Check: VVoIP 1410 (GENERAL)
Voice Video Services Policy STIG: VVoIP 1410 (GENERAL)
(in versions v3 r18 through v3 r15)
Title
VVoIP endpoint configuration files transferred via Cisco TFTP must be encrypted and signed using DoD PKI certificates. (Cat II impact)
Discussion
When VVoIP configuration files traverse a network in an unencrypted state, system information may be captured by an adversary and, in the aggregate, may reveal sensitive data. When VVoIP traffic is passed in the clear it is open to sniffing attacks. This vulnerability exists whether the traffic is on a LAN or a WAN. End-to-end encryption of the configuration files mitigates this vulnerability. However, TFTP does not natively encrypt data. The Cisco TFTP implementation for VoIP systems uses encryption to both store and transfer configuration files. Refer to the “CISCO-UCM-TFTP” Vulnerability Analysis report provided by the Protocols, Ports, and Services management site for more details. DoD-to-DoD voice communications are generally considered to contain sensitive information. Local DoD enclaves connect to a DISN SDN via an access circuit. Unless the site hosts an SDN, or is close enough to one to be served by DoD-owned facilities, some portion of the access circuit will use leased commercial facilities. Additionally, the DISN core network itself may traverse commercial services and facilities. Therefore, DoD voice and data traffic crossing the unclassified DISN must be encrypted.
Check Content
Interview the IAO to confirm compliance with the following requirement: verify that VVoIP endpoint configuration files transferred via Cisco TFTP are encrypted and signed using DoD PKI certificates.
NOTE: This requirement is not applicable to systems that do not use Cisco TFTP.
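The interview above establishes intent; an auditor can also confirm the result on the wire. The script below is an added example, not part of this STIG and not Cisco's or DISA's code. It decodes TFTP read requests and first data blocks (RFC 1350 framing) from a list of captured UDP payloads and flags any endpoint configuration file whose content arrives as readable text rather than as an opaque encrypted/signed blob. The packet bytes, IP addresses, the `SEP<MAC>.cnf.xml` naming pattern and the plaintext/entropy thresholds are all assumptions constructed for the example; adapt the suffix list and thresholds to the deployment being checked.

```python
"""Detect VVoIP configuration files transferred over TFTP in cleartext.

Added example for audit/detection use. All sample packets are constructed
inline so the script runs offline; nothing here is vendor code.
"""
import math
import struct
from collections import Counter

TFTP_RRQ, TFTP_DATA = 1, 3
# Assumed config-file suffixes for phone configuration files; adjust per site.
CONFIG_SUFFIXES = (".cnf.xml", ".xml", ".cfg")
CLEARTEXT = "CLEARTEXT"
OPAQUE = "opaque (encrypted/signed or binary)"


def parse_tftp(payload: bytes):
    """Decode an RRQ or DATA packet per RFC 1350; return None for other opcodes."""
    if len(payload) < 4:
        return None
    opcode = struct.unpack("!H", payload[:2])[0]
    if opcode == TFTP_RRQ:
        fields = payload[2:].split(b"\x00")
        if len(fields) < 2:
            return None
        return {"op": "RRQ",
                "filename": fields[0].decode("ascii", "replace"),
                "mode": fields[1].decode("ascii", "replace").lower()}
    if opcode == TFTP_DATA:
        block = struct.unpack("!H", payload[2:4])[0]
        return {"op": "DATA", "block": block, "data": payload[4:]}
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted content sits near 8, XML text well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_cleartext_config(data: bytes) -> bool:
    """Heuristic: XML prologue or mostly printable, low-entropy bytes => not encrypted."""
    if data.lstrip().startswith((b"<?xml", b"<")):
        return True
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return bool(data) and printable / len(data) > 0.95 and shannon_entropy(data) < 5.5


def audit_transfers(packets):
    """packets: iterable of (src_ip, dst_ip, udp_payload).

    Pairs each RRQ for a config file with the server's first DATA block and
    returns a list of (filename, verdict).
    """
    findings = []
    pending = {}  # (client, server) -> requested filename
    for src, dst, payload in packets:
        pkt = parse_tftp(payload)
        if pkt is None:
            continue
        if pkt["op"] == "RRQ" and pkt["filename"].lower().endswith(CONFIG_SUFFIXES):
            pending[(src, dst)] = pkt["filename"]
        elif pkt["op"] == "DATA" and pkt["block"] == 1:
            key = (dst, src)  # the reply travels server -> client
            if key in pending:
                name = pending.pop(key)
                verdict = CLEARTEXT if looks_like_cleartext_config(pkt["data"]) else OPAQUE
                findings.append((name, verdict))
    return findings


# --- constructed sample capture -------------------------------------------
def rrq(filename: bytes, mode: bytes = b"octet") -> bytes:
    return struct.pack("!H", TFTP_RRQ) + filename + b"\x00" + mode + b"\x00"


def data(block: int, payload: bytes) -> bytes:
    return struct.pack("!HH", TFTP_DATA, block) + payload


# Deterministic byte-spread stand-in for an encrypted/signed config (constructed).
_OPAQUE_BLOB = bytes((i * 97 + 13) % 256 for i in range(200))

SAMPLE_PACKETS = [
    ("10.0.0.20", "10.0.0.5", rrq(b"SEPAAAABBBBCCCC.cnf.xml")),
    ("10.0.0.5", "10.0.0.20", data(1, b'<?xml version="1.0"?><device><sshUserId>admin</sshUserId></device>')),
    ("10.0.0.21", "10.0.0.5", rrq(b"SEP111122223333.cnf.xml")),
    ("10.0.0.5", "10.0.0.21", data(1, _OPAQUE_BLOB)),
    ("10.0.0.22", "10.0.0.5", struct.pack("!H", 5) + b"\x00\x01err\x00"),  # ERROR, ignored
]

if __name__ == "__main__":
    for name, verdict in audit_transfers(SAMPLE_PACKETS):
        print(f"{name}: {verdict}")
```

A `CLEARTEXT` verdict for a phone's configuration file is direct evidence that the Cisco TFTP encryption required by this check is not in effect for that device; the heuristic deliberately errs toward flagging, so review each hit rather than treating the count as the finding.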
Fix Text
Configure the VVoIP endpoint configuration files transferred via Cisco TFTP to be encrypted and signed using DoD PKI certificates. Refer to the “CISCO-UCM-TFTP” Vulnerability Analysis report provided by the Protocols, Ports, and Services management site for more details.
Additional Identifiers
Rule ID: SV-60611r1_rule
Vulnerability ID: V-47735
Group Title: VVoIP 1410
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |