Telephony Best Practices

IP networks are a prime target for intruders and hackers. Traditionally, voice networks were secure because the PBXs in place did not have any IP connectivity. In today's Voice over IP (VoIP) telephony-based networks, every IP phone contains a routable IP address and thus is a prime target. For example, a hacker could program the Cisco Call Manager (CCM) to make every IP phone call the number 911 (or 000, depending on what part of the world you are in). If you do not secure the voice networks from attacks like these, then not only is your IP data network a potential target, but so is your VoIP network. It must also be stressed that legacy phone networks are subjected to toll fraud very easily. Having said that, VoIP also is subject to loss of privacy, loss of integrity, impersonation, and denial of service. Latest hardware releases by Cisco and the Integrated Services Routers (ISR) platforms have addressed these issues somewhat with new Cisco IOS Software.

This section covers some of the core recommendations made by the "SAFE: IP Telephony Security in Depth" white paper, which can be viewed at ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a00801b7a50.shtml. The CCIE Security written exam covers this subject only very lightly; in fact, the lab portion of the exam does not even test VoIP best practices as of this writing. This section ensures that you understand the details that are required for the written exam, knowledge of which will also help you in the real world.

Establishing the identity of every IP phone is the key to VoIP security. The handset identifies itself with the CCM via the MAC address. If auto registration is enabled on the CCM, then any rogue IP phone can be installed and operated. Thus, you should disable auto registration or place the phone in a partition whereby only local internal calls can be made, for instance. You should also disable the switched port to the PC until the phone is correctly identified and reregistered with the correct access rights, such as a calling search space (CSS).

A CSS comprises an ordered list of route partitions (logical groupings of directory numbers and route patterns, not to be confused with IP routing) that is typically assigned to devices such as IP phones. CSSs determine the partitions where calling devices search when they are attempting to complete a call. If an intruder places a rogue device in an incorrect partition, then that intruder could potentially call any number around the globe and discover the IP subnet the phone is allocated, the CCM, the DHCP server, the TFTP server, and so forth. The intruder can simply press the Settings button on the phone and select Network Configuration to view the IP address of these core devices, such as the CCM's IP address. This information can then be used to attach to the main component of a VoIP network—the CCM(s).

A common best practice is to disable all unused network ports in a switched Layer 2 environment; this prevents deployment of any rogue IP phones. You could also consider statically defining IP addresses so that DHCP does not allocate a valid routable IP address in your network to rogue IP phones. You can secure the network by placing phones in a voice VLAN (isolated, that is) and permitting only that particular VLAN access to the CCM and associated servers and ports. In this way, you can enable DHCP for IP phones.

This leads to the best practice of all—securing the network where the CCMs reside. The call processing of VoIP networks means that the RTP stream is vital and can be hijacked by potential intruders. Call gateways and CCMs are the most vulnerable devices in your network. Hence, Cisco advises that you use network intrusion detection systems, along with well-defined access lists, to ensure that the core devices in your VoIP are secure.

The "SAFE: IP Telephony Security in Depth" white paper recommends the following for all VoIP installations:

■ Use host-based virus checking. This is common antivirus software.

■ Use a host-based IDS (HIDS). Cisco Security Agent network shimmy needs to be installed.

■ Use network-based intrusion detection systems (NIDSs).

■ Prevent toll fraud by not allowing unregistered phones to register. Typically, implementations leave auto registration in place although unregistered phones are placed in a partition. This partition can be configured to permit only internal calls, for example, thus preventing toll fraud.

■ Prevent denial of service (DoS) attacks by using separate voice and data networks.

■ Use access lists to prevent unauthorized access.

Table 1-17 defines the common TCP and UDP ports used in an IP telephony environment when deploying access list security.

Table 1-17 Common TCP/UDP Ports in VoIP













TAPI/JTAPI (Softphone if present)



Cisco Softphone Directory Lookup



Cisco skinny



HIDS management



Directory access (DCD)



IDSs can be easily deployed in chassis-based switches, making their integration fairly easy, as discussed in Chapter 5, "Operating Systems and Cisco Security Applications."

Other common best practices include securing Internet Information Server (IIS) on the CCMs, disabling Windows services, locking down SQL, and using IPS and virus protection on CCMs.

Cisco has recently released IP wireless phones. Any network that has VoIP installed must secure the wireless networks as well, as the following section discusses.

0 0

Post a comment