The organization must implement a dedicated DNS server to the Voice Video system within the LAN with restrictions.

From Voice Video Policy Security Technical Implementation Guide

Part of SRG-POL-300447

Associated with: CCI-001973

VVSP-01-000096_rule The organization must implement a dedicated DNS server to the Voice Video system within the LAN with restrictions.

Vulnerability discussion

Common device identifiers include, for example, media access control (MAC) addresses, Internet protocol (IP) addresses, device-unique identifiers, and phone numbers. Preventing reuse of identifiers implies preventing the assignment of previously used identifiers to different devices. For Voice Video systems, the importance of preventing reuse must also consider fire and emergency services (FES) requirements for life safety and Command and Control (C2) requirements mandating communications among top-level officials. Location (PS-ALI) and phone number (ANI) databases are often used with VoIP systems to identify the precise location of a Voice Video endpoint. When endpoints are reused, these databases must also be updated. Adversaries can use improperly maintained databases as a way of mobilizing security and emergency personnel to a faux site to weaken responses in another area.

Voice Video endpoint configuration includes one or more URLs pointing to the locations of the registration servers they associate with. These URLs are resolved to IP addresses by DNS servers. The use of URLs permits endpoints to find the Voice Video system component when the IP address has changed. This provides system flexibility but also exposes the endpoint and system to DNS vulnerabilities. The Voice Video system exposes critical IP address and domain information to the DNS system. When that DNS system is in turn exposed to DNS servers supporting the enterprise data network or the Internet, this information and exposure of the system may be extended to the global networks, which can be used to attack or compromise the Voice Video system.

Check content

Review each Voice Video system security plan (SSP) for DNS service. Ensure the organization implements a dedicated DNS server to the Voice Video system within the LAN and that any DNS server interaction with other DNS servers is limited. Examine the DNS server configuration for the Voice Video system. Ensure internal system information and URLs are not published to the enterprise WAN or the Internet. If the Voice Video system DNS server is not dedicated to the Voice Video system, this is a finding. If the Voice Video system DNS server freely interacts with other DNS servers outside the Voice Video system, this is a finding. If the Voice Video system information is published to the enterprise WAN or the Internet, this is a finding. If a restricted URL that should not be published outside the system is reachable from outside the restriction zone, this is a finding.

Fix text

Document in each Voice Video SSP the organization's implementation of a dedicated DNS server to the Voice Video system within the LAN and that any DNS server interaction with other DNS servers is limited. Ensure internal system information and URLs are not published to the enterprise WAN or the Internet.
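As an added example that is not part of the STIG text, the following BIND 9 named.conf fragment shows how the three finding conditions in the check (not dedicated, free interaction with other DNS servers, internal names published outside the system) map to resolver settings. The Voice Video subnet, server addresses and zone name are constructed placeholders, and BIND is assumed only as one common implementation.

```conf
// Added example (not STIG text): a DNS server dedicated to the Voice Video LAN.
// 10.20.30.0/24, 10.20.30.53, 10.0.0.53 and vv.example.internal are placeholders.

acl "vv-lan" { 10.20.30.0/24; };   // Voice Video system LAN (assumed)

options {
    directory "/var/named";

    // Dedicated: listen only on the Voice Video LAN interface.
    listen-on    { 10.20.30.53; };
    listen-on-v6 { none; };

    // Answer and recurse only for Voice Video endpoints and servers.
    // A finding would be: allow-query { any; }; allow-recursion { any; };
    allow-query     { vv-lan; localhost; };
    allow-recursion { vv-lan; localhost; };

    // Never hand internal zone data to any other DNS server.
    // A finding would be: allow-transfer { any; }; with notify enabled.
    allow-transfer { none; };
    notify no;

    // Limit interaction with other DNS servers: no open iteration to the
    // Internet roots; off-system names go only to one approved enterprise
    // resolver. A finding would be: recursion yes; with no forwarders.
    recursion yes;
    forward only;
    forwarders { 10.0.0.53; };

    dnssec-validation auto;
    version "not disclosed";   // do not advertise server software version
};

// Internal-only zone holding the registration-server names that endpoint
// configurations point to. The enterprise WAN/Internet DNS must carry no
// records for this zone, so these URLs resolve only inside the restriction zone.
zone "vv.example.internal" IN {
    type master;
    file "vv.example.internal.zone";
    allow-update { none; };
};
```

Verifying the last finding condition means querying the enterprise and public resolvers for a name in the internal zone from outside the Voice Video LAN and confirming it does not resolve.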
