STIGQter: STIG Summary: Voice Video Services Policy Security Technical Implementation Guide, Version 3, Release 17, Benchmark Date: 25 Oct 2019

The VVoIP VLAN ACL design must document the control of VVoIP system access and traffic flow.

DISA Rule

SV-8818r2_rule

Vulnerability Number

V-8323

Group Title

Deficient design: VLAN ACL design for VVoIP prot’n

Rule Version

VVoIP 5515 (LAN)

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Develop a comprehensive VVoIP VLAN ACL design for the supporting LAN that properly controls VVoIP system access and traffic flow. The design documentation must be maintained for future review.

Check Contents

Interview the IAO to confirm compliance with the following requirement:
Verify that a comprehensive VVoIP VLAN ACL design has been developed for the supporting LAN such that VVoIP system access and traffic flow are properly controlled. The defined ACLs must use a deny-by-default configuration, allowing only the protocols and traffic required to reach the device. The ACLs filter on VLAN, IP address, subnet, protocol type, and the standard IP port associated with the protocol. The ACLs are generally egress filters (referenced from the router core) applied on the VLAN interfaces. Additionally, the routing devices should log and alarm on inappropriate traffic. Similar restrictions are placed on a dedicated VTC VLAN interface; however, VVoIP media and signaling are permitted there in the event a VTC unit needs to communicate with the UC system. The ACL design will vary with the specifics of the VVoIP system implementation, such as the components used and the VLANs defined. The design documentation must be maintained for future review.

If a comprehensive VVoIP VLAN ACL design for the supporting LAN properly controlling VVoIP system access and traffic flow is not in place, this is a finding.
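As an added example, not part of the STIG or the STIGQter page: a small Python linter that checks a documented VVoIP VLAN ACL design against the criteria in the check content (deny-by-default, permits narrowed to VLAN, address, protocol and port, and a final deny that logs so the router can alarm). The rule dictionary layout and the VLAN numbers, subnets and port values in the sample design are constructed assumptions.

```python
REQUIRED_MATCH_FIELDS = ("vlan", "src", "dst", "proto", "port")


def lint_acl(name, rules):
    """Return findings for one VLAN-interface ACL (empty list = meets the check criteria:
    deny-by-default, permits narrowed to VLAN/address/protocol/port, final deny logs)."""
    findings = []
    if not rules:
        return [f"{name}: no entries, so no documented deny-by-default design"]
    for idx, rule in enumerate(rules):
        if rule["action"] != "permit":
            continue
        missing = [f for f in REQUIRED_MATCH_FIELDS if not rule.get(f)]
        if missing:
            findings.append(f"{name} entry {idx}: permit does not filter on {', '.join(missing)}")
        if rule.get("proto") == "ip" or rule.get("port") == "any":
            findings.append(f"{name} entry {idx}: permit is not limited to one protocol and its port")
    last = rules[-1]
    if last["action"] != "deny" or last.get("src") != "any" or last.get("dst") != "any":
        findings.append(f"{name}: does not end with an explicit 'deny any any' (not deny-by-default)")
    elif not last.get("log"):
        findings.append(f"{name}: final deny does not log, so inappropriate traffic cannot raise an alarm")
    return findings


def lint_design(design):
    """Lint every ACL in a design dict {acl_name: [rules]}; returns {acl_name: findings}."""
    return {name: lint_acl(name, rules) for name, rules in design.items()}


# Constructed sample design: a compliant egress ACL for the VVoIP VLAN beside a deficient one.
SAMPLE_DESIGN = {
    "VVOIP-VLAN100-EGRESS": [
        {"action": "permit", "vlan": 100, "src": "10.10.100.0/24", "dst": "10.10.200.10/32",
         "proto": "tcp", "port": 5061},  # signaling to the call controller (assumed port)
        {"action": "permit", "vlan": 100, "src": "10.10.100.0/24", "dst": "10.10.100.0/24",
         "proto": "udp", "port": "16384-32767"},  # media between endpoints (assumed RTP range)
        {"action": "deny", "src": "any", "dst": "any", "log": True},
    ],
    "VTC-VLAN200-EGRESS": [  # deficient: wide-open protocol, no VLAN match, no final deny
        {"action": "permit", "vlan": 200, "src": "10.10.200.0/24", "dst": "any", "proto": "ip", "port": "any"},
        {"action": "permit", "src": "any", "dst": "any", "proto": "ip", "port": "any"},
    ],
}

if __name__ == "__main__":
    for acl, findings in lint_design(SAMPLE_DESIGN).items():
        print(acl, "OK" if not findings else "\n  " + "\n  ".join(findings))
```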

Documentable

False

Severity Override Guidance

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

594

Comments