STIGQter: STIG Summary: Voice/Video over Internet Protocol (VVoIP) STIG Version: 3 Release: 14 Benchmark Date: 26 Apr 2019:

A deny-by-default ACL for session border VLAN interfaces must be implemented on VVoIP core routing devices as defined in the VVoIP system ACL design.

DISA Rule

SV-21781r3_rule

Vulnerability Number

V-19640

Group Title

VVoIP 5625

Rule Version

VVoIP 5625

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Implement and document a deny-by-default ACL for session border VLAN interfaces on VVoIP core routing devices as defined in the VVoIP system ACL design as follows:
- Permit Media protocols/traffic (RTP/RTCP, SRTP/SRTCP) to/from the endpoint VLAN interfaces (VLAN/subnets).
- Permit (only as required for proper functionality) the specific system required signaling protocols used by the session manager ((e.g., H.323, SIP, AS-SIP) to/from the VVoIP core control equipment VLAN interfaces (VLAN/subnets).
- Deny all other traffic. End the ACL with a “deny all” statement.

Check Contents

Review site documentation, especially the VVoIP system ACL design, to confirm a deny-by-default ACL for session border VLAN interfaces is implemented on VVoIP core routing devices. Ensure a deny-by-default ACL is implemented on the VVoIP session border controller VLAN or firewall VLAN interfaces on the VVoIP routing devices supporting the VVoIP system core equipment to control traffic as follows:
- Permit Media protocols/traffic (RTP/RTCP, SRTP/SRTCP) to/from the endpoint VLAN interfaces (VLAN/subnets).
- Permit (only as required for proper functionality) the specific system required signaling protocols used by the session manager ((e.g., H.323, SIP, AS-SIP) to/from the VVoIP core control equipment VLAN interfaces (VLAN/subnets).
- Deny all other traffic. End the ACL with a “deny all” statement.

If a deny-by-default ACL for session border VLAN interfaces is not implemented on VVoIP core routing devices as defined in the VVoIP system ACL design, this is a finding.

Vulnerability Number

V-19640

Documentable

False

Rule Version

VVoIP 5625

Severity Override Guidance

Review site documentation, especially the VVoIP system ACL design, to confirm a deny-by-default ACL for session border VLAN interfaces is implemented on VVoIP core routing devices. Ensure a deny-by-default ACL is implemented on the VVoIP session border controller VLAN or firewall VLAN interfaces on the VVoIP routing devices supporting the VVoIP system core equipment to control traffic as follows:
- Permit Media protocols/traffic (RTP/RTCP, SRTP/SRTCP) to/from the endpoint VLAN interfaces (VLAN/subnets).
- Permit (only as required for proper functionality) the specific system required signaling protocols used by the session manager ((e.g., H.323, SIP, AS-SIP) to/from the VVoIP core control equipment VLAN interfaces (VLAN/subnets).
- Deny all other traffic. End the ACL with a “deny all” statement.

If a deny-by-default ACL for session border VLAN interfaces is not implemented on VVoIP core routing devices as defined in the VVoIP system ACL design, this is a finding.

Check Content Reference

M

Target Key

3407

Comments