Title

The Session Border Controller (SBC) must be configured to terminate and decrypt inbound and outbound SIP and AS-SIP sessions to ensure proper management for the transition of the SRTP/SRTCP streams. (Cat II impact)

Discussion

The function of the SBC is to manage SIP and AS-SIP signaling messages. To perform its proper function in the enclave boundary, the SBC must decrypt and decode or understand the contents of SIP and AS-SIP messages. Additionally, the SBC can perform message validity checks and determine of an attack is being attempted. The SBC acts as an application-level proxy and firewall for the SIP and AS-SIP signaling messages.

Check Content

Verify the DISN NIPRNet IPVS SBC is configured to terminate inbound and outbound SIP and AS-SIP sessions (messages) and decrypt the packets to determine the information needed to properly manage the transition of SRTP/SRTCP streams across the boundary. Verify the SBC establishes a new SIP or AS-SIP session for the "next hop" to the internal Local Session Controller (LSC) or the far end SBC that fronts the destination Multifunction Soft Switch (MFSS). Inspect the configuration of the EBC to determine compliance with the requirement. If SIP or AS-SIP messages are passed through the SBC without termination and decryption, this is a finding. If the SBC is not configured to, or is not capable of, terminating and decrypting the SIP or AS-SIP messages, this is a finding. If the SBC is not configured to, or is not capable of, understanding the contents of the decrypted SIP or AS-SIP messages, this is a finding. If the SBC is not configured to establish a new SIP or AS-SIP session with the far end SBC that fronts the destination LSC or MFSS, this is a finding. If the SBC is not configured to establish a new SIP or AS-SIP session with the LSC inside the enclave, this is a finding. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.

Fix Text

Ensure the DISN NIPRNet IPVS SBC is configured to terminate inbound and outbound SIP and AS-SIP sessions (messages). The SBC must be configured to decrypt the packets to determine the information needed to properly manage the transition of SRTP/SRTCP streams across the boundary. Also ensure the SBC establishes a new SIP or AS-SIP session for the "next hop" to the internal LSC or the far end SBC that fronts the destination LSC or MFSS. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.

Additional Identifiers

Rule ID: SV-259928r948774_rule

Vulnerability ID: V-259928

Group Title: SRG-VOIP-000480

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.