The Session Border Controller (SBC) must drop all SIP and AS-SIP packets except those secured with TLS.

An XCCDF Rule

Description

<VulnDiscussion>DISN NIPRNet IPVS PMO and the Unified Capabilities Requirements (UCR) require all session signaling across the DISN WAN and between the Local Session Controller (LSC) and EBC to be secured with TLS. The standard IANA assigned IP port for SIP protected by TLS (SIP-TLS) is 5061. DOD PPSM requires that protocols traversing the DISN and DOD enclave boundaries use the standard IP ports for the specific protocol. Because AS-SIP is a standardized extension of the SIP protocol and AS-SIP must be protected by TLS, AS-SIP-TLS must use IP port 5061. The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated using TLS on port 443 from cloud service providers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-259932r948778_rule
Severity: Medium
References: CCI-001548
Updated: 23 days ago

Ensure the DISN NIPRNet IPVS SBC is configured to drop the following signaling packets:
- SIP packets arriving on IP port 5060 or 5061.
- SIP packets arriving on IP port 443 not secured with TLS.
- AS-SIP packets arriving on IP port 5060.
- AS-SIP packets arriving on IP port 5061 not secured with TLS.
NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from Cloud service providers.

The Session Border Controller (SBC) must drop all SIP and AS-SIP packets except those secured with TLS.

Description

Remediation - Manual Procedure