The organization must implement DISN Voice over Secret IP (VoSIP) IP addresses/blocks assigned by the VoSIP PMO.

From Voice Video Policy Security Technical Implementation Guide

Part of SRG-POL-300447

Associated with: CCI-001973

VVSP-01-000094_rule The organization must implement DISN Voice over Secret IP (VoSIP) IP addresses/blocks assigned by the VoSIP PMO.

Vulnerability discussion

Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, device-unique identifiers, and phone numbers. Preventing reuse of identifiers implies preventing the assignment of previously used identifiers to different devices. For Voice Video systems, the importance of preventing reuse must also consider fire and emergency services (FES) requirements for life safety and Command and Control (C2) requirements mandating communications among top-level officials. Location (PS-ALI) and phone number (ANI) databases are often used with VoIP systems to identify the precise location of a Voice Video endpoint. When endpoints are reused, these databases must also be updated. Adversaries can use improperly maintained databases as a way of mobilizing security and emergency personnel to a faux site to weaken responses in another area.

The SIPRNet PMO designates specific IP address ranges for use by the DISN VoSIP service and assigns them to the VoSIP PMO for VoSIP address management and assignment. The VoSIP service provides VoIP-based communications between VoIP systems within the customer's classified LANs operating at the secret level while using the SIPRNet WAN for the inter-enclave transport. The SIPRNet PMO requires network-wide IP address accountability or traceability based on assigned IP address. SIPRNet-connected secret LANs use IP addresses assigned by the SIPRNet PMO. Therefore, customers of the DISN VoSIP service must use IP addresses assigned to them by the VoSIP PMO for the Voice Video session managers, session border controllers, and endpoints within their LANs. This maintains segregation of the voice and data environments on the customer's secret LANs and facilitates proper routing and flow control over the traffic between VoSIP addresses.

Check content

Review each Voice Video system security plan (SSP) for DISN VoSIP service. Ensure the organization uses IP addresses assigned for the DISN VoSIP service by the VoSIP PMO when defining the required dedicated address space for the Voice Video session managers and endpoints within its secret LANs.

If a VoIP communications system operated on a secret LAN does not use the worldwide DISN VoSIP service, does not communicate with other enclaves that use the DISN VoSIP service, and does not have any access to the DRSN, this is not applicable. Voice Video systems implemented in this manner must still use their own dedicated IP address space carved out of the address space assigned to their LAN by the SIPRNet PMO.

If a video conferencing (VC) system consisting of dedicated IP-based hardware endpoints uses the secret LAN and SIPRNet for transport, this is not applicable.

If the organizational secret LAN connects to SIPRNet, supports VoIP communications (not dedicated IP-based VC), and uses the DISN VoSIP service (interconnects with other enclaves using the DISN VoSIP service), but does not exclusively use IP addresses assigned by the VoSIP PMO, this is a finding.

If the Voice Video SSP does not contain documented evidence that the VoSIP PMO assigned these addresses to the organization, this is a finding.
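The check above reduces to two mechanical tests once the VoSIP PMO assignment letter and the device inventory are in hand: every session manager, session border controller and endpoint address must fall inside an assigned VoSIP block, and the VoSIP blocks must not overlap the enclave's SIPRNet PMO-assigned data LAN space. The following Python script is an added example and is not part of this STIG or any DISA tooling. The CIDR blocks, device names and addresses are constructed from RFC 5737 documentation ranges and are not real VoSIP PMO assignments; in practice they would be read from the SSP and the session manager's device registry.

```python
import ipaddress
from typing import Union

# Constructed sample data (assumption, not real assignments): RFC 5737
# documentation ranges stand in for the VoSIP PMO block and for the enclave's
# SIPRNet PMO-assigned data LAN block recorded in the SSP.
VOSIP_PMO_BLOCKS = ["192.0.2.0/26"]          # dedicated VoSIP address space
SIPRNET_DATA_BLOCKS = ["198.51.100.0/24"]    # enclave data LAN address space
INVENTORY = [
    # (device name, role, configured IPv4 address); hypothetical devices
    ("vosip-sm-1", "session manager", "192.0.2.5"),
    ("vosip-sbc-1", "session border controller", "192.0.2.6"),
    ("phone-0101", "endpoint", "192.0.2.40"),
    ("phone-0102", "endpoint", "198.51.100.20"),  # wrongly placed in data LAN space
    ("phone-0103", "endpoint", "192.0.2.300"),    # inventory typo, not a valid address
]

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_blocks(cidrs: list[str]) -> list[Network]:
    """Parse CIDR strings strictly so a mistyped block (host bits set) fails early."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def audit_inventory(inventory, vosip_cidrs):
    """Return one finding per device whose address is outside the VoSIP PMO blocks.

    Addresses that do not parse are reported as findings rather than skipped, so
    an inventory typo cannot hide a misaddressed device from the audit.
    """
    vosip = parse_blocks(vosip_cidrs)
    findings = []
    for name, role, addr in inventory:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((name, role, addr,
                             "address does not parse; inventory needs correction"))
            continue
        if not any(ip in block for block in vosip):
            findings.append((name, role, addr,
                             "address not within a VoSIP PMO assigned block"))
    return findings


def overlapping_blocks(vosip_cidrs, data_cidrs):
    """Return (VoSIP block, data block) pairs that overlap.

    Any overlap means voice and data address space are not segregated on the
    secret LAN, which the discussion for this rule requires.
    """
    pairs = []
    for v in parse_blocks(vosip_cidrs):
        for d in parse_blocks(data_cidrs):
            if v.overlaps(d):
                pairs.append((str(v), str(d)))
    return pairs


if __name__ == "__main__":
    for name, role, addr, reason in audit_inventory(INVENTORY, VOSIP_PMO_BLOCKS):
        print(f"FINDING {name} ({role}) {addr}: {reason}")
    for v, d in overlapping_blocks(VOSIP_PMO_BLOCKS, SIPRNET_DATA_BLOCKS):
        print(f"FINDING VoSIP block {v} overlaps data block {d}")
```

Run against the constructed inventory it reports phone-0102 (data LAN address) and phone-0103 (unparseable entry) and no block overlap. The script only automates the address-space part of the check; the documented evidence that the VoSIP PMO made the assignment still has to be present in the SSP.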

Fix text

Obtain and assign IP addresses as provided by the VoSIP PMO for the required dedicated address space on the LAN. Document in each Voice Video SSP for systems using the DISN VoSIP service the IP addresses/blocks assigned to the organization by the VoSIP PMO.
