Without an applicable exception the site’s enclave boundary protection is not designed or implemented to route all voice traffic to/from a DSN number via a locally implemented Media Gateway (MG) connected to a DSN EO or MFSS using the appropriate type of trunk based on the site’s need to support C2 communications via the DSN.

From Voice Video Services Policy STIG

Part of Deficient design: DSN access for VVoIP systems

SV-8824r1_rule

Vulnerability discussion

There are several reasons why voice traffic to/from the DSN must use a locally implemented Media Gateway (MG) connected to a DSN EO or MFSS via the appropriate type of trunk, based on the site’s need to support C2 communications via the DSN, if exceptions do not apply. These reasons are as follows:

• VVoIP has the potential to significantly degrade the standard data enclave boundary protection afforded by the required data enclave firewall unless the firewall is designed to properly handle VVoIP traffic. Because of this degradation, VVoIP must not traverse a standard data firewall except under certain circumstances.

• VVoIP aware/capable firewalls are being developed and few are deployed.

• DoD must purchase and use VVoIP/UC devices and firewalls that meet UC requirements as defined in the UCR.

• Confidentiality and integrity: Legacy (early) VoIP systems could not encrypt VoIP signaling or media to protect its confidentiality and defend it from various attacks while traversing a publicly accessible WAN (e.g., NIPRNet or the Internet). This is changing due to the DoD’s efforts to develop interoperable VVoIP encryption standards with vendor assistance. The use of an MG eliminates the need for encryption on an IP WAN by placing the voice traffic on a traditional TDM network, where the communications are more secure in general even though they are not encrypted. Physical access to the wire or TDM switch is required to compromise TDM communication, whereas compromise could be effected from anywhere on an IP network.

• Availability and C2 support between sites via interoperability: VoIP systems from different vendors are typically not directly interoperable via IP. This is primarily due to the lack of fully defined standards, leaving vendors to develop their own extensions to the available protocols in support of unique feature sets. This is changing due to the DoD’s efforts to develop interoperable usage of the standards with vendor assistance. The use of an MG converts each vendor’s implementation to a common interoperable system, the TDM DSN.

Check content

Inspect the network documentation, device configuration documentation, and network diagrams to determine whether the DSN voice traffic is routed via an MG connected to a DSN EO or MFSS.

Fix text

Unless one of the following exceptions applies:

• The VVoIP system within a site enclave is approved for DISN NIPRNet IP Voice Services (VS) (IP enabled DSN VoIP on NIPRNet).

• The VVoIP system within a site enclave is subtended to a larger enclave and tethered (connected) to it via a direct cable, or a dedicated TDM or optical circuit (e.g., a T1, DS2, OCx). (This connection would be typical of a GSU located in relatively close proximity to its MOB. This would be similar to a MAN.)

• The enclave is part of an organizational Intranet whose enclaves (MOBs and GSUs and regional service/computing centers or server farms) are interconnected across the DISN using dedicated TDM or optical circuits or encrypted VPN tunnels, whether site-to-site or meshed.

Ensure all DSN access for intra-DoD dialup services (voice, video, fax, data) to/from a VVoIP system within a site enclave and a DSN number is via a local (on site) Media Gateway (MG) and one or more T619A trunks for C2 enclaves (MLPP support), or one or more PRI or CAS trunks for NON-C2 enclaves with an IP-PBX-2 (NO MLPP support), to a DSN EO or MFSS.

NOTE: This does not apply to approved remote VoIP instruments or Soft Phones that connect to the VVoIP system enclave via an encrypted VPN and are therefore part of the enclave’s LAN.

NOTE: TDM or optical circuits should be bulk encrypted if using a commercial provider to supply any portion of the complete circuit. This will most likely be the case for the “last mile” connection to a DISN SDN, since DoD owned facilities do not touch most sites.

NOTE: Organizational Intranets using encrypted site-to-site or meshed VPN tunnels across a DISN IP routed network must block local access to/from the DISN IP routed network (e.g., NIPRNet) at the VPN termination points unless a full boundary protection suite of equipment is implemented locally.
