Enterprise Voice, Video, and Messaging Policy Security Requirements Guide
SRG-VOIP-000240
An XCCDF Group - A logical subset of the XCCDF Benchmark
1 Rule
Customers of the DISN VoSIP service must use address blocks assigned by the DRSN/VoSIP PMO.
Low Severity
Ensure different, dedicated address blocks or ranges are defined for the VVoIP system within the LAN (Enclave) that are separate from the address blocks/ranges used by the rest of the LAN for non-VVoIP system devices, thus allowing traffic and access control using firewalls and router ACLs.
NOTE: This is applicable to a classified LAN connected to a classified WAN (such as the SIPRNet). In the case of a classified WAN where networkwide address-based accountability or traceability is required by the network PMO, the PMO must provide segregated, networkwide address block(s) so the attached classified LANs can meet this requirement.
DISA provides a worldwide VoIP-based voice communications service called the DISN Voice over Secret IP (VoSIP). This service is managed by the DRSN PMO. This service also provides gateways into the DRSN. In support of the above requirement, the SIPRNet PMO has designated specific dedicated address ranges for use by the DISN VoSIP service and assigned these address blocks to the DRSN/VoSIP PMO for VoSIP address management and assignment.
The VoSIP service provides VoIP-based communications between VoIP systems within the customer's classified LANs (C-LANs) operating at the secret level while using the SIPRNet WAN for the inter-enclave (inter-LAN) transport. Additionally, the SIPRNet PMO requires networkwide address-based accountability or traceability based on assigned IP address. The customer's SIPRNet-connected secret C-LANs use addresses assigned by the SIPRNet PMO. Therefore, customers of the DISN VoSIP service must use IP addresses assigned to them by the DRSN/VoSIP PMO when addressing the VoIP controllers and endpoints within their C-LANs. This is to maintain the segregation of the voice and data environments on the customer's secret C-LANs as required by this SRG. This also facilitates proper routing and flow control over the traffic between VoSIP addresses.
The DISN service is designated DISN Voice over Secret IP but uses an acronym (VoSIP), which also means Voice over Secure IP. Voice over Secure IP relates to any VoIP-based service on a secure or classified IP network. While the DISN VoSIP service is the preferred means to interconnect SIPRNet-connected secret C-LANs for VoIP service, there may be a need for an organization to implement a VoIP-based voice or video communications system within their organization or with close partners. If such a system has no need or potential need to communicate with other enclaves that use the DISN VoSIP service, they must use their own dedicated IP address space carved out of the address space assigned to their C-LANs by the SIPRNet PMO.
Documentable: false