STIGQter: STIG Summary: Voice/Video over Internet Protocol (VVoIP) STIG Version: 3 Release: 14 Benchmark Date: 26 Apr 2019:

The Session Border Controller (SBC) must drop all SIP and AS-SIP packets except those secured with TLS.

DISA Rule

SV-21811r3_rule

Vulnerability Number

V-19670

Group Title

VVoIP 6325

Rule Version

VVoIP 6325

Severity

CAT II

CCI(s)

CCI-000366 - The organization implements the security configuration settings.

Weight

Fix Recommendation

Ensure the DISN NIPRNet IPVS SBC is configured to drop the following signaling packets:
- SIP packets arriving on IP port 5060 or 5061
- SIP packets arriving on IP port 443 not secured with TLS
- AS-SIP packets arriving on IP port 5060
- AS-SIP packets arriving on IP port 5061 not secured with TLS

NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

Check Contents

Interview the ISSO to confirm compliance with the following requirement:

Ensure the DISN NIPRNet IPVS SBC is configured to drop the following signaling packets:
- SIP packets arriving on IP port 5060 or 5061
- SIP packets arriving on IP port 443 not secured with TLS
- AS-SIP packets arriving on IP port 5060
- AS-SIP packets arriving on IP port 5061 not secured with TLS

If all SIP and AS-SIP packets are not dropped except AS-SIP packets secured with TLS arriving on IP Port 5061 and SIP packets secured with TLS arriving on IP Port 443 secured with TLS, this is a finding.

NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

The Session Border Controller (SBC) must drop all SIP and AS-SIP packets except those secured with TLS.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments