VoIP Phone Hardening - Part 1
Security is now one of the highest selection criteria for IT professionals, becoming as important as the features when selecting the new system. There has been a significant increase in the number of companies choosing to deploy Cisco Unified Communications when phasing out their traditional time division multiplexed (TDM)-based systems. Unlike vendors whose security offerings protect individual devices in the voice system, Cisco provides comprehensive, integrated security that protects the entire network over which voice traffic travels. Multiple layers of defense for the infrastructure, call management, applications, and endpoints protect against known and emerging threats. This white paper looks at how the same security technologies and policies deployed to protect the data network can be used to protect the voice service as well. It also examines the many different settings that are available to help secure the Cisco IP Phones from potential hacker attacks. This paper is based on Cisco Unified Communication Manager 5.x, 6.x, 7.x.
There has been a significant increase in the number of companies choosing to deploy Cisco Unified Communications when phasing out their traditional time division multiplexed (TDM)-based systems. Security is now one of the highest selection criteria for IT professionals when choosing a new system, becoming as important as the features the system offers.
Unified Communications is not dedicated to its own cable infrastructure as the traditional PBX systems were, but rather uses a shared IP-based infrastructure. Voice over Internet Protocol (VoIP) defines a way to carry voice calls over an IP network, including the digitization and packetization of the voice streams. Voice traffic travels along with the data traffic over the same IP network. All of the same security technologies and policies deployed to protect the data network can be used to protect the voice service as well.
Many of the best practices for securing the data network also help protect against a number of voice threats such as:
Toll Fraud - This refers to internal or external users placing unauthorized toll calls via the corporate telephone system.
Denial of Service (DoS) - In a DoS attack, hackers use automated tools to send a deluge of nuisance traffic to IP phones, call-processing servers, or infrastructure elements.
Spoofing - In impersonation exploits, a hacker steals a legitimate user's identity so that the hacker's phone calls appear to come from another user.
Eavesdropping (Man-In-The-Middle Attack) - In man-in-the-middle (MITM) attacks, an internal user spoofs the IP address of a router or PC to spy on voice traffic as well as data entered on the phone keypad during a voice conversation, such as passwords.
Unlike vendors whose security offerings protect individual devices in the voice system, Cisco provides comprehensive, integrated security that protects the entire network over which voice traffic travels. Multiple layers of defense - for the infrastructure, call management, applications, and endpoints - protect against known threats, as well as constantly emerging unknown threats. Following is a selection of Cisco secure infrastructure technologies that are especially useful for protecting voice systems.
Virtual LANs (VLANs) - VLANs separate the physical network into multiple logical networks, keeping voice and data on separate networks.
Voice and Video Enabled VPNs - In the event a user does gain unauthorized access, organizations can also encrypt voice traffic. Voice and video-enabled VPN (V3PN) technology, available in many Cisco routers and security appliances, encrypts voice as well as data traffic using IP Security (IPsec), with Advanced Encryption Standard (AES) as the cipher. Encryption is performed in hardware so that firewall performance is not affected. In addition, a V3PN solution does not affect voice quality. The Cisco ASA 5500 Series Adaptive Security Appliances and Cisco firewall solutions provide quality of service (QoS) mechanisms to help ensure that voice packets receive priority over data packets as they travel through VPN tunnels.
Access Control List (ACL) - ACLs restrict access to a specific resource, such as a Cisco Unified Communications Manager server, to specified users or network segments.
Port Security - Port security limits the services that network users can access based on the physical port to which they connect.
Cisco Secure Access Control Server - This server provides dynamic, user-based ACLs that specify the actions that individual users are allowed to take.
DHCP Snooping - DHCP snooping guards against DHCP spoofing, in which a user impersonates the DHCP server in order to redirect all network traffic through a device under the user's control.
Cisco Firewall Solutions - Firewalls restrict the ports that outsiders can use to access the network using particular protocols.
Intrusion Prevention - This inspects all traffic flowing through the network, regardless of whether it originated outside or inside the perimeter, to determine if it is malicious.
Wireless Security - When companies send voice traffic over their wireless LANs, they can protect the voice traffic with the same techniques used to protect wireless data traffic.
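As an added illustration, not from the paper or from Cisco, the following Python audit checks a constructed Cisco IOS access-switch running-config for three of the controls listed above: voice and data VLAN separation, port security on the phone port, and DHCP snooping enabled globally. The configuration text, interface names and VLAN numbers are made up for the example.

```python
# Constructed sample of an IOS-style running-config (not from the paper).
# Gi1/0/1 is a hardened phone port; Gi1/0/2 is missing several of the controls.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 2
 spanning-tree portfast
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 10
 spanning-tree portfast
"""

def parse_interfaces(config):
    """Return {interface_name: [stripped config lines under it]} from IOS-style text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # any other top-level line ends the interface block
    return interfaces

def audit_phone_port(lines, snooping_enabled):
    """Findings for one access port, checked against the controls named in the paper."""
    findings = []
    access = next((ln.split()[-1] for ln in lines if ln.startswith("switchport access vlan")), None)
    voice = next((ln.split()[-1] for ln in lines if ln.startswith("switchport voice vlan")), None)
    if voice is None or voice == access:
        findings.append("voice and data share a VLAN")
    if "switchport port-security" not in lines:
        findings.append("port security disabled")
    if not snooping_enabled:
        findings.append("DHCP snooping not enabled globally")
    return findings

def audit_config(config):
    """Map each interface to its list of findings; an empty list means it passed."""
    snooping = "ip dhcp snooping" in config.splitlines()
    return {name: audit_phone_port(lines, snooping) for name, lines in parse_interfaces(config).items()}
```

Running audit_config(SAMPLE_CONFIG) reports no findings for GigabitEthernet1/0/1 and flags the shared VLAN and missing port security on GigabitEthernet1/0/2.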
This paper presumes that your enterprise already has a security policy in place for the data network. It examines the many different settings that are available to help secure the Cisco IP Phones from potential hacker attacks. This paper is based on Cisco Unified Communication Manager 5.x, 6.x, 7.x.
IP Phone Hardening
Cisco Unified IP Phones contain built-in features to increase security on an IP telephony network. These features can be enabled or disabled on a phone-by-phone basis to increase the security of an IP telephony deployment. Frequently, endpoints, such as IP phones, are not protected; only servers and network infrastructure devices are protected or hardened. Some of the simplest tasks an administrator can perform to secure the voice network are to secure the endpoints (phones) themselves. These tasks can be performed from the Unified Communications Manager Administrator web page. Cisco IP Phones are configured by default to achieve the greatest functionality, but are not considered to be secure.