The real-world guide to securing Cisco-based IP telephony applications, devices, and networks Cisco IP telephony leverages converged networks to dramatically reduce TCO and improve ROI. However, its critical importance to business communications and deep integration with enterprise IP networks make it susceptible to attacks that legacy telecom systems did not face. Now, there’s a comprehensive guide to securing the IP telephony components that ride atop data network infrastructures–and thereby providing IP telephony services that are safer, more resilient, more stable, and more scalable. Securing Cisco IP Telephony Networks provides comprehensive, up-to-date details for securing Cisco IP telephony equipment, underlying infrastructure, and telephony applications. Drawing on ten years of experience, senior network consultant Akhil Behl offers a complete security framework for use in any Cisco IP telephony environment. You’ll find best practices and detailed configuration examples for securing Cisco Unified Communications Manager (CUCM), Cisco Unity/Unity Connection, Cisco Unified Presence, Cisco Voice Gateways, Cisco IP Telephony Endpoints, and many other Cisco IP Telephony applications. The book showcases easy-to-follow Cisco IP Telephony applications and network security-centric examples in every chapter. This guide is invaluable to every technical professional and IT decision-maker concerned with securing Cisco IP telephony networks, including network engineers, administrators, architects, managers, security analysts, IT directors, and consultants. Recognize vulnerabilities caused by IP network integration, as well as VoIP’s unique security requirements Discover how hackers target IP telephony networks and proactively protect against each facet of their attacks Implement a flexible, proven methodology for end-to-end Cisco IP Telephony security Use a layered (defense-in-depth) approach that builds on underlying network security design Secure CUCM, Cisco Unity/Unity Connection, CUPS, CUCM Express, and Cisco Unity Express platforms against internal and external threats Establish physical security, Layer 2 and Layer 3 security, and Cisco ASA-based perimeter security Complete coverage of Cisco IP Telephony encryption and authentication fundamentals Configure Cisco IOS Voice Gateways to help prevent toll fraud and deter attacks Secure Cisco Voice Gatekeepers and Cisco Unified Border Element (CUBE) against rogue endpoints and other attack vectors Secure Cisco IP telephony endpoints–Cisco Unified IP Phones (wired, wireless, and soft phone) from malicious insiders and external threats This IP communications book is part of the Cisco Press® Networking Technology Series. IP communications titles from Cisco Press help networking professionals understand voice and IP telephony technologies, plan and design converged networks, and implement network solutions for increased productivity.  

Table of Contents:
Introduction xxiii   Part I Introduction to Cisco IP Telephony Security 3   Chapter 1 What Is IP Telephony Security and Why Do You Need It? 3 Defining IP Telephony Security 4     What Is IP Telephony? 4     What Is IP Telephony Security? 4     What Is the Rationale Behind Securing an IP Telephony Network? 6     What Can You Do to Safeguard Your IP Telephony Network? 7 IP Telephony Security Threats 8     How Do Hackers Attack an IP Telephony Network? 8         Foot Printing 9         Scanning 9         Enumeration 9         Exploit 9         Covering Tracks 10     What Are IP Telephony Security Threats and Countermeasures? 10     Threats 11     Countermeasures 12 An Insight to VoIP Security Tools 12     IP Telephony Security/Penetration Tools 13         Sniffing Tools 13         Scanning and Enumeration Tools 14         Flooding/DoS Tools 14         Signaling and Media-Manipulation Tools 15 Business Challenges and Cisco IP Telephony Security Responses 15     Common Business Challenges Associated with IP Telephony Security 15     Cisco IP Telephony Security Responses 16 Summary 17   Chapter 2 Cisco IP Telephony Security Building Blocks 19 Introduction to IP Telephony Security Methodology 19     Understanding the IP Telephony Security Methodology 19     Demystifying IP Telephony Security Methodology 21 IP Telephony Security Architecture 22 Exploring IP Telephony Security Methodology and Defining Security Architecture 24     IP Telephony Security Assessment and Security Policy Development 24     IP Telephony Network Security Implementation 26         Physical Security 28         Layer 2 Security 29         Layer 3 Security 29         Perimeter Security 30     IP Telephony Application Security Implementation 31 Defining the IP Telephony Network Components That Should Be Secured 32     IP Telephony Network Elements That Should Be Secured 32 Summary 34   Chapter 3 What Can You Secure and How Can You Secure It? 35 Layered Security Approach for IP Telephony Security 35     IP Telephony Layered Security Approach 36         Case Study 36     Enabling IP Telephony Security: Layer upon Layer 37 Cisco IP Telephony Security Controls 40     Discovering IP Telephony Security Controls 40     Cisco IP Telephony Security Controls 41         Cisco IP Telephony Network Security Controls 41         Cisco IP Telephony Device Security Controls 43         Cisco IP Telephony Application Security Controls 45         Cisco IP Telephony Endpoint Security Controls 48 Cisco IP Telephony Security Overview 50     Discovering End-to-End IP Telephony Security 50     Understanding Each IP Telephony Component and its Relative Security Control 52         XYZ Headquarters (Main Data Center) 52         IP Telephony Data Center Security Insight 54         IP Telephony Remote Data Center Security Insight 54         IP Telephony Remote Site Security Insight 56         Telecommuter Solution Security Insight 56 Summary 57   Chapter 4 Cisco IP Telephony Security Framework 59 Cisco IP Telephony Security Life Cycle 60     Enabling IP Telephony Security 61         Security and Risk Assessment 61         IP Telephony Security Policy Development and Enforcement 62         Planning and Designing 63         IP Telephony Network and Application Security Deployment 63         Operate and Manage 64         Monitor 64 Developing an IP Telephony Security Policy 64     Building an IP Telephony Security Policy/Strategy In line with Your Corporate Security Policy 64     Risk Assessment 65     Components of IP Telephony Security Policy 69         IP Telephony Security Policy/Strategy 70         Core IP Telephony Security Policies 72     Physical Security of IP Telephony Equipment 74     Physical Security Policy 75     Local-Area Network Security Policy 76     Wide-Area Network and Perimeter Security Policy 77     IP Telephony Server Security Policy 78     Voice Application Security Policy 79     Endpoint Security Policy 79     Conclusion 80 Evaluating Cost of Security–Cost Versus Risk 80     Cost of Implementing IP Telephony Security 81     Cost of a Security Breach 81     How to Balance Between Cost and Risk 82 Determining the Level of Security for Your IP Telephony Network 84     Case Study 84         The Riddles Are Over 86 Putting Together All the Pieces 87     IP Telephony Security Framework 87 Summary 92   Part II Cisco IP Telephony Network Security 93   Chapter 5 Cisco IP Telephony Physical Security 95 IP Telephony Physical Security 95     What Is IP Telephony Physical Security All About? 96 Physical Security Issues 97     Restricting Access to IP Telephony Facility 97         Securing the IP Telephony Data Center Perimeter 98         IP Telephony Data Center Internal Security 99     Personnel Training 100     Disaster Recovery and Survivability 100 Locking Down IP Telephony Equipment 101 Environmental Factors 102 Summary 103   Chapter 6 Cisco IP Telephony Layer 2 Security 105 Layer 2 Security Overview 105     Cisco IP Telephony Layer 2 Topology Overview 106     Why Bother with Layer 2 Security? 107 IP Telephony Layer 2 Security Issues and Mitigation 108     VLAN Hopping Attack and Mitigation 109         Attack Details 109         Mitigation 111     Spanning Tree Protocol (STP) Manipulation 112         Attack Details 112         Mitigation 112     DHCP Spoofing 113         Attack Details 113         Mitigation 114     ARP Spoofing 114         Attack Details 115         Mitigation 116     MAC Address Spoofing Attack 116         Attack Details 116         Mitigation 117     IP Spoofing Attack 119         Attack Details 119         Mitigation 120     CAM Table Overflow and DHCP Starvation Attack 120         Attack Details 121         Mitigation 122 Dealing with Rogue Endpoints: 802.1x 123     What Is 802.1x and How Does it Work? 123     EAP Authentication Methods 125     802.1x for IP Telephony 126 Layer 2 Security: Best Practices 131 Summary 133   Chapter 7 Cisco IP Telephony Layer 3 Security 135 Layer 3 Security Fundamentals: Securing Cisco IOS Routers 136 Cisco IOS Platform Security 136 Restricting Management Access 137     Securing the Console Port 138     Securing the Auxiliary Port 139     Securing the VTY Ports 139     Securing the HTTP Interface 140 Disabling Unnecessary IOS Services 142     Small Services 142     Finger Service 143     BootP 143     Cisco Discovery Protocol (CDP) 143     Proxy ARP 145     Directed Broadcast 146     Source Routing 147     Classless Routing 148     Configuration Autoloading 148     Securing TFTP 149 Securing Routing Protocols 150     Routing Information Protocol v2 (RIPv2) 151     Enhanced Interior Gateway Routing Protocol (EIGRP) 152     Open Shortest Path First (OSPF) 152     Border Gateway Protocol (BGP) 153 Securing Hot Standby Routing Protocol (HSRP) 153 Safeguarding Against ICMP Attacks 154     ICMP Unreachables 154     ICMP Mask Reply 154     ICMP Redirects 154     Constraining ICMP 155 Securing User Passwords 156 Controlling User Access and Privilege Levels 157     Enabling Local Authentication and Authorization 157     Enabling External Server-based Authentication, Authorization, and Accounting (AAA) 158         Configuring Cisco TACACS+ Based Authentication 158         Configuring Cisco TACACS+ Based Authorization 159         Configuring Cisco TACACS+ Based Accounting 159 Antispoofing Measures 160     RFC 2827 Filtering 161     Unicast Reverse Packet Forwarding (uRPF) 162 Router Banner Messages 163 Securing Network Time Protocol (NTP) 164 Blocking Commonly Exploited Ports 165 Extending Enterprise Security Policy to Your Cisco Router 165     Password Minimum Length 165     Authentication Failure Rate 166     Block Logins 166     Disable Password Recovery 166 Layer 3 Traffic Protection–Encryption 168 Layer 3 Security–Best Practices 168 Summary 169   Chapter 8 Perimeter Security with Cisco Adaptive Security Appliance 171 IP Telephony Data Center’s Integral Element: Cisco Adaptive Security Appliance 172     An Introduction to Cisco ASA Firewall 172         Cisco ASA Firewall and OSI layers 174     Cisco ASA Basics 175         Cisco ASA: Stateful Firewall 175         Cisco ASA Firewall: Interfaces 175         Cisco ASA Firewall: Security Levels 177         Cisco ASA: Firewall Modes 179         Cisco ASA: Network Address Translation 180         Cisco ASA: UTM Appliance 180         Cisco ASA: IP Telephony Firewall 181 Securing IP Telephony Data Center with Cisco ASA 182     Case Study: Perimeter Security with Cisco ASA 184         Cisco ASA QoS Support 186         Firewall Transiting for Endpoints 186         Cisco ASA Firewall (ACL Port Usage) 188     Introduction to Cisco ASA Proxy Features 201 Cisco ASA TLS Proxy 203 Cisco ASA Phone Proxy 212 Cisco VPN Phone 222     Cisco VPN Phone Prerequisites 223     Implementing VPN Phone 224 Remote Worker and Telecommuter Voice Security 227 Summary 231   Part III Cisco IP Telephony Application and Device Security 233   Chapter 9 Cisco Unified Communications Manager Security 235 Cisco Unified Communications Manager (CUCM) Platform Security 236     CUCM Linux Platform Security 237 Certificate-Based Secure Signaling and Media: Certificate Authority Proxy Function 238     Enabling CUCM Cluster Security: Mixed-Mode 240 Security by Default (SBD) 249     TFTP Download Authentication 249     TFTP Configuration File Encryption 250     Trust Verification Service (Remote Certificate and Signature Verification) 251 Using External Certificate Authority (CA) with CAPF 253 Using External Certificate Authority (CA) with Cisco Tomcat 256 Enabling Secure LDAP (LDAPS) 258     Enabling Secure LDAP Connection Between CUCM and Microsoft Active Directory 259 Securing IP Phone Conversation 261     Securing Cisco IP Phones 262     Identifying Encrypted and Authenticated Phone Calls 264     Securing Third-Party SIP Phones 264     Configuring Third-Party SIP Phone 267 Secure Tone 267 CUCM Trunk Security 271     ICT and H.225 (Gatekeeper Controlled) Secure Trunks 271     SIP Trunk Security 273     Inter Cluster Trunk Security 275     SME Trunk Security 275 Trusted Relay Point (TRP) 277 Preventing Toll Fraud 279     Partitions and Calling Search Spaces 280     Time of Day Routing 280     Block Off-Net to Off-Net Transfers 281     Conference Restrictions 281     Calling Rights for Billing and Tracking 281     Route Filters for Controlled Access 282     Access Restriction for Protocols from User VRF 282     Social Engineering 282 Securing CTI/JTAPI Connections 283     JTAPI Client Config 285 Restricting Administrative Access (User Roles and Groups) 286 Fighting Spam Over Internet Telephony (SPIT) 288 CUCM Security Audit (Logs) 290     Application Log 291     Database Log 291     Operating System Log 291     Remote Support Accounting Log 292         Enabling Audit Logs 292         Collecting and Analyzing CUCM Audit Logs 294     Analyzing Application Audit Logs 294 Single Sign-On (SSO) 295     SSO Overview 296     System Requirements for SSO 296     Configuring OpenAM SSO Server 297     Configuring Windows Desktop SSO Authentication Module Instance 300     Configure J2EE Agent Profile on OpenSSO Server 301     Configuring SSO on CUCM 303     Configuring Client Machine Browsers for SSO 306         Internet Explorer 306         Mozilla Firefox 306 Summary 307   Chapter 10 Cisco Unity and Cisco Unity Connection Security 309 Cisco Unity/Unity Connection Platform Security 310     Cisco Unity Windows Platform Security 311         OS Upgrade and Patches 311         Cisco Security Agent (CSA) 311         Antivirus 312         Server Hardening 312     Cisco Unity Connection Linux Platform Security 313 Securing Cisco Unity/Unity Connection Web Services 313     Securing Cisco Unity Web Services (SA, PCA, and Status Monitor) 313     Securing Cisco Unity Connection Web Services (Web Administration, PCA, and IMAP) 317 Preventing Toll Fraud 317 Secure Voicemail Ports 318     Cisco Unity: Secure Voicemail Ports with CUCM (SCCP) 319     Cisco Unity: Authenticated Voicemail Ports with CUCM (SIP) 321     Cisco Unity Connection: Secure Voicemail Ports with CUCM (SCCP) 323     Cisco Unity Connection: Secure Voicemail Ports with CUCM (SIP) 324 Secure LDAP (LDAPS) for Cisco Unity Connection 327 Securing Cisco Unity/Unity Connection Accounts and Passwords 327     Cisco Unity Account Policies 327     Cisco Unity Authentication 329     Cisco Unity Connection Account Polices 330 Cisco Unity/Unity Connection Class of Service 331     Cisco Unity Class of Service (and Roles) 331     Cisco Unity Connection Class of Service (and Roles) 331 Cisco Unity/Unity Connection Secure Messaging 332 Cisco Unity Secure Messaging 332     Cisco Unity Connection Secure Messaging 334     Cisco Unity/Unity Connection Security Audit (Logs) 335 Cisco Unity Security Audit 335     Cisco Unity Connection Security Audit 337 Cisco Unity Connection Single Sign-On (SSO) 338 Summary 338   Chapter 11 Cisco Unified Presence Security 339 Securing Cisco Unified Presence Server Platform 339     Application and OS Upgrades 340     Cisco Security Agent (CSA) 340     Server Hardening 340 Securing CUPS Integration with CUCM 341 Securing CUPS Integration with LDAP (LDAPS) 345 Securing Presence Federation (SIP and XMPP) 345     CUPS SIP Federation Security 347         Intra-Enterprise/Organization Presence SIP Federation 347         Inter-Enterprise/Organization Presence SIP Federation 354         CUPS XMPP Federation Security 364 Cisco Unified Personal Communicator Security 368     Securing CUPC LDAP Connectivity 368     Securing CUPC Connectivity with Cisco Unified Presence 370     Securing CUPC Connectivity with CUCM 371     Securing CUPC Connectivity with Voicemail (Cisco Unity/Unity Connection) 372 Summary 375   Chapter 12 Cisco Voice Gateway Security 377 Cisco Voice Gateway Platform Security 377 Preventing Toll Fraud on Cisco Voice Gateways 378     Call Source Authentication 378     Voice Gateway Toll Fraud Prevention by Default 379     Class of Restriction (COR) 380     Call Transfer and Forwarding 383 Securing Conference Resources 384 Securing Voice Conversations on Cisco Voice Gateways 390     Configuring MGCP Support for SRTP 391     Configuring H.323 Gateway to Support SRTP 394     Configuring SIP Gateway to Support SRTP 396 Securing Survivable Remote Site Telephony (SRST) 399 Monitoring Cisco Voice Gateways 402 Summary 403   Chapter 13 Cisco Voice Gatekeeper and Cisco Unified Border Element Security 405 Physical and Logical Security of Cisco Gatekeeper and Cisco Unified Border Element 405 Gatekeeper Security–What Is It All About? 406 Securing Cisco Gatekeeper 406     Restricted Subnet Registration 407     Gatekeeper Accounting 407     Gatekeeper Security Option 410     Gatekeeper Intra-Domain Security 410     Gatekeeper Inter-Domain Security 411     Gatekeeper HSRP Security 413 Cisco Unified Border Element Security 414     Filtering Traffic with Access Control List 416     Signaling and Media Encryption 416     Hostname Validation 417     Firewalling CUBE 417     CUBE Inherited SIP Security Features 418 Summary 420   Chapter 14 Cisco Unified Communications Manager Express and Cisco Unity Express Security 421 Cisco Unified Communications Manager Express Platform Security 422 Preventing Toll Fraud on Cisco Unified Communications Manager Express 422     After-Hours Calling Restrictions 422     Call Transfer Restriction 423     Call Forward Restriction 424     Class of Restriction 425 Cisco Unified CME: AAA Command Accounting and Auditing 425 Cisco IOS Firewall for Cisco Unified CME 426 Cisco Unified CME: Securing GUI Access 426 Cisco Unified CME: Strict ephone Registration 427 Cisco Unified CME: Disable ephone Auto-Registration 428 Cisco Unified CME: Call Logging (CDR) 428 Cisco Unified CME: Securing Voice Traffic (TLS and SRTP) 429 Securing Cisco Unity Express Platform 435 Enabling AAA for Cisco Unity Express 437 Preventing Toll Fraud on Cisco Unity Express 438 Cisco Unity Express: Secure GUI Access 440 Summary 440   Chapter 15 Cisco IP Telephony Endpoint Security 441 Why Is Endpoint Security Important? 442 Cisco Unified IP Phone Security 443     Wired IP Phone: Hardening 443         Speakerphone 444         PC Port 445         Settings Access 445         Gratuitous Address Resolution Protocol ARP (GARP) 445         PC Voice VLAN Access 445         Video Capabilities 446         Web Access 446         Span to PC Port 446         Logging Display 447         Peer Firmware Sharing 447         Link Layer Discovery Protocol: Media Endpoint Discover (LLDP-MED) Switch Port 447         Link Layer Discovery Protocol (LLDP) PC Port 447     Configuring Unified IP Phone Hardening 447     Wired IP Phone: Secure Network Admission 448     Wired IP Phone: Voice Conversation Security 448     Wired IP Phone: Secure TFTP Communication 449 Cisco Unified Wireless IP Phone Security 449     Cisco Wireless LAN Controller (WLC) Security 450     Cisco Wireless Unified IP Phone Security 454     Hardening Cisco Wireless IP Phones 454         Profile 455         Admin Password 455         FIPS Mode 456     Securing a Cisco Wireless IP Phone 456     Securing Cisco Wireless Endpoint Conversation 456     Securing Cisco Wireless Endpoint Network Admission 457         Using Third-Party Certificates for EAP-TLS 457     Wireless IP Phone: Secure TFTP Communication 463 Securing Cisco IP Communicator 463     Hardening the Cisco IP Communicator 464     Encryption (Media and Signaling) 465     Enable Extension Mobility for CIPC 466     Lock Down MAC Address and Device Name Settings 467     Network Access Control (NAC)-Based Secured Network Access 469     VLAN Traversal for CIPC Voice Streams 469 Summary 470   Part IV Cisco IP Telephony Network Management Security 471   Chapter 16 Cisco IP Telephony: Network Management Security 473 Secure IP Telephony Network Management Design 473     In-Band Network Management 474         Securing In-Band Management Deployment 475     Out-of-Band (OOB) Network Management 475         Securing OOB Management Deployment 476     Hybrid Network Management Design 477         Securing a Hybrid Network Management Deployment 477 Securing Network Management Protocols 478 Secure Network Monitoring with SNMPv3 479     Cisco IP Telephony Applications with SNMPv3 Support 480     SNMP for Cisco IOS Routers and Switches 483     SNMP Deployment Best Practices 485 Syslog 485     Secure Syslog for IP Telephony Applications 486     Configuring Syslog in Cisco Network Devices (Cisco IOS Devices and Cisco ASA) 488         Cisco IOS Devices Syslog 488         Cisco ASA Firewall Syslog 489     Syslog Deployment Best Practices 490 Secure Shell (SSH) 491     Configuring SSH on IOS Devices 492     Enabling SSH Access on Cisco ASA 494     SSH Deployment Best Practices 495 HTTP/HTTPS 495     Enabling Cisco CP for Cisco IOS Routers 496     Enabling Cisco ASA ASDM 498     HTTPS Deployment Best Practices 500 Securing VNC Management Access 500     VNC Deployment Best Practices 501 Securing Microsoft Remote Desktop Protocol 501     Configuring IP Telephony Server for Accepting Secure RDP Connections 502     Configuring RDP Client for Initiating Secure RDP Session 504     RDP Deployment Best Practices 506 TFTP/SFTP/SCP 507     TFTP/SFTP/SCP Deployment Best Practices 508 Managing Security Events 508     The Problem 508     The Solution 509     Cisco Prime Unified Operations Manager (CUOM) 512     Cisco Prime Unified Service Monitor (CUSM) 513     Cisco Unified Service Statistics Manager (CUSSM) 514     Cisco Prime Unified Provisioning Manager (CUPM) 515 Summary 515   Part V Cisco IP Telephony Security Essentials 517   Appendix A Cisco IP Telephony: Authentication and Encryption Essentials 519   Appendix B Cisco IP Telephony: Firewalling and Intrusion Prevention 551   Glossary 585