Securing Cisco IP Telephony Networks
The real-world guide to securing Cisco-based IP telephony applications, devices, and networks.

Cisco IP telephony leverages converged networks to dramatically reduce TCO and improve ROI. However, its critical importance to business communications and its deep integration with enterprise IP networks expose it to attacks that legacy telecom systems never faced. Now there is a comprehensive guide to securing the IP telephony components that ride atop data network infrastructures, and thereby to providing IP telephony services that are safer, more resilient, more stable, and more scalable.

Securing Cisco IP Telephony Networks provides comprehensive, up-to-date details for securing Cisco IP telephony equipment, the underlying infrastructure, and telephony applications. Drawing on ten years of experience, senior network consultant Akhil Behl offers a complete security framework for use in any Cisco IP telephony environment. You'll find best practices and detailed configuration examples for securing Cisco Unified Communications Manager (CUCM), Cisco Unity/Unity Connection, Cisco Unified Presence, Cisco Voice Gateways, Cisco IP Telephony endpoints, and many other Cisco IP Telephony applications. The book showcases easy-to-follow, security-centric examples for Cisco IP Telephony applications and networks in every chapter.

This guide is invaluable to every technical professional and IT decision-maker concerned with securing Cisco IP telephony networks, including network engineers, administrators, architects, managers, security analysts, IT directors, and consultants.
- Recognize vulnerabilities caused by IP network integration, as well as VoIP's unique security requirements
- Discover how hackers target IP telephony networks and proactively protect against each facet of their attacks
- Implement a flexible, proven methodology for end-to-end Cisco IP Telephony security
- Use a layered (defense-in-depth) approach that builds on the underlying network security design
- Secure CUCM, Cisco Unity/Unity Connection, CUPS, CUCM Express, and Cisco Unity Express platforms against internal and external threats
- Establish physical security, Layer 2 and Layer 3 security, and Cisco ASA-based perimeter security
- Get complete coverage of Cisco IP Telephony encryption and authentication fundamentals
- Configure Cisco IOS Voice Gateways to help prevent toll fraud and deter attacks
- Secure Cisco Voice Gatekeepers and Cisco Unified Border Element (CUBE) against rogue endpoints and other attack vectors
- Secure Cisco IP telephony endpoints (Cisco Unified IP Phones: wired, wireless, and soft phone) from malicious insiders and external threats

This IP communications book is part of the Cisco Press® Networking Technology Series. IP communications titles from Cisco Press help networking professionals understand voice and IP telephony technologies, plan and design converged networks, and implement network solutions for increased productivity.
- Paperback | 696 pages
- 187.96 x 228.6 x 38.1mm | 1,179.33g
- 24 Oct 2012
- Pearson Education (US)
- Cisco Press
- Indianapolis, United States
About Akhil Behl
Akhil Behl, CCIE No. 19564, is a Senior Network Consultant in Cisco Services, focusing on Cisco Collaboration and Security Architectures. He leads collaboration and security projects worldwide for Cisco Services and the Collaborative Professional Services (CPS) portfolio for the commercial segment. Prior to his current role, he spent ten years in various positions: Technical Support Lead at Linksys, Escalation Engineer at the Cisco Technical Assistance Center (TAC), and Network Consulting Engineer in Cisco Advanced Services. Akhil has a bachelor of technology degree in electronics and telecommunications from IP University, India, and a master's degree in business administration from Symbiosis Institute, India. He is a dual Cisco Certified Internetwork Expert (CCIE) in Voice and Security. He also holds many other industry certifications, including Project Management Professional (PMP), Information Technology Infrastructure Library (ITIL) professional, VMware Certified Professional (VCP), and Microsoft Certified Professional (MCP). Over the course of his career, he has presented and contributed at industry forums such as Interop, Enterprise Connect, Cloud Connect, Cloud Summit, Computer Society of India (CSI), Cisco Networkers, and Cisco SecCon. He also has several research papers published in international journals.
Table of contents
Introduction

Part I: Introduction to Cisco IP Telephony Security

Chapter 1: What Is IP Telephony Security and Why Do You Need It?
- Defining IP Telephony Security
- What Is IP Telephony?
- What Is IP Telephony Security?
- What Is the Rationale Behind Securing an IP Telephony Network?
- What Can You Do to Safeguard Your IP Telephony Network?
- IP Telephony Security Threats
- How Do Hackers Attack an IP Telephony Network? (Foot Printing; Scanning; Enumeration; Exploit; Covering Tracks)
- What Are IP Telephony Security Threats and Countermeasures? (Threats; Countermeasures)
- An Insight to VoIP Security Tools
- IP Telephony Security/Penetration Tools (Sniffing Tools; Scanning and Enumeration Tools; Flooding/DoS Tools; Signaling and Media-Manipulation Tools)
- Business Challenges and Cisco IP Telephony Security Responses
- Common Business Challenges Associated with IP Telephony Security
- Cisco IP Telephony Security Responses
- Summary

Chapter 2: Cisco IP Telephony Security Building Blocks
- Introduction to IP Telephony Security Methodology
- Understanding the IP Telephony Security Methodology
- Demystifying IP Telephony Security Methodology
- IP Telephony Security Architecture
- Exploring IP Telephony Security Methodology and Defining Security Architecture
- IP Telephony Security Assessment and Security Policy Development
- IP Telephony Network Security Implementation (Physical Security; Layer 2 Security; Layer 3 Security; Perimeter Security)
- IP Telephony Application Security Implementation
- Defining the IP Telephony Network Components That Should Be Secured
- IP Telephony Network Elements That Should Be Secured
- Summary

Chapter 3: What Can You Secure and How Can You Secure It?
- Layered Security Approach for IP Telephony Security
- IP Telephony Layered Security Approach
- Case Study
- Enabling IP Telephony Security: Layer upon Layer
- Cisco IP Telephony Security Controls
- Discovering IP Telephony Security Controls
- Cisco IP Telephony Security Controls (Network; Device; Application; Endpoint)
- Cisco IP Telephony Security Overview
- Discovering End-to-End IP Telephony Security
- Understanding Each IP Telephony Component and Its Relative Security Control
- XYZ Headquarters (Main Data Center)
- IP Telephony Data Center Security Insight
- IP Telephony Remote Data Center Security Insight
- IP Telephony Remote Site Security Insight
- Telecommuter Solution Security Insight
- Summary

Chapter 4: Cisco IP Telephony Security Framework
- Cisco IP Telephony Security Life Cycle
- Enabling IP Telephony Security
- Security and Risk Assessment
- IP Telephony Security Policy Development and Enforcement
- Planning and Designing
- IP Telephony Network and Application Security Deployment
- Operate and Manage
- Monitor
- Developing an IP Telephony Security Policy
- Building an IP Telephony Security Policy/Strategy in Line with Your Corporate Security Policy
- Risk Assessment
- Components of IP Telephony Security Policy
- IP Telephony Security Policy/Strategy
- Core IP Telephony Security Policies
- Physical Security of IP Telephony Equipment
- Physical Security Policy
- Local-Area Network Security Policy
- Wide-Area Network and Perimeter Security Policy
- IP Telephony Server Security Policy
- Voice Application Security Policy
- Endpoint Security Policy
- Conclusion
- Evaluating Cost of Security: Cost Versus Risk
- Cost of Implementing IP Telephony Security
- Cost of a Security Breach
- How to Balance Between Cost and Risk
- Determining the Level of Security for Your IP Telephony Network
- Case Study
- The Riddles Are Over
- Putting Together All the Pieces
- IP Telephony Security Framework
- Summary

Part II: Cisco IP Telephony Network Security

Chapter 5: Cisco IP Telephony Physical Security
- IP Telephony Physical Security
- What Is IP Telephony Physical Security All About?
- Physical Security Issues
- Restricting Access to IP Telephony Facility
- Securing the IP Telephony Data Center Perimeter
- IP Telephony Data Center Internal Security
- Personnel Training
- Disaster Recovery and Survivability
- Locking Down IP Telephony Equipment
- Environmental Factors
- Summary

Chapter 6: Cisco IP Telephony Layer 2 Security
- Layer 2 Security Overview
- Cisco IP Telephony Layer 2 Topology Overview
- Why Bother with Layer 2 Security?
- IP Telephony Layer 2 Security Issues and Mitigation
- VLAN Hopping Attack and Mitigation (Attack Details; Mitigation)
- Spanning Tree Protocol (STP) Manipulation (Attack Details; Mitigation)
- DHCP Spoofing (Attack Details; Mitigation)
- ARP Spoofing (Attack Details; Mitigation)
- MAC Address Spoofing Attack (Attack Details; Mitigation)
- IP Spoofing Attack (Attack Details; Mitigation)
- CAM Table Overflow and DHCP Starvation Attack (Attack Details; Mitigation)
- Dealing with Rogue Endpoints: 802.1x
- What Is 802.1x and How Does It Work?
- EAP Authentication Methods
- 802.1x for IP Telephony
- Layer 2 Security: Best Practices
- Summary

Chapter 7: Cisco IP Telephony Layer 3 Security
- Layer 3 Security Fundamentals: Securing Cisco IOS Routers
- Cisco IOS Platform Security
- Restricting Management Access (Console Port; Auxiliary Port; VTY Ports; HTTP Interface)
- Disabling Unnecessary IOS Services (Small Services; Finger Service; BootP; Cisco Discovery Protocol (CDP); Proxy ARP; Directed Broadcast; Source Routing; Classless Routing; Configuration Autoloading)
- Securing TFTP
- Securing Routing Protocols (RIPv2; EIGRP; OSPF; BGP)
- Securing Hot Standby Routing Protocol (HSRP)
- Safeguarding Against ICMP Attacks (ICMP Unreachables; ICMP Mask Reply; ICMP Redirects; Constraining ICMP)
- Securing User Passwords
- Controlling User Access and Privilege Levels
- Enabling Local Authentication and Authorization
- Enabling External Server-based Authentication, Authorization, and Accounting (AAA)
- Configuring Cisco TACACS+ Based Authentication, Authorization, and Accounting
- Antispoofing Measures (RFC 2827 Filtering; Unicast Reverse Packet Forwarding (uRPF))
- Router Banner Messages
- Securing Network Time Protocol (NTP)
- Blocking Commonly Exploited Ports
- Extending Enterprise Security Policy to Your Cisco Router (Password Minimum Length; Authentication Failure Rate; Block Logins; Disable Password Recovery)
- Layer 3 Traffic Protection: Encryption
- Layer 3 Security: Best Practices
- Summary

Chapter 8: Perimeter Security with Cisco Adaptive Security Appliance
- IP Telephony Data Center's Integral Element: Cisco Adaptive Security Appliance
- An Introduction to Cisco ASA Firewall
- Cisco ASA Firewall and OSI Layers
- Cisco ASA Basics (Stateful Firewall; Interfaces; Security Levels; Firewall Modes; Network Address Translation; UTM Appliance; IP Telephony Firewall)
- Securing IP Telephony Data Center with Cisco ASA
- Case Study: Perimeter Security with Cisco ASA
- Cisco ASA QoS Support
- Firewall Transiting for Endpoints
- Cisco ASA Firewall (ACL Port Usage)
- Introduction to Cisco ASA Proxy Features
- Cisco ASA TLS Proxy
- Cisco ASA Phone Proxy
- Cisco VPN Phone (Prerequisites; Implementing VPN Phone)
- Remote Worker and Telecommuter Voice Security
- Summary

Part III: Cisco IP Telephony Application and Device Security

Chapter 9: Cisco Unified Communications Manager Security
- Cisco Unified Communications Manager (CUCM) Platform Security
- CUCM Linux Platform Security
- Certificate-Based Secure Signaling and Media: Certificate Authority Proxy Function
- Enabling CUCM Cluster Security: Mixed-Mode
- Security by Default (SBD)
- TFTP Download Authentication
- TFTP Configuration File Encryption
- Trust Verification Service (Remote Certificate and Signature Verification)
- Using External Certificate Authority (CA) with CAPF
- Using External Certificate Authority (CA) with Cisco Tomcat
- Enabling Secure LDAP (LDAPS)
- Enabling Secure LDAP Connection Between CUCM and Microsoft Active Directory
- Securing IP Phone Conversation
- Securing Cisco IP Phones
- Identifying Encrypted and Authenticated Phone Calls
- Securing Third-Party SIP Phones
- Configuring Third-Party SIP Phone
- Secure Tone
- CUCM Trunk Security (ICT and H.225 (Gatekeeper Controlled) Secure Trunks; SIP Trunk Security; Inter Cluster Trunk Security; SME Trunk Security)
- Trusted Relay Point (TRP)
- Preventing Toll Fraud (Partitions and Calling Search Spaces; Time of Day Routing; Block Off-Net to Off-Net Transfers; Conference Restrictions; Calling Rights for Billing and Tracking; Route Filters for Controlled Access; Access Restriction for Protocols from User VRF; Social Engineering)
- Securing CTI/JTAPI Connections
- JTAPI Client Config
- Restricting Administrative Access (User Roles and Groups)
- Fighting Spam Over Internet Telephony (SPIT)
- CUCM Security Audit (Logs) (Application Log; Database Log; Operating System Log; Remote Support Accounting Log)
- Enabling Audit Logs
- Collecting and Analyzing CUCM Audit Logs
- Analyzing Application Audit Logs
- Single Sign-On (SSO)
- SSO Overview
- System Requirements for SSO
- Configuring OpenAM SSO Server
- Configuring Windows Desktop SSO Authentication Module Instance
- Configure J2EE Agent Profile on OpenSSO Server
- Configuring SSO on CUCM
- Configuring Client Machine Browsers for SSO (Internet Explorer; Mozilla Firefox)
- Summary

Chapter 10: Cisco Unity and Cisco Unity Connection Security
- Cisco Unity/Unity Connection Platform Security
- Cisco Unity Windows Platform Security (OS Upgrade and Patches; Cisco Security Agent (CSA); Antivirus; Server Hardening)
- Cisco Unity Connection Linux Platform Security
- Securing Cisco Unity/Unity Connection Web Services
- Securing Cisco Unity Web Services (SA, PCA, and Status Monitor)
- Securing Cisco Unity Connection Web Services (Web Administration, PCA, and IMAP)
- Preventing Toll Fraud
- Secure Voicemail Ports
- Cisco Unity: Secure Voicemail Ports with CUCM (SCCP)
- Cisco Unity: Authenticated Voicemail Ports with CUCM (SIP)
- Cisco Unity Connection: Secure Voicemail Ports with CUCM (SCCP)
- Cisco Unity Connection: Secure Voicemail Ports with CUCM (SIP)
- Secure LDAP (LDAPS) for Cisco Unity Connection
- Securing Cisco Unity/Unity Connection Accounts and Passwords
- Cisco Unity Account Policies
- Cisco Unity Authentication
- Cisco Unity Connection Account Policies
- Cisco Unity/Unity Connection Class of Service
- Cisco Unity Class of Service (and Roles)
- Cisco Unity Connection Class of Service (and Roles)
- Cisco Unity/Unity Connection Secure Messaging
- Cisco Unity Secure Messaging
- Cisco Unity Connection Secure Messaging
- Cisco Unity/Unity Connection Security Audit (Logs)
- Cisco Unity Security Audit
- Cisco Unity Connection Security Audit
- Cisco Unity Connection Single Sign-On (SSO)
- Summary

Chapter 11: Cisco Unified Presence Security
- Securing Cisco Unified Presence Server Platform (Application and OS Upgrades; Cisco Security Agent (CSA); Server Hardening)
- Securing CUPS Integration with CUCM
- Securing CUPS Integration with LDAP (LDAPS)
- Securing Presence Federation (SIP and XMPP)
- CUPS SIP Federation Security
- Intra-Enterprise/Organization Presence SIP Federation
- Inter-Enterprise/Organization Presence SIP Federation
- CUPS XMPP Federation Security
- Cisco Unified Personal Communicator Security
- Securing CUPC LDAP Connectivity
- Securing CUPC Connectivity with Cisco Unified Presence
- Securing CUPC Connectivity with CUCM
- Securing CUPC Connectivity with Voicemail (Cisco Unity/Unity Connection)
- Summary

Chapter 12: Cisco Voice Gateway Security
- Cisco Voice Gateway Platform Security
- Preventing Toll Fraud on Cisco Voice Gateways
- Call Source Authentication
- Voice Gateway Toll Fraud Prevention by Default
- Class of Restriction (COR)
- Call Transfer and Forwarding
- Securing Conference Resources
- Securing Voice Conversations on Cisco Voice Gateways
- Configuring MGCP Support for SRTP
- Configuring H.323 Gateway to Support SRTP
- Configuring SIP Gateway to Support SRTP
- Securing Survivable Remote Site Telephony (SRST)
- Monitoring Cisco Voice Gateways
- Summary

Chapter 13: Cisco Voice Gatekeeper and Cisco Unified Border Element Security
- Physical and Logical Security of Cisco Gatekeeper and Cisco Unified Border Element
- Gatekeeper Security: What Is It All About?
- Securing Cisco Gatekeeper
- Restricted Subnet Registration
- Gatekeeper Accounting
- Gatekeeper Security Option
- Gatekeeper Intra-Domain Security
- Gatekeeper Inter-Domain Security
- Gatekeeper HSRP Security
- Cisco Unified Border Element Security
- Filtering Traffic with Access Control List
- Signaling and Media Encryption
- Hostname Validation
- Firewalling CUBE
- CUBE Inherited SIP Security Features
- Summary

Chapter 14: Cisco Unified Communications Manager Express and Cisco Unity Express Security
- Cisco Unified Communications Manager Express Platform Security
- Preventing Toll Fraud on Cisco Unified Communications Manager Express (After-Hours Calling Restrictions; Call Transfer Restriction; Call Forward Restriction; Class of Restriction)
- Cisco Unified CME: AAA Command Accounting and Auditing
- Cisco IOS Firewall for Cisco Unified CME
- Cisco Unified CME: Securing GUI Access
- Cisco Unified CME: Strict ephone Registration
- Cisco Unified CME: Disable ephone Auto-Registration
- Cisco Unified CME: Call Logging (CDR)
- Cisco Unified CME: Securing Voice Traffic (TLS and SRTP)
- Securing Cisco Unity Express Platform
- Enabling AAA for Cisco Unity Express
- Preventing Toll Fraud on Cisco Unity Express
- Cisco Unity Express: Secure GUI Access
- Summary

Chapter 15: Cisco IP Telephony Endpoint Security
- Why Is Endpoint Security Important?
- Cisco Unified IP Phone Security
- Wired IP Phone: Hardening (Speakerphone; PC Port; Settings Access; Gratuitous Address Resolution Protocol (GARP); PC Voice VLAN Access; Video Capabilities; Web Access; Span to PC Port; Logging Display; Peer Firmware Sharing; Link Layer Discovery Protocol: Media Endpoint Discovery (LLDP-MED) Switch Port; Link Layer Discovery Protocol (LLDP) PC Port)
- Configuring Unified IP Phone Hardening
- Wired IP Phone: Secure Network Admission
- Wired IP Phone: Voice Conversation Security
- Wired IP Phone: Secure TFTP Communication
- Cisco Unified Wireless IP Phone Security
- Cisco Wireless LAN Controller (WLC) Security
- Cisco Wireless Unified IP Phone Security
- Hardening Cisco Wireless IP Phones (Profile; Admin Password; FIPS Mode)
- Securing a Cisco Wireless IP Phone
- Securing Cisco Wireless Endpoint Conversation
- Securing Cisco Wireless Endpoint Network Admission
- Using Third-Party Certificates for EAP-TLS
- Wireless IP Phone: Secure TFTP Communication
- Securing Cisco IP Communicator
- Hardening the Cisco IP Communicator
- Encryption (Media and Signaling)
- Enable Extension Mobility for CIPC
- Lock Down MAC Address and Device Name Settings
- Network Access Control (NAC)-Based Secured Network Access
- VLAN Traversal for CIPC Voice Streams
- Summary

Part IV: Cisco IP Telephony Network Management Security

Chapter 16: Cisco IP Telephony: Network Management Security
- Secure IP Telephony Network Management Design
- In-Band Network Management
- Securing In-Band Management Deployment
- Out-of-Band (OOB) Network Management
- Securing OOB Management Deployment
- Hybrid Network Management Design
- Securing a Hybrid Network Management Deployment
- Securing Network Management Protocols
- Secure Network Monitoring with SNMPv3
- Cisco IP Telephony Applications with SNMPv3 Support
- SNMP for Cisco IOS Routers and Switches
- SNMP Deployment Best Practices
- Syslog
- Secure Syslog for IP Telephony Applications
- Configuring Syslog in Cisco Network Devices (Cisco IOS Devices and Cisco ASA)
- Cisco IOS Devices Syslog
- Cisco ASA Firewall Syslog
- Syslog Deployment Best Practices
- Secure Shell (SSH)
- Configuring SSH on IOS Devices
- Enabling SSH Access on Cisco ASA
- SSH Deployment Best Practices
- HTTP/HTTPS
- Enabling Cisco CP for Cisco IOS Routers
- Enabling Cisco ASA ASDM
- HTTPS Deployment Best Practices
- Securing VNC Management Access
- VNC Deployment Best Practices
- Securing Microsoft Remote Desktop Protocol
- Configuring IP Telephony Server for Accepting Secure RDP Connections
- Configuring RDP Client for Initiating Secure RDP Session
- RDP Deployment Best Practices
- TFTP/SFTP/SCP
- TFTP/SFTP/SCP Deployment Best Practices
- Managing Security Events (The Problem; The Solution)
- Cisco Prime Unified Operations Manager (CUOM)
- Cisco Prime Unified Service Monitor (CUSM)
- Cisco Unified Service Statistics Manager (CUSSM)
- Cisco Prime Unified Provisioning Manager (CUPM)
- Summary

Part V: Cisco IP Telephony Security Essentials

Appendix A: Cisco IP Telephony: Authentication and Encryption Essentials
Appendix B: Cisco IP Telephony: Firewalling and Intrusion Prevention
Glossary
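The toll-fraud controls that Chapter 12 lists by name (call source authentication, toll-fraud prevention by default, and Class of Restriction) are all plain Cisco IOS voice-gateway configuration. The following is an added illustration of how those three controls fit together on one gateway; it is not taken from the book, and the IP addresses, dial-peer tags, dial plan and voice port are assumptions chosen for the example.

```cisco
! Added example, not from the book. Addresses, dial-peer tags, digit patterns
! and port 0/0/0:23 are illustrative assumptions.
!
! 1. Call source authentication. From IOS 15.1(2)T "ip address trusted
!    authenticate" is on by default; the trusted list enumerates the CUCM
!    nodes allowed to place calls to this gateway. Unlisted sources are
!    rejected at call setup.
voice service voip
 ip address trusted authenticate
 ip address trusted list
  ipv4 10.10.1.10 255.255.255.255
  ipv4 10.10.1.11 255.255.255.255
!
! 2. Class of Restriction. A call is permitted when the incoming dial-peer's
!    corlist contains every member of the outgoing dial-peer's corlist.
!    Caveat: an incoming dial-peer with NO corlist is unrestricted, so every
!    inbound dial-peer below carries one explicitly.
dial-peer cor custom
 name local
 name long-distance
 name international
!
dial-peer cor list cor-local
 member local
!
dial-peer cor list cor-ld
 member long-distance
!
dial-peer cor list cor-intl
 member international
!
! Privileges granted to calls arriving from CUCM: local and long distance,
! never international.
dial-peer cor list cor-from-cucm
 member local
 member long-distance
!
! Empty list: grants no outbound privilege at all (used for PSTN-originated
! calls so they cannot hairpin back out to the PSTN).
dial-peer cor list cor-none
!
! Inbound VoIP dial-peer from CUCM.
dial-peer voice 100 voip
 description Inbound from CUCM
 incoming called-number .
 corlist incoming cor-from-cucm
 session protocol sipv2
 dtmf-relay rtp-nte
 codec g711ulaw
 no vad
!
! Inbound POTS dial-peer from the PSTN carries no outbound privilege.
dial-peer voice 1 pots
 description Inbound from PSTN
 incoming called-number .
 corlist incoming cor-none
 direct-inward-dial
 port 0/0/0:23
!
! Outbound PSTN dial-peers, each guarded by the privilege it requires.
dial-peer voice 9 pots
 description Local, 9 + 7 digits
 destination-pattern 9[2-9]......
 corlist outgoing cor-local
 forward-digits 7
 port 0/0/0:23
!
dial-peer voice 91 pots
 description North American long distance
 destination-pattern 91[2-9]..[2-9]......
 corlist outgoing cor-ld
 forward-digits 11
 port 0/0/0:23
!
dial-peer voice 9011 pots
 description International; blocked for CUCM and PSTN sources by COR
 destination-pattern 9011T
 corlist outgoing cor-intl
 prefix 011
 port 0/0/0:23
```

The trusted list must include every node that legitimately signals to the gateway (all CUCM call-processing nodes, plus any CUBE or SIP peer), otherwise legitimate calls fail; `show ip address trusted list` shows what is currently accepted. `show dial-peer cor` confirms which corlist each dial-peer carries, and the check to repeat after any dial-plan change is that no inbound dial-peer has been left without a `corlist incoming`.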