Critical network equipment must be redundant and in geographically diverse locations for a site supporting command and control (C2) users.
An XCCDF Rule
Description
<VulnDiscussion>The enhanced reliability and availability achieved by the implementation of redundancy and geographic diversity throughout the DISN Core, along with the implementation of dual-homed circuits via geographically diverse pathways and facilities, is negated if both access circuits enter the enclave via the same facility containing a single Customer Edge Router (CER) connected to a single Session Border Controller (SBC). The reliability, redundancy, and robustness of the CER, SBC, and power source are subverted when the facility represents a single point of failure. For a small number of C2 users this may be less concerning, but with more C2 users supported by the system, the greater the issue. Even less severe eventualities may limit the capability of the system to support reliable communications. The mitigation for this systemwide vulnerability is to implement redundant facilities to which the geographically diverse pathways containing the dual-homed access circuits can run and terminate on redundant, geographically separated sets of CERs, SBCs, and core LAN equipment. Session controllers can also be separated in this manner. This mitigation is costly, and facilities housing critical communications infrastructure are not lost very often. However, the cost of mitigating this vulnerability must be weighed against the loss of critical communications, particularly in time of crisis. If the site supports large numbers of high-level C2 users or Special-C2 users, the cost of losing communications may outweigh the cost of providing redundant facilities. Another consideration should be that access to emergency services via the communications system would also be lost. The threat to strategic facilities is greater from natural causes than from damage due to acts of war or terrorism. However, all threats must be considered. Tactical facilities have a higher vulnerability to acts of war, on a par with or exceeding the vulnerability posed by natural events.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-259918r948764_rule
- Severity
- Low
- References
- Updated
Remediation - Manual Procedure
Implement and document critical network equipment as redundant and in geographically diverse locations for a site supporting C2 users. Critical network equipment includes CERs, SBCs, and session controllers (or Soft Switches in combination with session controllers).
NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.