Enterprise Voice, Video, and Messaging Policy Security Requirements Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
When soft-phones are implemented as the primary voice endpoint in the user's workspace, a policy must be defined to supplement with physical hardware-based phones near all such workspaces.
This and several other requirements discuss the implementation of PC soft-phones or UC applications as the primary and only communications device in the user's workspace. While this degrades the ...Rule Medium Severity -
SRG-VOIP-000270
Group -
Implementing Unified Capabilities (UC) soft clients as the primary voice endpoint must have authorizing official (AO) approval.
The AO responsible for the implementation of a voice system that uses UC soft clients for its endpoints must be made aware of the risks and benefits. In addition, the commander of an organization w...Rule Medium Severity -
SRG-VOIP-000280
Group -
Deploying Unified Capabilities (UC) soft clients on DOD networks must have authorizing official (AO) approval.
This use case addresses situations in which UC soft client applications on workstations are not the primary voice communications device in the work area. This means there is a validated mission nee...Rule Medium Severity -
SRG-VOIP-000290
Group -
SRG-VOIP-000310
Group -
The LAN hardware supporting VVoIP services must provide redundancy to support command and control (C2) assured services and Fire and Emergency Services (FES) communications.
Voice services in support of high-priority military command and control precedence must meet minimum requirements for reliability and survivability of the supporting infrastructure. Design requirem...Rule Medium Severity -
SRG-VOIP-000320
Group -
The LAN hardware supporting VVoIP services must provide physically diverse pathways for redundant links supporting command and control (C2) assured services and Fire and Emergency Services (FES) communications.
Voice services in support of high-priority military command and control precedence must meet minimum requirements for reliability and survivability of the supporting infrastructure. Design requirem...Rule Medium Severity -
SRG-VOIP-000330
Group -
The site's enclave boundary protection must route commercial VoIP traffic via a local Media Gateway (MG) connected to a commercial service provider using PRI, CAS, or POTS analog trunks.
There are several reasons VVoIP system access to local voice services must use a locally implemented MG connected to commercial voice services, including: - The implementation or receipt of commer...Rule Medium Severity -
SRG-VOIP-000340
Group -
SRG-VOIP-000350
Group -
The enclave must be dual homed to two geographically diverse DISN SDNs and DISN WAN Service (NIPRNet or SIPRNet) Aggregation Routers (AR) or DISN Provider Edge (PE) routers.
Redundancy and dual homing is used within the DISN core to provide for continuity of operations (COOP) if a piece of equipment, circuit path, or an entire service delivery node is lost. DOD polic...Rule Medium Severity -
SRG-VOIP-000360
Group -
The dual homed DISN core access circuits must be implemented so that each one can support the full bandwidth engineered for the enclave plus additional bandwidth to support surge conditions in time of crisis.
Providing dual-homed access circuits from a command and control (C2) enclave to the DISN core is useless unless both circuits provide the same capacity to include enough overhead to support surge c...Rule Medium Severity -
SRG-VOIP-000370
Group -
SRG-VOIP-000380
Group -
SRG-VOIP-000390
Group -
Enclaves with commercial VoIP connections must be approved by the DODIN Waiver Panel and signed by DOD CIO for a permanent alternate connection to the Internet Telephony Service Provider (ITSP).
The DOD requires the use of DISN services as the first choice to meet core communications needs. When additional services for SIP trunks are necessary, an ITSP may provide an "alternate connection"...Rule Medium Severity -
SRG-VOIP-000400
Group -
The Fire and Emergency Services (FES) communications over a site's telephone system must be configured to support the Department of Defense Instruction (DODI) 6055.06 telecommunication capabilities.
Emergency communications must include requests for fire, police, and medical assistance. In DOD, these communications can also include requests for Aircraft Rescue and Fire Fighting (ARFF), explosi...Rule Medium Severity -
SRG-VOIP-000410
Group -
SRG-VOIP-000420
Group -
The Fire and Emergency Services (F&ES) communications over a site's private telephone system must provide a direct callback telephone number and physical location of an F&ES caller to the emergency services answering point or call center through a transfer of Automatic Number Identification (ANI) and extended Automatic Location Identification (ALI) information or access to an extended ALI database.
Under Federal Communications Commission (FCC) rules and the laws of some states, the implementation of Enhanced F&ES telecommunications services requires that the emergency services answering point ...Rule Medium Severity -
SRG-VOIP-000430
Group -
The Fire and Emergency Services (F&ES) communications over a site's private telephone system must route emergency calls as a priority call in a nonblocking manner.
When calling the designated F&ES telephone number, the call must go through regardless of the state of other calls in the system. Emergency calls must be treated as a priority call by the system. ...Rule Medium Severity -
SRG-VOIP-000490
Group -
SRG-VOIP-000450
Group -
SRG-VOIP-000460
Group -
Sufficient backup power must be provided for LAN infrastructure, WAN boundary, VVoIP infrastructure, and VVoIP endpoints to support non-command and control (C2) user accessible endpoints for emergency life safety and security calls.
Unified Capabilities (UC) users require different levels of capability depending on command and control needs. Special-C2 decision makers requiring Flash or Flash Override precedence must have eigh...Rule Low Severity -
SRG-VOIP-000470
Group -
The Session Border Controller (SBC) must filter inbound SIP and AS-SIP traffic based on the IP addresses of the internal Enterprise Session Controller (ESC), Local Session Controller (LSC), or Multifunction Soft Switch (MFSS).
The SBC is in the VVoIP signaling between the LSC and MFSS. To limit exposure to compromise and denial of service, the SBC must only exchange signaling messages using the designated protocol (AS-SI...Rule Medium Severity -
SRG-VOIP-000480
Group -
SRG-VOIP-000500
Group -
The Session Border Controller (SBC) must be configured to only process signaling packets whose integrity is validated.
The validation of signaling packet integrity is required to ensure the packet has not been altered in transit. Packets can be altered during uncontrollable network events, such as bit errors and pa...Rule Medium Severity -
SRG-VOIP-000510
Group -
SRG-VOIP-000520
Group -
The Session Border Controller (SBC) must drop all SIP and AS-SIP packets except those secured with TLS.
DISN NIPRNet IPVS PMO and the Unified Capabilities Requirements (UCR) require all session signaling across the DISN WAN and between the Local Session Controller (LSC) and EBC to be secured with TLS...Rule Medium Severity -
SRG-VOIP-000530
Group -
SRG-VOIP-000540
Group -
The Session Border Controller (SBC) (or similar firewall type device) must perform stateful inspection and packet authentication for all VVoIP traffic (inbound and outbound) and deny all other packets.
Once a pinhole is opened in the enclave boundary for a known session, the packets that are permitted to pass must be managed. If they are not properly managed, packets that are not part of a known ...Rule High Severity -
SRG-VOIP-000550
Group -
The Session Border Controller (SBC) (or similar firewall type device) must deny all packets traversing the enclave boundary (inbound or outbound) through the IP port pinholes opened for VVoIP sessions, except RTP/RTCP, SRTP/SRTCP, or other protocol/flow established by signaling messages.
Once a pinhole is opened in the enclave boundary for a known session, the packets that are permitted to pass must be managed. If they are not properly managed, packets that are not part of a known ...Rule High Severity -
SRG-VOIP-000560
Group -
The Session Border Controller (SBC) must be configured to notify system administrators and the information system security officer (ISSO) when attempts to cause a denial of service (DoS) or other suspicious events are detected.
Action cannot be taken to thwart an attempted DoS or compromise if the system administrators responsible for the operation of the SBC and/or the network defense operators are not alerted to the occ...Rule Medium Severity -
SRG-VOIP-000570
Group -
SRG-VOIP-000590
Group -
A MAC Authentication Bypass policy must be implemented for 802.1x unsupported devices that connect to the Enterprise Voice, Video, and Messaging system.
MAC Authentication Bypass (MAB) is not a sufficient stand-alone authentication mechanism for non-802.1x supplicant endpoints. Additional policy-based validation techniques must be developed to ensu...Rule Medium Severity