STIGQter: STIG Summary: Voice/Video over Internet Protocol (VVoIP) STIG Version: 3 Release: 14 Benchmark Date: 26 Apr 2019:

The Session Border Controller (SBC) must be configured to only process packets authenticated from an authorized source within the DISN IPVS network.

DISA Rule

SV-21808r3_rule

Vulnerability Number

V-19667

Group Title

VVoIP 6310

Rule Version

VVoIP 6310

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Ensure the DISN NIPRNet IPVS SBC is configured to only process packets authenticated from an authorized source as follows:
- Authenticate outbound SIP and AS-SIP messages as being from the primary or backup LSC (or the site’s MFSS and is backup LSC) within the enclave.
- Authenticate inbound SIP and AS-SIP messages as being from the SBC at the enclave’s assigned primary and secondary (backup) MFSS sites.

NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

Check Contents

Interview the ISSO to confirm compliance with the following requirement:

Ensure the DISN NIPRNet IPVS SBC is configured to only process packets authenticated from an authorized source as follows:
- Authenticate outbound SIP and AS-SIP messages as being from the primary or backup LSC (or the site’s MFSS and its backup LSC) within the enclave.
- Authenticate inbound SIP and AS-SIP messages as being from the SBC at the enclave’s assigned primary and secondary (backup) MFSS sites.

Inspect the configurations of the EBC to determine compliance with the requirement.

If the SBC does not use DoD PKI to authenticate the source of SIP and AS-SIP packets, this is a finding. the SBC is not configured to validate sending appliance’s public PKI certificate against the DoD PKI registry and CRLs, this is a finding.

NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

Vulnerability Number

V-19667

Documentable

False

Rule Version

VVoIP 6310

Severity Override Guidance

Interview the ISSO to confirm compliance with the following requirement:

Ensure the DISN NIPRNet IPVS SBC is configured to only process packets authenticated from an authorized source as follows:
- Authenticate outbound SIP and AS-SIP messages as being from the primary or backup LSC (or the site’s MFSS and its backup LSC) within the enclave.
- Authenticate inbound SIP and AS-SIP messages as being from the SBC at the enclave’s assigned primary and secondary (backup) MFSS sites.

Inspect the configurations of the EBC to determine compliance with the requirement.

If the SBC does not use DoD PKI to authenticate the source of SIP and AS-SIP packets, this is a finding. the SBC is not configured to validate sending appliance’s public PKI certificate against the DoD PKI registry and CRLs, this is a finding.

NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

Check Content Reference

M

Target Key

3407

Comments