The organization must document the Voice Video VLAN Access Control List (ACL) design controlling Voice Video system access and traffic flow.
From Voice Video Policy Security Technical Implementation Guide
Part of SRG-POL-400002
Associated with:
CCI-001548
VVSP-01-000015_rule
Vulnerability discussion
Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data.

The use of ACLs on LAN routers and switches manages the flow of media and signaling traffic between Voice Video VLANs and subnets. The VLANs are defined as follows:
- Hardware Voice Video endpoints: VLANs normally in parallel with data LAN VLANs
- Software Unified Capability (UC) and Video Conferencing (VC) soft clients on workstations: VLANs normally in parallel with data LAN VLANs
- Voice Video core equipment consisting of session managers, soft switches, registration authentication server, and network services: single VLAN
- Voice Video border equipment consisting of media gateways (MG), signaling gateways (SG), and session border controllers (SBC): single VLAN
- Voice Video system management: management VLAN (can be combined with other LAN management VLAN)
- Voicemail, UC services servers, and UC web servers: accessible to Voice Video and data VLANs

The VLANs and associated ACLs for the Voice Video system must be segregated from the other VLANs. The ACL design may change depending on the location and makeup of the Voice Video equipment. For instance, an MG and SG residing on the same platform use the same Ethernet LAN connection and do not need separate VLANs, but the ACL may need to be adjusted accordingly. In general, the defined ACLs are deny-by-default, limiting protocols and traffic to only those specifically allowed.
Check content
Review the Voice Video system design documents. Confirm that the Voice Video VLAN ACL design controls Voice Video system access and traffic flow. The defined ACLs must use a deny-by-default configuration, allowing only the protocols and traffic required to reach the device. The ACLs must filter on VLAN, IP address, subnet, protocol type, and the standard IP port associated with the protocol. The ACLs are enclave egress filters on the VLAN interfaces.
If the Voice Video system design documents do not control Voice Video system access and traffic flow, this is a finding.
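The following is an added example, not part of the STIG text, that models the VLAN ACL design described in the vulnerability discussion and the check above: a deny-by-default permit list keyed on source VLAN, destination VLAN, protocol, and destination port, evaluated against a handful of constructed flows. The VLAN names are taken from the STIG's VLAN definitions; the subnets, the RTP port range, the choice of SSH for management access, and the sample flows are assumptions made for illustration only. It can be used to check that a documented design actually denies cross-VLAN traffic that has no explicit permit.

```python
"""Deny-by-default ACL model for Voice Video VLAN segmentation (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# VLAN-to-subnet assignments: the VLAN roles come from the STIG, the
# subnets are constructed assumptions for this example.
VLANS = {
    "endpoints":  ipaddress.ip_network("10.10.0.0/24"),  # hardware Voice Video endpoints
    "core":       ipaddress.ip_network("10.20.0.0/24"),  # session managers, soft switches
    "border":     ipaddress.ip_network("10.30.0.0/24"),  # MG, SG, SBC
    "management": ipaddress.ip_network("10.40.0.0/24"),  # Voice Video system management
    "services":   ipaddress.ip_network("10.60.0.0/24"),  # voicemail, UC services, UC web
    "data":       ipaddress.ip_network("10.50.0.0/24"),  # ordinary user data VLAN
}

@dataclass(frozen=True)
class Rule:
    src_vlan: str
    dst_vlan: str
    proto: str                           # "tcp", "udp", or "any"
    dst_ports: Optional[Tuple[int, int]]  # inclusive (low, high), or None for any port

# Permit list. Anything not matched here is denied (deny-by-default).
# 5060/5061 are the registered SIP ports; the RTP range 16384-32767 and
# the use of SSH (22) from the management VLAN are constructed assumptions.
PERMITS = [
    Rule("endpoints",  "core",      "udp", (5060, 5060)),    # SIP signaling
    Rule("endpoints",  "core",      "tcp", (5061, 5061)),    # SIP over TLS
    Rule("endpoints",  "endpoints", "udp", (16384, 32767)),  # RTP media, phone to phone
    Rule("endpoints",  "border",    "udp", (16384, 32767)),  # RTP media to gateways
    Rule("core",       "border",    "tcp", (5061, 5061)),    # core to SBC/SG signaling
    Rule("endpoints",  "services",  "tcp", (443, 443)),      # voicemail/UC web from endpoints
    Rule("data",       "services",  "tcp", (443, 443)),      # voicemail/UC web from data VLAN
    Rule("management", "core",      "tcp", (22, 22)),        # admin access only from management
    Rule("management", "border",    "tcp", (22, 22)),
]

def vlan_of(ip: str) -> Optional[str]:
    """Map an address to its VLAN name, or None if it is in no known subnet."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return None

def evaluate(src_ip: str, dst_ip: str, proto: str, dst_port: int) -> str:
    """Return 'permit' or 'deny' for one flow; unknown addresses are denied."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src is None or dst is None:
        return "deny"
    for r in PERMITS:
        if r.src_vlan != src or r.dst_vlan != dst:
            continue
        if r.proto not in ("any", proto):
            continue
        if r.dst_ports is not None and not (r.dst_ports[0] <= dst_port <= r.dst_ports[1]):
            continue
        return "permit"
    return "deny"  # implicit deny at the end of the list

# Constructed sample flows a reviewer might walk through against the design.
SAMPLE_FLOWS = [
    ("10.10.0.15", "10.20.0.5",  "udp", 5060),   # phone registers with session manager
    ("10.10.0.15", "10.10.0.22", "udp", 20000),  # phone-to-phone RTP
    ("10.10.0.15", "10.40.0.9",  "tcp", 22),     # phone to management VLAN: no permit
    ("10.50.0.7",  "10.20.0.5",  "udp", 5060),   # data VLAN to core signaling: no permit
    ("10.50.0.7",  "10.60.0.3",  "tcp", 443),    # data VLAN to UC web server: permitted
    ("10.40.0.9",  "10.20.0.5",  "tcp", 22),     # management SSH to core: permitted
]

def audit(flows=SAMPLE_FLOWS):
    """Evaluate each flow and return (flow, decision) pairs."""
    return [(f, evaluate(*f)) for f in flows]

if __name__ == "__main__":
    for flow, decision in audit():
        print(f"{flow[0]:>12} -> {flow[1]:<12} {flow[2]}/{flow[3]:<6} {decision}")
```

Rules are first-match, so the permit list is the entire documented design and the trailing `deny` is the implicit default; filtering by VLAN membership rather than by individual host address keeps the list short while still meeting the VLAN, subnet, protocol and port criteria called out in the check.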
Fix text
Develop and document the Voice Video VLAN ACL design for the supporting LAN that properly controls Voice Video system access and traffic flow.