STIGQter: STIG Summary: Voice/Video over Internet Protocol (VVoIP) STIG Version: 3 Release: 14 Benchmark Date: 26 Apr 2019:

A deny-by-default ACL for unified communications server VLAN interfaces must be implemented on core routing devices as defined in the VVoIP system ACL design.

DISA Rule

SV-21784r3_rule

Vulnerability Number

V-19643

Group Title

VVoIP 5640

Rule Version

VVoIP 5640

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Implement and document a deny-by-default ACL for unified communications server VLAN interfaces on the core routing devices, as defined in the VVoIP system ACL design, as follows:
- Permit media traffic (RTP/RTCP, SRTP/SRTCP) to/from the endpoint VLAN interfaces (VLAN/subnets).
- Permit, only as required for proper functionality, the specific signaling protocols used by the Unified Communications Servers (e.g., H.323, SIP, AS-SIP, proprietary, other) to/from the VVoIP core control equipment VLAN interfaces (VLAN/subnets).
- Deny all other traffic. End the ACL with a “deny all” statement.

Check Contents

Review site documentation, especially the VVoIP system ACL design, to confirm that a deny-by-default ACL for unified communications server VLAN interfaces is implemented on the core routing devices. Ensure the ACL is applied to the Unified Communications Server VLAN interfaces on the VVoIP routing devices supporting the VVoIP system core equipment and controls traffic as follows:
- Permit media traffic (RTP/RTCP, SRTP/SRTCP) to/from the endpoint VLAN interfaces (VLAN/subnets).
- Permit, only as required for proper functionality, the specific signaling protocols used by the Unified Communications Servers (e.g., H.323, SIP, AS-SIP, proprietary, other) to/from the VVoIP core control equipment VLAN interfaces (VLAN/subnets).
- Deny all other traffic. End the ACL with a “deny all” statement.

If a deny-by-default ACL for unified communications server VLAN interfaces is not implemented on core routing devices as defined in the VVoIP system ACL design, this is a finding.
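A practitioner-side check for the Fix Recommendation and the Check Contents above, added here as an example; it is not part of the STIG or of STIGQter. It parses a Cisco IOS extended ACL (the platform syntax is an assumption; the STIG does not prescribe one), verifies that every permit fits either the media or the signaling category of an ACL design, and verifies that the ACL ends with an explicit deny. The ACL text, the subnets (10.10.10.0/24 endpoints, 10.10.20.0/24 UC servers, 10.10.30.0/24 core control), the port ranges and the DESIGN table are constructed values, not from the STIG or from any site.

```python
# Checks a Cisco IOS extended ACL against the VVoIP 5640 deny-by-default design.
# All ACL text, addresses, VLANs and ports below are constructed for illustration;
# the real values come from the site's VVoIP system ACL design document.
import ipaddress

# Constructed sample: the Fix Recommendation as an ACL on the unified
# communications server VLAN interface of a core router (assumed addresses).
SAMPLE_ACL = """\
ip access-list extended UC-SERVER-VLAN-IN
 remark Media (RTP/RTCP, SRTP/SRTCP) to/from the endpoint VLAN
 permit udp 10.10.20.0 0.0.0.255 range 16384 32767 10.10.10.0 0.0.0.255 range 16384 32767
 remark Signaling (SIP over TLS) to/from the VVoIP core control VLAN only
 permit tcp 10.10.20.0 0.0.0.255 10.10.30.0 0.0.0.255 eq 5061
 remark Deny all other traffic
 deny ip any any log
"""
# Constructed non-compliant ACL: an "any" permit and no closing deny statement.
BAD_ACL = """\
ip access-list extended UC-SERVER-VLAN-IN
 permit tcp 10.10.20.0 0.0.0.255 10.10.30.0 0.0.0.255 eq 5061
 permit ip 10.10.20.0 0.0.0.255 any
"""
# Constructed ACL design parameters (assumptions, not values from the STIG).
DESIGN = {
    "endpoint_vlans": [ipaddress.ip_network("10.10.10.0/24")],
    "core_control_vlans": [ipaddress.ip_network("10.10.30.0/24")],
    "media_ports": (16384, 32767),          # RTP/RTCP and SRTP/SRTCP port range
    "signaling_ports": {5060, 5061, 1720},  # SIP, SIP/TLS, H.323 call signaling
}

def parse_addr(toks, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' at toks[i]; return (net, next)."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(toks[i + 1]))
    if (wildcard + 1) & wildcard:  # non-contiguous wildcard is not a subnet
        raise ValueError(f"non-contiguous wildcard in: {' '.join(toks)}")
    prefix = 32 - bin(wildcard).count("1")
    return ipaddress.ip_network((toks[i], prefix), strict=False), i + 2

def parse_ports(toks, i):
    """Parse an optional 'eq N' or 'range A B' (numeric ports); (0, 65535) = unrestricted."""
    if i < len(toks) and toks[i] == "eq":
        return (int(toks[i + 1]), int(toks[i + 1])), i + 2
    if i < len(toks) and toks[i] == "range":
        return (int(toks[i + 1]), int(toks[i + 2])), i + 3
    return (0, 65535), i

def parse_acl(text):
    """Return permit/deny entries from 'ip access-list' config or 'show' output."""
    entries = []
    for raw in text.splitlines():
        toks = raw.split()
        if toks and toks[0].isdigit():      # sequence number in 'show ip access-lists'
            toks = toks[1:]
        if not toks or toks[0] not in ("permit", "deny"):
            continue                        # header and remark lines carry no rule
        src, i = parse_addr(toks, 2)
        _sport, i = parse_ports(toks, i)
        dst, i = parse_addr(toks, i)
        dport, _ = parse_ports(toks, i)
        entries.append({"raw": raw.strip(), "action": toks[0], "proto": toks[1],
                        "src": src, "dst": dst, "dport": dport})
    return entries

def touches(entry, vlans):
    """True when the source or destination lies inside one of the design VLANs."""
    return any(n.subnet_of(v) for n in (entry["src"], entry["dst"]) for v in vlans)

def classify_permit(entry, design):
    """Return 'media', 'signaling', or None when the permit is outside the design."""
    if entry["src"].prefixlen == 0 or entry["dst"].prefixlen == 0:
        return None                         # 'any' on either side is never in design
    lo, hi = entry["dport"]
    mlo, mhi = design["media_ports"]
    if entry["proto"] == "udp" and mlo <= lo and hi <= mhi and touches(entry, design["endpoint_vlans"]):
        return "media"
    if (entry["proto"] in ("tcp", "udp")
            and all(p in design["signaling_ports"] for p in range(lo, hi + 1))
            and touches(entry, design["core_control_vlans"])):
        return "signaling"
    return None

def check_acl(text, design):
    """Return findings for the ACL text; an empty list means it matches the design."""
    entries = parse_acl(text)
    last = entries[-1] if entries else None
    findings = []
    if not (last and last["action"] == "deny" and last["proto"] == "ip"
            and last["src"].prefixlen == 0 and last["dst"].prefixlen == 0):
        findings.append("ACL does not end with an explicit 'deny ip any any'")
    for e in entries:
        if e["action"] == "permit" and classify_permit(e, design) is None:
            findings.append(f"permit outside the ACL design: {e['raw']}")
    return findings

if __name__ == "__main__":
    for name, acl in (("compliant", SAMPLE_ACL), ("non-compliant", BAD_ACL)):
        print(name, check_acl(acl, DESIGN) or "no findings")
```

Run it against the ACL text taken from the router configuration, or against "show ip access-lists" output (the parser skips the sequence numbers). A permit with "any" on either side, a UDP permit without a port range, or a signaling permit not confined to the core control VLAN is reported as outside the design, and the position of the closing "deny ip any any" is checked separately, which is what the reviewer needs to confirm that the design is implemented rather than only documented. Cisco IOS applies an implicit deny at the end of every ACL, but the STIG asks for an explicit statement; writing it with "log" also makes the rejected traffic visible.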

Vulnerability Number

V-19643

Documentable

False

Rule Version

VVoIP 5640

Severity Override Guidance

Review site documentation, especially the VVoIP system ACL design, to confirm that a deny-by-default ACL for unified communications server VLAN interfaces is implemented on the core routing devices. Ensure the ACL is applied to the Unified Communications Server VLAN interfaces on the VVoIP routing devices supporting the VVoIP system core equipment and controls traffic as follows:
- Permit media traffic (RTP/RTCP, SRTP/SRTCP) to/from the endpoint VLAN interfaces (VLAN/subnets).
- Permit, only as required for proper functionality, the specific signaling protocols used by the Unified Communications Servers (e.g., H.323, SIP, AS-SIP, proprietary, other) to/from the VVoIP core control equipment VLAN interfaces (VLAN/subnets).
- Deny all other traffic. End the ACL with a “deny all” statement.

If a deny-by-default ACL for unified communications server VLAN interfaces is not implemented on core routing devices as defined in the VVoIP system ACL design, this is a finding.

Check Content Reference

M

Target Key

3407

Comments