From Voice/Video over Internet Protocol (VVoIP) STIG
Part of Deficient Impl’n: Inter interface traffic block
Based on a previously stated requirement, a VVoIP system must have one or more production VLANs containing the VVoIP endpoints and a separate OOB management network or virtual management network (management VLAN). Also previously stated is the requirement that the LAN NEs maintain the separation between management network(s) and the production network VLANs by blocking traffic from passing between them. Maintaining this separation is also incumbent upon the managed devices that are connected to both the management and production VLANs.
Obtain the IP addressing schemes of the production and all management networks and VLANs (one or more) connected to the VVoIP core system/device. Connect a network scanner to each network or interface in sequence and scan the IP range(s) of the network(s) connected to the other port(s) on the VVoIP core system/device. This is a finding if the scanner can reach any host on the scanned network.

Procedural example:
1 - Connect the scanner to the production network or connection of the VVoIP core system/device. Scan the address range of the management VLAN or network and any other management network connected to the target.
1A - If the target device has redundant production interfaces, repeat step 1 for the second interface.
2 - Connect the scanner to the management network interface and scan the address ranges of the production network and any other attached management networks.
2A - If there is a second management network connection, repeat step 2 for the second management interface.

The expected result is that the scanner does not report or reach any host on the scanned network(s).

NOTE: A portion of this test might be performed as part of the scan used to check that the VVoIP production and management VLANs are closed, thus validating the ACL requirements (provided the proper address ranges are scanned as noted above), but a detailed review of the scan results would be required to identify which hosts were reached. How far that test applies to this one depends on where in the production or management VLAN the scanner is placed, since the ACLs protecting the target VVoIP core device may mask a problem in the target device itself. Therefore it is recommended that an independent scan of the device be performed.
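As an added example (not part of the STIG), the scan matrix from the procedure above expressed as a script: the interface names and address ranges are constructed placeholders, and the simple TCP probe stands in for whatever scanner is actually used. Each interface is swept against every network attached to the other interfaces, and any host that answers is recorded as a finding.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

# Constructed addressing scheme (hypothetical, not from the STIG): interface
# name -> network attached to it. prod-a/prod-b are redundant links to one VLAN.
NETWORKS: Dict[str, str] = {
    "prod-a": "10.10.10.0/29",
    "prod-b": "10.10.10.0/29",
    "mgmt-noc": "10.20.0.0/29",
    "mgmt-adimss": "10.30.0.0/29",
}

def targets_for(networks: Dict[str, str], iface: str) -> List[str]:
    """Networks the scanner must sweep when plugged into `iface`: every
    attached network except the one the scanner itself sits on."""
    own = ipaddress.ip_network(networks[iface])
    return sorted({n for n in networks.values() if ipaddress.ip_network(n) != own})

def tcp_probe(host: str, ports=(22, 443), timeout: float = 1.0) -> bool:
    """True if `host` answered on any port. A refused connection (RST) still
    proves the host is reachable through the device; only silence is a block."""
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                return True
            except ConnectionRefusedError:
                return True
            except OSError:
                continue
    return False

def check_separation(networks: Dict[str, str], iface: str,
                     probe: Callable[[str], bool] = tcp_probe) -> List[Tuple[str, str]]:
    """Sweep every target network from `iface`; return the (network, host) pairs
    that answered. Expected result is an empty list; anything else is a finding."""
    reached: List[Tuple[str, str]] = []
    for net in targets_for(networks, iface):
        for host in ipaddress.ip_network(net).hosts():
            if probe(str(host)):
                reached.append((net, str(host)))
    return reached

if __name__ == "__main__":
    for iface in NETWORKS:  # steps 1, 1A, 2 and 2A of the procedure, one interface at a time
        hits = check_separation(NETWORKS, iface)
        print(f"{iface}: {'FINDING ' + str(hits) if hits else 'no hosts reached'}")
```

The probe must run from a host that is actually attached to the interface being tested; run from elsewhere, the VLAN ACLs noted above can hide a routing problem inside the device itself.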
Configure VVoIP core system/devices and traditional TDM based telecom switches to comply with the following: If a target system/device supports separate IP based production and management interfaces (logical or physical), or multiple management interfaces (logical or physical), connected to different networks or VLANs, ensure the target system/device does not route IP traffic between the networks or VLANs attached/connected to these interfaces.

NOTE: This also applies to traditional TDM based telecom switches that are managed via IP networks that connect to the switch via different ports, no matter the type of connection (Ethernet or serial).

The purpose of this requirement is to ensure that other devices connected to one side of the target device cannot be accessed or compromised through the target device via one of its other interfaces. Configure the target system/device to NOT route between multiple attached management networks and/or its production network, whether they are physically different or only logically different by being connected to different VLANs.

NOTE: While this specifically addresses a situation similar to the one addressed in the Network Infrastructure STIG, which essentially requires that the production side of a managed device must not be accessible from the management interface and vice versa, this requirement extends that requirement to multiple management interfaces. Many DSN switches and DISN IPVS system core devices are managed from the BCPS network and CCSA NOC via one interface and also monitored and potentially managed by the DISA ADIMSS or other NOC. These are separate enclaves which must be protected from inappropriate access between them. In some cases the connections from these enclaves to the managed devices are via separate interfaces on the managed devices. Hence the requirement that the managed device must not pass traffic between these interfaces.