The implementation of Unified Mail services degrades the separation between the voice and data protection zones (VLANs).

From Voice/Video over Internet Protocol (VVoIP) STIG

Part of Deficient imp'n: UM degrades voice/data separation

SV-21786r2_rule The implementation of Unified Mail services degrades the separation between the voice and data protection zones (VLANs).

Vulnerability discussion

Voice mail services in a VoIP environment are available in several different configurations. A legacy voice mail platform can connect to a VoIP environment to provide voice mail services for VoIP users. In the same respect, a VoIP voice mail platform can provide voice mail services to the legacy voice users and the VoIP users. Some voice mail systems are also capable of providing unified mail by interacting with email messaging systems. Voicemails when recorded are converted to a .wav or similar digital audio file and sent to the email server as an attachment to an email. The subject line will typically contain the caller ID information if available. The email user can then open the attachment and listen to the voicemail on their PC or whatever device that provides properly authenticated access to the user’s email. Since the voicemail server must access the voice network (which, in a VoIP system is the VoIP VLAN system), and the data network (data VLANs) to send the email, caution and control must be exercised to not degrade the separation between the voice and data VLANs. Additionally, if the email server is part of or collocated with the voicemail server, user access to email must also not degrade the separation between the voice and data VLANs. Since this server may have 2 NICs and be connected to both voice and data VLANs, the server must not act as a bridge between the voice and data VLANs.

Check content

Perform a network penetration test from the data VLAN(s) to the Voice VLAN(s). Direct the scan at the unified mail connection on the data VLAN(s). Perform a similar scan in the opposite direction. This is a finding in the event the hosts on the VLAN(s) opposite the one the scanner is connected to are accessible.

Fix text

Ensure the implementation of a unified mail system does not degrade the separation and traffic filtering between the voice and data security zones or VLANs. Configure unified mail services with access to both the data and voice VLANs to NOT bridge the two environments together.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer