The organization must design and document the Voice Video system to prevent exfiltration of data.

From Voice Video Policy Security Technical Implementation Guide

Part of SRG-POL-400004

Associated with: CCI-000028

VVSP-01-000021_rule The organization must design and document the Voice Video system to prevent exfiltration of data.

Vulnerability discussion

Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. For Voice Video systems, the enclave boundary protection may be inadequate if it is not specifically designed to process Voice Video signaling and media. The standard firewall used to protect an enclave supporting data traffic is not capable of properly handling or supporting Voice Video communications. A Voice Video stateful firewall or session border controller (SBC), in parallel with the data firewall, provides the best protection for the enclave.

Dynamically opening the required UDP ports to permit the flow of media, performing stateful inspection of UDP media packets and dropping all non-session packets, and then closing the UDP ports at the session's end or after an inactivity timeout greatly increases enclave protection. This configuration also provides the capability to decrypt the media streams for inspection and recording, which supports, for purposes of the Communications Assistance for Law Enforcement Act (CALEA), the monitoring and recording of calls that traverse the enclave boundary. At network boundaries, the threat of sensitive enterprise data exfiltration must be monitored and mitigated to address the various methods and exploits.
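The pinhole behavior described above (open only the negotiated UDP media ports, forward only packets that belong to a known session, drop everything else, and close the pinhole on session end or inactivity) can be made concrete with a small model. The following is an added example written for this page, not text or code from the STIG or from any vendor SBC. It assumes signaling has already told the firewall which endpoint addresses and ports a session negotiated; the addresses, ports, timeout value, and packets are all constructed for illustration.

```python
"""Simplified model of a Voice Video media firewall / SBC pinhole table.

Added example, not part of the STIG text. Signaling is not modeled: the
caller supplies the endpoints a session negotiated. All values are
constructed for illustration.
"""
from dataclasses import dataclass, field
import struct

RTP_VERSION = 2
INACTIVITY_TIMEOUT = 30.0  # seconds; assumed value, set per site policy


@dataclass(frozen=True)
class Pinhole:
    """One direction of a negotiated UDP media flow."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Session:
    call_id: str
    pinholes: set = field(default_factory=set)
    last_seen: float = 0.0


def looks_like_rtp(payload: bytes) -> bool:
    """Minimal RTP (RFC 3550) sanity check: 12-byte fixed header, version 2."""
    return len(payload) >= 12 and (payload[0] >> 6) == RTP_VERSION


def make_rtp(seq: int, ts: int, ssrc: int, pt: int = 0, data: bytes = b"\x00" * 160) -> bytes:
    """Build a constructed RTP packet: V=2, P=0, X=0, CC=0, M=0."""
    return struct.pack("!BBHII", 0x80, pt & 0x7F, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + data


class MediaFirewall:
    def __init__(self, timeout: float = INACTIVITY_TIMEOUT):
        self.timeout = timeout
        self.sessions = {}  # call_id -> Session
        self.index = {}     # Pinhole -> call_id
        self.log = []       # (event, detail) records for the audit trail

    def open_session(self, call_id, a_ip, a_port, b_ip, b_port, now):
        """Signaling completed: open pinholes in both directions, nothing else."""
        s = Session(call_id, last_seen=now)
        for ph in (Pinhole(a_ip, a_port, b_ip, b_port), Pinhole(b_ip, b_port, a_ip, a_port)):
            s.pinholes.add(ph)
            self.index[ph] = call_id
        self.sessions[call_id] = s
        self.log.append(("open", call_id))

    def close_session(self, call_id, reason):
        """Session ended (signaling BYE or timeout): remove its pinholes."""
        s = self.sessions.pop(call_id, None)
        if s is None:
            return
        for ph in s.pinholes:
            self.index.pop(ph, None)
        self.log.append(("close", f"{call_id}:{reason}"))

    def expire(self, now):
        """Close every session with no media for longer than the timeout."""
        idle = [c for c, s in self.sessions.items() if now - s.last_seen > self.timeout]
        for call_id in idle:
            self.close_session(call_id, "inactivity")

    def filter_packet(self, src_ip, src_port, dst_ip, dst_port, payload, now) -> bool:
        """Return True if the UDP datagram is forwarded, False if it is dropped."""
        self.expire(now)
        call_id = self.index.get(Pinhole(src_ip, src_port, dst_ip, dst_port))
        if call_id is None:  # no session owns this 5-tuple
            self.log.append(("drop-no-session", f"{src_ip}:{src_port}->{dst_ip}:{dst_port}"))
            return False
        if not looks_like_rtp(payload):  # right tuple, wrong content
            self.log.append(("drop-not-rtp", call_id))
            return False
        self.sessions[call_id].last_seen = now
        return True


def demo():
    """Walk one session through the cases the discussion above describes."""
    fw = MediaFirewall()
    fw.open_session("call-1", "10.0.0.10", 20000, "192.0.2.50", 30000, now=0.0)
    results = [
        # negotiated media in both directions: forwarded
        fw.filter_packet("10.0.0.10", 20000, "192.0.2.50", 30000, make_rtp(1, 160, 0x1234), 1.0),
        fw.filter_packet("192.0.2.50", 30000, "10.0.0.10", 20000, make_rtp(7, 160, 0x5678), 1.5),
        # UDP from a port no session negotiated: dropped as non-session traffic
        fw.filter_packet("10.0.0.10", 20001, "192.0.2.50", 30000, make_rtp(2, 320, 0x1234), 2.0),
        # correct tuple but payload is not RTP (constructed ZIP bytes): dropped
        fw.filter_packet("10.0.0.10", 20000, "192.0.2.50", 30000, b"PK\x03\x04" + b"A" * 100, 2.5),
        # session idled past the timeout: pinhole closed, even valid RTP is dropped
        fw.filter_packet("10.0.0.10", 20000, "192.0.2.50", 30000, make_rtp(3, 480, 0x1234), 60.0),
    ]
    return results, fw.log


if __name__ == "__main__":
    forwarded, events = demo()
    print(forwarded)
    for event in events:
        print(event)
```

The `log` list stands in for the audit and alerting the Check content requires: every dropped packet and every pinhole close is a record a real SBC would forward to the security event pipeline. The RTP check is deliberately shallow (version bits only); a production inspector would also track SSRC and sequence continuity per pinhole.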

Check content

Review the Voice Video system design documents. The design must prevent exfiltration of data. Data exfiltration monitors must be incorporated at the boundary under the following conditions:

- PSTN or ISDN trunks are connected to the Voice Video system through a media gateway (MG); the data exfiltration device must monitor media sessions between the MG and the Voice Video endpoints.
- External IP trunks (commercial or DoD) are connected to the Voice Video system through an SBC; the data exfiltration device must reside within the SBC or monitor media sessions between the SBC and the Voice Video endpoints.

Further, the data exfiltration events must be logged and alerts sent to network security personnel and administrators for appropriate action.

If the Voice Video system design does not prevent exfiltration of data at the boundary, this is a finding.

If the data exfiltration device does not audit events and alert appropriate personnel, this is a finding.

Fix text

Design and document the Voice Video system to prevent exfiltration of data. The data exfiltration monitor must be incorporated at the boundary as follows:

- Where PSTN or ISDN trunks connect to the Voice Video system through an MG, the monitor must inspect media sessions between the MG and the Voice Video endpoints.
- Where external IP trunks (commercial or DoD) connect to the Voice Video system through an SBC, the monitor must reside within the SBC or inspect media sessions between the SBC and the Voice Video endpoints.

Enable the data exfiltration monitor to audit events and alert network security personnel and administrators for appropriate action.

Powered by sagemincer