An error occurred:

Check: VVoIP 6325

Voice/Video over Internet Protocol (VVoIP) STIG: VVoIP 6325 (in versions v3 r15 through v3 r12)

Title

The Session Border Controller (SBC) must drop all SIP and AS-SIP packets except those secured with TLS. (Cat II impact)

Discussion

DISN NIPRNet IPVS PMO and the UCR require all session signaling across the DISN WAN and between the LSC and EBC to be secured with TLS. The standard IANA assigned IP port for SIP protected by TLS (SIP-TLS) is 5061. DoD PPSM requires that protocols traversing the DISN and DoD enclave boundaries use the standard IP ports for the specific protocol. Since AS-SIP is a standardized extension of the SIP protocol and since AS-SIP must be protected by TLS, AS-SIP-TLS must use IP port 5061. The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated using TLS on port 443 from Cloud Service Providers.

Check Content

Interview the ISSO to confirm compliance with the following requirement: Ensure the DISN NIPRNet IPVS SBC is configured to drop the following signaling packets: - SIP packets arriving on IP port 5060 or 5061 - SIP packets arriving on IP port 443 not secured with TLS - AS-SIP packets arriving on IP port 5060 - AS-SIP packets arriving on IP port 5061 not secured with TLS If all SIP and AS-SIP packets are not dropped except AS-SIP packets secured with TLS arriving on IP Port 5061 and SIP packets secured with TLS arriving on IP Port 443 secured with TLS, this is a finding. NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

Fix Text

Ensure the DISN NIPRNet IPVS SBC is configured to drop the following signaling packets: - SIP packets arriving on IP port 5060 or 5061 - SIP packets arriving on IP port 443 not secured with TLS - AS-SIP packets arriving on IP port 5060 - AS-SIP packets arriving on IP port 5061 not secured with TLS NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud Service Providers.

Additional Identifiers

Rule ID: SV-21811r3_rule

Vulnerability ID: V-19670

Group Title: VVoIP 6325

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
No CCIs are assigned to this check

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
No controls are assigned to this check