STIGQter: STIG Summary: Voice Video Services Policy Security Technical Implementation Guide Version: 3 Release: 17 Benchmark Date: 25 Oct 2019:

A Session Border Controller (SBC) implemented as the DISN boundary element for the DISN NIPRNet IP Voice Services (IPVS) must be listed on the DoD Approved Products List (APL).

DISA Rule

SV-21738r2_rule

Vulnerability Number

V-19597

Group Title

VVoIP 6120

Rule Version

VVoIP 6120

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

For VVoIP systems subscribed to the DISN NIPRNet IPVS network, ensure a DoD APL listed Session Border Controller (SBC) is implemented at the enclave boundary between the CER and LSC/ESC/MFSS to maintain the required enclave boundary protection while permitting DISN IPVS traffic to pass.

NOTE: The SBC may be a dedicated device or may be part of the required data firewall.
NOTE: In the future this requirement may be applicable (with some modification) to the DISN SIPRNet IPVS (VoSIP) network when the PMO adopts the DISN NIPRNet IPVS architecture.
NOTE: The SBC may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

Check Contents

Interview the ISSO to confirm compliance with the following requirement:

For VVoIP systems subscribed to the DISN NIPRNet IPVS network, ensure a DoD APL listed Session Border Controller (SBC) is implemented at the enclave boundary between the CER and LSC/ESC/MFSS to maintain the required enclave boundary protection while permitting DISN IPVS traffic to pass.

NOTE: The SBC may be a dedicated device or may be part of the required data firewall.
NOTE: In the future this requirement may be applicable (with some modification) to the DISN SIPRNet IPVS (VoSIP) network when the PMO adopts the DISN NIPRNet IPVS architecture.
NOTE: The SBC may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

Determine, through interview and/or physical inspection, the specific make, model, and OS version of the SBC. Access the DoD APL websites at listed below:
https://www.disa.mil/network-services/ucco
https://aplits.disa.mil/apl/
https://www.disa.mil/Network-Services/UCCO/APL-Removal-List

Verify all installed SBCs and software load (OS) versions are listed.

If all installed SBCs and software load (OS) versions are not listed, this is a finding.

Vulnerability Number

V-19597

Documentable

False

Rule Version

VVoIP 6120

Severity Override Guidance

Interview the ISSO to confirm compliance with the following requirement:

For VVoIP systems subscribed to the DISN NIPRNet IPVS network, ensure a DoD APL listed Session Border Controller (SBC) is implemented at the enclave boundary between the CER and LSC/ESC/MFSS to maintain the required enclave boundary protection while permitting DISN IPVS traffic to pass.

NOTE: The SBC may be a dedicated device or may be part of the required data firewall.
NOTE: In the future this requirement may be applicable (with some modification) to the DISN SIPRNet IPVS (VoSIP) network when the PMO adopts the DISN NIPRNet IPVS architecture.
NOTE: The SBC may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

Determine, through interview and/or physical inspection, the specific make, model, and OS version of the SBC. Access the DoD APL websites at listed below:
https://www.disa.mil/network-services/ucco
https://aplits.disa.mil/apl/
https://www.disa.mil/Network-Services/UCCO/APL-Removal-List

Verify all installed SBCs and software load (OS) versions are listed.

If all installed SBCs and software load (OS) versions are not listed, this is a finding.

Check Content Reference

M

Target Key

594

Comments