STIGQter: STIG Summary: Voice Video Services Policy Security Technical Implementation Guide Version: 3 Release: 17 Benchmark Date: 25 Oct 2019:

MGCP and/or H.248 (MEGACO) is not restricted/controlled on the LAN and/or protected on the WAN using encryption OR MGCP and/or H.248 (MEGACO) packets are not authenticated or filtered by source IP address.

DISA Rule

SV-8710r2_rule

Vulnerability Number

V-8224

Group Title

VVoIP 1405

Rule Version

VVoIP 1405

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

When the MGCP or MEGACO/H.248 is used to control Media Gateways (MGs) or other devices (e.g., endpoints), the following must be addressed:
- The LSC/MGC and MG are located in the same protected LSC VLAN and ACLs are established on all VLAN egress points to block the MGCP or MEGACO/H.248 from exiting the VLAN; OR
- The LSC/MGC and MG are located in adjacent protected VLANs and ACLs are established to permit MGCP or MEGACO/H.248 between the LSC/MGC and MG but block the MGCP or MEGACO/H.248 from exiting these VLANs; AND
- In the event MGCP or MEGACO/H.248 is used to control a MG or a distributed set of MGs across a WAN, ensure an encrypted VPN is used to protect the MGCP traffic.
- Additionally, ensure the source of MGCP or MEGACO/H.248 packets is authenticated to originate from a valid source and/or minimally filter acceptance on source IP address.
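As an added illustration of the four points above (not part of the DISA STIG text or of STIGQter), the following Python script audits constructed flow-log lines against the rule: MGCP and H.248 signaling may pass only between the authorised LSC/MGC and MG addresses inside the protected VLANs, anything leaving those VLANs is flagged for review (a WAN-distributed MG would have to be reached through an encrypted VPN), and packets from an unlisted source address are rejected. It also renders the corresponding Cisco-style egress ACL. The VLAN prefixes and host addresses are hypothetical, and the port numbers are the IANA defaults (MGCP 2427/2727, H.248 2944/2945), which is an assumption about the deployment.

```python
import ipaddress
from dataclasses import dataclass

# IANA default ports (assumption: the MGC/MG use the defaults).
MGCP_PORTS = {2427, 2727}   # MGCP gateway / call agent
H248_PORTS = {2944, 2945}   # H.248 (MEGACO) text / binary encodings
SIGNALING_PORTS = MGCP_PORTS | H248_PORTS

# Constructed topology: the protected LSC VLAN and an adjacent MG VLAN,
# plus the authorised LSC/MGC and MG hosts. All addresses are hypothetical.
PROTECTED_VLANS = {
    "lsc_vlan": ipaddress.ip_network("10.10.10.0/24"),
    "mg_vlan": ipaddress.ip_network("10.10.11.0/24"),
}
AUTHORISED_HOSTS = {
    ipaddress.ip_address("10.10.10.5"),   # LSC / MGC
    ipaddress.ip_address("10.10.11.20"),  # MG
}


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def is_signaling(flow):
    """Port-based match for MGCP or H.248 control traffic."""
    return flow.dport in SIGNALING_PORTS


def vlan_of(addr):
    """Name of the protected VLAN containing addr, or None if outside."""
    ip = ipaddress.ip_address(addr)
    for name, net in PROTECTED_VLANS.items():
        if ip in net:
            return name
    return None


def evaluate(flow):
    """Return None if the flow complies with the rule, else a reason."""
    if not is_signaling(flow):
        return None
    if vlan_of(flow.src) is None or vlan_of(flow.dst) is None:
        # Signaling leaving the protected VLANs: only acceptable inside an
        # encrypted VPN to a WAN-distributed MG, so flag it for review.
        return "signaling crosses protected VLAN boundary"
    if ipaddress.ip_address(flow.src) not in AUTHORISED_HOSTS:
        return "source is not an authorised MGC/MG"
    if ipaddress.ip_address(flow.dst) not in AUTHORISED_HOSTS:
        return "destination is not an authorised MGC/MG"
    return None


def parse_log(text):
    """Parse constructed 'src dst proto dport' lines into Flow objects."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, proto, dport = line.split()
        flows.append(Flow(src, dst, proto, int(dport)))
    return flows


def audit(text):
    """Return (flow, reason) pairs for every non-compliant signaling flow."""
    return [(f, r) for f in parse_log(text) if (r := evaluate(f))]


def render_egress_acl():
    """Cisco-style extended ACL for the VLAN egress points: permit signaling
    only between the authorised hosts, then drop any other signaling."""
    hosts = sorted(str(h) for h in AUTHORISED_HOSTS)
    lines = []
    for port in sorted(SIGNALING_PORTS):
        for a in hosts:
            for b in hosts:
                if a != b:
                    lines.append(f"permit udp host {a} host {b} eq {port}")
        lines.append(f"deny udp any any eq {port}")
    return lines


# Constructed sample log: two compliant MGC<->MG flows, one H.248 flow to an
# outside address, one MGCP flow from an unauthorised host, one HTTPS flow.
SAMPLE_LOG = """
10.10.10.5 10.10.11.20 udp 2427
10.10.11.20 10.10.10.5 udp 2727
10.10.11.20 192.0.2.40 udp 2944
10.10.10.77 10.10.11.20 udp 2427
10.10.10.5 10.10.11.20 tcp 443
"""

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_LOG):
        print(f"FINDING: {flow.src} -> {flow.dst}:{flow.dport} ({reason})")
    print("\n".join(render_egress_acl()))
```

Run against the sample log, the audit reports two findings (the H.248 flow to 192.0.2.40 and the MGCP flow from 10.10.10.77) and ignores the HTTPS flow; the rendered ACL is the "permit between MGC and MG, deny on egress" pattern the fix describes.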

Check Contents

Request the SA demonstrate the measures used to protect MGCP or MEGACO/H.248 signaling on MGs, MGCs, and other devices such as end instruments if they use MGCP or MEGACO/H.248, by providing configuration details.

When the MGCP or MEGACO/H.248 is used to control Media Gateways (MGs) or other devices (e.g., endpoints), the following must be addressed:
- The LSC/MGC and MG are located in the same protected LSC VLAN and ACLs are established on all VLAN egress points to block the MGCP or MEGACO/H.248 from exiting the VLAN; OR
- The LSC/MGC and MG are located in adjacent protected VLANs and ACLs are established to permit MGCP or MEGACO/H.248 between the LSC/MGC and MG but block the MGCP or MEGACO/H.248 from exiting these VLANs; AND
- In the event MGCP or MEGACO/H.248 is used to control a MG or a distributed set of MGs across a WAN, ensure an encrypted VPN is used to protect the MGCP traffic.
- Additionally, ensure the source of MGCP or MEGACO/H.248 packets is authenticated to originate from a valid source and/or minimally filter acceptance on source IP address.

If MGCP and H.248 (MEGACO) are not restricted on the LAN or not protected on the WAN using encryption, OR MGCP and H.248 (MEGACO) packets are not authenticated or filtered by source IP address, this is a finding.

Vulnerability Number

V-8224

Documentable

False

Rule Version

VVoIP 1405

Severity Override Guidance

Request the SA demonstrate the measures used to protect MGCP or MEGACO/H.248 signaling on MGs, MGCs, and other devices such as end instruments if they use MGCP or MEGACO/H.248, by providing configuration details.

When the MGCP or MEGACO/H.248 is used to control Media Gateways (MGs) or other devices (e.g., endpoints), the following must be addressed:
- The LSC/MGC and MG are located in the same protected LSC VLAN and ACLs are established on all VLAN egress points to block the MGCP or MEGACO/H.248 from exiting the VLAN; OR
- The LSC/MGC and MG are located in adjacent protected VLANs and ACLs are established to permit MGCP or MEGACO/H.248 between the LSC/MGC and MG but block the MGCP or MEGACO/H.248 from exiting these VLANs; AND
- In the event MGCP or MEGACO/H.248 is used to control a MG or a distributed set of MGs across a WAN, ensure an encrypted VPN is used to protect the MGCP traffic.
- Additionally, ensure the source of MGCP or MEGACO/H.248 packets is authenticated to originate from a valid source and/or minimally filter acceptance on source IP address.

If MGCP and H.248 (MEGACO) are not restricted on the LAN or not protected on the WAN using encryption, OR MGCP and H.248 (MEGACO) packets are not authenticated or filtered by source IP address, this is a finding.

Check Content Reference

M

Target Key

594

Comments