Posted by: Mudassir Ali | February 16, 2011

Securing your voice network


Protect IP Telephony Endpoints
  • Network Hardening for Phones
  • Phone Hardening
  • Securing TFTP
  • Encrypted Communications
  • 802.1X and IP Phones
  • Phones over the Internet
Attacks against IP Telephony endpoints
  • Reconnaissance
  • DHCP starvation
  • Eavesdropping/Man-in-the-middle
  • Directed TCP and ICMP attacks

Protect IP Telephony Servers
  • Firewall Traversal
  • Cisco CallManager and IPSec
  • Windows for Cisco CallManager 4.x and Other Apps
  • Appliance Model for Cisco CallManager 5.x
Attacks against IP Telephony servers
  • Worms, viruses and trojans
  • DoS and DDoS
  • Directed probes, floods

Protect IP Telephony Applications
  • Cisco CallManager
  • Cisco Unity
  • IPCC Enterprise
Attacks against IP Telephony applications
  • Intercept administration and user traffic
  • Exploit programming weakness
  • Rogue servers
  • Toll fraud


IP Telephony Endpoints

Protect IP Telephony Endpoints
  • Network Hardening for Phones
  • Phone Hardening
  • Securing TFTP
  • Encrypted Communications
  • 802.1X and IP Phones
  • Phones over the Internet

Attacks against Endpoints
  • Reconnaissance
  • DHCP starvation
  • Eavesdropping/Man-in-the-middle
  • Directed TCP and ICMP attacks

Network Hardening for Phones
Secure Voice by First Securing the Network

General Security Practices
  • Out-of-band management
  • SSH/HTTPS
  • Permit lists
  • Routing authentication
  • NIDS
  • Security management
  • Firewall or ACL in front of telephony servers
  • Rate limiting: micro-flow policing in the 6K

Separate Voice and Data VLANs
  • VLAN Access Control Lists (VACLs)
  • 802.1AE link-layer integrity will require it

Stop Man-in-the-Middle Attacks
  • Built on the DHCP snooping binding table
  • Dynamic ARP Inspection watches ARP/GARP for violations
  • IP Source Guard examines every IP packet
  • Will drop offending packets or disable the port
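As an added illustration (not part of the original post and not Cisco code), the Python model below shows how the three mechanisms above fit together: DHCP snooping records a lease only when the server reply arrived on a trusted port, Dynamic ARP Inspection checks the ARP/GARP sender fields of untrusted ports against that binding table, and IP Source Guard checks the source of every IP packet the same way. Offending packets are dropped and, as a constructed simplification of the real ARP rate-limit behaviour, a port is err-disabled after three violations. All port names, MAC addresses and IP addresses are constructed.

```python
"""Model of a switch's DHCP snooping binding table, Dynamic ARP Inspection (DAI)
and IP Source Guard (IPSG).  Added illustration only, not Cisco code; every port,
MAC and address below is constructed."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed simplification: this many DAI/IPSG violations on one port err-disable
# it (real switches key err-disable off an ARP packet rate limit instead).
VIOLATION_LIMIT = 3


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding: who may use which address on which port/VLAN."""
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class AccessSwitch:
    trusted_ports: set = field(default_factory=set)   # uplinks towards the DHCP server
    bindings: set = field(default_factory=set)        # the DHCP snooping binding table
    errdisabled: set = field(default_factory=set)
    violations: dict = field(default_factory=lambda: defaultdict(int))
    log: list = field(default_factory=list)           # (port, feature) of each drop

    def _violation(self, port, feature):
        self.log.append((port, feature))
        self.violations[port] += 1
        if self.violations[port] >= VIOLATION_LIMIT:
            self.errdisabled.add(port)
        return "drop"

    def dhcp_lease(self, server_port, client_port, vlan, mac, ip):
        """DHCP snooping: a lease is recorded only if the OFFER/ACK came in on a
        trusted port; server replies from untrusted (rogue) ports are dropped."""
        if server_port not in self.trusted_ports:
            return self._violation(server_port, "dhcp-snooping")
        self.bindings.add(Binding(mac, ip, vlan, client_port))
        return "forward"

    def _matches(self, port, vlan, mac, ip):
        return port in self.trusted_ports or Binding(mac, ip, vlan, port) in self.bindings

    def arp(self, port, vlan, sender_mac, sender_ip):
        """DAI: ARP/GARP sender MAC/IP on an untrusted port must match a binding."""
        if port in self.errdisabled:
            return "errdisabled"
        if self._matches(port, vlan, sender_mac, sender_ip):
            return "forward"
        return self._violation(port, "dai")

    def ip_packet(self, port, vlan, src_mac, src_ip):
        """IPSG: every IP packet on an untrusted port gets the same source check."""
        if port in self.errdisabled:
            return "errdisabled"
        if self._matches(port, vlan, src_mac, src_ip):
            return "forward"
        return self._violation(port, "ipsg")


def run_demo():
    """Constructed scenario on voice VLAN 110: two phones obtain leases through the
    trusted uplink, then the device on Gi1/0/3 sends traffic that does not match
    its binding and is first dropped, then err-disabled."""
    sw = AccessSwitch(trusted_ports={"Gi1/0/48"})
    r = []
    r.append(sw.dhcp_lease("Gi1/0/48", "Gi1/0/2", 110, "00aa.bb00.0002", "10.1.110.20"))
    r.append(sw.dhcp_lease("Gi1/0/48", "Gi1/0/3", 110, "00aa.bb00.0003", "10.1.110.30"))
    # A DHCP server reply arriving on an access port is not trusted
    r.append(sw.dhcp_lease("Gi1/0/3", "Gi1/0/2", 110, "00aa.bb00.0002", "10.1.110.99"))
    # Legitimate gratuitous ARP from the phone on Gi1/0/2
    r.append(sw.arp("Gi1/0/2", 110, "00aa.bb00.0002", "10.1.110.20"))
    # ARP from Gi1/0/3 announcing the gateway address: no such binding, dropped
    r.append(sw.arp("Gi1/0/3", 110, "00aa.bb00.0003", "10.1.110.1"))
    # IP packet from Gi1/0/3 using the other phone's address: third violation
    r.append(sw.ip_packet("Gi1/0/3", 110, "00aa.bb00.0003", "10.1.110.20"))
    # Port is now err-disabled, so even well-formed traffic from it is blocked
    r.append(sw.arp("Gi1/0/3", 110, "00aa.bb00.0003", "10.1.110.1"))
    r.append(sw.ip_packet("Gi1/0/3", 110, "00aa.bb00.0003", "10.1.110.30"))
    return sw, r


if __name__ == "__main__":
    switch, results = run_demo()
    print(results)
    print("err-disabled ports:", switch.errdisabled)
```

The point the model makes is that all three features rely on the same binding table, which is why DHCP snooping has to be enabled, with the uplink marked trusted, before DAI or IPSG can do anything useful.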
Phone Hardening
  • Signed firmware
  • Signed config files
  • Disable PC port
  • Settings button
  • Speakerphone
  • Web access

Securing TFTP
  • TFTP is used to download firmware and configurations into phones
  • Many companies disallow TFTP as an insecure protocol
  • Cisco solves that by securing the payload that TFTP carries
  • Encrypted configuration file keys
  • Encrypted configuration parameters

Encrypted Communications
  • TLS (Transport Layer Security, RFC 2246) protects signaling between Cisco CallManager and endpoints
  • SRTP (Secure RTP, RFC 3711) protects media between endpoints
  • Certificate-based authentication and encryption in CCM 5.0 and above

IP Phones over the Big I (Internet)
  • Use V3PNs with IPSec to protect all traffic from the SOHO location, not just voice
  • Robust telecommuter solutions
  • Terminate at the HQ end in a VPN concentrator or large router
  • VPN client in phones under consideration

IP Telephony Servers

Protect IP Telephony Servers
  • Firewall Traversal
  • Cisco CallManager and IPSec
  • Windows for Cisco CallManager 4.x
  • Appliance Model for Cisco CallManager 5.x

Attacks against Servers
  • Worms, viruses and trojans
  • DoS and DDoS
  • Directed probes, floods

Firewall Traversal
  • Need a network mechanism to isolate and protect telephony servers
  • Consistent with the data center SRND
  • Firewalls provide stateful inspection of protocols that use ephemeral port ranges; otherwise, the entire port range has to be opened in a static ACL
  • LLQ and rate limiting now available in PIX and ASA 7.0
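To make the ephemeral-port point concrete, here is an added Python comparison (not from the original post or any Cisco product) of a static ACL against a stateful firewall protecting phone media. Cisco IP phones carry RTP on UDP 16384 to 32767 and SCCP signalling on TCP 2000; the firewall object learns each call's media port from a constructed stand-in for the signalling exchange and opens only that pinhole. Pinholes are keyed on destination address and port for brevity, where a real firewall tracks the full flow. All addresses are constructed.

```python
"""Static ACL versus stateful inspection for voice media.  Added illustration,
not Cisco PIX/ASA code; addresses are constructed."""
from dataclasses import dataclass

RTP_RANGE = range(16384, 32768)   # ephemeral UDP range Cisco IP phones use for RTP
SCCP_PORT = 2000                  # TCP port for SCCP signalling to CallManager


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class StaticAcl:
    """A static ACL cannot know which media port a call will use, so it has to
    permit the whole RTP range towards every phone, all the time."""

    def permits(self, pkt):
        if pkt.proto == "tcp" and pkt.dport == SCCP_PORT:
            return True
        return pkt.proto == "udp" and pkt.dport in RTP_RANGE


class StatefulFirewall:
    """Inspects signalling and opens a pinhole only for the negotiated media flow,
    then closes it when the call ends."""

    def __init__(self):
        self.pinholes = set()   # (destination address, destination UDP port)

    def learn_media_port(self, phone_ip, media_port):
        # Constructed stand-in for parsing the signalling message in which the
        # phone announces the UDP port it will receive media on.
        self.pinholes.add((phone_ip, media_port))

    def release_media_port(self, phone_ip, media_port):
        self.pinholes.discard((phone_ip, media_port))

    def permits(self, pkt):
        if pkt.proto == "tcp" and pkt.dport == SCCP_PORT:
            return True
        return pkt.proto == "udp" and (pkt.dst, pkt.dport) in self.pinholes


def run_comparison():
    """Returns (decisions during the call, decision after the call, size of the
    range a static ACL leaves open).  Each decision is (static ACL, stateful)."""
    acl, fw = StaticAcl(), StatefulFirewall()
    phone = "10.1.110.20"
    fw.learn_media_port(phone, 20000)   # constructed signalling: receive RTP on 20000
    packets = [
        Packet("tcp", phone, 50123, "10.1.10.5", SCCP_PORT),       # signalling to CallManager
        Packet("udp", "10.1.110.30", 22000, phone, 20000),         # RTP for the active call
        Packet("udp", "192.0.2.7", 4444, phone, 24000),            # unsolicited UDP inside the range
        Packet("udp", "192.0.2.7", 4444, "10.1.110.30", 20000),    # a phone with no call up
    ]
    during_call = [(acl.permits(p), fw.permits(p)) for p in packets]
    fw.release_media_port(phone, 20000)                            # call ends, pinhole closes
    after_call = (acl.permits(packets[1]), fw.permits(packets[1]))
    return during_call, after_call, len(RTP_RANGE)


if __name__ == "__main__":
    during, after, exposed = run_comparison()
    print("during call:", during)
    print("after call: ", after)
    print("UDP ports a static ACL keeps open per phone:", exposed)
```

The last two packets and the post-call check are where the two approaches diverge: the static ACL keeps over sixteen thousand UDP ports reachable on every phone whether or not a call is in progress, while the stateful firewall only ever exposes the ports that signalling actually negotiated.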
Cisco CallManager and IPSec
  • Use IPSec to protect all traffic, not just voice
  • Easier to get through the FW than defining all ports in an ACL
  • Remember clustering-over-the-WAN metrics
  • Contradictory documentation:
      • Gateway config guide says to configure IPSec in CCM
      • CCM config guide says to configure IPSec in a network device
  • Better to terminate in a VPN concentrator or large router as needed, on the inside of the FW or ACL, because of:
      • Performance
      • Configuration complexity
      • Organizational boundaries

Windows for Cisco CallManager 4.x
  • Hardened Win2K OS shipped by default, used by most Cisco IPT applications
  • Aggressive security patch and hotfix policy
  • Cisco Security Agent (CSA) on all telephony apps
  • AV from McAfee, Symantec, or Trend Micro
  • Site-specific optional security features documented

Appliance Model for Cisco CallManager 5.x
  • Appliance model makes the file system and OS apps inaccessible
  • Only allows images to be installed that have been signed by Cisco
  • SSH / SFTP / SNMPv3 / Security Passphrase / Password Recovery
  • Industry-recommended security practices followed
  • Security events logged

Protect IP Telephony Applications

IP Telephony Applications
  • Cisco CallManager
  • Cisco Unity
  • IPCC Enterprise

Attacks against Applications
  • Intercept administration and user traffic
  • Exploit programming weakness
  • Rogue servers
  • Toll fraud