STIGQter: STIG Summary: Voice/Video over Internet Protocol (VVoIP) STIG, Version: 3, Release: 14, Benchmark Date: 26 Apr 2019

The Customer Edge Router (CE-R) must filter inbound AS-SIP-TLS traffic addressed to the local Session Border Controller (SBC) based on the source address of the signaling messages.

DISA Rule

SV-21805r4_rule

Vulnerability Number

V-19664

Group Title

VVoIP 6215

Rule Version

VVoIP 6215

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Implement the CE-R to filter inbound SIP and AS-SIP traffic addressed to the local SBC based on the source address of the signaling messages.

NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

Check Contents

Review site documentation to confirm the CE-R filters inbound SIP and AS-SIP traffic addressed to the local SBC based on the source address of the signaling messages. This supports the VVoIP system connecting to the DISN WAN for VVoIP transport between enclaves and the system providing Assured Services to any Command and Control (C2) user (Special-C2, C2, or C2-R). Permit inbound signaling messages sourced as follows:
- When the enclave contains one or more Local Session Controllers (LSCs), filter on the IP addresses of the SBCs fronting the primary and secondary MFSSs associated with the enclave.
- When the enclave contains an MFSS, filter based on the IP addresses of the SBCs fronting the LSCs associated with the SS.

If the CE-R does not filter inbound SIP and AS-SIP traffic addressed to the local SBC based on the source address of the signaling messages, this is a finding.

NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.
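
One way to support the documentation review above is to audit an exported CE-R rule set for permit entries that let unapproved sources reach the SBC's signaling port. This is an added example, not part of the STIG. The rule format, the `audit_acl` helper, the use of TCP 5061 as the signaling port and every address are assumptions constructed for illustration.

```python
import ipaddress

# Assumption (not stated in the STIG text): signaling arrives on TCP 5061,
# the IANA-registered SIP-over-TLS port. All addresses below are constructed.
SIGNALING_PORTS = {5061}

def audit_acl(rules, sbc_ip, approved_sources):
    """Return (index, src) for each permit rule that lets an unapproved
    source reach the SBC on a signaling port.

    Conservative: rule order is ignored, so a permit shadowed by an earlier
    deny is still reported for manual review.
    """
    sbc = ipaddress.ip_address(sbc_ip)
    approved = [ipaddress.ip_network(s) for s in approved_sources]
    findings = []
    for index, rule in enumerate(rules):
        if rule["action"] != "permit":
            continue
        if sbc not in ipaddress.ip_network(rule["dst"]):
            continue  # rule does not cover the local SBC
        port = rule["port"]  # None means "any port"
        if port is not None and port not in SIGNALING_PORTS:
            continue
        src = ipaddress.ip_network(rule["src"])
        if not any(src.version == a.version and src.subnet_of(a) for a in approved):
            findings.append((index, rule["src"]))
    return findings

# Constructed sample: an enclave with LSCs, so the approved sources are the
# SBCs fronting the primary and secondary MFSS.
SBC_IP = "192.0.2.10"
APPROVED = ["198.51.100.5/32", "198.51.100.6/32"]
RULES = [
    {"action": "permit", "src": "198.51.100.5/32", "dst": "192.0.2.10/32", "port": 5061},
    {"action": "permit", "src": "198.51.100.6/32", "dst": "192.0.2.10/32", "port": 5061},
    {"action": "permit", "src": "0.0.0.0/0", "dst": "192.0.2.10/32", "port": 5061},
    {"action": "permit", "src": "203.0.113.0/24", "dst": "192.0.2.0/24", "port": None},
    {"action": "permit", "src": "0.0.0.0/0", "dst": "192.0.2.20/32", "port": 443},
    {"action": "deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": None},
]

if __name__ == "__main__":
    for index, src in audit_acl(RULES, SBC_IP, APPROVED):
        print(f"finding: rule {index} permits signaling to the SBC from {src}")
```

Rules 2 and 3 in the sample are reported: one permits any source, the other is a broad permit whose destination range and port wildcard both cover the SBC's signaling port.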

Documentable

False

Severity Override Guidance

Review site documentation to confirm the CE-R filters inbound SIP and AS-SIP traffic addressed to the local SBC based on the source address of the signaling messages. This supports the VVoIP system connecting to the DISN WAN for VVoIP transport between enclaves and the system providing Assured Services to any Command and Control (C2) user (Special-C2, C2, or C2-R). Permit inbound signaling messages sourced as follows:
- When the enclave contains one or more Local Session Controllers (LSCs), filter on the IP addresses of the SBCs fronting the primary and secondary MFSSs associated with the enclave.
- When the enclave contains an MFSS, filter based on the IP addresses of the SBCs fronting the LSCs associated with the SS.

If the CE-R does not filter inbound SIP and AS-SIP traffic addressed to the local SBC based on the source address of the signaling messages, this is a finding.

NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

Check Content Reference

M

Target Key

3407

Comments