Check: SRG-VOIP-000330

Enterprise Voice, Video, and Messaging Policy SRG: SRG-VOIP-000330
(in versions v1 r3 through v1 r1)
  Title
The site's enclave boundary protection must route commercial VoIP traffic via a local Media Gateway (MG) connected to a commercial service provider using PRI, CAS, or POTS analog trunks. (Cat II impact)
Discussion
There are several reasons VVoIP system access to local voice services must use a locally implemented MG connected to commercial voice services, including:

- The implementation or receipt of commercial VoIP service provides a path to the Internet. These "back doors" into the local network place the DISN at risk from exploitation. Such connections must be specifically approved under CJCSI 6211.02C and DODI 4640.14. Such connections must also meet the requirements in the Network Infrastructure STIG for an "Approved Gateway". This generally means that a full boundary architecture must be implemented.
- A PRI or CAS trunk is required because the DSN is not permitted to exchange SS7 signaling with the PSTN. Doing so would place the DOD's SS7 network at risk.
- Local access is necessary to support Fire and Emergency Services (FES) calls.
Check Content
If the site is small and has POTS lines terminated on individual phones, a dedicated key system, or a PBX, all of which are separate from the DOD VVoIP system, this is not applicable.

If the site is subtended to an enclave with approved IP voice services providing commercial service, this is not applicable.

Verify all VVoIP system access to/from commercial dialup services (voice, video, fax, data) is via a local MG using a PRI, CAS, or POTS analog trunk to a commercial service provider.

If the site is not connected to the PSTN via an MG located within the local site enclave as described above, this is a finding.

NOTE: Trunks that support SS7 signaling and SS7-based signaling between a DOD network and a non-DOD network are prohibited.
Fix Text
Ensure all VVoIP system access to/from commercial dialup services (voice, video, fax, data) is via a locally implemented MG using a PRI, CAS, or POTS analog trunk to a commercial service provider.

NOTE: Trunks that support SS7 signaling and SS7-based signaling between a DOD network and a non-DOD network are prohibited.
Additional Identifiers
Rule ID: SV-259913r948759_rule
Vulnerability ID: V-259913
Group Title: SRG-VOIP-000330
Expert Comments

CCIs

| Number | Definition |
|---|---|
| CCI-001606 | Identify potential accessibility problems to outline explicit mitigation actions. |

Controls

| Number | Title |
|---|---|
| CP-7(2) | Accessibility |