STIGQter: STIG Summary: Voice Video Services Policy Security Technical Implementation Guide, Version 3, Release 17, Benchmark Date: 25 Oct 2019

The VVoIP system management network bidirectional enclave boundary protection between the local management network and the DISN voice services management network must have ACLs permitting only specific inbound/outbound traffic and denying all other traffic.

DISA Rule

SV-75803r1_rule

Vulnerability Number

V-61323

Group Title

VVoIP 5415

Rule Version

VVoIP 5415

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Implement and document that the VVoIP system management network bidirectional enclave boundary protection between the local management network and the DISN voice services management network has ACLs permitting only specific inbound/outbound traffic and denying all other traffic.

The inbound ACL must include:
- The ability to permit the specifically authorized and required protocol sourced from the IP address of the specifically authorized device on the DISN management network to reach the specific IP address of the managed device or required local management server.
- Additional statements for each protocol and IP address pair.
- Deny all other traffic.

The outbound ACL must include:
- The ability to permit the specifically authorized and required protocol sourced from the specific IP address of the managed device or any required local management server to reach the specific IP address of the specifically authorized device on the DISN management network.
- Additional statements for each protocol and IP address pair.
- Deny all other traffic.
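The inbound and outbound ACL requirements above (and the same pattern repeated under Check Contents) reduce to a mechanical test: every permit names a specific protocol, a specific source host and a specific destination host, and the list ends with an explicit deny of everything else. The following checker is an added example, not part of the STIG or of STIGQter; it assumes a simplified Cisco-style extended ACL syntax (`permit|deny <proto> host <ip>|any host <ip>|any [eq <port>]`) and uses constructed sample entries with documentation-range addresses.

```python
"""Added checker for the deny-by-default ACL pattern required by VVoIP 5415.

Assumptions (not from the STIG): entries use a simplified extended-ACL syntax,
  permit|deny <proto> (host <ip>|any) (host <ip>|any) [eq <port>]
and lines starting with '!' are comments. Sample ACLs below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One access-control entry in the assumed syntax.
ACE_RE = re.compile(
    r"^\s*(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$",
    re.IGNORECASE,
)


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # e.g. "tcp", "udp", or the catch-all "ip"
    src: str               # "any" or a host address
    dst: str               # "any" or a host address
    port: Optional[str]    # destination port if given


def _endpoint(token: str) -> str:
    token = token.strip()
    return "any" if token.lower() == "any" else token.split()[1]


def parse_ace(line: str) -> Ace:
    m = ACE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable ACL entry: {line!r}")
    return Ace(m["action"].lower(), m["proto"].lower(),
               _endpoint(m["src"]), _endpoint(m["dst"]), m["port"])


def check_acl(lines: List[str]) -> List[str]:
    """Return a list of findings; an empty list means the ACL follows the pattern."""
    aces = [parse_ace(l) for l in lines
            if l.strip() and not l.strip().startswith("!")]
    findings: List[str] = []
    if not aces:
        return ["ACL is empty: there is no explicit deny of all other traffic"]

    deny_all_seen = False
    for i, a in enumerate(aces, 1):
        is_deny_all = (a.action == "deny" and a.proto == "ip"
                       and a.src == "any" and a.dst == "any")
        if deny_all_seen:
            # Anything after the catch-all deny can never match.
            findings.append(f"entry {i}: unreachable, follows 'deny ip any any'")
        if is_deny_all:
            deny_all_seen = True
            continue
        if a.action != "permit":
            continue
        # Each permit must be a specific protocol between a specific host pair.
        if a.proto == "ip":
            findings.append(f"entry {i}: permit uses 'ip' rather than a specific protocol")
        if a.src == "any":
            findings.append(f"entry {i}: permit source is 'any', not a specific host")
        if a.dst == "any":
            findings.append(f"entry {i}: permit destination is 'any', not a specific host")
    if not deny_all_seen:
        findings.append("ACL does not end with an explicit 'deny ip any any'")
    return findings


# Constructed sample: inbound list from a DISN-side management host to local devices.
COMPLIANT_INBOUND = [
    "! constructed example, addresses from documentation ranges",
    "permit tcp host 192.0.2.20 host 10.1.1.10 eq 22",
    "permit udp host 192.0.2.21 host 10.1.1.11 eq 161",
    "deny ip any any",
]

# Constructed sample with three departures from the required pattern.
NONCOMPLIANT_INBOUND = [
    "permit tcp any host 10.1.1.10 eq 22",           # source not specific
    "permit ip host 192.0.2.20 host 10.1.1.11",      # protocol not specific
    "permit udp host 192.0.2.21 host 10.1.1.12 eq 161",
]                                                    # no trailing deny-all


if __name__ == "__main__":
    for name, acl in (("compliant", COMPLIANT_INBOUND),
                      ("noncompliant", NONCOMPLIANT_INBOUND)):
        print(name, check_acl(acl) or "no findings")
```

Run the module directly to see the findings for both constructed lists. To review a real boundary device, export each interface's ACL in the assumed syntax and feed the lines to `check_acl`; any non-empty result corresponds to the "this is a finding" condition in the Check Contents, and the outbound list is checked the same way with the host roles reversed.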

Check Contents

Review site documentation to confirm that the VVoIP system management network bidirectional enclave boundary protection between the local management network and the DISN voice services management network has ACLs permitting only specific inbound/outbound traffic and denying all other traffic. Enclave boundary protection must be implemented at the entry point of the DISN management network. Inspect the ACLs on the boundary protection devices to ensure a deny-by-default posture that allows only specifically required protocol traffic between specific pairs of IP addresses across the boundary.

The inbound ACL must include:
- The ability to permit the specifically authorized and required protocol sourced from the IP address of the specifically authorized device on the DISN management network to reach the specific IP address of the managed device or required local management server.
- Additional statements for each protocol and IP address pair.
- Deny all other traffic.

The outbound ACL must include:
- The ability to permit the specifically authorized and required protocol sourced from the specific IP address of the managed device or any required local management server to reach the specific IP address of the specifically authorized device on the DISN management network.
- Additional statements for each protocol and IP address pair.
- Deny all other traffic.

If the VVoIP system management network bidirectional enclave boundary protection between the local management network and the DISN voice services management network does not have ACLs permitting only specific inbound/outbound traffic and denying all other traffic as indicated above, this is a finding.

Documentable

False

Severity Override Guidance

Review site documentation to confirm that the VVoIP system management network bidirectional enclave boundary protection between the local management network and the DISN voice services management network has ACLs permitting only specific inbound/outbound traffic and denying all other traffic. Enclave boundary protection must be implemented at the entry point of the DISN management network. Inspect the ACLs on the boundary protection devices to ensure a deny-by-default posture that allows only specifically required protocol traffic between specific pairs of IP addresses across the boundary.

The inbound ACL must include:
- The ability to permit the specifically authorized and required protocol sourced from the IP address of the specifically authorized device on the DISN management network to reach the specific IP address of the managed device or required local management server.
- Additional statements for each protocol and IP address pair.
- Deny all other traffic.

The outbound ACL must include:
- The ability to permit the specifically authorized and required protocol sourced from the specific IP address of the managed device or any required local management server to reach the specific IP address of the specifically authorized device on the DISN management network.
- Additional statements for each protocol and IP address pair.
- Deny all other traffic.

If the VVoIP system management network bidirectional enclave boundary protection between the local management network and the DISN voice services management network does not have ACLs permitting only specific inbound/outbound traffic and denying all other traffic as indicated above, this is a finding.

Check Content Reference

M

Target Key

594

Comments