STIGQter: STIG Summary: Voice Video Services Policy Security Technical Implementation Guide Version: 3 Release: 17 Benchmark Date: 25 Oct 2019

The site’s enclave boundary protection must route DSN voice traffic via a local Media Gateway (MG) connected to a DSN service provider using the appropriate type of trunk based on the site’s need to support C2 communications.

DISA Rule

SV-8824r2_rule

Vulnerability Number

V-8329

Group Title

VVoIP 1010

Rule Version

VVoIP 1010

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the site’s VVoIP system to connect to a DSN service provider via a local MG. For C2 enclaves with any MLPP support needed, T619A trunks must be installed. For sites without an MLPP requirement, PRI, CAS, and POTS analog trunks should be used. The connections from the local MG to a DSN service provider are made via T619A, PRI, CAS, or POTS analog trunks.

NOTE: This does not apply to approved remote VoIP instruments or Soft Phones that connect to the VVoIP system enclave via an encrypted VPN and are therefore part of the enclave’s LAN.

NOTE: TDM or optical circuits should be bulk encrypted if using a commercial provider to supply any portion of the complete circuit. This will most likely be the case for the “last mile” connection to a DISN SDN since DoD-owned facilities do not touch most sites.

NOTE: Organizational intranets using encrypted site-to-site or meshed VPN tunnels across a DISN IP routed network must block local access to/from the DISN IP routed network (e.g., NIPRNet) at the VPN termination points unless a full boundary protection suite of equipment is implemented locally.

Check Contents

If the site is approved for Sensitive But Unclassified (SBU) Voice, providing IP VoIP service including DSN connectivity, this is Not Applicable.

If the site is subtended to an enclave with approved IP voice services providing DSN services, this is Not Applicable.

Verify the site’s VVoIP system connects to a DSN service provider via a local MG. Ensure T619A trunks are used for C2 enclaves to provide MLPP support, or PRI, CAS, and POTS analog trunks are used for all other configurations to the DSN service provider.

If the site connects to a DSN service provider using T619A, PRI, CAS, or POTS analog trunks without using a local MG, this is a finding.

NOTE: This requirement dictates that each site’s VoIP enclave has a local (on site) MG for connecting the site locally to a DSN EO or MFS. The DSN EO or MFS may be located at a remote site, in which case the TDM trunks will carry the voice traffic between the sites. This arrangement means that VoIP traffic does not have to traverse the enclave boundary with the WAN, which is one of the reasons for the requirement.

Documentable

False

Severity Override Guidance

If the site is approved for Sensitive But Unclassified (SBU) Voice, providing IP VoIP service including DSN connectivity, this is Not Applicable.

If the site is subtended to an enclave with approved IP voice services providing DSN services, this is Not Applicable.

Verify the site’s VVoIP system connects to a DSN service provider via a local MG. Ensure T619A trunks are used for C2 enclaves to provide MLPP support, or PRI, CAS, and POTS analog trunks are used for all other configurations to the DSN service provider.

If the site connects to a DSN service provider using T619A, PRI, CAS, or POTS analog trunks without using a local MG, this is a finding.

NOTE: This requirement dictates that each site’s VoIP enclave has a local (on site) MG for connecting the site locally to a DSN EO or MFS. The DSN EO or MFS may be located at a remote site, in which case the TDM trunks will carry the voice traffic between the sites. This arrangement means that VoIP traffic does not have to traverse the enclave boundary with the WAN, which is one of the reasons for the requirement.

Check Content Reference

M

Target Key

594

Comments