SV-21777r3_rule
V-19636
VVoIP 5605
VVoIP 5605
CAT II
10
Implement and document a deny-by-default ACL for all VVoIP endpoint VLAN interfaces on VVoIP non-core routing devices as defined in the VVoIP system ACL design as follows:
- Permit Media protocols/traffic (RTP/RTCP, SRTP/SRTCP) to/from other endpoint VLAN interfaces (VLAN/subnets) wherever they intersect.
- Deny all other traffic. End the ACL with a “deny all” statement.
All other EI traffic at this level in the network remains confined to the VLAN and is passed to the routing device that manages EI access to the VVoIP core equipment/infrastructure. The purpose of permitting media traffic to be routed between VVoIP EI VLANs at this level is to reduce the loading of the core routing device and LAN NEs in between. This also enhances QoS within the LAN itself.
Review site documentation, especially the VVoIP system ACL design, to confirm a deny-by-default ACL for all VVoIP endpoint VLAN interfaces is implemented on VVoIP non-core routing devices. Ensure a deny-by-default ACL is implemented on all VVoIP endpoint (hardware and software) VLAN interfaces on the VVoIP routing devices throughout the LAN that do not support the VVoIP system core equipment directly to control traffic as follows:
- Permit Media protocols/traffic (RTP/RTCP, SRTP/SRTCP) to/from other endpoint VLAN interfaces (VLAN/subnets) wherever they intersect.
- Deny all other traffic. End the ACL with a “deny all” statement.
If a deny-by-default ACL for all VVoIP endpoint VLAN interfaces is not implemented on VVoIP non-core routing devices as defined in the VVoIP system ACL design, this is a finding.
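The following Cisco IOS-style configuration is an added illustration of the ACL structure the fix and check text describe for one endpoint VLAN interface on a non-core routing device; it is not taken from the STIG or from any site's VVoIP system ACL design. The VLAN numbers, subnets and the UDP media port range are constructed assumptions; the real port range and the list of intersecting endpoint VLANs must come from the site's documented ACL design.

```cisco
! Added example (not STIG text): deny-by-default ACL for one VVoIP endpoint VLAN
! interface on a non-core routing device. All values below are assumptions.
!
! Assumed endpoint VLAN subnets (site-specific in practice):
!   VLAN 110 = 10.110.0.0/24   local endpoint VLAN, the interface this ACL protects
!   VLAN 120 = 10.120.0.0/24   another endpoint VLAN that intersects on this device
! Assumed media port range. RTP/RTCP and SRTP/SRTCP use the same UDP ports, so a
! single UDP rule covers all four; the actual range comes from the site ACL design:
!   UDP 16384-32767
!
ip access-list extended VVOIP-EI-VLAN110-IN
 remark Permit media only between endpoint VLAN subnets that intersect here
 permit udp 10.110.0.0 0.0.0.255 range 16384 32767 10.120.0.0 0.0.0.255 range 16384 32767
 remark All other EI traffic stays in the VLAN and is handled by the routing
 remark device that fronts the VVoIP core; the ACL ends with a deny-all statement
 remark (the log keyword is optional and only adds detection of denied traffic)
 deny ip any any log
!
interface Vlan110
 description VVoIP endpoint VLAN (hardware and software EIs)
 ip address 10.110.0.1 255.255.255.0
 ip access-group VVOIP-EI-VLAN110-IN in
!
! A matching ACL with source and destination reversed is applied inbound on Vlan120,
! and one per additional endpoint VLAN interface on the same device.
```

When performing the check, compare the documented ACL design against the running device with `show ip access-lists VVOIP-EI-VLAN110-IN` and `show running-config interface Vlan110`: every endpoint VLAN interface should carry an ACL whose only permit entries are media between endpoint subnets, applied to the interface, and whose last entry is the deny-all.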
V-19636
False
VVoIP 5605
M
3407