The Voice Video VLAN design for the supporting LAN must provide segmentation of Voice Video services from all other services on the LAN and between Voice Video components.

From Voice Video Policy Security Technical Implementation Guide

Part of SRG-POL-300611

Associated with: CCI-003072

VVSP-01-000153_rule The Voice Video VLAN design for the supporting LAN must provide segmentation of Voice Video services from all other services on the LAN and between Voice Video components.

Vulnerability discussion

The information security architecture at the individual information system level must be consistent with and complement the more global, organization-wide information security architecture that is integral to and developed as part of the enterprise architecture. The information security architecture includes an architectural description, the placement/allocation of security functionality (including security controls), security-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface.

In addition, the security architecture can include other important security-related information, for example, user roles and access privileges assigned to each role; unique security requirements; the types of information processed, stored, and transmitted by the information system; restoration priorities of information and information system services; and any other specific protection needs.

Voice video traffic must be isolated from data traffic using separate physical LANs or VLANs. VLAN technology is an effective method for grouping users into workgroups that share a specific network address space and broadcast domain regardless of their physical location on the network. Hosts within a VLAN communicate directly at Layer 2 only with other hosts in the same VLAN; to reach another VLAN, traffic must be routed at Layer 3, which is where ACLs can enforce which services may cross the boundary. VLANs can offer significant benefits in a multi-service network by providing a convenient way of isolating Voice Video equipment and traffic from the data traffic. When VLANs are deployed, excessive broadcast and multicast packets present in the normal data traffic will not disrupt Voice Video services. As with data networks, Voice Video equipment and endpoints should be logically grouped using multiple VLANs so that Voice Video endpoints share their VLANs only with other Voice Video endpoints. Each type of Voice Video device should have its own mutually exclusive VLAN.

Check content

Review each Voice Video system security plan (SSP). Confirm the Voice Video system and the supporting LAN are designed and implemented using multiple VLANs to segregate the Voice Video core equipment, endpoints, and services from all other hosts and services (including data, management, and other Voice Video systems) running on the LAN. Verify that VLANs and subnets are provided and equipment separated for devices that are implemented in the system, as follows:

- Hardware Endpoints: Multiple VLANs, generally in parallel with data VLANs; the number depends on the size of the LAN and on the reduction of broadcast domains required by good LAN design. For small networks there will be a minimum of one.
- Soft client endpoints: Multiple VLANs, generally in parallel with data VLANs. Voice and data traffic may coexist on the data VLAN when leaving the workstation. The soft client must tag its signaling and media traffic with the proper Differentiated Services Code Point (DSCP). The LAN access switch port must place the soft client's signaling and media traffic in the Voice Video VLAN.
- Voice Video system core equipment containing the session manager, endpoint configuration server, and other support servers used.
- Media gateways (MG) to the DSN and PSTN.
- Signaling gateways (SG) to the DSN.
- Session border controller (SBC) to the DoD WAN.
- Voicemail and Unified Messaging Servers: These may need to be accessible from both the voice and data VLANs.

If the Voice Video system uses the default VLAN (VLAN 0 or 1), this is a finding.

If the Voice Video VLAN design for the supporting LAN does not segment Voice Video services from all other services on the LAN, this is a finding.

If the Voice Video VLAN design does not segment Voice Video services between Voice Video components, this is a finding.

If the Voice Video system does not have a minimum of two VLANs, one for Voice Video endpoints and one for core equipment, this is a finding.
NOTE: The Voice Video system core VLANs may be replaced by direct connections so the Access Control Lists (ACLs) may be implemented on the physical interface to the device. This requires that such direct physical connections be given a discrete subnet.
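The four findings above can be evaluated mechanically against the VLAN inventory recorded in an SSP. The following is an added example (not part of the STIG or of any vendor's tooling) that encodes them as a check over a constructed inventory. The role names, the inventory entries and the optional platform attribute are assumptions made for illustration; the platform attribute models the fix-text exception that lets an MG and SG on one chassis share a VLAN. Soft clients are deliberately not modelled, because their traffic lives on a data-VLAN workstation until the access switch places it in the Voice Video VLAN, so VLAN membership is not the right attribute for them.

```python
"""Evaluate a Voice Video VLAN inventory against the VVSP-01-000153 check.

Added example, not part of the STIG. The inventories below are constructed
for illustration; the role names are the device classes the check lists.
"""
from collections import defaultdict

DEFAULT_VLANS = {0, 1}  # the check calls VLAN 0 or 1 the default VLAN

VOICE_VIDEO_ROLES = {"endpoint", "core", "mg", "sg", "sbc", "voicemail"}
OTHER_ROLES = {"data", "management", "other_vv_system"}


def evaluate(inventory):
    """Return a list of finding strings for the inventory (empty = no finding).

    Each inventory entry is a dict with name, role, vlan and optionally
    platform (assumed attribute): the chassis a device shares with others,
    used for the fix-text exception that lets an MG and SG on one platform
    share a VLAN.
    """
    findings = []
    by_vlan = defaultdict(list)
    for dev in inventory:
        by_vlan[dev["vlan"]].append(dev)
    vv_devices = [d for d in inventory if d["role"] in VOICE_VIDEO_ROLES]

    # 1. Voice Video equipment on the default VLAN.
    for d in vv_devices:
        if d["vlan"] in DEFAULT_VLANS:
            findings.append(f"{d['name']} ({d['role']}) uses default VLAN {d['vlan']}")

    for vlan, devs in sorted(by_vlan.items()):
        roles = {d["role"] for d in devs}
        vv_roles = roles & VOICE_VIDEO_ROLES
        if not vv_roles:
            continue  # a pure data/management VLAN is outside this check
        # 2. Voice Video VLAN shared with data, management or another VV system.
        if roles & OTHER_ROLES:
            findings.append(f"VLAN {vlan} mixes Voice Video with {sorted(roles & OTHER_ROLES)}")
        # 3. Different Voice Video component types on one VLAN, unless every
        #    VV device on it is the same platform (MG/SG on one box, per fix text).
        platforms = {d.get("platform") for d in devs if d["role"] in VOICE_VIDEO_ROLES}
        same_platform = len(platforms) == 1 and None not in platforms
        if len(vv_roles) > 1 and not same_platform:
            findings.append(f"VLAN {vlan} is shared by Voice Video components {sorted(vv_roles)}")

    # 4. At least two VLANs: one for endpoints, one for core equipment.
    endpoint_vlans = {d["vlan"] for d in vv_devices if d["role"] == "endpoint"}
    core_vlans = {d["vlan"] for d in vv_devices if d["role"] == "core"}
    if not endpoint_vlans or not core_vlans or len(endpoint_vlans | core_vlans) < 2:
        findings.append("fewer than two Voice Video VLANs (endpoints and core must be separate)")
    return findings


# Constructed inventories for a hypothetical site, not taken from any SSP.
COMPLIANT = [
    {"name": "phone-1", "role": "endpoint", "vlan": 110},
    {"name": "phone-2", "role": "endpoint", "vlan": 111},
    {"name": "callmgr-1", "role": "core", "vlan": 120},
    {"name": "tftp-cfg", "role": "core", "vlan": 120},
    {"name": "gw-1-mg", "role": "mg", "vlan": 130, "platform": "gw-1"},
    {"name": "gw-1-sg", "role": "sg", "vlan": 130, "platform": "gw-1"},
    {"name": "sbc-1", "role": "sbc", "vlan": 140},
    {"name": "vm-1", "role": "voicemail", "vlan": 150},
    {"name": "pc-1", "role": "data", "vlan": 10},
    {"name": "oob-mgmt", "role": "management", "vlan": 99},
]

NONCOMPLIANT = [
    {"name": "phone-1", "role": "endpoint", "vlan": 1},   # default VLAN
    {"name": "callmgr-1", "role": "core", "vlan": 1},     # shares VLAN with phones
    {"name": "pc-1", "role": "data", "vlan": 1},          # data host on the voice VLAN
    {"name": "gw-1-mg", "role": "mg", "vlan": 130},
    {"name": "sbc-1", "role": "sbc", "vlan": 130},        # MG and SBC on separate boxes
]

if __name__ == "__main__":
    for label, inv in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        print(label, evaluate(inv) or "no findings")
```

The voicemail entry is placed on its own VLAN even though the check allows it to be reachable from both the voice and data VLANs: reachability is a routing and ACL decision at Layer 3, not a reason to put the server in a shared VLAN.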

Fix text

Document in each Voice Video SSP the Voice Video VLAN design for the supporting LAN, providing segmentation of Voice Video services from all other services on the LAN and between Voice Video components. Design the Voice Video system and the supporting LAN to use multiple VLANs/subnets to segregate the Voice Video core equipment, endpoints, and services from all other hosts and services (including data, management, and other Voice Video systems) running on the LAN. VLANs and subnets will be provided and equipment separated for devices that are implemented in the system, as follows:

- Hardware Endpoints: Multiple VLANs, generally in parallel with data VLANs; the number depends on the size of the LAN and on the reduction of broadcast domains required by good LAN design. For small networks there will be a minimum of one.
- Soft client endpoints: Multiple VLANs, generally in parallel with data VLANs. Voice and data traffic may coexist on the data VLAN when leaving the workstation. The soft client must tag its signaling and media traffic with the proper DSCP. The LAN access switch port must place the soft client's signaling and media traffic in the Voice Video VLAN.
- Voice Video system core equipment containing the session manager, endpoint configuration server, and other support servers used.
- MG to the DSN and PSTN.
- SG to the DSN.
- SBC to the DoD WAN.
- Voicemail and Unified Messaging Servers: These may need to be accessible from both the voice and data VLANs.

The VLANs/subnets and associated ACLs must be configured for all elements in the Voice Video system. The VLAN/ACL design may change depending on the location and physical makeup of the Voice Video core equipment. For example, when an MG and SG reside on the same platform and both use the same Ethernet LAN connections, separate VLANs are not needed for the MG and SG, but the ACL protecting them may need to be adjusted accordingly.
NOTE: The Voice Video system core VLANs may be replaced by direct connections so the ACLs may be implemented on the physical interface to the device. This requires that such direct physical connections be given a discrete subnet.
