The organizational Voice Video security architecture must restrict Media Gateway Control Protocol (MGCP) and H.248 (MEGACO) to Voice Video VLANs on local networks and encrypted VPNs.

From Voice Video Policy Security Technical Implementation Guide

Part of SRG-POL-300611

Associated with: CCI-003072

VVSP-01-000143_rule The organizational Voice Video security architecture must restrict Media Gateway Control Protocol (MGCP) and H.248 (MEGACO) to Voice Video VLANs on local networks and encrypted VPNs.

Vulnerability discussion

The information security architecture at the individual information system level must be consistent with and complement the more global, organization-wide information security architecture that is integral to and developed as part of the enterprise architecture. The information security architecture includes an architectural description, the placement/allocation of security functionality (including security controls), security-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface.In addition, the security architecture can include other important security-related information, for example, user roles and access privileges assigned to each role; unique security requirements; the types of information processed, stored, and transmitted by the information system; restoration priorities of information and information system services; and any other specific protection needs.MGCP is used between Media Gateway Controllers (MGCs), Media Gateways (MGs), and other MGs to exchange sensitive gateway status and zone information and establish sessions via the MG. MGCP is a clear-text, human-readable protocol. This information is critical in the setup and completion of voice calls from one VoIP zone to another VoIP zone or, more typically, from a VoIP zone to a TDM zone. If this information is poisoned or collected and used by an unauthorized, unscrupulous individual, the effects to the VoIP environment could be detrimental. Denial of service or fraudulent system use are only two of the potential compromises. Therefore, MGCP messages must be protected from eavesdropping, man-in-the-middle, and replay attacks. To protect MGCP, Request for Comment (RFC) 2705, which defines MGCP, outlines and recommends the use of IPsec for encryption and authentication between gateways. This recommendation primarily applies to the use of MGCP across unprotected WANs such as the Internet. This extends to use on NIPRNet as well. A follow-on protocol defined jointly by the IETF in RFC 3435 and the ITU-T in Recommendation H.248.1 is MEGACO/H.248, which provides the same general functionality as MGCP. RFC 3435 also requires that H.248 packets be authenticated and/or encrypted using IPsec. Unfortunately, there is not widespread support by MGCs and MGs for IPsec protection, and therefore reliance is on external IPsec VPNs when traversing the WAN. When confined within the LAN, MGCP can be protected in a number of ways without IPsec.

Check content

Review site documentation, network diagrams, and design information to confirm the MGCP or MEGACO/H.248 is restricted to Voice Video VLANs on local networks and encrypted VPNs. Verify the following: - When the MG and session manager are colocated in the same protected VLAN, Access Control Lists (ACLs) must be established on all VLAN egress points to block the MGCP or MEGACO/H.248 from exiting the VLAN. - When the MG and session manager are located in adjacent protected VLANs, ACLs must be established to permit MGCP or MEGACO/H.248 between the MG and session manager but block MGCP or MEGACO/H.248 from exiting these VLANs. - When MGCP or MEGACO/H.248 is used to control any MG across a WAN, an encrypted VPN must be used to protect the MGCP traffic. - Ensure the source of MGCP or MEGACO/H.248 packets is authenticated to originate from a valid source and/or minimally filter acceptance on source IP address. If the MGCP or MEGACO/H.248 is not restricted to Voice Video VLANs on local networks and encrypted VPNs, this is a finding.

Fix text

Implement and document the architecture of the LAN supporting the Voice Video system using MGCP or MEGACO/H.248 to restrict these to the Voice Video VLANs on local networks and encrypted VPNs. Implement MGCP or MEGACO/H.238 as follows: - When the MG and session manager are colocated in the same protected VLAN, ACLs must be established on all VLAN egress points to block the MGCP or MEGACO/H.248 from exiting the VLAN. - When the MG and session manager are located in adjacent protected VLANs, ACLs must be established to permit MGCP or MEGACO/H.248 between the MG and session manager but block MGCP or MEGACO/H.248 from exiting these VLANs. - When MGCP or MEGACO/H.248 is used to control any MG across a WAN, an encrypted VPN must be used to protect the MGCP traffic. - Ensure the source of MGCP or MEGACO/H.248 packets is authenticated to originate from a valid source and/or minimally filter acceptance on source IP address.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer