Check: VVoIP 6125 (DISN-IPVS)
Voice Video Services Policy STIG:
VVoIP 6125 (DISN-IPVS)
(in versions v3 r18 through v3 r15)
Title
The network IDS is not configured or implemented such that it can monitor the traffic to/from the required VVoIP firewall/EBC (function) as well as the traffic to/from the data firewall (function). (Cat II impact)
Discussion
The purpose of the Internal Network IDS is to provide a backup for the enclave firewall(s) in the event they are compromised or mis-configured such that traffic which is normally blocked ends up being passed as well as to detect other malicious activity entering (or leaving) the enclave. As such the NIDS must be implemented in such a manner that it monitors all traffic flowing through the data and VVoIP firewalls. Minimally, it will detect improper data protocol traffic coming through the VVoIP firewall. While the NIDS will not be able to inspect the VVoIP signaling and bearer packet payload due to its encryption, it could detect anomalous behavior in the flow of these packets. Additionally, per the NI STIG, the NIDS is required to be a separate device from the firewall for reliability reasons. If the common firewall/IDS platform is compromised, both the firewall and IDS is vulnerable.
Check Content
Interview the IAO to confirm compliance with the following requirement: In the event the VVoIP system within the enclave is interconnected with other VVoIP systems across the WAN, ensure the required internal Network IDS (NIDS) is implemented such that it monitors the traffic to/from both the data firewall (function) and the required VVoIP firewall/EBC (function). NOTE: This is applicable whether the VVoIP system is integrated with the DISN IPVS or not. This is a finding in the event the NIDS is not implemented such that it sees traffic from the VVoIP firewall (EBC or other) as well as the data firewall. NOTE: The NIDS monitoring the VVoIP firewall may be the same device that monitors the data firewall or it may be a separate device. In the event it is a separate device, it is subject to all Network Infrastructure STIG requirements to include CNDSP monitoring if applicable. NOTE: The Network Infrastructure STIG recognizes that many of today’s NIDS are also intrusion prevention devices. The NI STIG refers to the required NIDS as an Intrusion detection/Prevention System (IDPS).
Fix Text
In the event the VVoIP system within the enclave is interconnected with other VVoIP systems across the WAN, ensure the required internal Network IDS (NIDS) is implemented such that it monitors the traffic to/from both the data firewall (function) and the required VVoIP firewall/EBC (function). NOTE: This is applicable whether the VVoIP system is integrated with the DISN IPVS or not.
Additional Identifiers
Rule ID: SV-21739r1_rule
Vulnerability ID: V-19598
Group Title: Deficient design: NIDS protection for VVoIP
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |