Level 2

Description:

VoIP has different requirements, features, functionality, availability, and service limitations when compared with the Plain Old Telephone Service (POTS) (i.e., the standard telephone service). In contrast, other telephone services are based on high-speed, digital communications lines, such as Integrated Services Digital Network (ISDN) and Fiber Distributed Data Interface (FDDI). The main distinctions between POTS and non-POTS services are speed and bandwidth. To address the threats associated with VoIP, usage restrictions and implementation guidelines are based on the potential for the VoIP technology to cause damage to the system if it is used maliciously. Threats to VoIP are similar to those inherent with any Internet-based application. [SP 800-58] provides guidance on Voice Over IP Systems.


Priority: High

Domain: SYSTEM AND COMMUNICATIONS PROTECTION (SC)


Category: Baseline Security Configurations


Services Associated with AWS:

  • Amazon Chime
  • AWS CloudTrail
  • Amazon GuardDuty


Services Associated with Azure: 

  • Azure Active Directory (Azure AD)
  • Azure Security Center
  • Azure Monitor


Objective Evidence:  

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Technical: screen shot of configuration settings

Possible Technology Considerations:

  • Secure Baseline Configurations (SBC)
  • Intrusion Prevention System (IPS)
  • Access Control List (ACL) 


What needs to be answered?

Is the use of VoIP controlled? Is the use of VoIP authorized and monitored?

Checks for AWS 

  • VoIP Usage Restriction Check
    Description: This check ensures that there are appropriate usage restrictions in place for VoIP technologies in use within the system. The check verifies that there is a policy for controlling the use of VoIP and that these policies are adhered to, helping to prevent potential misuse.

  • VoIP Monitoring Check
    Description: This check ensures that all usage of VoIP within the system is properly monitored. The check verifies that monitoring tools are in place and functioning as expected to detect any unauthorized or potentially harmful usage of VoIP.

Checks for Azure 

  • VoIP Usage Restriction Check
    Description: This check ensures that VoIP systems are not used within the organization. It verifies that there are appropriate restrictions in place to prevent the deployment or usage of VoIP technologies within the Azure environment. By disallowing VoIP usage, potential security risks and threats associated with this technology can be mitigated.


More Details:

VoIP systems are not used within the organization.