I - Mission Critical Sensitive
Rules and Groups employed by this XCCDF Profile

SRG-VOIP-000350 (Group)
Rule: The enclave must be dual homed to two geographically diverse DISN SDNs and DISN WAN Service (NIPRNet or SIPRNet) Aggregation Routers (AR) or DISN Provider Edge (PE) routers.
Vulnerability Discussion: Redundancy and dual homing is used within the DISN core to provide for continuity of operations (COOP) if a piece of equipmen...
Severity: Medium

SRG-VOIP-000360 (Group)
Rule: The dual homed DISN core access circuits must be implemented so that each one can support the full bandwidth engineered for the enclave plus additional bandwidth to support surge conditions in time of crisis.
Vulnerability Discussion: Providing dual-homed access circuits from a command and control (C2) enclave to the DISN core is useless unless both circuits...
Severity: Medium

SRG-VOIP-000370 (Group)
Rule: The required dual-homed DISN Core or NIPRNet access circuits must follow geographically diverse paths from the CER(s) along the entire route to the geographically diverse SDNs.
Vulnerability Discussion: One way to provide the greatest reliability and availability for DISN services is to provide redundancy in the network pathwa...
Severity: Medium

SRG-VOIP-000380 (Group)
Rule: Critical network equipment must be redundant and in geographically diverse locations for a site supporting command and control (C2) users.
Vulnerability Discussion: The enhanced reliability and availability achieved by the implementation of redundancy and geographic diversity throughout th...
Severity: Low

SRG-VOIP-000390 (Group)
Rule: Enclaves with commercial VoIP connections must be approved by the DODIN Waiver Panel and signed by DOD CIO for a permanent alternate connection to the Internet Telephony Service Provider (ITSP).
Vulnerability Discussion: The DOD requires the use of DISN services as the first choice to meet core communications needs. When additional services for...
Severity: Medium

SRG-VOIP-000400 (Group)
Rule: The Fire and Emergency Services (FES) communications over a site's telephone system must be configured to support the Department of Defense Instruction (DODI) 6055.06 telecommunication capabilities.
Vulnerability Discussion: Emergency communications must include requests for fire, police, and medical assistance. In DOD, these communications can als...
Severity: Medium

SRG-VOIP-000410 (Group)
Rule: The Fire and Emergency Services (F&ES) communications over a site's private telephone system must provide the originating telephone number to the emergency services answering point or call center through a transfer of Automatic Number Identification (ANI) or Automatic Location Identification (ALI) information.
Vulnerability Discussion: The implementation of Enhanced F&ES telecommunications services requires that the emergency services answering point or c...
Severity: Medium

SRG-VOIP-000420 (Group)
Rule: The Fire and Emergency Services (F&ES) communications over a site's private telephone system must provide a direct callback telephone number and physical location of an F&ES caller to the emergency services answering point or call center through a transfer of Automatic Number Identification (ANI) and extended Automatic Location Identification (ALI) information or access to an extended ALI database.
Vulnerability Discussion: Under Federal Communication Commission (FCC) rules and the laws of some states, the implementation of Enhanced F&ES telec...
Severity: Medium

SRG-VOIP-000430 (Group)
Rule: The Fire and Emergency Services (F&ES) communications over a site's private telephone system must route emergency calls as a priority call in a nonblocking manner.
Vulnerability Discussion: When calling the designated F&ES telephone number, the call must go through regardless of the state of other calls in the...
Severity: Medium

SRG-VOIP-000440 (Group)
Rule: Eight hours of backup power must be provided for LAN Infrastructure, WAN boundary, VVoIP infrastructure, and VVoIP endpoints to support Special-C2 users.
Vulnerability Discussion: Unified Capabilities (UC) users require different levels of capability depending on command and control needs. Special-C2 dec...
Severity: Medium

SRG-VOIP-000450 (Group)
Rule: Two hours of backup power must be provided for LAN Infrastructure, WAN boundary, VVoIP infrastructure, and VVoIP endpoints to support Immediate or Priority precedence C2 users.
Vulnerability Discussion: Unified Capabilities (UC) users require different levels of capability depending upon command and control (C2) needs. Special...
Severity: Medium

SRG-VOIP-000460 (Group)
Rule: Sufficient backup power must be provided for LAN infrastructure, WAN boundary, VVoIP infrastructure, and VVoIP endpoints to support non-command and control (C2) user accessible endpoints for emergency life safety and security calls.
Vulnerability Discussion: Unified Capabilities (UC) users require different levels of capability depending on command and control needs. Special-C2 dec...
Severity: Low

SRG-VOIP-000470 (Group)
Rule: The Session Border Controller (SBC) must filter inbound SIP and AS-SIP traffic based on the IP addresses of the internal Enterprise Session Controller (ESC), Local Session Controller (LSC), or Multifunction Soft Switch (MFSS).
Vulnerability Discussion: The SBC is in the VVoIP signaling between the LSC and MFSS. To limit exposure to compromise and denial of service, the SBC mu...
Severity: Medium

SRG-VOIP-000480 (Group)
Rule: The Session Border Controller (SBC) must be configured to terminate and decrypt inbound and outbound SIP and AS-SIP sessions to ensure proper management for the transition of the SRTP/SRTCP streams.
Vulnerability Discussion: The function of the SBC is to manage SIP and AS-SIP signaling messages. To perform its proper function in the enclave boundar...
Severity: Medium

SRG-VOIP-000490 (Group)
Rule: The Session Border Controller (SBC) must be configured to only process packets authenticated from an authorized source within the DISN IPVS network.
Vulnerability Discussion: The function of the SBC is to manage SIP and AS-SIP signaling messages. The SBC also authenticates SIP and AS-SIP signaling m...
Severity: Medium

SRG-VOIP-000500 (Group)
Rule: The Session Border Controller (SBC) must be configured to only process signaling packets whose integrity is validated.
Vulnerability Discussion: The validation of signaling packet integrity is required to ensure the packet has not been altered in transit. Packets can be...
Severity: Medium

SRG-VOIP-000510 (Group)
Rule: The Session Border Controller (SBC) must be configured to validate the structure and validity of SIP and AS-SIP messages so that malformed messages or messages containing errors are dropped before action is taken on the contents.
Vulnerability Discussion: Malformed SIP and AS-SIP messages, as well as messages containing errors, could be an indication that an adversary is attempt...
Severity: Low

SRG-VOIP-000520 (Group)
Rule: The Session Border Controller (SBC) must drop all SIP and AS-SIP packets except those secured with TLS.
Vulnerability Discussion: DISN NIPRNet IPVS PMO and the Unified Capabilities Requirements (UCR) require all session signaling across the DISN WAN and b...
Severity: Medium

SRG-VOIP-000530 (Group)
Rule: The Session Border Controller (SBC) must be configured to manage IP port pinholes for the SRTP/SRTCP bearer streams based on the information in the SIP and AS-SIP messages.
Vulnerability Discussion: The function of the SBC is to manage SIP and AS-SIP signaling messages. The SBC also manages the SRTP/SRTCP bearer streams. T...
Severity: Medium

SRG-VOIP-000540 (Group)
Rule: The Session Border Controller (SBC) (or similar firewall type device) must perform stateful inspection and packet authentication for all VVoIP traffic (inbound and outbound) and deny all other packets.
Vulnerability Discussion: Once a pinhole is opened in the enclave boundary for a known session, the packets that are permitted to pass must be managed....
Severity: High

SRG-VOIP-000550 (Group)
Rule: The Session Border Controller (SBC) (or similar firewall type device) must deny all packets traversing the enclave boundary (inbound or outbound) through the IP port pinholes opened for VVoIP sessions, except RTP/RTCP, SRTP/SRTCP, or other protocol/flow established by signaling messages.
Vulnerability Discussion: Once a pinhole is opened in the enclave boundary for a known session, the packets that are permitted to pass must be managed....
Severity: High

SRG-VOIP-000560 (Group)
Rule: The Session Border Controller (SBC) must be configured to notify system administrators and the information system security officer (ISSO) when attempts to cause a denial of service (DoS) or other suspicious events are detected.
Vulnerability Discussion: Action cannot be taken to thwart an attempted DoS or compromise if the system administrators responsible for the operation of...
Severity: Medium

SRG-VOIP-000570 (Group)
Rule: The Enterprise Voice, Video, and Messaging system connecting with a DISN IPVS must be configured to signal with a backup Multifunction Soft Switch (MFSS) (or SS) if the primary cannot be reached.
Vulnerability Discussion: Redundancy of equipment and associations is used in an IP network to increase the availability of a system. Multiple MFSSs in...
Severity: Medium

SRG-VOIP-000580 (Group)
Rule: The Multifunction Soft Switch (MFSS) must be configured to synchronize with at minimum a paired MFSS and/or others so that each may serve as a backup for the other when signaling with its assigned Local Session Controller (LSC), thus improving the reliability and survivability of the DISN IPVS network.
Vulnerability Discussion: MFSSs are critical to the operation of the DISN NIPRNet IPVS network. They broker the establishment of calls between enclaves...
Severity: Medium

SRG-VOIP-000590 (Group)
Rule: A MAC Authentication Bypass policy must be implemented for 802.1x unsupported devices that connect to the Enterprise Voice, Video, and Messaging system.
Vulnerability Discussion: MAC Authentication Bypass (MAB) is not a sufficient stand-alone authentication mechanism for non-802.1x supplicant endpoints....
Severity: Medium