Enterprise Voice, Video, and Messaging Policy Security Requirements Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-VOIP-000460
Group -
Sufficient backup power must be provided for LAN infrastructure, WAN boundary, VVoIP infrastructure, and VVoIP endpoints to support non-command and control (C2) user accessible endpoints for emergency life safety and security calls.
Unified Capabilities (UC) users require different levels of capability depending on command and control needs. Special-C2 decision makers requiring Flash or Flash Override precedence must have eigh...Rule Low Severity -
SRG-VOIP-000470
Group -
The Session Border Controller (SBC) must filter inbound SIP and AS-SIP traffic based on the IP addresses of the internal Enterprise Session Controller (ESC), Local Session Controller (LSC), or Multifunction Soft Switch (MFSS).
The SBC is in the VVoIP signaling between the LSC and MFSS. To limit exposure to compromise and denial of service, the SBC must only exchange signaling messages using the designated protocol (AS-SI...Rule Medium Severity -
SRG-VOIP-000480
Group -
SRG-VOIP-000500
Group -
The Session Border Controller (SBC) must be configured to only process signaling packets whose integrity is validated.
The validation of signaling packet integrity is required to ensure the packet has not been altered in transit. Packets can be altered during uncontrollable network events, such as bit errors and pa...Rule Medium Severity -
SRG-VOIP-000510
Group -
SRG-VOIP-000520
Group -
The Session Border Controller (SBC) must drop all SIP and AS-SIP packets except those secured with TLS.
DISN NIPRNet IPVS PMO and the Unified Capabilities Requirements (UCR) require all session signaling across the DISN WAN and between the Local Session Controller (LSC) and EBC to be secured with TLS...Rule Medium Severity -
SRG-VOIP-000530
Group -
SRG-VOIP-000540
Group -
The Session Border Controller (SBC) (or similar firewall type device) must perform stateful inspection and packet authentication for all VVoIP traffic (inbound and outbound) and deny all other packets.
Once a pinhole is opened in the enclave boundary for a known session, the packets that are permitted to pass must be managed. If they are not properly managed, packets that are not part of a known ...Rule High Severity -
SRG-VOIP-000550
Group -
The Session Border Controller (SBC) (or similar firewall type device) must deny all packets traversing the enclave boundary (inbound or outbound) through the IP port pinholes opened for VVoIP sessions, except RTP/RTCP, SRTP/SRTCP, or other protocol/flow established by signaling messages.
Once a pinhole is opened in the enclave boundary for a known session, the packets that are permitted to pass must be managed. If they are not properly managed, packets that are not part of a known ...Rule High Severity -
SRG-VOIP-000560
Group -
The Session Border Controller (SBC) must be configured to notify system administrators and the information system security officer (ISSO) when attempts to cause a denial of service (DoS) or other suspicious events are detected.
Action cannot be taken to thwart an attempted DOS or compromise if the system administrators responsible for the operation of the SBC and/or the network defense operators are not alerted to the occ...Rule Medium Severity -
SRG-VOIP-000570
Group -
SRG-VOIP-000590
Group -
A MAC Authentication Bypass policy must be implemented for 802.1x unsupported devices that connect to the Enterprise Voice, Video, and Messaging system.
MAC Authentication Bypass (MAB) is not a sufficient stand-alone authentication mechanism for non-802.1x supplicant endpoints. Additional policy-based validation techniques must be developed to ensu...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.