SV-55756r1_rule
V-43027
RTS-VTC 6000 [IP]
RTS-VTC 6000
CAT I
10
Obtain and implement a VTC/VVoIP-aware firewall or H.460-based firewall traversal solution at the enclave boundary. If this is not possible, configure the existing firewall to allow VTC traffic only to the internal IP address(es) of the internal CODEC(s) and the external address(es) of a central MCU or a limited set of remote endpoints. If possible, reconfigure the firewall to close VTC ports between sessions.
Review system documentation and verify that a VTC/VVoIP-aware firewall or H.460-based firewall traversal solution has been implemented at the enclave boundary. If this does not exist, verify the following:
• The enclave firewall allows VTC traffic only to the internal IP address(es) of the internal CODEC(s) and the external address(es) of a central MCU or a limited set of remote endpoints.
• The inbound permit statements are restricted to a limited range of UDP ports and external IP addresses while routing/outbound permit statements force all outbound VTC traffic to these external addresses.
• These UDP ports are not statically opened, but are manually opened and closed by the firewall administrator for the duration of VTC sessions.
If there is not a VTC/VVoIP-aware firewall or H.460-based firewall traversal solution implemented at the enclave boundary and no other measures have been taken, this is a CAT I finding.
If there is not a VTC/VVoIP-aware firewall or H.460-based firewall traversal solution implemented at the enclave boundary, and the firewall is configured to allow VTC traffic only to the internal IP address(es) of the internal CODEC(s) and the external address(es) of a central MCU or a limited set of remote endpoints and the inbound permit statements are restricted to a limited range of UDP ports, this is a CAT III finding. If the firewall allows the VTC traffic only during VTC sessions, then this is no longer a finding.
V-43027
False
RTS-VTC 6000
M
Information Assurance Officer
1418