SV-8736r4_rule
V-8250
VVoIP 1400
VVoIP 1400
CAT I
10
Implement all DoD-to-DoD VVOIP signaling and media traffic traversing a public or publicly accessible WAN network (i.e., Internet, NIPRnet) to use FIPS-validated encryption for unclassified traffic or NSA-approved encryption for classified traffic, either natively at the application or protocol level, or by using network or data-link layer encryption (i.e., encrypted VPN or bulk link encryption).
The encryption of VVOIP signaling and media traffic may be applied either natively on an end-to-end basis or by tunneling the traffic using site-to-site or client-to-site (remote access) VPN technologies or bulk link encryption.
Review site documentation to confirm all DoD-to-DoD VVOIP signaling and media traffic traversing a public or publicly accessible WAN (i.e., Internet, NIPRnet) is encrypted using FIPS-validated encryption for unclassified traffic or NSA-approved encryption for classified traffic, either natively at the application or protocol level or by using network or data-link layer encryption (i.e., encrypted VPN or bulk link encryption). If it is not, this is a finding.
NOTE: This requirement is applicable to the following:
- Calls established between DoD endpoints within an extended enclave (single MILDEP organization using directly interoperable VoIP systems).
- Calls established between DoD endpoints located in different enclaves operated by a single MILDEP organization using directly interoperable VoIP systems.
- Calls established between DoD endpoints located in different enclaves operated by different MILDEP organizations, whether the VoIP systems and endpoints are directly interoperable or the systems are subscribers to the DISN IPVS using IPVS standard protocols.
- Calls established between remote DoD endpoints located outside their home enclave and connecting across the Internet and/or NIPRnet. In this case, a remote access VPN is used.
NOTE: At this time, this requirement is not applicable for calls established from DoD to commercial VoIP telephones via commercial ITSP services implemented as a replacement for TDM-based PSTN access. This is because there is no encryption standard for end-to-end VoIP sessions to which all ITSPs and phone vendors have subscribed. Once a universal standard is adopted and implemented, or translation gateways are developed, this requirement could then be applied. Before encryption standards are adopted, the world must adopt interoperable signaling and media standards. At this time, Session Border Controllers can provide some translation services. Additional considerations are discussed in the section on ITSP services.
V-8250
False
VVoIP 1400
M
Information Assurance Officer
594