From Voice Video Services Policy STIG
Part of Deficient Design: MGCP / MEGACO/H.248 Protection
Media Gateway Control Protocol (MGCP) is a protocol that is used between Media Gateway Controllers (MGCs), Media Gateways (MGs), and other MGs to exchange sensitive gateway status and zone information as well as establish sessions via the MG. MGCP is a clear text human readable protocol. This information is critical in the setup and completion of voice calls from one VoIP zone to another VoIP zone or more typically from a VoIP zone to a TDM zone. If this information is poisoned or if collected and used by an unauthorized unscrupulous individual, the effects to the VoIP environment could be detrimental. Denial-of-service or fraudulent system use are only two of the potential compromises. As such, MGCP messages must be protected from eavesdropping, man in the middle, and replay attacks. To protect MGCP, Request for Comment (RFC) 2705 which defines MGCP outlines and recommends the use of IPSec for encryption and authentication between gateways. This recommendation primarily applies to the use of MGCP across unprotected WANs like the Internet. This extends to use on NIPRNet as well. A follow-on protocol defined jointly by the IETF in RFC 3435 and the ITU-T in Recommendation H.248.1 is MEGACO/H.248 which provides the same general functionality as MGCP. RFC 3435 also requires that H.248 packets be authenticated and/or encrypted using IPSec. Unfortunately there is not widespread support by MGCs and MGs for IPSec protection and therefore we must rely on external IPSec VPNs when traversing the WAN. When confined within the LAN, we can protect MGCP in a number of ways without IPSec.
Interview the IAO and review/inspect site network/facilities diagrams and documentation to confirm compliance with the following requirement: In the event MGCP or MEGACO/H.248 is used to control Media Gateways (MGs) or other devices (e.g., endpoints), ensure the following: > The LSC/MGC and MG are located in the same protected LSC VLAN and ACLs are established on all VLAN egress points to block the MGCP or MEGACO/H.248 from exiting the VLAN; OR > the LSC/MGC and MG are located in adjacent protected VLANs and ACLs are established to permit MGCP or MEGACO/H.248 between the LSC/MGC and MG but block the MGCP or MEGACO/H.248 from exiting these VLANs; AND > In the event MGCP or MEGACO/H.248 is used to control a MG or a distributed set of MGs across a WAN, ensure an encrypted VPN is used to protect the MGCP traffic. > Additionally, ensure the source of MGCP or MEGACO/H.248 packets is authenticated to originate from a valid source and/or minimally filter acceptance on source IP address.
In the event MGCP or MEGACO/H.248 is used to control Media Gateways (MGs) or other devices (e.g., endpoints), ensure the following: > the LSC/MGC and MG are located in the same protected LSC VLAN and ACLs are established on all VLAN egress points to block the MGCP or MEGACO/H.248 from exiting the VLAN; OR > the LSC/MGC and MG are located in adjacent protected VLANs and ACLs are established to permit MGCP or MEGACO/H.248 between the LSC/MGC and MG but block the MGCP or MEGACO/H.248 from exiting these VLANs; AND > In the event MGCP or MEGACO/H.248 is used to control a MG or a distributed set of MGs across a WAN, ensure an encrypted VPN is used to protect the MGCP traffic. > Additionally, ensure the source of MGCP or MEGACO/H.248 packets is authenticated to originate from a valid source and/or minimally filter acceptance on source IP address.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer