STIGQter: STIG Summary: Voice/Video over Internet Protocol (VVoIP) STIG Version: 3 Release: 14 Benchmark Date: 26 Apr 2019:

The Session Border Controller (SBC) must filter inbound SIP and AS-SIP traffic based on the IP addresses of the internal Enterprise Session Controller (ESC), Local Session Controller (LSC), or Multi-Function Soft Switch (MFSS).

DISA Rule

SV-21806r3_rule

Vulnerability Number

V-19665

Group Title

VVoIP 6300

Rule Version

VVoIP 6300

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Ensure the DISN NIPRNet IPVS SBC is configured to only communicate as follows:
- Within the enclave, ensure the SBC only establishes SIP and AS-SIP sessions with the primary or backup LSC or the MFSS and its backup LSC within the enclave.
- If the SBC is at a site without a MFSS: External to the enclave (across the WAN), ensure the SBC only establishes SIP and AS-SIP sessions with the SBC at the enclave’s assigned primary and secondary (backup) MFSS sites.
- If the SBC is at a MFSS site: External to the enclave (across the WAN), ensure the SBC only establishes SIP and AS-SIP sessions with SBCs located at other MFSS sites and the LSC sites assigned to it.

NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

Check Contents

Interview the ISSO to confirm compliance with the following requirement:

Ensure the DISN NIPRNet IPVS SBC is configured to only communicate as follows:
- Within the enclave, ensure the SBC only establishes SIP and AS-SIP sessions with the primary or backup LSC or the MFSS and its backup LSC within the enclave.
- If the SBC is at a site without a MFSS: External to the enclave (across the WAN), ensure the SBC only establishes SIP and AS-SIP sessions with the SBC at the enclave’s assigned primary and secondary (backup) MFSS sites.
- If the SBC is at a MFSS site: External to the enclave (across the WAN), ensure the SBC only establishes SIP and AS-SIP sessions with SBCs located at other MFSS sites and the LSC sites assigned to it.

Determine the following:
- If the enclave contains LSCs, determine the IP address of SBCs fronting the primary and backup MFSSs to which the enclave is assigned or with which the LSC is to exchange signaling messages.
- If the enclave contains a MFSS, determine the IP addresses of the SBCs fronting the LSCs with which it is to signal. Additionally determine the IP addresses of the SBCs fronting the other MFSSs.

If the SBC does not filter inbound SIP and AS-SIP traffic based on the IP addresses of the SBCs fronting authorized ESCs, LSCs, and MFSSs, this is a finding. Alternatively, if the SBC does not filter SIP and AS-SIP traffic based on the IP addresses of the ESCs and LSCs within the enclave, this is a finding.

NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

Vulnerability Number

V-19665

Documentable

False

Rule Version

VVoIP 6300

Severity Override Guidance

Interview the ISSO to confirm compliance with the following requirement:

Ensure the DISN NIPRNet IPVS SBC is configured to only communicate as follows:
- Within the enclave, ensure the SBC only establishes SIP and AS-SIP sessions with the primary or backup LSC or the MFSS and its backup LSC within the enclave.
- If the SBC is at a site without a MFSS: External to the enclave (across the WAN), ensure the SBC only establishes SIP and AS-SIP sessions with the SBC at the enclave’s assigned primary and secondary (backup) MFSS sites.
- If the SBC is at a MFSS site: External to the enclave (across the WAN), ensure the SBC only establishes SIP and AS-SIP sessions with SBCs located at other MFSS sites and the LSC sites assigned to it.

Determine the following:
- If the enclave contains LSCs, determine the IP address of SBCs fronting the primary and backup MFSSs to which the enclave is assigned or with which the LSC is to exchange signaling messages.
- If the enclave contains a MFSS, determine the IP addresses of the SBCs fronting the LSCs with which it is to signal. Additionally determine the IP addresses of the SBCs fronting the other MFSSs.

If the SBC does not filter inbound SIP and AS-SIP traffic based on the IP addresses of the SBCs fronting authorized ESCs, LSCs, and MFSSs, this is a finding. Alternatively, if the SBC does not filter SIP and AS-SIP traffic based on the IP addresses of the ESCs and LSCs within the enclave, this is a finding.

NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

Check Content Reference

M

Target Key

3407

Comments