The organization must design, implement, and document the Voice Video system to use a DoD Information Networks (DoDIN) Approved Product List (APL) listed Session Border Controller (SBC) at the DISN NIPRNet boundary.

From Voice Video Policy Security Technical Implementation Guide

Part of SRG-POL-400019

Associated with: CCI-002073

VVSP-01-000041_rule: The organization must design, implement, and document the Voice Video system to use a DoD Information Networks (DoDIN) Approved Product List (APL) listed Session Border Controller (SBC) at the DISN NIPRNet boundary.

Vulnerability discussion

Organizations must carefully consider the risks that may be introduced when information systems (i.e., system interconnections) are connected to other systems with different security requirements and security controls, both within organizations and external to organizations. Authorizing Officials must determine the risk associated with information system connections and the appropriate controls employed. Risk considerations also include information systems sharing the same networks.

For Voice Video systems, the enclave boundary protection may be inadequate if not specifically designed to process Voice Video signaling and media. The standard firewall used to protect an enclave supporting data traffic is not capable of properly handling or supporting Voice Video communications. A Voice Video stateful firewall or SBC, in parallel with the data firewall, provides the best protection for the enclave. Dynamically opening required UDP ports to permit the flow of the media, performing stateful inspection of UDP media packets and dropping all non-session packets, and then closing the UDP ports at the session's end or after an inactivity timeout greatly increases enclave protection. This configuration provides the capability to decrypt the media streams for inspection and recording. This supports, for purposes of the Communications Assistance for Law Enforcement Act (CALEA), the monitoring and recording of calls that traverse the enclave boundary.

When a Voice Video system is a closed system, such as DISN classified networks, the entire address space of the WAN and connected enclaves is managed by a single system manager. A specific limited and segregated address space may be assigned for all Voice Video devices in use across the network. The risk to the enclave is limited when a standard firewall is used with inbound permit statements that are based on the segregated IP address range.
When NAT is used, the Voice Video stateful firewall or SBC provides RFC 1918 internal private addressing, allowing packets to traverse the boundary. Although NAT is no longer required to be implemented, it is still a common security best practice.
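The dynamic UDP pinhole behaviour described above (open on signaling, pass only in-session media, drop everything else, close on session end or inactivity timeout) modeled as a small Python class. This is an added illustration, not text or code from the STIG; the class and method names, the addresses and ports, and the 30-second timeout are constructed sample values, and NAT is not modeled.

```python
from dataclasses import dataclass


@dataclass
class Pinhole:
    """One dynamically opened UDP media path, keyed by its 4-tuple."""
    call_id: str
    last_seen: float


class VoiceFirewall:
    """Hypothetical model of an SBC / Voice Video stateful firewall."""

    def __init__(self, inactivity_timeout: float = 30.0):
        self.inactivity_timeout = inactivity_timeout
        self.pinholes: dict[tuple, Pinhole] = {}
        self.dropped = 0

    def session_start(self, call_id, ext_ip, ext_port, int_ip, int_port, now):
        # Signaling (e.g. SIP INVITE with SDP) negotiated the media endpoints:
        # open a pinhole only for that exact external/internal address pair.
        self.pinholes[(ext_ip, ext_port, int_ip, int_port)] = Pinhole(call_id, now)

    def session_end(self, call_id):
        # Signaling ended the call (e.g. SIP BYE): close all of its pinholes.
        self.pinholes = {k: p for k, p in self.pinholes.items() if p.call_id != call_id}

    def expire_idle(self, now):
        # Close pinholes that carried no media within the inactivity timeout.
        self.pinholes = {k: p for k, p in self.pinholes.items()
                         if now - p.last_seen <= self.inactivity_timeout}

    def inbound_udp(self, src_ip, src_port, dst_ip, dst_port, now) -> bool:
        """Permit a UDP packet only if it matches an open, non-idle pinhole."""
        self.expire_idle(now)
        hole = self.pinholes.get((src_ip, src_port, dst_ip, dst_port))
        if hole is None:
            self.dropped += 1      # non-session packet: dropped
            return False
        hole.last_seen = now       # session packet: refresh inactivity timer
        return True


def demo() -> list[bool]:
    """Constructed sample call: RTP from 203.0.113.5:20000 to 10.1.2.3:16384."""
    fw = VoiceFirewall(inactivity_timeout=30.0)
    ext, inside = ("203.0.113.5", 20000), ("10.1.2.3", 16384)
    results = []
    fw.session_start("call-1", *ext, *inside, now=0.0)
    results.append(fw.inbound_udp(*ext, *inside, now=1.0))               # in-session: permitted
    results.append(fw.inbound_udp("203.0.113.5", 20001, *inside, now=1.0))  # not a session: dropped
    results.append(fw.inbound_udp(*ext, *inside, now=25.0))              # still active: permitted
    fw.session_end("call-1")                                             # BYE closes the pinhole
    results.append(fw.inbound_udp(*ext, *inside, now=26.0))              # closed: dropped
    fw.session_start("call-2", *ext, *inside, now=30.0)
    results.append(fw.inbound_udp(*ext, *inside, now=31.0))              # new session: permitted
    results.append(fw.inbound_udp(*ext, *inside, now=70.0))              # idle 39 s > 30 s: dropped
    return results
```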

Check content

If the local enclave Voice Video implementation is not subscribed to the DISN Voice Internet Service Provider (ISP), this requirement is not applicable. Review each Voice Video system security plan (SSP). Access the DoDIN APL (https://aplits.disa.mil/apl/) and confirm a DoD APL-listed SBC is implemented at the enclave boundary between the Customer Edge (CE) router and the Voice Video session manager. The SBC may be a dedicated device or a function of the required data firewall. If the Voice Video system does not use a DoDIN APL-approved SBC at the DISN NIPRNet boundary, this is a finding.

Fix text

Design, implement, and document the Voice Video system to use a DoDIN APL (https://aplits.disa.mil/apl/) listed SBC at the DISN NIPRNet boundary. The SBC must be implemented at the enclave boundary between the CE router and the Voice Video session manager. The SBC may be a dedicated device or a function of the required data firewall. Each unclassified Voice Video system connecting to any external network must contain full documentation of the SBC used as a boundary protection device in each corresponding Voice Video SSP, to include connection approval.
