STIGQter: STIG Summary: Voice Video Services Policy Security Technical Implementation Guide, Version: 3, Release: 17, Benchmark Date: 25 Oct 2019

The VVoIP system time is not properly implemented and/or synched with the LAN’s NTP servers.

DISA Rule

SV-23735r1_rule

Vulnerability Number

V-21523

Group Title

Deficient design: VVoIP system re: NTP

Rule Version

VVoIP 5250 (LAN)

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Implement NTP usage in the VVoIP system in accordance with the Network Infrastructure STIG policy and requirements.

Ensure the VVoIP system’s time is synchronized with or receives its time from the two internal LAN NTP servers that are configured within the LAN management VLAN in accordance with the Network Infrastructure STIG. Further ensure the VVoIP endpoints receive their time from the VVoIP system controller.

NOTE: Implementing NTP within the VVoIP system will require the system/call controller to be configured to receive authenticated NTP messages from the two NTP server IP addresses via its management interface. This will require that permissions be granted between the VVoIP management VLAN and the LAN management VLAN such that NTP requests and responses can flow between the VVoIP system controller and the two NTP servers in the LAN management VLAN. If the VVoIP endpoints’ time is synchronized via NTP, the VVoIP controller will have to serve as their NTP server since the endpoints do not have access to the VVoIP or LAN management VLANs and should not be permitted such access.

Check Contents

Inspect the configuration of the VVoIP system controller and its endpoints to validate that the endpoints’ time is synchronized from the VVoIP controller and not from an independent source.

Documentable

False

Severity Override Guidance

Inspect the configuration of the VVoIP system controller and its endpoints to validate that the endpoints’ time is synchronized from the VVoIP controller and not from an independent source.

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

594
