STIGQter: STIG Summary: Voice/Video over Internet Protocol (VVoIP) STIG Version: 3 Release: 14 Benchmark Date: 26 Apr 2019

The Session Border Controller (SBC) must deny all packets traversing the enclave boundary (inbound or outbound) through the IP port pinholes opened for VVoIP sessions, except RTP/RTCP, SRTP/SRTCP, or other protocol/flow established by signaling messages.

DISA Rule

SV-21815r4_rule

Vulnerability Number

V-19674

Group Title

VVoIP 6345

Rule Version

VVoIP 6345

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure the DISN NIPRnet boundary SBC to drop any packet attempting to traverse the enclave boundary (inbound or outbound) through the IP port pinholes opened for VVoIP sessions that is not an RTP/RTCP or SRTP/SRTCP packet or another approved protocol/flow established by the signaling messages.

NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

Check Contents

Verify the DISN NIPRnet boundary SBC is configured to deny all packets attempting to traverse the enclave boundary (inbound or outbound) through the IP port pinholes opened for VVoIP sessions that are not an approved protocol. The allowed protocols are RTP/RTCP, SRTP/SRTCP, and other approved protocols/flows established by signaling messages. This requires filtering on protocol type.

If the DISN NIPRnet boundary SBC does not deny all packets traversing the enclave boundary (inbound or outbound) through the IP port pinholes opened for VVoIP sessions, except approved protocols, this is a finding.

If packets other than RTP/RTCP, SRTP/SRTCP, or another approved packet type established in the signaling messages can pass through the boundary SBC, this is a finding.

NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.
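The check above hinges on "filtering on protocol type" inside pinholes that signaling opened. The following is an added example, not part of the STIG or of any SBC product, that models that filter: pinholes are keyed by destination address and the media kind negotiated in SDP, and a packet is forwarded only if its header is well-formed RTP or RTCP of the negotiated kind. All addresses, ports and payloads are constructed sample data.

```python
# Added example: a model of the protocol-type filter this check requires on an
# SBC's media pinholes. All addresses, ports and payloads are constructed.
RTP_VERSION = 2
RTCP_TYPES = {200, 201, 202, 203, 204}   # SR, RR, SDES, BYE, APP (RFC 3550)

def classify(payload: bytes) -> str:
    """Classify a UDP payload as 'rtp', 'rtcp' or 'other' by header inspection.
    SRTP/SRTCP keep these headers in the clear, so they classify the same way."""
    if len(payload) < 8 or (payload[0] >> 6) != RTP_VERSION:
        return "other"
    pt = payload[1]
    if pt in RTCP_TYPES:
        # RTCP length is in 32-bit words minus one; compound packets may be longer.
        length_words = int.from_bytes(payload[2:4], "big")
        return "rtcp" if (length_words + 1) * 4 <= len(payload) else "other"
    # RTP: fixed header is 12 bytes; payload types 72-76 are reserved (RFC 5761)
    # because they collide with RTCP packet types when the marker bit is set.
    if len(payload) >= 12 and (pt & 0x7F) < 72:
        return "rtp"
    return "other"

def filter_packet(pinholes: dict, dst_ip: str, dst_port: int, payload: bytes) -> str:
    """Return 'forward' or 'drop'. Ports not opened by signaling drop everything;
    an open pinhole passes only the protocol the signaling negotiated for it."""
    kind = pinholes.get((dst_ip, dst_port))
    if kind is None:
        return "drop"
    return "forward" if classify(payload) == kind else "drop"

# Pinholes as signaling (SDP) would have opened them: (ip, port) -> negotiated kind.
PINHOLES = {("203.0.113.10", 20000): "rtp", ("203.0.113.10", 20001): "rtcp"}

# Constructed sample payloads.
RTP_PCMU = bytes([0x80, 0x00, 0x12, 0x34, 0, 0, 0x03, 0xE8, 0xDE, 0xAD, 0xBE, 0xEF]) + b"\x00" * 20
RTCP_SR = bytes([0x80, 0xC8, 0x00, 0x06]) + b"\x00" * 24   # sender report, 28 bytes
HTTP_GET = b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"       # non-media traffic, must drop

def demo() -> dict:
    """Run the filter over the sample packets; only the negotiated media passes."""
    return {
        "rtp_in_rtp_hole": filter_packet(PINHOLES, "203.0.113.10", 20000, RTP_PCMU),
        "rtcp_in_rtcp_hole": filter_packet(PINHOLES, "203.0.113.10", 20001, RTCP_SR),
        "http_in_rtp_hole": filter_packet(PINHOLES, "203.0.113.10", 20000, HTTP_GET),
        "rtp_in_rtcp_hole": filter_packet(PINHOLES, "203.0.113.10", 20001, RTP_PCMU),
        "rtp_no_hole": filter_packet(PINHOLES, "203.0.113.10", 20002, RTP_PCMU),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Header inspection alone cannot tell SRTP from RTP, so a real SBC also relies on the keying negotiated in signaling; the model shows only the protocol-type gate the check describes.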

Documentable

False

Check Content Reference

M

Target Key

3407

Comments