Unnecessary PPS have not been disabled or removed from VVoIP system devices or servers.

From Voice Video Services Policy STIG

Part of Deficient Security: Unnecessary PPS disablement

SV-23733r1_rule Unnecessary PPS have not been disabled or removed from VVoIP system devices or servers.

Vulnerability discussion

The availability of applications and services that are not necessary for the OAM&P of the VVoIP system’s devices and servers, whether running or not, as well as the existence of their code, places the devices and servers at risk of being attacked and these avenues exploited. As such, they should be removed if possible or, at a minimum, disabled so they cannot run and be exploited. For VVoIP and UC servers and endpoints, remove the software for, or at a minimum disable, PPS that are not necessary for the operation or maintenance of the system. Limit production PPS to production interfaces and management PPS to the OAM&P interfaces.

Check content

Scan the VVoIP system VLANs with a network scanner to determine the PPS running on the system, what protocols system devices are listening for, and on what IP ports. This is a finding if ports are open or protocols are found that are not required by the system to effect system OAM&P in the specific implementation of the system. For example, if HTTP is evident, the system is not managed via HTTP, and HTTP is not required for other system functions, then this is an unnecessary PPS resulting in a finding under this requirement.
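One way to turn the scan into a repeatable check, shown as an added example that is not part of the STIG text: compare the open ports in a scanner report against a per-device baseline of required PPS and list everything else as a candidate finding. It assumes the scanner output is in nmap grepable (-oG) format; the sample report, the addresses and the REQUIRED_PPS baseline are constructed for illustration.

```python
import re

# Constructed sample in nmap grepable (-oG) format; addresses are placeholders.
SAMPLE_SCAN = (
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "5061/open/tcp//sip-tls///\tIgnored State: closed (997)\n"
    "Host: 192.0.2.20 ()\tPorts: 23/open/tcp//telnet///, 5060/open/udp//sip///, "
    "443/closed/tcp//https///\n"
)

# Assumed site baseline: the PPS each device needs for operation and OAM&P.
REQUIRED_PPS = {
    "192.0.2.10": {("tcp", 22), ("tcp", 5061)},
    "192.0.2.20": {("udp", 5060)},
}


def parse_grepable(text):
    """Yield (host, proto, port, service) for every open port in the report."""
    for line in text.splitlines():
        m = re.match(r"Host:\s+(\S+).*?Ports:\s+(.*)", line)
        if not m:
            continue  # status-only lines and comments carry no port data
        host = m.group(1)
        ports = m.group(2).split("\t")[0]  # drop trailing "Ignored State" field
        for entry in ports.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 5 or fields[1] != "open":
                continue
            yield host, fields[2], int(fields[0]), fields[4]


def find_unnecessary_pps(scan_text, required):
    """Return open ports that are absent from the device's required baseline.

    A device with no baseline entry has every open port reported, so an
    undocumented device cannot pass the check by omission.
    """
    findings = []
    for host, proto, port, service in parse_grepable(scan_text):
        if (proto, port) not in required.get(host, set()):
            findings.append((host, proto, port, service))
    return sorted(findings)


if __name__ == "__main__":
    for host, proto, port, service in find_unnecessary_pps(SAMPLE_SCAN, REQUIRED_PPS):
        print(f"FINDING {host} {port}/{proto} ({service}) not in required PPS")
```

Each reported entry still needs review against the system's documentation, since the baseline itself may be incomplete.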

Fix text

Disable all PPS on all VVoIP or UC system servers and devices that are not required to support OAM&P in the specific VVoIP system implementation. Additionally, if possible, remove the software for the unnecessary PPS.
