From Voice/Video over Internet Protocol (VVoIP) STIG
Part of Deficient EBC config: Signaling Authentication
We previously discussed the reasons why a special firewall function is needed to protect the enclave if VVoIP is to traverse the boundary (see VVoIP 1005 under VVoIP policy). This requirement addresses the function of the EBC which authenticates the AS-SIP-TLS signaling messages as being from an authorized source.
Inspect the configurations of the EBC to determine compliance with the requirement. This is a finding in the event the EBC is not configured to validate sending appliance’s public PKI certificate against the DoD PKI registry and CRLs.
Ensure the DISN NIPRNet IPVS firewall (EBC) is configured to drop (and not process) all packets except those that are authenticated as being from an authorized source as follows: > Authenticate outbound AS-SIP-TLS messages (packets) as being from the primary or backup LSC (or the site’s MFSS and is backup LSC) within the enclave. > Authenticate inbound AS-SIP-TLS messages (packets) as being from the EBC at the enclave’s assigned primary and secondary (backup) MFSS sites. NOTE: Authentication is provided by validating the sending appliance’s public PKI certificate used to establish the TLS session. AS-SIP messages are not sent until the authenticated TLS session is established.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer