Table of Contents
Introduction xxiii
Part I Introduction to Cisco IP Telephony Security 3
Chapter 1 What Is IP Telephony Security and Why Do You Need It? 3
Defining IP Telephony Security 4
What Is IP Telephony? 4
What Is IP Telephony Security? 4
What Is the Rationale Behind Securing an IP Telephony Network? 6
What Can You Do to Safeguard Your IP Telephony Network? 7
IP Telephony Security Threats 8
How Do Hackers Attack an IP Telephony Network? 8
Foot Printing 9
Scanning 9
Enumeration 9
Exploit 9
Covering Tracks 10
What Are IP Telephony Security Threats and Countermeasures? 10
Threats 11
Countermeasures 12
An Insight to VoIP Security Tools 12
IP Telephony Security/Penetration Tools 13
Sniffing Tools 13
Scanning and Enumeration Tools 14
Flooding/DoS Tools 14
Signaling and Media-Manipulation Tools 15
Business Challenges and Cisco IP Telephony Security Responses 15
Common Business Challenges Associated with IP Telephony Security 15
Cisco IP Telephony Security Responses 16
Summary 17
Chapter 2 Cisco IP Telephony Security Building Blocks 19
Introduction to IP Telephony Security Methodology 19
Understanding the IP Telephony Security Methodology 19
Demystifying IP Telephony Security Methodology 21
IP Telephony Security Architecture 22
Exploring IP Telephony Security Methodology and Defining Security Architecture 24
IP Telephony Security Assessment and Security Policy Development 24
IP Telephony Network Security Implementation 26
Physical Security 28
Layer 2 Security 29
Layer 3 Security 29
Perimeter Security 30
IP Telephony Application Security Implementation 31
Defining the IP Telephony Network Components That Should Be Secured 32
IP Telephony Network Elements That Should Be Secured 32
Summary 34
Chapter 3 What Can You Secure and How Can You Secure It? 35
Layered Security Approach for IP Telephony Security 35
IP Telephony Layered Security Approach 36
Case Study 36
Enabling IP Telephony Security: Layer upon Layer 37
Cisco IP Telephony Security Controls 40
Discovering IP Telephony Security Controls 40
Cisco IP Telephony Security Controls 41
Cisco IP Telephony Network Security Controls 41
Cisco IP Telephony Device Security Controls 43
Cisco IP Telephony Application Security Controls 45
Cisco IP Telephony Endpoint Security Controls 48
Cisco IP Telephony Security Overview 50
Discovering End-to-End IP Telephony Security 50
Understanding Each IP Telephony Component and its Relative Security Control 52
XYZ Headquarters (Main Data Center) 52
IP Telephony Data Center Security Insight 54
IP Telephony Remote Data Center Security Insight 54
IP Telephony Remote Site Security Insight 56
Telecommuter Solution Security Insight 56
Summary 57
Chapter 4 Cisco IP Telephony Security Framework 59
Cisco IP Telephony Security Life Cycle 60
Enabling IP Telephony Security 61
Security and Risk Assessment 61
IP Telephony Security Policy Development and Enforcement 62
Planning and Designing 63
IP Telephony Network and Application Security Deployment 63
Operate and Manage 64
Monitor 64
Developing an IP Telephony Security Policy 64
Building an IP Telephony Security Policy/Strategy In Line with Your Corporate Security Policy 64
Risk Assessment 65
Components of IP Telephony Security Policy 69
IP Telephony Security Policy/Strategy 70
Core IP Telephony Security Policies 72
Physical Security of IP Telephony Equipment 74
Physical Security Policy 75
Local-Area Network Security Policy 76
Wide-Area Network and Perimeter Security Policy 77
IP Telephony Server Security Policy 78
Voice Application Security Policy 79
Endpoint Security Policy 79
Conclusion 80
Evaluating Cost of Security–Cost Versus Risk 80
Cost of Implementing IP Telephony Security 81
Cost of a Security Breach 81
How to Balance Between Cost and Risk 82
Determining the Level of Security for Your IP Telephony Network 84
Case Study 84
The Riddles Are Over 86
Putting Together All the Pieces 87
IP Telephony Security Framework 87
Summary 92
Part II Cisco IP Telephony Network Security 93
Chapter 5 Cisco IP Telephony Physical Security 95
IP Telephony Physical Security 95
What Is IP Telephony Physical Security All About? 96
Physical Security Issues 97
Restricting Access to IP Telephony Facility 97
Securing the IP Telephony Data Center Perimeter 98
IP Telephony Data Center Internal Security 99
Personnel Training 100
Disaster Recovery and Survivability 100
Locking Down IP Telephony Equipment 101
Environmental Factors 102
Summary 103
Chapter 6 Cisco IP Telephony Layer 2 Security 105
Layer 2 Security Overview 105
Cisco IP Telephony Layer 2 Topology Overview 106
Why Bother with Layer 2 Security? 107
IP Telephony Layer 2 Security Issues and Mitigation 108
VLAN Hopping Attack and Mitigation 109
Attack Details 109
Mitigation 111
Spanning Tree Protocol (STP) Manipulation 112
Attack Details 112
Mitigation 112
DHCP Spoofing 113
Attack Details 113
Mitigation 114
ARP Spoofing 114
Attack Details 115
Mitigation 116
MAC Address Spoofing Attack 116
Attack Details 116
Mitigation 117
IP Spoofing Attack 119
Attack Details 119
Mitigation 120
CAM Table Overflow and DHCP Starvation Attack 120
Attack Details 121
Mitigation 122
Dealing with Rogue Endpoints: 802.1x 123
What Is 802.1x and How Does it Work? 123
EAP Authentication Methods 125
802.1x for IP Telephony 126
Layer 2 Security: Best Practices 131
Summary 133
Chapter 7 Cisco IP Telephony Layer 3 Security 135
Layer 3 Security Fundamentals: Securing Cisco IOS Routers 136
Cisco IOS Platform Security 136
Restricting Management Access 137
Securing the Console Port 138
Securing the Auxiliary Port 139
Securing the VTY Ports 139
Securing the HTTP Interface 140
Disabling Unnecessary IOS Services 142
Small Services 142
Finger Service 143
BootP 143
Cisco Discovery Protocol (CDP) 143
Proxy ARP 145
Directed Broadcast 146
Source Routing 147
Classless Routing 148
Configuration Autoloading 148
Securing TFTP 149
Securing Routing Protocols 150
Routing Information Protocol v2 (RIPv2) 151
Enhanced Interior Gateway Routing Protocol (EIGRP) 152
Open Shortest Path First (OSPF) 152
Border Gateway Protocol (BGP) 153
Securing Hot Standby Routing Protocol (HSRP) 153
Safeguarding Against ICMP Attacks 154
ICMP Unreachables 154
ICMP Mask Reply 154
ICMP Redirects 154
Constraining ICMP 155
Securing User Passwords 156
Controlling User Access and Privilege Levels 157
Enabling Local Authentication and Authorization 157
Enabling External Server-based Authentication, Authorization, and Accounting (AAA) 158
Configuring Cisco TACACS+ Based Authentication 158
Configuring Cisco TACACS+ Based Authorization 159
Configuring Cisco TACACS+ Based Accounting 159
Antispoofing Measures 160
RFC 2827 Filtering 161
Unicast Reverse Packet Forwarding (uRPF) 162
Router Banner Messages 163
Securing Network Time Protocol (NTP) 164
Blocking Commonly Exploited Ports 165
Extending Enterprise Security Policy to Your Cisco Router 165
Password Minimum Length 165
Authentication Failure Rate 166
Block Logins 166
Disable Password Recovery 166
Layer 3 Traffic Protection–Encryption 168
Layer 3 Security–Best Practices 168
Summary 169
Chapter 8 Perimeter Security with Cisco Adaptive Security Appliance 171
IP Telephony Data Center’s Integral Element: Cisco Adaptive Security Appliance 172
An Introduction to Cisco ASA Firewall 172
Cisco ASA Firewall and OSI layers 174
Cisco ASA Basics 175
Cisco ASA: Stateful Firewall 175
Cisco ASA Firewall: Interfaces 175
Cisco ASA Firewall: Security Levels 177
Cisco ASA: Firewall Modes 179
Cisco ASA: Network Address Translation 180
Cisco ASA: UTM Appliance 180
Cisco ASA: IP Telephony Firewall 181
Securing IP Telephony Data Center with Cisco ASA 182
Case Study: Perimeter Security with Cisco ASA 184
Cisco ASA QoS Support 186
Firewall Transiting for Endpoints 186
Cisco ASA Firewall (ACL Port Usage) 188
Introduction to Cisco ASA Proxy Features 201
Cisco ASA TLS Proxy 203
Cisco ASA Phone Proxy 212
Cisco VPN Phone 222
Cisco VPN Phone Prerequisites 223
Implementing VPN Phone 224
Remote Worker and Telecommuter Voice Security 227
Summary 231
Part III Cisco IP Telephony Application and Device Security 233
Chapter 9 Cisco Unified Communications Manager Security 235
Cisco Unified Communications Manager (CUCM) Platform Security 236
CUCM Linux Platform Security 237
Certificate-Based Secure Signaling and Media: Certificate Authority Proxy Function 238
Enabling CUCM Cluster Security: Mixed-Mode 240
Security by Default (SBD) 249
TFTP Download Authentication 249
TFTP Configuration File Encryption 250
Trust Verification Service (Remote Certificate and Signature Verification) 251
Using External Certificate Authority (CA) with CAPF 253
Using External Certificate Authority (CA) with Cisco Tomcat 256
Enabling Secure LDAP (LDAPS) 258
Enabling Secure LDAP Connection Between CUCM and Microsoft Active Directory 259
Securing IP Phone Conversation 261
Securing Cisco IP Phones 262
Identifying Encrypted and Authenticated Phone Calls 264
Securing Third-Party SIP Phones 264
Configuring Third-Party SIP Phone 267
Secure Tone 267
CUCM Trunk Security 271
ICT and H.225 (Gatekeeper Controlled) Secure Trunks 271
SIP Trunk Security 273
Inter Cluster Trunk Security 275
SME Trunk Security 275
Trusted Relay Point (TRP) 277
Preventing Toll Fraud 279
Partitions and Calling Search Spaces 280
Time of Day Routing 280
Block Off-Net to Off-Net Transfers 281
Conference Restrictions 281
Calling Rights for Billing and Tracking 281
Route Filters for Controlled Access 282
Access Restriction for Protocols from User VRF 282
Social Engineering 282
Securing CTI/JTAPI Connections 283
JTAPI Client Config 285
Restricting Administrative Access (User Roles and Groups) 286
Fighting Spam Over Internet Telephony (SPIT) 288
CUCM Security Audit (Logs) 290
Application Log 291
Database Log 291
Operating System Log 291
Remote Support Accounting Log 292
Enabling Audit Logs 292
Collecting and Analyzing CUCM Audit Logs 294
Analyzing Application Audit Logs 294
Single Sign-On (SSO) 295
SSO Overview 296
System Requirements for SSO 296
Configuring OpenAM SSO Server 297
Configuring Windows Desktop SSO Authentication Module Instance 300
Configure J2EE Agent Profile on OpenSSO Server 301
Configuring SSO on CUCM 303
Configuring Client Machine Browsers for SSO 306
Internet Explorer 306
Mozilla Firefox 306
Summary 307
Chapter 10 Cisco Unity and Cisco Unity Connection Security 309
Cisco Unity/Unity Connection Platform Security 310
Cisco Unity Windows Platform Security 311
OS Upgrade and Patches 311
Cisco Security Agent (CSA) 311
Antivirus 312
Server Hardening 312
Cisco Unity Connection Linux Platform Security 313
Securing Cisco Unity/Unity Connection Web Services 313
Securing Cisco Unity Web Services (SA, PCA, and Status Monitor) 313
Securing Cisco Unity Connection Web Services (Web Administration, PCA, and IMAP) 317
Preventing Toll Fraud 317
Secure Voicemail Ports 318
Cisco Unity: Secure Voicemail Ports with CUCM (SCCP) 319
Cisco Unity: Authenticated Voicemail Ports with CUCM (SIP) 321
Cisco Unity Connection: Secure Voicemail Ports with CUCM (SCCP) 323
Cisco Unity Connection: Secure Voicemail Ports with CUCM (SIP) 324
Secure LDAP (LDAPS) for Cisco Unity Connection 327
Securing Cisco Unity/Unity Connection Accounts and Passwords 327
Cisco Unity Account Policies 327
Cisco Unity Authentication 329
Cisco Unity Connection Account Policies 330
Cisco Unity/Unity Connection Class of Service 331
Cisco Unity Class of Service (and Roles) 331
Cisco Unity Connection Class of Service (and Roles) 331
Cisco Unity/Unity Connection Secure Messaging 332
Cisco Unity Secure Messaging 332
Cisco Unity Connection Secure Messaging 334
Cisco Unity/Unity Connection Security Audit (Logs) 335
Cisco Unity Security Audit 335
Cisco Unity Connection Security Audit 337
Cisco Unity Connection Single Sign-On (SSO) 338
Summary 338
Chapter 11 Cisco Unified Presence Security 339
Securing Cisco Unified Presence Server Platform 339
Application and OS Upgrades 340
Cisco Security Agent (CSA) 340
Server Hardening 340
Securing CUPS Integration with CUCM 341
Securing CUPS Integration with LDAP (LDAPS) 345
Securing Presence Federation (SIP and XMPP) 345
CUPS SIP Federation Security 347
Intra-Enterprise/Organization Presence SIP Federation 347
Inter-Enterprise/Organization Presence SIP Federation 354
CUPS XMPP Federation Security 364
Cisco Unified Personal Communicator Security 368
Securing CUPC LDAP Connectivity 368
Securing CUPC Connectivity with Cisco Unified Presence 370
Securing CUPC Connectivity with CUCM 371
Securing CUPC Connectivity with Voicemail (Cisco Unity/Unity Connection) 372
Summary 375
Chapter 12 Cisco Voice Gateway Security 377
Cisco Voice Gateway Platform Security 377
Preventing Toll Fraud on Cisco Voice Gateways 378
Call Source Authentication 378
Voice Gateway Toll Fraud Prevention by Default 379
Class of Restriction (COR) 380
Call Transfer and Forwarding 383
Securing Conference Resources 384
Securing Voice Conversations on Cisco Voice Gateways 390
Configuring MGCP Support for SRTP 391
Configuring H.323 Gateway to Support SRTP 394
Configuring SIP Gateway to Support SRTP 396
Securing Survivable Remote Site Telephony (SRST) 399
Monitoring Cisco Voice Gateways 402
Summary 403
Chapter 13 Cisco Voice Gatekeeper and Cisco Unified Border Element Security 405
Physical and Logical Security of Cisco Gatekeeper and Cisco Unified Border Element 405
Gatekeeper Security–What Is It All About? 406
Securing Cisco Gatekeeper 406
Restricted Subnet Registration 407
Gatekeeper Accounting 407
Gatekeeper Security Option 410
Gatekeeper Intra-Domain Security 410
Gatekeeper Inter-Domain Security 411
Gatekeeper HSRP Security 413
Cisco Unified Border Element Security 414
Filtering Traffic with Access Control List 416
Signaling and Media Encryption 416
Hostname Validation 417
Firewalling CUBE 417
CUBE Inherited SIP Security Features 418
Summary 420
Chapter 14 Cisco Unified Communications Manager Express and Cisco Unity Express Security 421
Cisco Unified Communications Manager Express Platform Security 422
Preventing Toll Fraud on Cisco Unified Communications Manager Express 422
After-Hours Calling Restrictions 422
Call Transfer Restriction 423
Call Forward Restriction 424
Class of Restriction 425
Cisco Unified CME: AAA Command Accounting and Auditing 425
Cisco IOS Firewall for Cisco Unified CME 426
Cisco Unified CME: Securing GUI Access 426
Cisco Unified CME: Strict ephone Registration 427
Cisco Unified CME: Disable ephone Auto-Registration 428
Cisco Unified CME: Call Logging (CDR) 428
Cisco Unified CME: Securing Voice Traffic (TLS and SRTP) 429
Securing Cisco Unity Express Platform 435
Enabling AAA for Cisco Unity Express 437
Preventing Toll Fraud on Cisco Unity Express 438
Cisco Unity Express: Secure GUI Access 440
Summary 440
Chapter 15 Cisco IP Telephony Endpoint Security 441
Why Is Endpoint Security Important? 442
Cisco Unified IP Phone Security 443
Wired IP Phone: Hardening 443
Speakerphone 444
PC Port 445
Settings Access 445
Gratuitous Address Resolution Protocol ARP (GARP) 445
PC Voice VLAN Access 445
Video Capabilities 446
Web Access 446
Span to PC Port 446
Logging Display 447
Peer Firmware Sharing 447
Link Layer Discovery Protocol: Media Endpoint Discovery (LLDP-MED) Switch Port 447
Link Layer Discovery Protocol (LLDP) PC Port 447
Configuring Unified IP Phone Hardening 447
Wired IP Phone: Secure Network Admission 448
Wired IP Phone: Voice Conversation Security 448
Wired IP Phone: Secure TFTP Communication 449
Cisco Unified Wireless IP Phone Security 449
Cisco Wireless LAN Controller (WLC) Security 450
Cisco Wireless Unified IP Phone Security 454
Hardening Cisco Wireless IP Phones 454
Profile 455
Admin Password 455
FIPS Mode 456
Securing a Cisco Wireless IP Phone 456
Securing Cisco Wireless Endpoint Conversation 456
Securing Cisco Wireless Endpoint Network Admission 457
Using Third-Party Certificates for EAP-TLS 457
Wireless IP Phone: Secure TFTP Communication 463
Securing Cisco IP Communicator 463
Hardening the Cisco IP Communicator 464
Encryption (Media and Signaling) 465
Enable Extension Mobility for CIPC 466
Lock Down MAC Address and Device Name Settings 467
Network Access Control (NAC)-Based Secured Network Access 469
VLAN Traversal for CIPC Voice Streams 469
Summary 470
Part IV Cisco IP Telephony Network Management Security 471
Chapter 16 Cisco IP Telephony: Network Management Security 473
Secure IP Telephony Network Management Design 473
In-Band Network Management 474
Securing In-Band Management Deployment 475
Out-of-Band (OOB) Network Management 475
Securing OOB Management Deployment 476
Hybrid Network Management Design 477
Securing a Hybrid Network Management Deployment 477
Securing Network Management Protocols 478
Secure Network Monitoring with SNMPv3 479
Cisco IP Telephony Applications with SNMPv3 Support 480
SNMP for Cisco IOS Routers and Switches 483
SNMP Deployment Best Practices 485
Syslog 485
Secure Syslog for IP Telephony Applications 486
Configuring Syslog in Cisco Network Devices (Cisco IOS Devices and Cisco ASA) 488
Cisco IOS Devices Syslog 488
Cisco ASA Firewall Syslog 489
Syslog Deployment Best Practices 490
Secure Shell (SSH) 491
Configuring SSH on IOS Devices 492
Enabling SSH Access on Cisco ASA 494
SSH Deployment Best Practices 495
HTTP/HTTPS 495
Enabling Cisco CP for Cisco IOS Routers 496
Enabling Cisco ASA ASDM 498
HTTPS Deployment Best Practices 500
Securing VNC Management Access 500
VNC Deployment Best Practices 501
Securing Microsoft Remote Desktop Protocol 501
Configuring IP Telephony Server for Accepting Secure RDP Connections 502
Configuring RDP Client for Initiating Secure RDP Session 504
RDP Deployment Best Practices 506
TFTP/SFTP/SCP 507
TFTP/SFTP/SCP Deployment Best Practices 508
Managing Security Events 508
The Problem 508
The Solution 509
Cisco Prime Unified Operations Manager (CUOM) 512
Cisco Prime Unified Service Monitor (CUSM) 513
Cisco Unified Service Statistics Manager (CUSSM) 514
Cisco Prime Unified Provisioning Manager (CUPM) 515
Summary 515
Part V Cisco IP Telephony Security Essentials 517
Appendix A Cisco IP Telephony: Authentication and Encryption Essentials 519
Appendix B Cisco IP Telephony: Firewalling and Intrusion Prevention 551
Glossary 585