Securing Cisco IP Telephony Networks (Networking Technology: IP Communications)


  • Binding: Paperback / Pages: 700 p.
  • Language: ENG
  • Product code: 9781587142956
  • DDC classification: 005.8

Full Description


The real-world guide to securing Cisco-based IP telephony applications, devices, and networks

Cisco IP telephony leverages converged networks to dramatically reduce TCO and improve ROI. However, its critical importance to business communications and deep integration with enterprise IP networks make it susceptible to attacks that legacy telecom systems did not face. Now, there's a comprehensive guide to securing the IP telephony components that ride atop data network infrastructures - and thereby providing IP telephony services that are safer, more resilient, more stable, and more scalable.

Securing Cisco IP Telephony Networks provides comprehensive, up-to-date details for securing Cisco IP telephony equipment, underlying infrastructure, and telephony applications. Drawing on ten years of experience, senior network consultant Akhil Behl offers a complete security framework for use in any Cisco IP telephony environment. You'll find best practices and detailed configuration examples for securing Cisco Unified Communications Manager (CUCM), Cisco Unity/Unity Connection, Cisco Unified Presence, Cisco Voice Gateways, Cisco IP Telephony Endpoints, and many other Cisco IP Telephony applications. The book showcases easy-to-follow Cisco IP Telephony applications and network security-centric examples in every chapter.

This guide is invaluable to every technical professional and IT decision-maker concerned with securing Cisco IP telephony networks, including network engineers, administrators, architects, managers, security analysts, IT directors, and consultants.

  • Recognize vulnerabilities caused by IP network integration, as well as VoIP's unique security requirements
  • Discover how hackers target IP telephony networks and proactively protect against each facet of their attacks
  • Implement a flexible, proven methodology for end-to-end Cisco IP Telephony security
  • Use a layered (defense-in-depth) approach that builds on underlying network security design
  • Secure CUCM, Cisco Unity/Unity Connection, CUPS, CUCM Express, and Cisco Unity Express platforms against internal and external threats
  • Establish physical security, Layer 2 and Layer 3 security, and Cisco ASA-based perimeter security
  • Complete coverage of Cisco IP Telephony encryption and authentication fundamentals
  • Configure Cisco IOS Voice Gateways to help prevent toll fraud and deter attacks
  • Secure Cisco Voice Gatekeepers and Cisco Unified Border Element (CUBE) against rogue endpoints and other attack vectors
  • Secure Cisco IP telephony endpoints - Cisco Unified IP Phones (wired, wireless, and soft phone) from malicious insiders and external threats

This IP communications book is part of the Cisco Press® Networking Technology Series. IP communications titles from Cisco Press help networking professionals understand voice and IP telephony technologies, plan and design converged networks, and implement network solutions for increased productivity.

Contents

Introduction

Part I Introduction to Cisco IP Telephony Security

Chapter 1 What Is IP Telephony Security and Why Do You Need It?
  • Defining IP Telephony Security
  • What Is IP Telephony?
  • What Is IP Telephony Security?
  • What Is the Rationale Behind Securing an IP Telephony Network?
  • What Can You Do to Safeguard Your IP Telephony Network?
  • IP Telephony Security Threats
  • How Do Hackers Attack an IP Telephony Network?
  • Foot Printing
  • Scanning
  • Enumeration
  • Exploit
  • Covering Tracks
  • What Are IP Telephony Security Threats and Countermeasures?
  • Threats
  • Countermeasures
  • An Insight to VoIP Security Tools
  • IP Telephony Security/Penetration Tools
  • Sniffing Tools
  • Scanning and Enumeration Tools
  • Flooding/DoS Tools
  • Signaling and Media-Manipulation Tools
  • Business Challenges and Cisco IP Telephony Security Responses
  • Common Business Challenges Associated with IP Telephony Security
  • Cisco IP Telephony Security Responses
  • Summary

Chapter 2 Cisco IP Telephony Security Building Blocks
  • Introduction to IP Telephony Security Methodology
  • Understanding the IP Telephony Security Methodology
  • Demystifying IP Telephony Security Methodology
  • IP Telephony Security Architecture
  • Exploring IP Telephony Security Methodology and Defining Security Architecture
  • IP Telephony Security Assessment and Security Policy Development
  • IP Telephony Network Security Implementation
  • Physical Security
  • Layer 2 Security
  • Layer 3 Security
  • Perimeter Security
  • IP Telephony Application Security Implementation
  • Defining the IP Telephony Network Components That Should Be Secured
  • IP Telephony Network Elements That Should Be Secured
  • Summary

Chapter 3 What Can You Secure and How Can You Secure It?
  • Layered Security Approach for IP Telephony Security
  • IP Telephony Layered Security Approach
  • Case Study
  • Enabling IP Telephony Security: Layer upon Layer
  • Cisco IP Telephony Security Controls
  • Discovering IP Telephony Security Controls
  • Cisco IP Telephony Security Controls
  • Cisco IP Telephony Network Security Controls
  • Cisco IP Telephony Device Security Controls
  • Cisco IP Telephony Application Security Controls
  • Cisco IP Telephony Endpoint Security Controls
  • Cisco IP Telephony Security Overview
  • Discovering End-to-End IP Telephony Security
  • Understanding Each IP Telephony Component and its Relative Security Control
  • XYZ Headquarters (Main Data Center)
  • IP Telephony Data Center Security Insight
  • IP Telephony Remote Data Center Security Insight
  • IP Telephony Remote Site Security Insight
  • Telecommuter Solution Security Insight
  • Summary

Chapter 4 Cisco IP Telephony Security Framework
  • Cisco IP Telephony Security Life Cycle
  • Enabling IP Telephony Security
  • Security and Risk Assessment
  • IP Telephony Security Policy Development and Enforcement
  • Planning and Designing
  • IP Telephony Network and Application Security Deployment
  • Operate and Manage
  • Monitor
  • Developing an IP Telephony Security Policy
  • Building an IP Telephony Security Policy/Strategy In line with Your Corporate Security Policy
  • Risk Assessment
  • Components of IP Telephony Security Policy
  • IP Telephony Security Policy/Strategy
  • Core IP Telephony Security Policies
  • Physical Security of IP Telephony Equipment
  • Physical Security Policy
  • Local-Area Network Security Policy
  • Wide-Area Network and Perimeter Security Policy
  • IP Telephony Server Security Policy
  • Voice Application Security Policy
  • Endpoint Security Policy
  • Conclusion
  • Evaluating Cost of Security - Cost Versus Risk
  • Cost of Implementing IP Telephony Security
  • Cost of a Security Breach
  • How to Balance Between Cost and Risk
  • Determining the Level of Security for Your IP Telephony Network
  • Case Study
  • The Riddles Are Over
  • Putting Together All the Pieces
  • IP Telephony Security Framework
  • Summary

Part II Cisco IP Telephony Network Security

Chapter 5 Cisco IP Telephony Physical Security
  • IP Telephony Physical Security
  • What Is IP Telephony Physical Security All About?
  • Physical Security Issues
  • Restricting Access to IP Telephony Facility
  • Securing the IP Telephony Data Center Perimeter
  • IP Telephony Data Center Internal Security
  • Personnel Training
  • Disaster Recovery and Survivability
  • Locking Down IP Telephony Equipment
  • Environmental Factors
  • Summary

Chapter 6 Cisco IP Telephony Layer 2 Security
  • Layer 2 Security Overview
  • Cisco IP Telephony Layer 2 Topology Overview
  • Why Bother with Layer 2 Security?
  • IP Telephony Layer 2 Security Issues and Mitigation
  • VLAN Hopping Attack and Mitigation
  • Attack Details
  • Mitigation
  • Spanning Tree Protocol (STP) Manipulation
  • Attack Details
  • Mitigation
  • DHCP Spoofing
  • Attack Details
  • Mitigation
  • ARP Spoofing
  • Attack Details
  • Mitigation
  • MAC Address Spoofing Attack
  • Attack Details
  • Mitigation
  • IP Spoofing Attack
  • Attack Details
  • Mitigation
  • CAM Table Overflow and DHCP Starvation Attack
  • Attack Details
  • Mitigation
  • Dealing with Rogue Endpoints: 802.1x
  • What Is 802.1x and How Does it Work?
  • EAP Authentication Methods
  • 802.1x for IP Telephony
  • Layer 2 Security: Best Practices
  • Summary

Chapter 7 Cisco IP Telephony Layer 3 Security
  • Layer 3 Security Fundamentals: Securing Cisco IOS Routers
  • Cisco IOS Platform Security
  • Restricting Management Access
  • Securing the Console Port
  • Securing the Auxiliary Port
  • Securing the VTY Ports
  • Securing the HTTP Interface
  • Disabling Unnecessary IOS Services
  • Small Services
  • Finger Service
  • BootP
  • Cisco Discovery Protocol (CDP)
  • Proxy ARP
  • Directed Broadcast
  • Source Routing
  • Classless Routing
  • Configuration Autoloading
  • Securing TFTP
  • Securing Routing Protocols
  • Routing Information Protocol v2 (RIPv2)
  • Enhanced Interior Gateway Routing Protocol (EIGRP)
  • Open Shortest Path First (OSPF)
  • Border Gateway Protocol (BGP)
  • Securing Hot Standby Routing Protocol (HSRP)
  • Safeguarding Against ICMP Attacks
  • ICMP Unreachables
  • ICMP Mask Reply
  • ICMP Redirects
  • Constraining ICMP
  • Securing User Passwords
  • Controlling User Access and Privilege Levels
  • Enabling Local Authentication and Authorization
  • Enabling External Server-based Authentication, Authorization, and Accounting (AAA)
  • Configuring Cisco TACACS+ Based Authentication
  • Configuring Cisco TACACS+ Based Authorization
  • Configuring Cisco TACACS+ Based Accounting
  • Antispoofing Measures
  • RFC 2827 Filtering
  • Unicast Reverse Packet Forwarding (uRPF)
  • Router Banner Messages
  • Securing Network Time Protocol (NTP)
  • Blocking Commonly Exploited Ports
  • Extending Enterprise Security Policy to Your Cisco Router
  • Password Minimum Length
  • Authentication Failure Rate
  • Block Logins
  • Disable Password Recovery
  • Layer 3 Traffic Protection - Encryption
  • Layer 3 Security - Best Practices
  • Summary

Chapter 8 Perimeter Security with Cisco Adaptive Security Appliance
  • IP Telephony Data Center's Integral Element: Cisco Adaptive Security Appliance
  • An Introduction to Cisco ASA Firewall
  • Cisco ASA Firewall and OSI layers
  • Cisco ASA Basics
  • Cisco ASA: Stateful Firewall
  • Cisco ASA Firewall: Interfaces
  • Cisco ASA Firewall: Security Levels
  • Cisco ASA: Firewall Modes
  • Cisco ASA: Network Address Translation
  • Cisco ASA: UTM Appliance
  • Cisco ASA: IP Telephony Firewall
  • Securing IP Telephony Data Center with Cisco ASA
  • Case Study: Perimeter Security with Cisco ASA
  • Cisco ASA QoS Support
  • Firewall Transiting for Endpoints
  • Cisco ASA Firewall (ACL Port Usage)
  • Introduction to Cisco ASA Proxy Features
  • Cisco ASA TLS Proxy
  • Cisco ASA Phone Proxy
  • Cisco VPN Phone
  • Cisco VPN Phone Prerequisites
  • Implementing VPN Phone
  • Remote Worker and Telecommuter Voice Security
  • Summary

Part III Cisco IP Telephony Application and Device Security

Chapter 9 Cisco Unified Communications Manager Security
  • Cisco Unified Communications Manager (CUCM) Platform Security
  • CUCM Linux Platform Security
  • Certificate-Based Secure Signaling and Media: Certificate Authority Proxy Function
  • Enabling CUCM Cluster Security: Mixed-Mode
  • Security by Default (SBD)
  • TFTP Download Authentication
  • TFTP Configuration File Encryption
  • Trust Verification Service (Remote Certificate and Signature Verification)
  • Using External Certificate Authority (CA) with CAPF
  • Using External Certificate Authority (CA) with Cisco Tomcat
  • Enabling Secure LDAP (LDAPS)
  • Enabling Secure LDAP Connection Between CUCM and Microsoft Active Directory
  • Securing IP Phone Conversation
  • Securing Cisco IP Phones
  • Identifying Encrypted and Authenticated Phone Calls
  • Securing Third-Party SIP Phones
  • Configuring Third-Party SIP Phone
  • Secure Tone
  • CUCM Trunk Security
  • ICT and H.225 (Gatekeeper Controlled) Secure Trunks
  • SIP Trunk Security
  • Inter Cluster Trunk Security
  • SME Trunk Security
  • Trusted Relay Point (TRP)
  • Preventing Toll Fraud
  • Partitions and Calling Search Spaces
  • Time of Day Routing
  • Block Off-Net to Off-Net Transfers
  • Conference Restrictions
  • Calling Rights for Billing and Tracking
  • Route Filters for Controlled Access
  • Access Restriction for Protocols from User VRF
  • Social Engineering
  • Securing CTI/JTAPI Connections
  • JTAPI Client Config
  • Restricting Administrative Access (User Roles and Groups)
  • Fighting Spam Over Internet Telephony (SPIT)
  • CUCM Security Audit (Logs)
  • Application Log
  • Database Log
  • Operating System Log
  • Remote Support Accounting Log
  • Enabling Audit Logs
  • Collecting and Analyzing CUCM Audit Logs
  • Analyzing Application Audit Logs
  • Single Sign-On (SSO)
  • SSO Overview
  • System Requirements for SSO
  • Configuring OpenAM SSO Server
  • Configuring Windows Desktop SSO Authentication Module Instance
  • Configure J2EE Agent Profile on OpenSSO Server
  • Configuring SSO on CUCM
  • Configuring Client Machine Browsers for SSO
  • Internet Explorer
  • Mozilla Firefox
  • Summary

Chapter 10 Cisco Unity and Cisco Unity Connection Security
  • Cisco Unity/Unity Connection Platform Security
  • Cisco Unity Windows Platform Security
  • OS Upgrade and Patches
  • Cisco Security Agent (CSA)
  • Antivirus
  • Server Hardening
  • Cisco Unity Connection Linux Platform Security
  • Securing Cisco Unity/Unity Connection Web Services
  • Securing Cisco Unity Web Services (SA, PCA, and Status Monitor)
  • Securing Cisco Unity Connection Web Services (Web Administration, PCA, and IMAP)
  • Preventing Toll Fraud
  • Secure Voicemail Ports
  • Cisco Unity: Secure Voicemail Ports with CUCM (SCCP)
  • Cisco Unity: Authenticated Voicemail Ports with CUCM (SIP)
  • Cisco Unity Connection: Secure Voicemail Ports with CUCM (SCCP)
  • Cisco Unity Connection: Secure Voicemail Ports with CUCM (SIP)
  • Secure LDAP (LDAPS) for Cisco Unity Connection
  • Securing Cisco Unity/Unity Connection Accounts and Passwords
  • Cisco Unity Account Policies
  • Cisco Unity Authentication
  • Cisco Unity Connection Account Policies
  • Cisco Unity/Unity Connection Class of Service
  • Cisco Unity Class of Service (and Roles)
  • Cisco Unity Connection Class of Service (and Roles)
  • Cisco Unity/Unity Connection Secure Messaging
  • Cisco Unity Secure Messaging
  • Cisco Unity Connection Secure Messaging
  • Cisco Unity/Unity Connection Security Audit (Logs)
  • Cisco Unity Security Audit
  • Cisco Unity Connection Security Audit
  • Cisco Unity Connection Single Sign-On (SSO)
  • Summary

Chapter 11 Cisco Unified Presence Security
  • Securing Cisco Unified Presence Server Platform
  • Application and OS Upgrades
  • Cisco Security Agent (CSA)
  • Server Hardening
  • Securing CUPS Integration with CUCM
  • Securing CUPS Integration with LDAP (LDAPS)
  • Securing Presence Federation (SIP and XMPP)
  • CUPS SIP Federation Security
  • Intra-Enterprise/Organization Presence SIP Federation
  • Inter-Enterprise/Organization Presence SIP Federation
  • CUPS XMPP Federation Security
  • Cisco Unified Personal Communicator Security
  • Securing CUPC LDAP Connectivity
  • Securing CUPC Connectivity with Cisco Unified Presence
  • Securing CUPC Connectivity with CUCM
  • Securing CUPC Connectivity with Voicemail (Cisco Unity/Unity Connection)
  • Summary

Chapter 12 Cisco Voice Gateway Security
  • Cisco Voice Gateway Platform Security
  • Preventing Toll Fraud on Cisco Voice Gateways
  • Call Source Authentication
  • Voice Gateway Toll Fraud Prevention by Default
  • Class of Restriction (COR)
  • Call Transfer and Forwarding
  • Securing Conference Resources
  • Securing Voice Conversations on Cisco Voice Gateways
  • Configuring MGCP Support for SRTP
  • Configuring H.323 Gateway to Support SRTP
  • Configuring SIP Gateway to Support SRTP
  • Securing Survivable Remote Site Telephony (SRST)
  • Monitoring Cisco Voice Gateways
  • Summary

Chapter 13 Cisco Voice Gatekeeper and Cisco Unified Border Element Security
  • Physical and Logical Security of Cisco Gatekeeper and Cisco Unified Border Element
  • Gatekeeper Security - What Is It All About?
  • Securing Cisco Gatekeeper
  • Restricted Subnet Registration
  • Gatekeeper Accounting
  • Gatekeeper Security Option
  • Gatekeeper Intra-Domain Security
  • Gatekeeper Inter-Domain Security
  • Gatekeeper HSRP Security
  • Cisco Unified Border Element Security
  • Filtering Traffic with Access Control List
  • Signaling and Media Encryption
  • Hostname Validation
  • Firewalling CUBE
  • CUBE Inherited SIP Security Features
  • Summary

Chapter 14 Cisco Unified Communications Manager Express and Cisco Unity Express Security
  • Cisco Unified Communications Manager Express Platform Security
  • Preventing Toll Fraud on Cisco Unified Communications Manager Express
  • After-Hours Calling Restrictions
  • Call Transfer Restriction
  • Call Forward Restriction
  • Class of Restriction
  • Cisco Unified CME: AAA Command Accounting and Auditing
  • Cisco IOS Firewall for Cisco Unified CME
  • Cisco Unified CME: Securing GUI Access
  • Cisco Unified CME: Strict ephone Registration
  • Cisco Unified CME: Disable ephone Auto-Registration
  • Cisco Unified CME: Call Logging (CDR)
  • Cisco Unified CME: Securing Voice Traffic (TLS and SRTP)
  • Securing Cisco Unity Express Platform
  • Enabling AAA for Cisco Unity Express
  • Preventing Toll Fraud on Cisco Unity Express
  • Cisco Unity Express: Secure GUI Access
  • Summary

Chapter 15 Cisco IP Telephony Endpoint Security
  • Why Is Endpoint Security Important?
  • Cisco Unified IP Phone Security
  • Wired IP Phone: Hardening
  • Speakerphone
  • PC Port
  • Settings Access
  • Gratuitous Address Resolution Protocol ARP (GARP)
  • PC Voice VLAN Access
  • Video Capabilities
  • Web Access
  • Span to PC Port
  • Logging Display
  • Peer Firmware Sharing
  • Link Layer Discovery Protocol: Media Endpoint Discover (LLDP-MED) Switch Port
  • Link Layer Discovery Protocol (LLDP) PC Port
  • Configuring Unified IP Phone Hardening
  • Wired IP Phone: Secure Network Admission
  • Wired IP Phone: Voice Conversation Security
  • Wired IP Phone: Secure TFTP Communication
  • Cisco Unified Wireless IP Phone Security
  • Cisco Wireless LAN Controller (WLC) Security
  • Cisco Wireless Unified IP Phone Security
  • Hardening Cisco Wireless IP Phones
  • Profile
  • Admin Password
  • FIPS Mode
  • Securing a Cisco Wireless IP Phone
  • Securing Cisco Wireless Endpoint Conversation
  • Securing Cisco Wireless Endpoint Network Admission
  • Using Third-Party Certificates for EAP-TLS
  • Wireless IP Phone: Secure TFTP Communication
  • Securing Cisco IP Communicator
  • Hardening the Cisco IP Communicator
  • Encryption (Media and Signaling)
  • Enable Extension Mobility for CIPC
  • Lock Down MAC Address and Device Name Settings
  • Network Access Control (NAC)-Based Secured Network Access
  • VLAN Traversal for CIPC Voice Streams
  • Summary

Part IV Cisco IP Telephony Network Management Security

Chapter 16 Cisco IP Telephony: Network Management Security
  • Secure IP Telephony Network Management Design
  • In-Band Network Management
  • Securing In-Band Management Deployment
  • Out-of-Band (OOB) Network Management
  • Securing OOB Management Deployment
  • Hybrid Network Management Design
  • Securing a Hybrid Network Management Deployment
  • Securing Network Management Protocols
  • Secure Network Monitoring with SNMPv3
  • Cisco IP Telephony Applications with SNMPv3 Support
  • SNMP for Cisco IOS Routers and Switches
  • SNMP Deployment Best Practices
  • Syslog
  • Secure Syslog for IP Telephony Applications
  • Configuring Syslog in Cisco Network Devices (Cisco IOS Devices and Cisco ASA)
  • Cisco IOS Devices Syslog
  • Cisco ASA Firewall Syslog
  • Syslog Deployment Best Practices
  • Secure Shell (SSH)
  • Configuring SSH on IOS Devices
  • Enabling SSH Access on Cisco ASA
  • SSH Deployment Best Practices
  • HTTP/HTTPS
  • Enabling Cisco CP for Cisco IOS Routers
  • Enabling Cisco ASA ASDM
  • HTTPS Deployment Best Practices
  • Securing VNC Management Access
  • VNC Deployment Best Practices
  • Securing Microsoft Remote Desktop Protocol
  • Configuring IP Telephony Server for Accepting Secure RDP Connections
  • Configuring RDP Client for Initiating Secure RDP Session
  • RDP Deployment Best Practices
  • TFTP/SFTP/SCP
  • TFTP/SFTP/SCP Deployment Best Practices
  • Managing Security Events
  • The Problem
  • The Solution
  • Cisco Prime Unified Operations Manager (CUOM)
  • Cisco Prime Unified Service Monitor (CUSM)
  • Cisco Unified Service Statistics Manager (CUSSM)
  • Cisco Prime Unified Provisioning Manager (CUPM)
  • Summary

Part V Cisco IP Telephony Security Essentials

Appendix A Cisco IP Telephony: Authentication and Encryption Essentials

Appendix B Cisco IP Telephony: Firewalling and Intrusion Prevention

Glossary
