AS-SIP) to/from the VVoIP core control equipment VLAN interfaces (VLAN/subnets).
- Deny all other traffic. End the ACL with a “deny all” statement.

If a deny-by-default ACL for media gateway VLAN interfaces is not implemented on VVoIP core routing devices as defined in the VVoIP system ACL design, this is a finding.

Vulnerability Number

V-19638

Documentable

False

Rule Version

VVoIP 5615

Severity Override Guidance

Review site documentation, especially the VVoIP system ACL design, to confirm a deny-by-default ACL for media gateway VLAN interfaces is implemented on VVoIP core routing devices. Ensure a deny-by-default ACL is implemented on the VVoIP Media Gateway (MG) VLAN interfaces on the VVoIP routing devices supporting the VVoIP system core equipment to control traffic as follows:
- Permit Media protocols/traffic (RTP/RTCP, SRTP/SRTCP) to/from the endpoint VLAN interfaces (VLAN/subnets).
- Permit (only as required for proper functionality) the specific system required signaling protocols used by the media gateway ((e.g., MGCP, H.248, H.323, AS-SIP) to/from the VVoIP core control equipment VLAN interfaces (VLAN/subnets).
- Deny all other traffic. End the ACL with a “deny all” statement.

If a deny-by-default ACL for media gateway VLAN interfaces is not implemented on VVoIP core routing devices as defined in the VVoIP system ACL design, this is a finding.

Check Content Reference

M

Target Key

3407

Comments