From Voice Video Policy Security Technical Implementation Guide
Part of SRG-POL-300611
Associated with: CCI-003072
The information security architecture at the individual information system level must be consistent with and complement the more global, organization-wide information security architecture that is integral to and developed as part of the enterprise architecture. The information security architecture includes an architectural description, the placement/allocation of security functionality (including security controls), security-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface.
Review each Voice Video system security plan (SSP). Confirm the Voice Video system and the supporting LAN are designed and implemented using multiple VLANs to segregate the Voice Video core equipment, endpoints, and services from all other hosts and services (including data, management, and other Voice Video systems) running on the LAN. Verify that VLANs and subnets are provided and equipment separated for devices that are implemented in the system, as follows:
- Hardware Endpoints: Multiple VLANs generally in parallel with data VLANs, the number of which is dependent on the size of the LAN and as required for the reduction of broadcast domains per good LAN design. For small networks there will be a minimum of one.
- Soft client endpoints: Multiple VLANs generally in parallel with data VLANs. Voice and data traffic may coexist on the data VLAN when leaving the workstation. The soft client must tag its signaling and media traffic with the proper Differentiated Services Code Point (DSCP). The LAN access switch port must route the soft client traffic to the Voice Video VLAN.
- Voice Video system core equipment containing the session manager, endpoint configuration server, and other support servers used.
- Media gateways (MG) to the DSN and PSTN.
- Signaling gateways (SG) to the DSN.
- Session border controller (SBC) to the DoD WAN.
- Voicemail and Unified Messaging Servers: These may need to be accessible from both the voice and data VLANs.

If the Voice Video system uses the default VLAN (VLAN 0 or 1), this is a finding.
If the Voice Video VLAN design for the supporting LAN does not segment Voice Video services from all other services on the LAN, this is a finding.
If the Voice Video VLAN design does not segment Voice Video services between Voice Video components, this is a finding.
If the Voice Video system does not have a minimum of two VLANs, one for Voice Video endpoints and one for core equipment, this is a finding.
NOTE: The Voice Video system core VLANs may be replaced by direct connections so the Access Control Lists (ACLs) may be implemented on the physical interface to the device. This requires that such direct physical connections be given a discrete subnet.
Document in each Voice Video SSP the Voice Video VLAN design for the supporting LAN, providing segmentation of Voice Video services from all other services on the LAN and between Voice Video components. Design the Voice Video system and the supporting LAN to use multiple VLANs/subnets to segregate the Voice Video core equipment, endpoints, and services from all other hosts and services (including data, management, and other Voice Video systems) running on the LAN. VLANs and subnets will be provided and equipment separated for devices that are implemented in the system, as follows:
- Hardware Endpoints: Multiple VLANs generally in parallel with data VLANs, the number of which is dependent on the size of the LAN and as required for the reduction of broadcast domains per good LAN design. For small networks there will be a minimum of one.
- Soft client endpoints: Multiple VLANs generally in parallel with data VLANs. Voice and data traffic may coexist on the data VLAN when leaving the workstation. The soft client must tag its signaling and media traffic with the proper DSCP. The LAN access switch port must route the soft client traffic to the Voice Video VLAN.
- Voice Video system core equipment containing the session manager, endpoint configuration server, and other support servers used.
- MG to the DSN and PSTN.
- SG to the DSN.
- SBC to the DoD WAN.
- Voicemail and Unified Messaging Servers: These may need to be accessible from both the voice and data VLANs.

The VLANs/subnets and associated ACLs must be configured for elements in the Voice Video system. The VLAN/ACL design may change depending on the location and physical makeup of the Voice Video core equipment. For example, when an MG and SG reside on the same platform and both use the same Ethernet LAN connections, separate VLANs are not needed for the MG and SG, but the ACL protecting them may need to be adjusted accordingly.
NOTE: The Voice Video system core VLANs may be replaced by direct connections so the ACLs may be implemented on the physical interface to the device. This requires that such direct physical connections be given a discrete subnet.
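The four "this is a finding" conditions above can be checked mechanically against the VLAN assignments documented in an SSP. The script below is an added example, not part of the STIG or any vendor tool; it assumes a constructed inventory of (role, VLAN ID) pairs and applies the rules as stated, including the allowance for an MG and SG sharing one VLAN.

```python
from collections import defaultdict

DEFAULT_VLANS = {0, 1}                      # VLAN 0 or 1 is never acceptable
ENDPOINT_ROLES = {"hw_endpoint", "soft_client"}
CORE_ROLES = {"core", "mg", "sg", "sbc", "voicemail"}
VV_ROLES = ENDPOINT_ROLES | CORE_ROLES      # everything else is "other" (data, mgmt, ...)

# Constructed sample SSP inventory: (role, VLAN ID). The MG and SG share VLAN 121,
# which the fix text permits when they live on the same platform.
SAMPLE_INVENTORY = [
    ("hw_endpoint", 110), ("hw_endpoint", 111), ("soft_client", 112),
    ("core", 120), ("mg", 121), ("sg", 121), ("sbc", 122), ("voicemail", 123),
    ("data", 10), ("management", 99),
]

def evaluate(inventory):
    """Return the list of findings for an inventory; an empty list means compliant."""
    findings = []
    roles_by_vlan = defaultdict(set)
    for role, vlan in inventory:
        roles_by_vlan[vlan].add(role)
    vv_vlans = {v for r, v in inventory if r in VV_ROLES}
    endpoint_vlans = {v for r, v in inventory if r in ENDPOINT_ROLES}
    core_vlans = {v for r, v in inventory if r in CORE_ROLES}

    # Rule 1: Voice Video components must not sit on the default VLAN.
    if vv_vlans & DEFAULT_VLANS:
        findings.append("Voice Video system uses the default VLAN (0 or 1)")
    # Rule 2: no VLAN may carry both Voice Video and non-Voice Video services.
    for vlan, roles in sorted(roles_by_vlan.items()):
        other = roles - VV_ROLES
        if (roles & VV_ROLES) and other:
            findings.append(f"VLAN {vlan} mixes Voice Video with {sorted(other)}")
    # Rule 3: endpoints and core components must be segmented from each other.
    if endpoint_vlans & core_vlans:
        findings.append("endpoints share a VLAN with core equipment")
    # Rule 4: at least two Voice Video VLANs, one for endpoints and one for core.
    if len(vv_vlans) < 2 or not endpoint_vlans or not core_vlans:
        findings.append("fewer than two Voice Video VLANs (endpoints + core required)")
    return findings

if __name__ == "__main__":
    for line in evaluate(SAMPLE_INVENTORY) or ["no findings"]:
        print(line)
```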