SV-21785r3_rule
V-19644
VVoIP 5645
VVoIP 5645
CAT II
10
Implement and document a deny-by-default ACL for the system management VLAN interfaces on the VVoIP core routing devices, as defined in the VVoIP system ACL design, controlling traffic as follows:
- Deny access to the VVoIP system management VLAN from the VVoIP endpoint and core equipment production VLANs
- Deny access to the VVoIP system management VLAN from the general data production VLANs
- Deny general access to the VVoIP system management VLAN from the general LAN management VLAN and any other management VLAN
- Permit access to the VVoIP system management VLAN from other management VLANs, NOC VPNs, and enterprise management/monitoring networks as specifically required to meet mission and NETOPS requirements. Such permissions will be based on the specific IP addresses (or limited address ranges) requiring access
- Permit only those ports and protocols specifically required to meet mission and NETOPS requirements
Review site documentation, especially the VVoIP system ACL design, to confirm a deny-by-default ACL for system management VLAN interfaces is implemented on VVoIP core routing devices. Ensure a deny-by-default ACL is implemented on the VVoIP system management VLAN interfaces on the VVoIP routing devices supporting the VVoIP system core equipment to control traffic as follows:
- Deny access to the VVoIP system management VLAN from the VVoIP endpoint and core equipment production VLANs
- Deny access to the VVoIP system management VLAN from the general data production VLANs
- Deny general access to the VVoIP system management VLAN from the general LAN management VLAN and any other management VLAN
- Permit access to the VVoIP system management VLAN from other management VLANs, NOC VPNs, and enterprise management/monitoring networks as specifically required to meet mission and NETOPS requirements. Such permissions will be based on the specific IP addresses (or limited address ranges) requiring access
- Permit only those ports and protocols specifically required to meet mission and NETOPS requirements
If a deny-by-default ACL for system management VLAN interfaces is not implemented on VVoIP core routing devices as defined in the VVoIP system ACL design, this is a finding.
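The ACL design above, modeled and checked in code as an added example (this is not part of the STIG text). It embeds a constructed IOS-style extended ACL using hypothetical addressing (10.20.0.0/24 for the VVoIP management VLAN, 10.10.0.0/22 endpoint production, 10.11.0.0/24 core production, 192.168.0.0/16 general data, 10.30.0.0/24 general LAN management, and two NOC/monitoring hosts), parses it, evaluates one constructed flow per bullet of the check text, and flags any permit into the management VLAN that is not pinned to a specific source host or range and a specific port. The /24 threshold used for "limited address range" is an assumption a site would set from its own ACL design.

```python
"""Model and check a deny-by-default ACL for the VVoIP management VLAN.

Added example, not from the STIG. All addresses and ports are hypothetical.
The ACL is assumed to be applied on the core router interfaces that can reach
the management VLAN, so every rule's destination is the management VLAN.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

MGMT_VLAN = ipaddress.ip_network("10.20.0.0/24")  # hypothetical VVoIP management VLAN

# Constructed IOS-style ACL (hypothetical addressing):
#   10.10.0.0/22   VVoIP endpoint production VLAN
#   10.11.0.0/24   VVoIP core equipment production VLAN
#   192.168.0.0/16 general data production VLANs
#   10.30.0.0/24   general LAN management VLAN
#   10.40.0.10/11  NOC / enterprise monitoring hosts (SSH and SNMP only)
ACL_TEXT = """
permit tcp host 10.40.0.10 10.20.0.0 0.0.0.255 eq 22
permit udp host 10.40.0.11 10.20.0.0 0.0.0.255 eq 161
deny ip 10.10.0.0 0.0.3.255 10.20.0.0 0.0.0.255
deny ip 10.11.0.0 0.0.0.255 10.20.0.0 0.0.0.255
deny ip 192.168.0.0 0.0.255.255 10.20.0.0 0.0.0.255
deny ip 10.30.0.0 0.0.0.255 10.20.0.0 0.0.0.255
deny ip any any
"""

@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # None means any destination port

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

def _take_addr(tok: List[str], i: int):
    """Consume one IOS address spec: 'any' | 'host A' | 'A WILDCARD'."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # ipaddress accepts an IOS wildcard (host) mask in the prefix position
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_acl(text: str) -> List[Rule]:
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        src, i = _take_addr(tok, 2)
        dst, i = _take_addr(tok, i)
        dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        rules.append(Rule(tok[0], tok[1], src, dst, dport))
    return rules

def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for r in rules:
        if r.proto not in ("ip", flow.proto):
            continue
        if s in r.src and d in r.dst and (r.dport is None or r.dport == flow.dport):
            return r.action
    return "deny"

def overbroad_permits(rules: List[Rule]) -> List[Rule]:
    """Permits into the management VLAN not pinned to a specific source
    (assumed: at least a /24) and a specific protocol/port. Each is a finding."""
    return [r for r in rules
            if r.action == "permit" and r.dst.overlaps(MGMT_VLAN)
            and (r.src.prefixlen < 24 or r.proto == "ip" or r.dport is None)]

# Constructed flows, one or more per bullet of the check text.
CASES = {
    "endpoint_vlan_ssh":  (Flow("10.10.2.15", "10.20.0.5", "tcp", 22), "deny"),
    "core_prod_snmp":     (Flow("10.11.0.9", "10.20.0.5", "udp", 161), "deny"),
    "data_vlan_https":    (Flow("192.168.4.4", "10.20.0.5", "tcp", 443), "deny"),
    "lan_mgmt_ssh":       (Flow("10.30.0.7", "10.20.0.5", "tcp", 22), "deny"),
    "noc_host_ssh":       (Flow("10.40.0.10", "10.20.0.5", "tcp", 22), "permit"),
    "noc_host_telnet":    (Flow("10.40.0.10", "10.20.0.5", "tcp", 23), "deny"),
    "noc_other_host_ssh": (Flow("10.40.0.12", "10.20.0.5", "tcp", 22), "deny"),
    "monitor_snmp":       (Flow("10.40.0.11", "10.20.0.5", "udp", 161), "permit"),
}

def check_design(acl_text: str = ACL_TEXT) -> dict:
    """Return a pass/fail map: every case plus the over-broad-permit audit."""
    rules = parse_acl(acl_text)
    results = {name: evaluate(rules, flow) == want for name, (flow, want) in CASES.items()}
    results["no_overbroad_permits"] = not overbroad_permits(rules)
    return results

if __name__ == "__main__":
    for name, ok in check_design().items():
        print(f"{'PASS' if ok else 'FAIL'} {name}")
```

Note that the permits sit above the denies because the management-VLAN permits are more specific than the blanket denies for whole VLANs; reversing the order would silently drop NOC access. The audit in overbroad_permits is what the reviewer should run against the real ACL: a permit with a wide source, protocol "ip", or no port is exactly the "general access" the check text forbids.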
V-19644
False
VVoIP 5645
M
3407