STIGQter STIGQter: STIG Summary: Voice/Video over Internet Protocol (VVoIP) STIG Version: 3 Release: 14 Benchmark Date: 26 Apr 2019:

Logical or physical interfaces must be configured on the VVoIP core routing devices for the VVoIP core equipment to support access and traffic control for the VVoIP system components.

DISA Rule

SV-21773r3_rule

Vulnerability Number

V-19632

Group Title

VVoIP 5520

Rule Version

VVoIP 5520

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Ensure logical or physical interfaces (VLAN/subnets or direct connect physical interfaces with discrete subnets) are established/configured on the VVoIP core routing devices for the VVoIP core equipment as follows:
- VVoIP system core control equipment containing the LSC, endpoint configuration server, and DHCP server if used, etc.
- VVoIP system management VLAN which is separate from the general LAN management VLAN.
- Media gateways to the DSN and PSTN.
- Signaling gateways (SG) to the DSN.
- DoD WAN access VVoIP firewall (SBC or other).
- Voicemail and Unified Messaging Servers, which may need to be accessible from both the voice and data VLANs.
- UC servers supporting presence, web browser based conferencing, and directory services. These may need to be accessible from both the voice and data VLANs.
Alternately, ensure the VVoIP core equipment employs direct connections with discrete subnets to the VVoIP core routing devices so that the ACLs may be implemented on the physical interface to the device instead of the logical interface to the VLAN.
NOTE: If the device for which a VLAN/subnet is designated does not exist in the system, the VLAN is not required. These devices may be the core routing devices for the data LAN as well.

Check Contents

Inspect the configurations of the VVoIP core routing devices to determine compliance with the following requirement:

Ensure logical or physical interfaces (VLAN/subnets or direct connect physical interfaces with discrete subnets) are configured on the VVoIP core routing devices for the VVoIP core equipment as follows:
- VVoIP system core control equipment containing the LSC, endpoint configuration server, and DHCP server if used, etc.
- VVoIP system management VLAN which is separate from the general LAN management VLAN.
- Media gateways to the DSN and PSTN.
- Signaling gateways (SG) to the DSN.
- DoD WAN access VVoIP firewall (SBC or other).
- Voicemail and Unified Messaging Servers, which may need to be accessible from both the voice and data VLANs.
- UC servers supporting presence, web browser based conferencing, and directory services. These may need to be accessible from both the voice and data VLANs.
Alternately, ensure the VVoIP core equipment employs direct connections with discrete subnets to the VVoIP core routing devices so that the ACLs may be implemented on the physical interface to the device instead of the logical interface to the VLAN.
NOTE: If the device for which a VLAN/subnet is designated does not exist in the system, the VLAN is not required. These devices may be the core routing devices for the data LAN as well.

If the logical or physical interfaces with discrete subnets have not been implemented against which the ACLs can be applied, this is a finding.

Vulnerability Number

V-19632

Documentable

False

Rule Version

VVoIP 5520

Severity Override Guidance

Inspect the configurations of the VVoIP core routing devices to determine compliance with the following requirement:

Ensure logical or physical interfaces (VLAN/subnets or direct connect physical interfaces with discrete subnets) are configured on the VVoIP core routing devices for the VVoIP core equipment as follows:
- VVoIP system core control equipment containing the LSC, endpoint configuration server, and DHCP server if used, etc.
- VVoIP system management VLAN which is separate from the general LAN management VLAN.
- Media gateways to the DSN and PSTN.
- Signaling gateways (SG) to the DSN.
- DoD WAN access VVoIP firewall (SBC or other).
- Voicemail and Unified Messaging Servers, which may need to be accessible from both the voice and data VLANs.
- UC servers supporting presence, web browser based conferencing, and directory services. These may need to be accessible from both the voice and data VLANs.
Alternately, ensure the VVoIP core equipment employs direct connections with discrete subnets to the VVoIP core routing devices so that the ACLs may be implemented on the physical interface to the device instead of the logical interface to the VLAN.
NOTE: If the device for which a VLAN/subnet is designated does not exist in the system, the VLAN is not required. These devices may be the core routing devices for the data LAN as well.

If the logical or physical interfaces with discrete subnets have not been implemented against which the ACLs can be applied, this is a finding.

Check Content Reference

M

Target Key

3407

Comments