STIGQter STIGQter: STIG Summary: Voice Video Services Policy Security Technical Implementation Guide Version: 3 Release: 17 Benchmark Date: 25 Oct 2019: MGCP and/or H.248 (MEGACO) is not restricted/controlled on the LAN and/or protected on the WAN using encryption OR MGCP and/or H.248 (MEGACO) packets are not authenticated or filtered by source IP address.

DISA Rule

SV-8710r2_rule

Vulnerability Number

V-8224

Group Title

VVoIP 1405

Rule Version

VVoIP 1405

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

When the MGCP or MEGACO/H.248 is used to control Media Gateways (MGs) or other devices (e.g., endpoints), the following must be addressed:
- The LSC/MGC and MG are located in the same protected LSC VLAN and ACLs are established on all VLAN egress points to block the MGCP or MEGACO/H.248 from exiting the VLAN; OR
- The LSC/MGC and MG are located in adjacent protected VLANs and ACLs are established to permit MGCP or MEGACO/H.248 between the LSC/MGC and MG but block the MGCP or MEGACO/H.248 from exiting these VLANs; AND
- In the event MGCP or MEGACO/H.248 is used to control a MG or a distributed set of MGs across a WAN, ensure an encrypted VPN is used to protect the MGCP traffic.
- Additionally, ensure the source of MGCP or MEGACO/H.248 packets is authenticated to originate from a valid source and/or minimally filter acceptance on source IP address.

Check Contents

Request the SA demonstrate the measures used to protect MGCP or MEGACO/H.248 signaling on MGs, MGCs, and other devices such as end instruments if they use MGCP or MEGACO/H.248, by providing configuration details.

When the MGCP or MEGACO/H.248 is used to control Media Gateways (MGs) or other devices (e.g., endpoints), the following must be addressed:
- The LSC/MGC and MG are located in the same protected LSC VLAN and ACLs are established on all VLAN egress points to block the MGCP or MEGACO/H.248 from exiting the VLAN; OR
- The LSC/MGC and MG are located in adjacent protected VLANs and ACLs are established to permit MGCP or MEGACO/H.248 between the LSC/MGC and MG but block the MGCP or MEGACO/H.248 from exiting these VLANs; AND
- In the event MGCP or MEGACO/H.248 is used to control a MG or a distributed set of MGs across a WAN, ensure an encrypted VPN is used to protect the MGCP traffic.
- Additionally, ensure the source of MGCP or MEGACO/H.248 packets is authenticated to originate from a valid source and/or minimally filter acceptance on source IP address.

If the MGCP and H.248 (MEGACO) are not restricted on the LAN, and protected on the WAN using encryption, OR MGCP and H.248 (MEGACO) packets are not authenticated or filtered by source IP address, this is a finding.

Vulnerability Number

V-8224

Documentable

False

Rule Version

VVoIP 1405

Severity Override Guidance

Request the SA demonstrate the measures used to protect MGCP or MEGACO/H.248 signaling on MGs, MGCs, and other devices such as end instruments if they use MGCP or MEGACO/H.248, by providing configuration details.

When the MGCP or MEGACO/H.248 is used to control Media Gateways (MGs) or other devices (e.g., endpoints), the following must be addressed:
- The LSC/MGC and MG are located in the same protected LSC VLAN and ACLs are established on all VLAN egress points to block the MGCP or MEGACO/H.248 from exiting the VLAN; OR
- The LSC/MGC and MG are located in adjacent protected VLANs and ACLs are established to permit MGCP or MEGACO/H.248 between the LSC/MGC and MG but block the MGCP or MEGACO/H.248 from exiting these VLANs; AND
- In the event MGCP or MEGACO/H.248 is used to control a MG or a distributed set of MGs across a WAN, ensure an encrypted VPN is used to protect the MGCP traffic.
- Additionally, ensure the source of MGCP or MEGACO/H.248 packets is authenticated to originate from a valid source and/or minimally filter acceptance on source IP address.

If the MGCP and H.248 (MEGACO) are not restricted on the LAN, and protected on the WAN using encryption, OR MGCP and H.248 (MEGACO) packets are not authenticated or filtered by source IP address, this is a finding.

Check Content Reference

M

Target Key

594

Comments