The organization must design and document the Voice Video system to protect the enclave boundary and connections to external networks.

From Voice Video Policy Security Technical Implementation Guide

Part of SRG-POL-400004

Associated with: CCI-000028

VVSP-01-000020_rule The organization must design and document the Voice Video system to protect the enclave boundary and connections to external networks.

Vulnerability discussion

Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. For Voice Video systems, the enclave boundary protection may be inadequate if not specifically designed to process Voice Video signaling and media. The standard firewall used to protect an enclave supporting data traffic is not capable of properly handling or supporting Voice Video communications. A Voice Video stateful firewall or session border controller (SBC), in parallel with the data firewall, provides the best protection for the enclave.

Dynamically opening required UDP ports to permit the flow of the media, performing stateful inspection of UDP media packets and dropping all non-session packets, and then closing the UDP ports at the session's end or after an inactivity timeout greatly increases enclave protection. This configuration provides the capability to decrypt the media streams for inspection and recording. This supports, for purposes of the Communications Assistance for Law Enforcement Act (CALEA), the monitoring and recording of calls that traverse the enclave boundary.

When a Voice Video system is a closed system, such as DISN classified networks, the entire address space of the WAN and connected enclaves is managed by a single system manager. A specific limited and segregated address space may be assigned for all Voice Video devices in use across the network. The risk to the enclave is limited when a standard firewall is used with inbound permit statements that are based on the segregated IP address range. When Network Address Translation (NAT) is used, the Voice Video stateful firewall or SBC provides RFC 1918 internal private addressing, allowing packets to traverse the boundary. Although NAT is no longer required to be implemented, it is still a common security best practice.
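The pinhole lifecycle described above (open the negotiated UDP media ports after signaling, forward only packets that belong to an open session, close on teardown or after an inactivity timeout) is modelled in the following added example. It is illustrative code written for this page, not part of the STIG or of any SBC product; the endpoint addresses, ports, timestamps and the 30-second timeout are constructed values.

```python
from dataclasses import dataclass

@dataclass
class Pinhole:
    inside: tuple      # (ip, port) of the internal endpoint, taken from the signaled SDP
    outside: tuple     # (ip, port) of the remote endpoint
    last_seen: float   # time of the last media packet (drives the inactivity timeout)

class VoiceVideoFirewall:
    """Simplified model of the UDP pinhole lifecycle on a Voice Video firewall / SBC."""
    def __init__(self, timeout=30.0):
        self.timeout = timeout      # inactivity timeout in seconds (constructed value)
        self.pinholes = {}          # call_id -> Pinhole
        self.dropped = 0            # non-session UDP packets discarded

    def session_start(self, call_id, inside, outside, now):
        # Signaling has completed: open only the negotiated media addresses/ports.
        self.pinholes[call_id] = Pinhole(inside, outside, now)

    def session_end(self, call_id):
        # Session teardown (e.g. SIP BYE): close the pinhole immediately.
        self.pinholes.pop(call_id, None)

    def expire(self, now):
        # Close pinholes that carried no media within the inactivity timeout.
        stale = [c for c, p in self.pinholes.items() if now - p.last_seen > self.timeout]
        for c in stale:
            del self.pinholes[c]
        return stale

    def forward_udp(self, src, dst, now):
        """Forward the packet only if it matches an open pinhole in either direction."""
        self.expire(now)
        for p in self.pinholes.values():
            if (src, dst) in ((p.outside, p.inside), (p.inside, p.outside)):
                p.last_seen = now
                return True
        self.dropped += 1   # stateful inspection: drop everything that is not session media
        return False

def demo():
    """Walk one call through the lifecycle; endpoints and times are constructed."""
    fw = VoiceVideoFirewall(timeout=30.0)
    inside, outside = ("10.10.50.20", 20000), ("203.0.113.7", 40000)
    r = {"before_signaling": fw.forward_udp(outside, inside, now=0.0)}   # no session yet
    fw.session_start("call-1", inside, outside, now=1.0)
    r["media_in_session"] = fw.forward_udp(outside, inside, now=2.0)     # matches pinhole
    r["other_port"] = fw.forward_udp(("203.0.113.7", 40002), inside, now=3.0)  # non-session
    r["after_timeout"] = fw.forward_udp(outside, inside, now=40.0)       # 38 s idle > 30 s
    fw.session_start("call-2", inside, outside, now=41.0)
    fw.session_end("call-2")
    r["after_teardown"] = fw.forward_udp(inside, outside, now=42.0)      # closed on BYE
    return r
```

The same model also shows why a data-only firewall falls short: without the signaling-driven session table, it would have to leave the whole UDP media range open statically.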

Check content

If the local enclave Voice Video implementation is a stand-alone system and without connection to external networks, this requirement is not applicable. The enclave must be a closed DISN classified network or an organizational intranet, the PMO must designate and implement a segregated IP address range for use by the Voice Video system, and no dedicated Voice Video firewall function (as defined in the current Unified Capabilities Requirements [UCR]) is implemented to meet this exception.

Review the Voice Video system design documents. Visually inspect the enclave boundary protection hardware and connections to verify the implementation is as documented in the design. Interview the ISSO to confirm compliance.

The data firewall function must protect the Voice Video sub-enclave and infrastructure by:

1. Blocking all Voice Video traffic to/from the Voice Video production VLANs, except for signaling and media traffic to/from a remote endpoint entering the enclave via a properly authenticated and encrypted tunnel, where Voice Video traffic is blocked from data VLANs.
2. Blocking all non-Voice Video traffic to/from the Voice Video production VLANs.
3. Blocking all non-Voice Video traffic to/from the Voice Video management VLANs, except for Voice Video system management traffic to/from specifically authorized management servers and workstations (local or in a remote NOC).
4. Inspecting all non-Voice Video traffic to/from the Voice Video management VLANs specifically required for Voice Video system management. This may be performed by a separate IDPS function, or an alternate data perimeter may be implemented for this purpose.

The Voice Video firewall function must protect the Voice Video sub-enclave and infrastructure by:

1. Blocking all non-Voice Video traffic to/from data production VLANs, data management VLANs, and Voice Video management VLANs.
2. Inspecting all Voice Video traffic to/from the Voice Video production VLANs.
3. Supporting interoperability and Assured Service requirements per the DoD UCR.

When PSTN commercial service connects to the enclave, the connection must be through a media gateway function to protect the Voice Video sub-enclave and infrastructure.

If the enclave boundary protection network elements and connections are not implemented as documented, this is a finding. If the data firewall function, Voice Video firewall function, IDPS function, and any implemented media gateways do not protect the Voice Video sub-enclave and infrastructure, this is a finding.

Fix text

Design and document enclave boundary protection to provide a data firewall function, Voice Video firewall function, and media gateway in the Voice Video System Security Plan (SSP), Voice Video Access Control Plan (ACP), and other Voice Video design and configuration documentation. Ensure the enclave boundary protection is designed and implemented to protect the Voice Video infrastructure and the data enclave.

The data firewall function must protect the Voice Video sub-enclave and infrastructure by:

1. Blocking all Voice Video traffic to/from the Voice Video production VLANs, except for signaling and media traffic to/from a remote endpoint entering the enclave via a properly authenticated and encrypted tunnel, where Voice Video traffic is blocked from data VLANs.
2. Blocking all non-Voice Video traffic to/from the Voice Video production VLANs.
3. Blocking all non-Voice Video traffic to/from the Voice Video management VLANs, except for Voice Video system management traffic to/from specifically authorized management servers and workstations (local or in a remote NOC).
4. Inspecting all non-Voice Video traffic to/from the Voice Video management VLANs specifically required for Voice Video system management. This may be performed by a separate IDPS function, or an alternate data perimeter may be implemented for this purpose.

The Voice Video firewall function must protect the Voice Video sub-enclave and infrastructure by:

1. Blocking all non-Voice Video traffic to/from data production VLANs, data management VLANs, and Voice Video management VLANs.
2. Inspecting all Voice Video traffic to/from the Voice Video production VLANs.
3. Supporting interoperability and Assured Service requirements per the DoD UCR.

When PSTN ISDN or circuit-switched commercial service connects to the enclave, the connection must be through a media gateway function to protect the Voice Video sub-enclave and infrastructure.

NOTES:

1. A PSTN media gateway connection is not required when the site is approved for a commercial IP service connection.
2. When the enclave is part of an organizational intranet, and there is no firewall at the local enclave perimeter, configure the perimeter/premise router to provide the required filtering and routing and ensure all inbound and outbound traffic enters the required dedicated circuit or encrypted VPN.
