STIGQter: STIG Summary: Voice/Video over Internet Protocol (VVoIP) STIG, Version 3, Release 14, Benchmark Date 26 Apr 2019

A VVoIP core system/device or a traditional TDM based telecom switch is acting as a network router in that it does not block traffic between its attached management network interface(s) (one or more; logical or physical) and/or its production network interface(s) (logical or physical).

DISA Rule

SV-21772r2_rule

Vulnerability Number

V-19631

Group Title

Deficient Impl’n: Inter interface traffic block

Rule Version

VVoIP 5400

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure VVoIP core system/devices and traditional TDM based telecom switches to comply with the following:
In the event a target system/device supports separate IP based production and management interfaces (logical or physical), or multiple management interfaces (logical or physical), connected to different networks or VLANs, ensure the target system/device does not route IP traffic between the networks or VLANs attached or connected to these interfaces.
NOTE: This also applies to traditional TDM based telecom switches that are managed via IP networks that connect to the switch via different ports, no matter the type of connection (Ethernet or serial).

The purpose of this requirement is to ensure that other devices connected to one side of the target device cannot be accessed or compromised through the target device via one of its other interfaces.

Configure the target system/device to NOT route between multiple attached management networks and/or its production network whether physically different or only logically different by being connected to different VLANs.

NOTE: While this specifically addresses a similar situation addressed in the Network Infrastructure STIG, which essentially requires that the production side of a managed device must not be accessible from the management interface and vice versa, this requirement extends that requirement to multiple management interfaces. Many DSN switches and DISN IPVS system core devices are managed from the BCPS network and CCSA NOC via one interface and also monitored and potentially managed by the DISA ADIMSS or other NOC. These are separate enclaves which must be protected from inappropriate access between them. In some cases the connections from these enclaves to the managed devices are via separate interfaces on the managed devices. Hence the requirement that the managed device must not pass traffic between these interfaces.

Check Contents

Obtain the IP addressing schemes of the production and all management networks and VLANs (one or more) connected to the VVoIP core system/device. Connect a network scanner to each network or interface in sequence. Scan the IP range(s) of the network(s) connected to the other port(s) on the VVoIP core system/device.

This is a finding in the event the scanner can reach any host on the scanned network.

Procedural example:
1 - Connect the scanner to the production network or connection of the VVoIP core system/device. Scan the address range of the management VLAN or network and any other management network connected to the target.
1A - If the target device has redundant production interfaces, repeat step 1 for the second interface.
2 - Connect the scanner to the management network interface and scan the address ranges of the production network and any other attached management networks.
2A - If there is a second management network connection, repeat step 2 for the second management interface.

The expected results are that the scanner should not report or reach any host on the scanned network(s).

NOTE: While a portion of this test might be performed as part of the scan used to check that the VVoIP production and management VLANs are closed, thus validating the ACL requirements (provided the proper address ranges are scanned as noted above), a detailed review of the scan results would be required to identify which hosts were reached. Additional applicability of that test to this one depends upon where in the production or management VLAN the scanner is placed, since the ACLs protecting the target VVoIP core device may mask a problem in the target device itself. Therefore it is recommended that an independent scan of the device be performed.
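The "detailed review of the scan results" that the note above calls for can be automated once the reviewer knows which networks sit behind which interface of the target device. The following is an added example, not part of the STIG or of STIGQter. It assumes the scanner output is nmap grepable (-oG) format captured once per interface the scanner was attached to, and it uses a hypothetical, constructed interface inventory. For each scanner position it keeps only the hosts reported Up that fall inside a network attached to a different interface of the target; any such host is a finding under this rule.

```python
# Added example (not part of the STIG): review of VVoIP 5400 scan results.
import ipaddress

# Constructed inventory (hypothetical names and addresses): each interface of the
# target VVoIP core device and the network(s) attached to it.
INTERFACES = {
    "production": ["10.10.0.0/24"],
    "mgmt-bcps": ["10.20.0.0/24"],
    "mgmt-noc": ["10.30.0.0/24"],
}

# Constructed nmap -oG output, one capture per scanner position.
SAMPLE_SCANS = {
    # Step 1: scanner on the production network, probing both management ranges.
    "production": (
        "# Nmap scan initiated (constructed sample)\n"
        "Host: 10.20.0.7 ()\tStatus: Up\n"     # reached a host on the BCPS mgmt network
        "Host: 10.10.0.50 ()\tStatus: Up\n"    # scanner's own network, not relevant here
        "# Nmap done (constructed sample)\n"
    ),
    # Step 2: scanner on the BCPS management network, probing production and NOC ranges.
    "mgmt-bcps": (
        "# Nmap scan initiated (constructed sample)\n"
        "# Nmap done (constructed sample): 0 hosts up\n"
    ),
}


def ranges_to_scan(interfaces, scanner_iface):
    """Networks the scanner must probe from scanner_iface: every network
    attached to any *other* interface of the target device."""
    return [ipaddress.ip_network(net)
            for name, nets in interfaces.items() if name != scanner_iface
            for net in nets]


def parse_grepable(text):
    """Return the addresses nmap -oG reports as Up. Lines look like
    'Host: 10.20.0.7 ()\\tStatus: Up'; comment lines start with '#'."""
    up = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        addr = fields[0].split()[1]
        status = next((f.split(":", 1)[1].strip()
                       for f in fields if f.startswith("Status:")), "")
        if status == "Up":
            up.append(ipaddress.ip_address(addr))
    return up


def evaluate(interfaces, scans):
    """scans maps scanner position -> grepable output captured there.
    Returns scanner position -> list of hosts reached on networks attached to
    other interfaces. Hosts on the scanner's own network are ignored."""
    findings = {}
    for iface, output in scans.items():
        targets = ranges_to_scan(interfaces, iface)
        findings[iface] = sorted(
            str(host) for host in parse_grepable(output)
            if any(host in net for net in targets))
    return findings


def is_finding(findings):
    """Any host reached through the target device is a finding for this rule."""
    return any(findings.values())


if __name__ == "__main__":
    result = evaluate(INTERFACES, SAMPLE_SCANS)
    for iface, hosts in result.items():
        print(f"scanner on {iface}: reached {hosts or 'nothing'}")
    print("FINDING" if is_finding(result) else "not a finding")
```

Run the scan from each position listed in the procedure (including the redundant interfaces of steps 1A and 2A) and add one entry per position; the inventory is what makes the review reliable, since a host that is Up on the scanner's own segment is not evidence of routing through the target.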

Documentable

False

Severity Override Guidance

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

3407

Comments