The Session Border Controller (SBC) must be configured to notify system administrators and the information system security officer (ISSO) when attempts to cause a denial of service (DoS) or other suspicious events are detected.
An XCCDF Rule
Description
Action cannot be taken to thwart an attempted DoS or compromise if the system administrators responsible for the operation of the SBC and/or the network defense operators are not alerted to the occurrence in real time.
- ID: SV-259936r948782_rule
- Severity: Medium
- References
- Updated
Remediation - Manual Procedure
Ensure the DISN NIPRNet IPVS SBC is configured to notify system administrators and the ISSO when the following conditions occur:
- Any number of malformed SIP, AS-SIP, or SRTP/SRTCP messages are received that could indicate an attempt to compromise the SBC.
- Excessive numbers of SIP or AS-SIP messages are received from any given IP address that could indicate an attempt to cause a DoS.
- Excessive numbers of messages are dropped due to authentication or integrity check failures, potentially indicating an attempt to cause a DoS or an attempt to effect a man-in-the-middle attack.
NOTE: The VVoIP system may allow SIP and SRTP traffic encrypted and encapsulated on port 443 from cloud service providers.
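
The three notification conditions above expressed as detection logic, as an added example (not part of the STIG or of any vendor's SBC). The log format, event names, and thresholds are assumptions; the rule does not define what counts as "excessive".

```python
from collections import defaultdict, deque

# Assumed thresholds: the rule says "excessive" without giving numbers.
WINDOW_S = 10          # sliding window, seconds
MAX_MSGS_PER_SRC = 3   # SIP/AS-SIP messages per source IP per window
MAX_DROPS = 2          # auth/integrity-check drops per window

# Constructed events in a hypothetical "epoch src=IP event=KIND" log format.
SAMPLE_LOG = """\
100 src=192.0.2.10 event=sip_msg
101 src=198.51.100.7 event=malformed_srtp
102 src=203.0.113.5 event=sip_msg
103 src=203.0.113.5 event=sip_msg
104 src=203.0.113.5 event=sip_msg
105 src=203.0.113.5 event=sip_msg
106 src=198.51.100.9 event=auth_drop
107 src=198.51.100.9 event=integrity_drop
108 src=198.51.100.9 event=auth_drop
130 src=192.0.2.10 event=sip_msg
"""

def _push(window, ts):
    """Record ts and return how many events remain inside the window."""
    window.append(ts)
    while window[0] <= ts - WINDOW_S:
        window.popleft()
    return len(window)

def detect(log_text):
    """Return (timestamp, condition, source) alerts for the three conditions."""
    alerts, per_src, drops = [], defaultdict(deque), deque()
    reported = set()   # alert once per source/condition to avoid alert storms
    for line in filter(str.strip, log_text.splitlines()):
        ts, src, event = line.split()
        ts, src, event = int(ts), src.partition("=")[2], event.partition("=")[2]
        if event.startswith("malformed_"):       # condition 1: any malformed message
            alerts.append((ts, event, src))
        elif event == "sip_msg":                 # condition 2: per-source flood
            if _push(per_src[src], ts) > MAX_MSGS_PER_SRC and src not in reported:
                reported.add(src)
                alerts.append((ts, "sip_flood", src))
        elif event in ("auth_drop", "integrity_drop"):   # condition 3: drops
            if _push(drops, ts) > MAX_DROPS and "drops" not in reported:
                reported.add("drops")
                alerts.append((ts, "excessive_drops", src))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("ALERT", *alert)
```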