The organization must document the Voice Video VLAN Access Control List (ACL) design controlling Voice Video system access and traffic flow.

From Voice Video Policy Security Technical Implementation Guide

Part of SRG-POL-400002

Associated with: CCI-001548

VVSP-01-000015_rule The organization must document the Voice Video VLAN Access Control List (ACL) design controlling Voice Video system access and traffic flow.

Vulnerability discussion

Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data.

The use of ACLs on LAN routers and switches manages the flow of media and signaling traffic between Voice Video VLANs and subnets. The VLANs are defined as follows:

- Hardware Voice Video endpoints: VLANs normally in parallel with data LAN VLANs
- Software Unified Capability (UC) and Video Conferencing (VC) soft clients on workstations: VLANs normally in parallel with data LAN VLANs
- Voice Video core equipment consisting of session managers, soft switches, registration authentication server, and network services: single VLAN
- Voice Video border equipment consisting of media gateways (MG), signaling gateways (SG), and session border controllers (SBC): single VLAN
- Voice Video system management: management VLAN (can be combined with other LAN management VLAN)
- Voicemail, UC services servers, and UC web servers: accessible to Voice Video and data VLANs

The VLANs and associated ACLs for the Voice Video system must be segregated from the other VLANs. The ACL design may change depending on the location and makeup of the Voice Video equipment. For instance, an MG and SG residing on the same platform use the same Ethernet LAN connection and do not need separate VLANs, but the ACL may need to be adjusted accordingly. In general, the defined ACLs are deny-by-default, limiting protocols and traffic to only those specifically allowed.

Check content

Review the Voice Video system design documents. Confirm that the Voice Video VLAN ACL design controls Voice Video system access and traffic flow. The defined ACLs must use a deny-by-default configuration, allowing only the protocols and traffic required to reach the device. The ACLs must filter on VLAN, IP address, subnet, protocol type, and the standard IP port associated with the protocol. The ACLs are enclave egress filters on the VLAN interfaces. If the Voice Video system design documents do not control Voice Video system access and traffic flow, this is a finding.
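The following Python model is an added example, not part of the STIG text, that ties the vulnerability discussion and the check content together: it encodes a deny-by-default per-VLAN egress ACL that filters on VLAN, source and destination subnet, protocol and destination port, then audits the design against a list of flows the documentation says must or must not pass. The VLAN numbers, subnets, the RTP port range and the sample flows are constructed for the example (SIP on UDP/5060 and HTTPS on TCP/443 are the standard ports); a real design document would substitute the site's own plan.

```python
"""Deny-by-default Voice Video VLAN ACL model (constructed example, not STIG text)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Sequence, Tuple

PortRange = Optional[Tuple[int, int]]  # inclusive (low, high); None means any port


@dataclass(frozen=True)
class Flow:
    """One flow leaving a VLAN interface, i.e. the egress filter point."""
    vlan: int
    src_ip: str
    dst_ip: str
    proto: str      # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class Ace:
    """One access control entry: VLAN, subnets, protocol type and port range."""
    action: str             # "permit" or "deny"
    vlan: int
    src: IPv4Network
    dst: IPv4Network
    proto: str              # "tcp", "udp" or "any"
    ports: PortRange = None

    def matches(self, flow: Flow) -> bool:
        if flow.vlan != self.vlan:
            return False
        if ip_address(flow.src_ip) not in self.src or ip_address(flow.dst_ip) not in self.dst:
            return False
        if self.proto != "any" and self.proto != flow.proto:
            return False
        if self.ports is not None and not (self.ports[0] <= flow.dst_port <= self.ports[1]):
            return False
        return True


def evaluate(acl: Sequence[Ace], flow: Flow) -> str:
    """First matching ACE wins; no match falls through to the implicit deny."""
    for ace in acl:
        if ace.matches(flow):
            return ace.action
    return "deny"


# Constructed VLAN/subnet plan (assumption for this example, not from the STIG).
ENDPOINTS = ip_network("10.20.0.0/24")   # VLAN 20, hardware Voice Video endpoints
DATA_LAN = ip_network("10.30.0.0/24")    # VLAN 30, data LAN workstations
CORE = ip_network("10.50.0.0/24")        # VLAN 50, session managers / soft switches
BORDER = ip_network("10.60.0.0/24")      # VLAN 60, MG / SG / SBC
SERVICES = ip_network("10.70.0.0/24")    # VLAN 70, voicemail and UC web servers

SIP = (5060, 5060)        # standard SIP signaling port
RTP = (16384, 32767)      # media port range, assumed for this example
HTTPS = (443, 443)        # standard HTTPS port

# Egress ACL on the endpoint VLAN interface: signaling to the core, media to other
# endpoints and the border, HTTPS to the services VLAN. Anything else, including
# the data LAN, hits the implicit deny.
ENDPOINT_EGRESS = [
    Ace("permit", 20, ENDPOINTS, CORE, "udp", SIP),
    Ace("permit", 20, ENDPOINTS, ENDPOINTS, "udp", RTP),
    Ace("permit", 20, ENDPOINTS, BORDER, "udp", RTP),
    Ace("permit", 20, ENDPOINTS, SERVICES, "tcp", HTTPS),
]

# Egress ACL on the data VLAN interface, Voice Video portion only: the UC web and
# voicemail servers are reachable; core, border and endpoint VLANs are not.
DATA_EGRESS = [
    Ace("permit", 30, DATA_LAN, SERVICES, "tcp", HTTPS),
]

# Flows the design document states must be permitted or denied (constructed).
EXPECTED = [
    (ENDPOINT_EGRESS, Flow(20, "10.20.0.15", "10.50.0.10", "udp", 5060), "permit"),
    (ENDPOINT_EGRESS, Flow(20, "10.20.0.15", "10.20.0.16", "udp", 20000), "permit"),
    (ENDPOINT_EGRESS, Flow(20, "10.20.0.15", "10.30.0.7", "tcp", 445), "deny"),
    (ENDPOINT_EGRESS, Flow(20, "10.20.0.15", "10.50.0.10", "tcp", 22), "deny"),
    # Endpoint source address but wrong VLAN tag for this interface: denied.
    (ENDPOINT_EGRESS, Flow(30, "10.20.0.15", "10.50.0.10", "udp", 5060), "deny"),
    (DATA_EGRESS, Flow(30, "10.30.0.7", "10.70.0.5", "tcp", 443), "permit"),
    (DATA_EGRESS, Flow(30, "10.30.0.7", "10.50.0.10", "udp", 5060), "deny"),
    (DATA_EGRESS, Flow(30, "10.30.0.7", "10.60.0.2", "udp", 20000), "deny"),
]


def audit(expectations) -> List[Tuple[Flow, str, str]]:
    """Return (flow, wanted, got) for every expectation the ACLs fail to meet."""
    failures = []
    for acl, flow, want in expectations:
        got = evaluate(acl, flow)
        if got != want:
            failures.append((flow, want, got))
    return failures


if __name__ == "__main__":
    problems = audit(EXPECTED)
    print("ACL design holds" if not problems else f"{len(problems)} mismatches: {problems}")
```

Running the module prints "ACL design holds"; removing or widening an ACE (for example, permitting "any" protocol from the data LAN to the core subnet) makes `audit` list the flows that no longer match the documented intent, which is the kind of evidence a reviewer applying the check above would want beside the narrative design document.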

Fix text

Develop and document the Voice Video VLAN ACL design for the supporting LAN that properly controls Voice Video system access and traffic flow.
