Lesson 13 SAFE IP Telephony Security in Depth © 2005 Cisco Systems, Inc. All rights reserved. CSI v2.113-1.

Transcript:

IP Telephony Concepts

The Need for IP Telephony
The convergence of voice and data traffic on a single IP network is revolutionizing communications.

IP Telephony Concepts: Network Components
There are four main voice-specific components:
- IP telephony devices
- Call-processing manager
- Voice-mail system
- Voice gateway

IP Telephony Component Interactions: Skinny Station Protocol Call Setup Flow
- Register with the call-processing manager.
- Configure IP telephony devices.
- An open connection is maintained between the IP telephony device and the call-processing manager.
- Devices place a call.
- The channel uses RTP to allow the conversation to commence.
- The service locator is responsible for contacting the call-processing manager to determine the authorized services available.

IP Telephony Deployment Models
Three deployment models for enterprise IP telephony networks:
- Single-site campus
- WAN centralized call processing
- WAN distributed call processing
(Diagram: a headend site with a call-processing manager cluster and voice services, and a remote site with voice services, each with IP telephony devices, connected over a private WAN.)

VoIP Protocols
The three proposed VoIP standards are:
- MGCP
- SIP
- H.323

Threats to IP Telephony Networks
The following attacks can be expected:
- Packet sniffers and call interception
- Viruses and Trojan horse applications
- Unauthorized access
- Caller-identity spoofing
- Toll fraud
- Repudiation
- IP spoofing
- DoS
- Application-layer attacks
- Trust exploitation

IP Telephony Caveats

SAFE IP Telephony Caveats
- SAFE guidelines do not guarantee a secure environment.
- Several technologies related to IP telephony are not covered.
- A security policy should be in place.

SAFE IP Telephony Design Considerations (Axioms)

SAFE IP Telephony Design Considerations (Axioms)
- Voice networks are targets.
- Data and voice segmentation is key.
- Telephony devices do not support confidentiality.
- IP phones provide access to the data-voice segments.
- PC-based IP phones require open access.
- PC-based IP phones are especially susceptible to attacks.
- Controlling the voice-to-data segment interaction is key.
- Establishing identity is key.
- Rogue devices pose serious threats.
- All voice servers and segments must be secured and monitored.

Voice Networks Are Targets
The main issue with voice networks is that they are generally wide open, and little or no authentication is required to gain access.
(Diagram: IP telephony devices and users on the voice VLAN, reachable from the ISP.)

Segment Data and Voice Traffic
The following technologies provide voice and data segmentation:
- VLANs
- ACLs
- Stateful firewalls
(Diagram: a separate voice VLAN and data VLAN.)

Telephony Devices Do Not Support Confidentiality
Following are the SAFE recommendations for securing confidentiality:
- Data and voice segmentation
- Switched infrastructure
- Use of NIDS to monitor voice servers and segments

IP Phones Provide Access to Data-Voice Segments
Following are the SAFE recommendations for securing IP phones:
- Implement VLANs for network separation.
- Follow layered security.
- Implement Layer 3 access control in the distribution layer into which the IP phone connects.

PC-Based IP Phones Require Open Access
For PC-based IP phones, SAFE recommends deploying a stateful firewall to broker data-voice interaction.
(Diagram: a stateful firewall between the voice VLAN and the data VLAN.)

PC-Based IP Phones Are Susceptible to Attacks
PC-based IP phones are not as resilient under attack as their IP phone counterparts because of the following:
- Operating system vulnerabilities
- Application vulnerabilities
- Service vulnerabilities
- Viruses

Control the Voice-to-Data Segment Interaction
- Controlling access between the data and voice segments is important.
- The SAFE white paper discusses eight legitimate flows between the data and voice segments that are monitored by a firewall.
- A stateful firewall is deployed at specific locations in the network where the segments are allowed to interact.
- A stateful firewall provides:
  – Host-based DoS protection
  – Dynamic per-port granular access
  – Spoof mitigation
  – General filtering

Establishing Identity Is Key
Following are the SAFE recommendations for establishing identity in a VoIP network:
- Use the MAC address to establish device identity.
- Implement a username/password/PIN combination to establish user identity.
- Enable call control logging.

Rogue Devices Pose Serious Threats
The following techniques help mitigate toll fraud by not allowing unknown devices to gain access to the call-processing manager:
- Statically assign IP addresses to known MAC addresses.
- Turn off the automatic phone registration feature.
- Monitor MAC-to-IP address pairings.
- Filter all segments.
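As an added example that is not part of the Cisco course material, the following Python script models the three monitoring recommendations above together with the Arpwatch mitigation role for caller-identity spoofing cited in the threat tables later in the lesson. A static MAC-to-IP inventory stands in for the call-processing manager's list of known phones with automatic registration turned off, and constructed Arpwatch-style observation lines are audited against it. The observation line format, the inventory entries, the MAC and IP addresses, and the VLAN names are all assumptions made for this example.

```python
"""Audit observed MAC-to-IP pairings on the voice segment against a static inventory.

Added example, not Cisco's code. It models the SAFE recommendations to
statically assign IP addresses to known MAC addresses, turn off automatic
phone registration, and monitor MAC-to-IP pairings (the Arpwatch role).
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed inventory (assumption): MAC addresses of phones allowed to
# register, each with the IP address statically assigned to it.
KNOWN_PHONES: Dict[str, str] = {
    "00:0b:be:01:02:03": "10.10.20.11",
    "00:0b:be:01:02:04": "10.10.20.12",
    "00:0b:be:01:02:05": "10.10.20.13",
}

# Constructed Arpwatch-style observations; the "<time> <mac> <ip> <vlan>"
# layout is an assumption for this example.
SAMPLE_OBSERVATIONS = """\
2005-03-01T09:00:01 00:0b:be:01:02:03 10.10.20.11 voice
2005-03-01T09:00:02 00:0b:be:01:02:04 10.10.20.12 voice
2005-03-01T09:05:10 00:0b:be:01:02:04 10.10.20.13 voice
2005-03-01T09:07:30 00:11:22:33:44:55 10.10.20.50 voice
2005-03-01T09:08:00 00:0b:be:01:02:05 10.10.20.13 voice
2005-03-01T09:09:00 00:0b:be:01:02:03 10.10.20.11 voice
"""


@dataclass(frozen=True)
class Alert:
    time: str
    kind: str      # "unknown-mac", "ip-mismatch" or "ip-conflict"
    mac: str
    ip: str
    detail: str


def registration_allowed(mac: str, inventory: Dict[str, str] = KNOWN_PHONES) -> bool:
    """With auto-registration off, only inventoried MAC addresses may register."""
    return mac.lower() in inventory


def parse_observation(line: str):
    time, mac, ip, vlan = line.split()
    return time, mac.lower(), ip, vlan


def audit_pairings(text: str, inventory: Dict[str, str] = KNOWN_PHONES) -> List[Alert]:
    """Raise an alert for each observation that contradicts the static inventory:
    a MAC not in the inventory (rogue device), a known MAC using an address other
    than its assigned one, or an IP address that changes hands between two MACs."""
    alerts: List[Alert] = []
    last_mac_for_ip: Dict[str, str] = {}   # ip -> MAC most recently seen using it
    for raw in text.splitlines():
        if not raw.strip():
            continue
        time, mac, ip, vlan = parse_observation(raw)
        if mac not in inventory:
            alerts.append(Alert(time, "unknown-mac", mac, ip,
                                f"device not in inventory on {vlan} VLAN"))
        elif inventory[mac] != ip:
            alerts.append(Alert(time, "ip-mismatch", mac, ip,
                                f"expected {inventory[mac]}"))
        previous = last_mac_for_ip.get(ip)
        if previous is not None and previous != mac:
            alerts.append(Alert(time, "ip-conflict", mac, ip,
                                f"previously claimed by {previous}"))
        last_mac_for_ip[ip] = mac
    return alerts


if __name__ == "__main__":
    for alert in audit_pairings(SAMPLE_OBSERVATIONS):
        print(f"{alert.time} {alert.kind:12} {alert.mac} {alert.ip} ({alert.detail})")
```

On the constructed input this raises three alerts: a known phone moving to an address it was not assigned, an uninventoried MAC appearing on the voice VLAN, and an address that changes hands between two phones. Each alert is the signal a defender would investigate before such a device ever reaches the call-processing manager.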

Secure and Monitor All Voice Servers and Segments
The following are the SAFE recommendations for securing voice servers and segments:
- Deploy NIDS.
- Secure the voice-mail and call-processing manager systems.
- Segment and secure services on voice servers.
- Ensure secure management of voice servers.

Cisco IP Telephony Product Portfolio

Cisco IP Communications
(Diagram of the portfolio layers, top to bottom:)
- Solutions: Video Telephony; Virtual PBX/Blended Enterprise; Multimedia Collaboration; Unified Communications; Customer Interaction Network
- Applications: Partner Applications; Voice Mail and UM; Emergency Responder 911; Personal Assistant; Customer Contact Center; Conferencing
- Endpoints: Wireless Phones; Video Endpoints; Soft Phones; Desk Phones
- Call Control: Cisco IOS-based Call Control; Windows-based Call Control; Hosted Call Control
- Infrastructure: Intelligent Network Infrastructure (Security, QoS, Availability, Management, Administration)

Cisco IP Telephony Portfolio
- Cisco IP phones
- Cisco voice gateways
- Cisco call control
- Cisco voice services
- Cisco voice applications
- Cisco voice mail and unified messaging
- Cisco voice network management

Cisco IP Phones
Cisco IP Phone Series:
- Cisco 7900 Series IP Phones
- Cisco ATA 180 Series Analog Telephone Adaptors
- Cisco IP Communicator
- Cisco IP SoftPhone
- Cisco SIP IP Phone 7960 Software
- Cisco VT Advantage
- Cisco IP Conference Station 7935
- Cisco IP Phone 7960G
- Cisco Wireless IP Phone 7920

Cisco Voice Gateways
Cisco voice gateways are:
- Cisco 800, 1700, 2600, 3600, 3700, 7200, 7400, and 7500 Series routers
- Cisco AS5300, AS5400, and AS5800 Series universal gateways
- Cisco Catalyst 4000 Series switches
- Cisco Conferencing and Transcoding Feature for Voice Gateway routers
- Cisco DPA 7600 Series gateways
- Cisco IAD2400 Series integrated access devices
- Cisco MGX 8000 Series carrier voice gateways
- Cisco Multiservice IP-to-IP gateway software
- Cisco TCL Scripts for IOS gateways
- Cisco VG200 Series gateways

Cisco Call Control
- Cisco BTS Softswitch
- Cisco CallManager
- Cisco CallManager Express
- Cisco EGW 2200 Enterprise Gateway
- Cisco Gatekeeper/Multimedia Conference Manager
- Cisco Media Gateway Controller Software
- Cisco PGW 2200 Softswitch
- Cisco Signaling Controllers
- Cisco SIP Proxy Server
- Cisco SRST

Cisco Voice Servers
- Cisco MSC 7800 Series
- Cisco ICS 7700 Series

Cisco Voice Applications
- Cisco Billing and Measurements Server
- Cisco CallManager Attendant Console
- Cisco Conference Connection
- Cisco Emergency Responder
- Cisco IP Manager Assistant
- Cisco WebAttendant

Cisco Voice Mail and Unified Messaging
- Cisco Personal Assistant
- Cisco Unity
- Cisco Unity Express

Cisco Voice Network Management
- Cisco Remote Monitoring Suite
- CiscoWorks IP Telephony Environment Monitor
- CiscoWorks QoS Policy Manager

SAFE IP Telephony Design Fundamentals

IP Telephony Design Fundamentals
The following are design objectives:
- Security and attack mitigation based on policy
- QoS
- Reliability, performance, and scalability
- Authentication
- Availability options
- Secure management

IP Telephony Deployment Considerations
- Branch versus headend considerations
- Small network IP telephony design
- Branch versus standalone considerations
- Medium network IP telephony design
- Large network IP telephony design

Small Network IP Telephony Design

Small Network IP Telephony Design
(Diagram: the service-provider edge (ISP, PSTN) connects to the small network/branch edge, which holds the Corporate Internet Module with public services, and to the small network/branch campus, which holds the Campus Module with the management server, corporate users, corporate servers, call-processing manager, and proxy server.)

Small Network Corporate Internet Module: Key Device
Key device: voice-enabled firewall router
- Stateful packet filtering
- Basic Layer 7 filtering
- Host DoS mitigation
- Spoof mitigation
- Inter-VLAN filtering
(Diagram: the router connects the ISP, the PSTN (WAN backup, local calls), public/content services, and the campus.)

Small Network Corporate Internet Module: Expected Threats and Mitigation
- Unauthorized access: Firewall
- Toll fraud: ACLs
- DoS: TCP setup controls
- IP spoofing: RFC 2827 and RFC 1918 filtering
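The RFC 2827 and RFC 1918 mitigation role listed above (and repeated in the medium and large network threat tables, as well as the "spoof mitigation" duty of the stateful firewall in the axioms) can be checked against sample traffic with the following added Python example, which is not Cisco's code. It makes the ingress and egress filtering decisions for constructed packet headers at the corporate Internet module and renders the ingress policy as Cisco IOS extended-ACL lines so that the policy and the router configuration can be compared. The enterprise address block 198.51.100.0/24, the sample packets, and the ACL number are assumptions made for this example.

```python
"""RFC 2827 / RFC 1918 spoof filtering at the corporate Internet module.

Added example, not Cisco's code. The enterprise's public block, the sample
packets and the ACL number are constructed for this illustration.
"""
import ipaddress
from typing import List, Tuple

IPv4Network = ipaddress.IPv4Network

# Constructed (assumption): the public block the ISP assigned to this enterprise.
ENTERPRISE_BLOCK = IPv4Network("198.51.100.0/24")

# RFC 1918 private space, plus loopback and the "this network" range, which
# must never appear as a source address arriving from the Internet.
RFC1918 = [IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NEVER_ROUTED = RFC1918 + [IPv4Network("127.0.0.0/8"), IPv4Network("0.0.0.0/8")]


def _in_any(addr: ipaddress.IPv4Address, nets: List[IPv4Network]) -> bool:
    return any(addr in net for net in nets)


def ingress_decision(src: str) -> Tuple[str, str]:
    """Packet arriving from the ISP. RFC 2827: our own block is never a legitimate
    external source. RFC 1918: private space never legitimately crosses the Internet."""
    addr = ipaddress.IPv4Address(src)
    if addr in ENTERPRISE_BLOCK:
        return ("deny", "rfc2827: external packet claims an internal source")
    if _in_any(addr, NEVER_ROUTED):
        return ("deny", "rfc1918: non-routable source address from ISP")
    return ("permit", "")


def egress_decision(src: str) -> Tuple[str, str]:
    """Packet leaving toward the ISP. Only sources inside our block may exit, so
    this site cannot originate traffic with spoofed or private source addresses."""
    addr = ipaddress.IPv4Address(src)
    if addr in ENTERPRISE_BLOCK:
        return ("permit", "")
    return ("deny", "rfc2827: outbound source not in the enterprise block")


def filter_packets(packets):
    """packets: iterable of (direction, src, dst) with direction "in" or "out".
    Returns (direction, src, dst, action, reason) for each packet."""
    results = []
    for direction, src, dst in packets:
        decide = ingress_decision if direction == "in" else egress_decision
        action, reason = decide(src)
        results.append((direction, src, dst, action, reason))
    return results


def ios_acl_lines(number: int = 101) -> List[str]:
    """Render the ingress policy as Cisco IOS extended ACL lines, which take a
    network address followed by a wildcard (host) mask. Applied inbound on the
    ISP-facing interface; the implicit deny at the end drops everything else."""
    def wildcard(net: IPv4Network) -> str:
        return f"{net.network_address} {net.hostmask}"
    lines = [f"access-list {number} deny ip {wildcard(ENTERPRISE_BLOCK)} any"]
    lines += [f"access-list {number} deny ip {wildcard(net)} any" for net in NEVER_ROUTED]
    lines.append(f"access-list {number} permit ip any {wildcard(ENTERPRISE_BLOCK)}")
    return lines


# Constructed sample headers (assumption): (direction, source, destination).
SAMPLE_PACKETS = [
    ("in", "203.0.113.7", "198.51.100.10"),    # legitimate Internet host
    ("in", "198.51.100.44", "198.51.100.10"),  # spoofed: claims to be internal
    ("in", "10.10.20.11", "198.51.100.10"),    # spoofed: private source from the ISP
    ("out", "198.51.100.10", "203.0.113.7"),   # legitimate outbound
    ("out", "172.16.5.5", "203.0.113.7"),      # misconfigured or spoofing internal host
]

if __name__ == "__main__":
    for direction, src, dst, action, reason in filter_packets(SAMPLE_PACKETS):
        print(f"{direction:3} {src:15} -> {dst:15} {action:6} {reason}")
    print("\n".join(ios_acl_lines()))
```

The ingress and egress checks are deliberately asymmetric: inbound, the filter rejects any source that could only have been forged (our own block, private space), while outbound it permits only our own block, which is what keeps a compromised host on this site from taking part in spoofed-source attacks against others.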

Small Network Corporate Internet Module: Design Guidelines
- General
  – Cisco IOS Firewall versus dedicated firewall
  – Separate VLANs for data and voice segments
- Access control and packet inspection
  – Router performs access control and stateful inspection
  – Limited IDS functionality

Small Standalone Network: Campus Module
(Diagram: management servers, voice application users, corporate servers, IP phone users, and the call-processing manager, with a link to the Corporate Internet Module.)

Small Network Campus Module: Key Devices
Key IP telephony devices are:
- Layer 2 switch
- Corporate servers
- User workstations
- IP phones
- Call-processing manager
- Proxy server

Small Network Campus Module: Expected Threats and Mitigation Roles
- Packet sniffers and call interception: A switched infrastructure
- Viruses and Trojan horses: Virus scanning
- Unauthorized access: HIDS or HIPS
- Application-layer attacks: HIDS or HIPS
- Caller-identity spoofing: Arpwatch
- Toll fraud: Call-processing manager
- DoS: Separate voice and data segments
- Repudiation: User authentication
- Trust exploitation: Restrictive trust model and PVLANs

Small Network Campus Module: Design Guidelines
The following are guidelines and available alternatives:
- General
  – Implement VLANs and either HIDS or HIPS
  – Unified voice-mail/e-mail server
- Access control and packet inspection
  – Separate VLANs for data and voice segments
  – HIDS or HIPS for application and host security
  – Firewall between data and voice segments
  – Proxy server located on the same VLAN as the call-processing manager; however, PVLANs enabled
- Performance and scalability limits
- Secure management
  – Layer 3 and Layer 4 filtering
  – Application-level security
- Alternatives
  – Deploy two separate voice segments
  – Place the voice-mail/e-mail server in the voice segment

Small Branch Network: Campus Module
(Diagram: management servers, voice application users, corporate servers, proxy server, and IP phone users, with a link to the Corporate Internet Module.)

Medium Network IP Telephony Design

Medium Network IP Telephony Design
(Diagram: the service-provider edge (ISP Edge Module, PSTN, Frame Relay/ATM Module) connects to the medium network/branch edge (Corporate Internet Module with public services, and WAN Module) and to the medium network/branch campus (Campus Module with call-processing manager, corporate servers, corporate users, proxy server, and management servers).)

Medium Network: Corporate Internet Module
(Diagram: public services segment with links to the ISP, the PSTN, Frame Relay/ATM, the Internet, and the Campus Module.)

Medium Network: Campus Module
(Diagram: management servers, corporate servers (e-mail, voice mail), call-processing manager, proxy server, IP phone users, and voice application users, with links to the PSTN (WAN backup, local calls), the Corporate Internet Module, and the WAN Module.)

Medium Network Campus Module: Key Devices
Key IP telephony devices are:
- Layer 3 switch
- Layer 2 switch
- Corporate servers
- User workstations
- NIDS appliance
- IP phones
- Call-processing manager
- Stateful firewall
- Proxy server

Medium Network Campus Module: Expected Threats and Mitigation Roles
- Packet sniffers and call interception: Switched infrastructure
- Viruses and Trojan horses: Virus scanning
- Unauthorized access: HIDS or HIPS
- Application-layer attacks: HIDS or HIPS
- Caller-identity spoofing: Arpwatch
- Toll fraud: Call-processing manager
- DoS: Separate voice and data segments
- Repudiation: User authentication
- IP spoofing: RFC 2827 and RFC 1918 filters

Medium Network Campus Module: Design Guidelines
The following are guidelines and available alternatives:
- General
  – PVLANs
  – Filtering with Layer 3 switch and stateful firewall
- Access control and packet inspection
  – Layer 3 switch controls access between segments
  – Filtering with stateful firewall
  – Implement NIDS and either HIDS or HIPS
- Performance and scalability limits
- Secure management
  – Layer 3 and Layer 4 filtering
  – Application-level security
- Alternatives
  – Additional call-processing manager
  – Place the voice-mail system in an additional DMZ

Medium Branch Network Campus Module
(Diagram: management servers, corporate servers (e-mail, voice mail), call-processing manager, proxy server, IP phone users, and voice application users, with links to the PSTN (WAN backup, local calls), the Corporate Internet Module, and the WAN Module.)

Large Network IP Telephony Design

Large Network IP Telephony Design
(Diagram of the enterprise composite model: Campus (building, building distribution, core, server, management, and edge distribution modules); Enterprise Edge (E-Commerce, Corporate Internet, VPN & Remote Access, Extranet, WAN); Service Provider Edge (ISP A, ISP B, PSTN, Frame/ATM).)

Large Network Campus Building Module
(Diagram: voice application users and IP phone users, with a link to the Core Module.)

Large Network Campus Building Module: Key Devices
Key devices are:
- Layer 2 switch
- User workstations
- IP phones

Large Network Campus Building Module: Expected Threats and Mitigation
- Packet sniffers and call interception: A switched infrastructure
- Viruses and Trojan horses: Virus scanning
- Unauthorized access: HIDS or HIPS
- Caller-identity spoofing: Arpwatch
- Toll fraud: ACL
- Repudiation: Call-processing manager
- IP spoofing: RFC 2827 and RFC 1918 filters

Large Network Campus Building Module: Design Guidelines
The following are guidelines and available alternatives:
- General
  – Layer 3 filtering and PVLANs
  – Recommendations for the wireless users segment
- Access control and packet inspection
  – PVLANs
  – Layer 3 filtering
  – Virus scanning

Large Network Campus Server Module
(Diagram: Server Module with two call-processing managers, a department server, a corporate server, a proxy server, and internal voice mail, with a link to the Core Module.)

Large Network Campus Server Module: Key Devices
Key devices are:
- Layer 3 switch
- Corporate servers
- Call-processing manager
- Stateful firewall
- Proxy server

Large Network Campus Server Module: Expected Threats and Mitigation
- Packet sniffers and call interception: A switched infrastructure
- Unauthorized access: HIDS or HIPS
- Caller-identity spoofing: Arpwatch
- Toll fraud: ACL
- Repudiation: Call-processing manager
- IP spoofing: RFC 2827 and RFC 1918 filters
- Application-layer attacks: HIDS or HIPS
- DoS: Separate voice and data segments
- Trust exploitation: Restrictive trust model and PVLANs

Large Network Campus Server Module: Design Guidelines
The following are guidelines and available alternatives:
- General
  – Separate segments
  – HIDS or HIPS
  – Layer 3 switch provides IDS
- Access control and packet inspection
  – Segment services with VLANs
  – Implement NIDS and either HIDS or HIPS
  – Proxy server located on the same VLAN as the call-processing manager; however, PVLANs enabled
- Performance and scalability
- High availability and resiliency
  – Layer 2 and 3 resiliency with firewalls, switches, and call-processing managers
- Secure management
  – Out-of-band secure management is an option
- Alternative
  – Voice-mail system in an additional DMZ

Summary
- There are four main voice-specific components:
  – IP telephony devices
  – Call-processing manager
  – Voice-mail system
  – Voice gateway
- SAFE Enterprise IP telephony networks can be deployed in three ways:
  – Single-site campus
  – WAN centralized call processing
  – WAN distributed call processing
- There are numerous attacks against the IP telephony network.

Summary (Cont.)
- Branch versus headend considerations and branch versus standalone considerations were discussed for small, medium, and large IP telephony networks.
- The mitigation roles identified for each threat in the SAFE white paper are integral to a successful VoIP network implementation.
- The design process is often a series of trade-offs. Some of these trade-offs are made at the module level, whereas others are made at the component level.