An error occurred:

Enterprise Voice, Video, and Messaging Policy SRG Version Comparison

Enterprise Voice, Video, and Messaging Policy Security Requirements Guide

Comparison

There are 1 differences between versions v1 r1 (March 15, 2024) (the "left" version) and v1 r2 (Jan. 31, 2025) (the "right" version).

Check SRG-VOIP-000490 was changed between these two versions. Green, underlined text was added, red, struck-out text was removed.

The regular view of the left check and right check may be easier to read.

Text Differences

Title

The Session Border Controller (SBC) must be configured to only process packets authenticated from an authorized source within the DISN IPVS network.

Check Content

Verify the DISN NIPRNet IPVS SBC is configured to only process packets authenticated from an authorized source as follows: - Authenticate outbound SIP and AS-SIP messages as being from the primary or backup Local Session Controller (LSC) (or the site's Multifunction Soft Switch [MFSS] and its backup LSC within the enclave. - Authenticate inbound SIP and AS-SIP messages as being from the SBC at the enclave's assigned primary and secondary (backup) MFSS sites. Inspect sites. - Authenticate SIP and AS-SIP messages as compliant with FCC STIR/SHAKEN regulations. Inspect the configurations of the EBC to determine compliance with the requirement. If the SBC does not use DOD DOD-approved PKI to authenticate the source of SIP and AS-SIP packets, this is a finding. If the SBC is not configured to validate sending the appliance's public PKI certificate against the DOD DOD-approved PKI registry and CRLs, this is a finding. If the SBC is not configured compliant with FCC STIR/SHAKEN regulations, this is a finding. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.

Discussion

The function of the SBC is to manage SIP and AS-SIP signaling messages. The SBC also authenticates SIP and AS-SIP signaling messages, ensuring they are from an authorized source. DOD policy dictates that authentication be performed using DOD PKI certificates. This also applies to network hosts and elements. SIP and AS-SIP are not secure protocols. The information passed during a call session is in human-readable plain text. To secure SIP and AS-SIP, TLS is used. TLS is PKI certificate-based and is used for AS-SIP message encryption, authentication, and integrity validation. NOTE: Authentication is provided by validating the sending appliance's public PKI certificate used to establish the TLS session. AS-SIP messages are not sent until the authenticated TLS session is established.

Fix

Ensure the DISN NIPRNet IPVS SBC is configured to only process packets authenticated from an authorized source as follows: - Authenticate outbound SIP and AS-SIP messages as being from the primary or backup LSC (or the site's MFSS and is its backup LSC) within the enclave. - Authenticate inbound SIP and AS-SIP messages as being from the SBC at the enclave's assigned primary and secondary (backup) MFSS sites. NOTE: sites. - Authenticate SIP and AS-SIP messages as compliant with FCC STIR/SHAKEN regulations. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.