Unencrypted and unsigned VVoIP endpoint configuration files traversing the DISN must be protected within a VPN between enclaves.

From Voice Video Services Policy STIG

Part of VVoIP 1415

Associated with IA controls: ECSC-1

SV-60629r1_rule Unencrypted and unsigned VVoIP endpoint configuration files traversing the DISN must be protected within a VPN between enclaves.

Vulnerability discussion

When VVoIP configuration files traverse a network in an unencrypted state, system information may be used by an adversary, which in the aggregate, may reveal sensitive data. When VVoIP traffic is passed in the clear it is open to sniffing attacks. This vulnerability exists whether the traffic is on a LAN or a WAN. Unencrypted and unsigned configuration files must be wrapped within an encrypted VPN to mitigate this risk.DoD-to-DoD voice communications are generally considered to contain sensitive information. Local DoD enclaves connect to a DISN SDN via an access circuit. Unless the site is a host to a SDN, or close enough to it to be served by DoD owned facilities, some portion of the access circuit will utilize leased commercial facilities. Additionally, the DISN core network itself may traverse commercial services and facilities. Therefore, DoD voice and data traffic crossing the unclassified DISN must be encrypted.

Check content

Interview the IAO to confirm compliance with the following requirement: Verify VVoIP endpoint configuration files traversing the DISN must be protected within a VPN secured using FIPS 140-2 or NSA approved encryption between enclaves. The reviewer may downgrade to CAT 3 when vendor provided PKI or x.509 certs are used rather than DoD PKI certificates. NOTE: This requirement is not applicable to systems that use Cisco TFTP.

Fix text

Configure the VVoIP endpoint configuration files traversing the DISN to be protected within a VPN secured using FIPS 140-2 or NSA approved encryption between enclaves.

Pro Tips

Powered by sagemincer