Skip to content
Log In

I - Mission Critical Sensitive

Rules and Groups employed by this XCCDF Profile

  • SRG-VOIP-000500

    Group
    Show

  • The Session Border Controller (SBC) must be configured to only process signaling packets whose integrity is validated.

    The validation of signaling packet integrity is required to ensure the packet has not been altered in transit. Packets can be altered during uncontrollable network events, such as bit errors and pa...
    Rule Medium Severity
    Show

  • SRG-VOIP-000510

    Group
    Show

  • The Session Border Controller (SBC) must be configured to validate the structure and validity of SIP and AS-SIP messages so that malformed messages or messages containing errors are dropped before action is taken on the contents.

    Malformed SIP and AS_SIP messages, as well as messages containing errors, could be an indication that an adversary is attempting some form of attack or denial of service. Such an attack is called f...
    Rule Low Severity
    Show

  • SRG-VOIP-000520

    Group
    Show

  • The Session Border Controller (SBC) must drop all SIP and AS-SIP packets except those secured with TLS.

    DISN NIPRNet IPVS PMO and the Unified Capabilities Requirements (UCR) require all session signaling across the DISN WAN and between the Local Session Controller (LSC) and EBC to be secured with TLS...
    Rule Medium Severity
    Show

  • SRG-VOIP-000530

    Group
    Show

  • The Session Border Controller (SBC) must be configured to manage IP port pinholes for the SRTP/SRTCP bearer streams based on the information in the SIP and AS-SIP messages.

    The function of the SBC is to manage SIP and AS-SIP signaling messages. The SBC also manages the SRTP/SRTCP bearer streams. The DISN IPVS PMO has determined that the SBC will pass the negotiated an...
    Rule Medium Severity
    Show

  • SRG-VOIP-000540

    Group
    Show

  • The Session Border Controller (SBC) (or similar firewall type device) must perform stateful inspection and packet authentication for all VVoIP traffic (inbound and outbound) and deny all other packets.

    Once a pinhole is opened in the enclave boundary for a known session, the packets that are permitted to pass must be managed. If they are not properly managed, packets that are not part of a known ...
    Rule High Severity
    Show

  • SRG-VOIP-000550

    Group
    Show

  • The Session Border Controller (SBC) (or similar firewall type device) must deny all packets traversing the enclave boundary (inbound or outbound) through the IP port pinholes opened for VVoIP sessions, except RTP/RTCP, SRTP/SRTCP, or other protocol/flow established by signaling messages.

    Once a pinhole is opened in the enclave boundary for a known session, the packets that are permitted to pass must be managed. If they are not properly managed, packets that are not part of a known ...
    Rule High Severity
    Show

  • SRG-VOIP-000560

    Group
    Show

  • The Session Border Controller (SBC) must be configured to notify system administrators and the information system security officer (ISSO) when attempts to cause a denial of service (DoS) or other suspicious events are detected.

    Action cannot be taken to thwart an attempted DOS or compromise if the system administrators responsible for the operation of the SBC and/or the network defense operators are not alerted to the occ...
    Rule Medium Severity
    Show

  • SRG-VOIP-000570

    Group
    Show

  • The Enterprise Voice, Video, and Messaging system connecting with a DISN IPVS must be configured to signal with a backup Multifunction Soft Switch (MFSS) (or SS) if the primary cannot be reached.

    Redundancy of equipment and associations is used in an IP network to increase the availability of a system. Multiple MFSSs in the DISN NIPRNet IPVS network and multiple SSs in the DISN SIPRNet IPVS...
    Rule Medium Severity
    Show

  • SRG-VOIP-000580

    Group
    Show

  • The Multifunction Soft Switch (MFSS) must be configured to synchronize with at minimum a paired MFSS and/or others so that each may serve as a backup for the other when signaling with its assigned Local Session Controller (LSC), thus improving the reliability and survivability of the DISN IPVS network.

    MFSSs are critical to the operation of the DISN NIPRNet IPVS network. They broker the establishment of calls between enclaves. An MFSS provides the following functions: - Receives AS-SIP-TLS messa...
    Rule Medium Severity
    Show

  • SRG-VOIP-000590

    Group
    Show

  • A MAC Authentication Bypass policy must be implemented for 802.1x unsupported devices that connect to the Enterprise Voice, Video, and Messaging system.

    MAC Authentication Bypass (MAB) is not a sufficient stand-alone authentication mechanism for non-802.1x supplicant endpoints. Additional policy-based validation techniques must be developed to ensu...
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules