SV-21779r3_rule
V-19638
VVoIP 5615
CAT II
10
Implement and document a deny-by-default ACL for media gateway VLAN interfaces on VVoIP core routing devices as defined in the VVoIP system ACL design as follows:
- Permit Media protocols/traffic (RTP/RTCP, SRTP/SRTCP) to/from the endpoint VLAN interfaces (VLAN/subnets).
- Permit (only as required for proper functionality) the specific system-required signaling protocols used by the media gateway (e.g., MGCP, H.248, H.323, AS-SIP) to/from the VVoIP core control equipment VLAN interfaces (VLAN/subnets).
- Deny all other traffic. End the ACL with a “deny all” statement.
Review site documentation, especially the VVoIP system ACL design, to confirm a deny-by-default ACL for media gateway VLAN interfaces is implemented on VVoIP core routing devices. Ensure a deny-by-default ACL is implemented on the VVoIP Media Gateway (MG) VLAN interfaces on the VVoIP routing devices supporting the VVoIP system core equipment to control traffic as follows:
- Permit Media protocols/traffic (RTP/RTCP, SRTP/SRTCP) to/from the endpoint VLAN interfaces (VLAN/subnets).
- Permit (only as required for proper functionality) the specific system-required signaling protocols used by the media gateway (e.g., MGCP, H.248, H.323, AS-SIP) to/from the VVoIP core control equipment VLAN interfaces (VLAN/subnets).
- Deny all other traffic. End the ACL with a “deny all” statement.
If a deny-by-default ACL for media gateway VLAN interfaces is not implemented on VVoIP core routing devices as defined in the VVoIP system ACL design, this is a finding.
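One way to audit an MG VLAN interface ACL against the three requirements above, as an added example that is not part of the STIG or any vendor tool. The vendor-neutral rule model, the subnets, and the port numbers are constructed assumptions; the real values come from the site's VVoIP system ACL design.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    proto: str    # "udp", "tcp", or "ip" (any protocol)
    peer: str     # remote subnet in CIDR notation, or "any"
    ports: tuple  # inclusive (low, high) port range

# Constructed values: take the real ones from the site's VVoIP system ACL design.
ENDPOINT_NETS = [ipaddress.ip_network("10.20.0.0/16")]   # endpoint VLANs
CONTROL_NETS = [ipaddress.ip_network("10.10.1.0/28")]    # core control VLAN
MEDIA_PROTO, MEDIA_PORTS = "udp", (16384, 32767)         # assumed RTP/RTCP range
SIGNALING = {("udp", (2427, 2427)),                      # MGCP gateway port
             ("tcp", (5061, 5061))}                      # AS-SIP over TLS
DENY_ALL = Rule("deny", "ip", "any", (0, 65535))

def _within(peer, nets):
    """True if peer is a subnet of one of the approved networks."""
    if peer == "any":
        return False
    net = ipaddress.ip_network(peer)
    return any(net.subnet_of(n) for n in nets)

def _permitted(r):
    """A permit is valid only as media to endpoints or signaling to control."""
    media = (r.proto == MEDIA_PROTO
             and MEDIA_PORTS[0] <= r.ports[0] <= r.ports[1] <= MEDIA_PORTS[1]
             and _within(r.peer, ENDPOINT_NETS))
    signaling = (r.proto, r.ports) in SIGNALING and _within(r.peer, CONTROL_NETS)
    return media or signaling

def audit(acl):
    """Return findings for an MG VLAN ACL; an empty list means it conforms."""
    findings = []
    ends_closed = bool(acl) and acl[-1] == DENY_ALL
    if not ends_closed:
        findings.append("ACL does not end with an explicit deny all")
    body = acl[:-1] if ends_closed else acl
    for n, r in enumerate(body, 1):
        if r.action == "permit" and not _permitted(r):
            findings.append(f"rule {n}: permit {r.proto} {r.peer} {r.ports} "
                            "is outside the ACL design")
    return findings

GOOD = [Rule("permit", "udp", "10.20.4.0/24", (16384, 32767)),
        Rule("permit", "udp", "10.10.1.0/28", (2427, 2427)), DENY_ALL]
BAD = [Rule("permit", "tcp", "10.20.4.0/24", (5061, 5061)),  # signaling to endpoints
       Rule("permit", "ip", "any", (0, 65535))]              # open-ended last rule
```

`audit(GOOD)` returns no findings, while `audit(BAD)` reports the missing terminal deny, the signaling permit aimed at the endpoint VLAN instead of the control VLAN, and the permit-any rule.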
False
M
3407