Published by Robyn Dalton. Modified over 9 years ago.
Slide 1: IP Telephony Security (Cisco Systems)
© 2004, Cisco Systems, Inc. All rights reserved
Slide 2: Threat Models Merge
- IP Telephony inherits the IP data network threat models: reconnaissance, DoS, host vulnerability exploit, surveillance, hijacking, identity theft, misuse, etc.
- The QoS requirements of IP Telephony increase exposure to DoS attacks that affect delay, jitter, packet loss and bandwidth.
- PC endpoints typically require user authentication; phones typically allow any user (exceptions: access/billing codes, Class of Service).
Slide 3: Making IP Telephony Secure
- Put a protective shell around IP through the infrastructure:
  – Protecting routers and switches
  – Preventing layer 2 tricks like VOMIT
  – Physical security!
  – Protecting IPT servers
- Put security in the IP telephony protocols
- The above are not mutually exclusive!
Slide 4: Protect Routers and Switches
- Apply well-known and proven techniques to protect network elements
- Follow sound password and authentication practices
- Ensure that unused router services are turned off
- Securely configure any network management functions
- Examples: NTP authentication, routing authentication, password encryption, SSH, AAA features, access control for SNMP, block telnet, turn off unused TCP/UDP services
- Restrict physical access! Beware router/switch password recovery. …
Slide 5: Prevent Layer 2 Tricks
- CAM is the forwarding table of a switch, filled dynamically based on source MAC addresses; if the destination MAC address is unknown, the frame is flooded within the VLAN.
  – CAM overflow: sends zillions of fake source MACs to fill the CAM, so learning is disabled.
  – Prevention: port security (a small and finite number of MACs per port).
- DHCP
  – Rogue DHCP: a malicious server (handing out fake DNS, GW) allows Man-in-the-Middle attacks.
  – Prevention: DHCP snooping, drop all replies coming from non-trusted DHCP servers.
- ARP is the protocol that links MAC and IP addresses.
  – ARP spoofing: the attacker sends a fake binding (his MAC, sniffed IP).
  – Prevention: DHCP snooping to learn the trusted binding, drop all violations.
- Spanning Tree Protocol, the ‘routing’ protocol of layer 2, detects loops.
  – Fake BPDU: re-routing, recomputation (DoS).
  – Prevention: drop BPDUs on all access ports, partially static topology.
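The three switch-side defences on slide 5 (port security, DHCP snooping and ARP inspection against the binding table that DHCP snooping builds), simulated in one small switch model so the drop decisions can be followed frame by frame. This is an added example, not Cisco code or the presentation's own material; the Frame and Switch classes, port names, MAC and IP values are constructed for illustration, and the model deliberately omits VLANs, binding ageing and BPDU handling.

```python
"""Constructed simulation of three layer-2 defences: port security (a small,
finite number of MACs per port), DHCP snooping (server replies accepted only
on trusted ports, with the leases they carry recorded) and ARP inspection
against that binding table.  Added example, not Cisco code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Frame:
    port: str                   # ingress switch port
    src_mac: str                # source MAC in the Ethernet header
    kind: str                   # "data", "dhcp_offer" or "arp_reply"
    ip: Optional[str] = None    # DHCP offer: leased IP; ARP reply: sender IP
    mac: Optional[str] = None   # DHCP offer: client MAC; ARP reply: sender MAC


class Switch:
    def __init__(self, max_macs_per_port: int = 2, trusted_ports=()):
        self.max_macs = max_macs_per_port
        self.trusted: Set[str] = set(trusted_ports)
        self.cam: Dict[str, Set[str]] = {}          # port -> learned source MACs
        self.bindings: Dict[str, str] = {}          # IP -> MAC learned from DHCP
        self.log: List[Tuple[str, str, str]] = []   # (defence, port, detail)

    def handle(self, f: Frame) -> str:
        """Return "forward" or "drop" for one ingress frame."""
        # Port security: an untrusted port may learn only max_macs addresses,
        # so a CAM-overflow flood of fake source MACs is cut off at the edge.
        learned = self.cam.setdefault(f.port, set())
        if f.src_mac not in learned:
            if f.port not in self.trusted and len(learned) >= self.max_macs:
                self.log.append(("port-security", f.port, f.src_mac))
                return "drop"
            learned.add(f.src_mac)

        if f.kind == "dhcp_offer":
            # DHCP snooping: server-to-client messages are dropped unless the
            # port is trusted; accepted leases populate the binding table.
            if f.port not in self.trusted:
                self.log.append(("dhcp-snooping", f.port, f"rogue offer {f.ip}"))
                return "drop"
            self.bindings[f.ip] = f.mac
            return "forward"

        if f.kind == "arp_reply":
            # ARP inspection: the sender IP/MAC pair must match a binding
            # learned through DHCP snooping; anything else is a spoofed binding.
            if self.bindings.get(f.ip) != f.mac:
                self.log.append(("arp-inspection", f.port, f"{f.ip} -> {f.mac}"))
                return "drop"
            return "forward"

        return "forward"


def run_demo() -> Tuple[List[str], List[Tuple[str, str, str]]]:
    """Feed a constructed frame sequence through the switch; returns the
    per-frame decisions and the defence log."""
    sw = Switch(max_macs_per_port=2, trusted_ports=["Gi0/24"])
    server = "00:00:5e:00:53:01"    # constructed documentation-range MACs
    victim = "00:00:5e:00:53:10"
    attacker = "00:00:5e:00:53:66"
    frames = [
        # 0: legitimate DHCP server on the trusted uplink leases .10 to the victim
        Frame("Gi0/24", server, "dhcp_offer", ip="10.0.0.10", mac=victim),
        # 1: rogue DHCP server on an access port is dropped by DHCP snooping
        Frame("Fa0/2", attacker, "dhcp_offer", ip="10.0.0.10", mac=attacker),
        # 2: victim answers ARP for its own address and matches the binding
        Frame("Fa0/1", victim, "arp_reply", ip="10.0.0.10", mac=victim),
        # 3: attacker claims the victim's IP: binding mismatch, dropped
        Frame("Fa0/2", attacker, "arp_reply", ip="10.0.0.10", mac=attacker),
        # 4-5: fake source MACs on Fa0/2; the third distinct MAC trips port security
        Frame("Fa0/2", "02:00:00:00:00:01", "data"),
        Frame("Fa0/2", "02:00:00:00:00:02", "data"),
    ]
    decisions = [sw.handle(f) for f in frames]
    return decisions, sw.log


if __name__ == "__main__":
    for decision, entry in zip(*run_demo()):
        print(decision, entry)
```

Running it gives forward/drop/forward/drop/forward/drop for the six frames, with one log entry each for dhcp-snooping, arp-inspection and port-security. The ordering matters in a real switch too: the ARP check only works because the trusted DHCP offer was seen first and populated the binding table, which is why statically addressed hosts (gateways, servers) need static entries in such a table.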
Slide 6: A Word About Physical Security
- Access to network equipment must be controlled
- Keep network equipment well within recommended environmental limits
- Mission-critical resources may require dispersion, to provide effective redundancy
- Killing power is an effective DoS attack
Slide 7: IPT Servers
- They are essential to IPT
- Protected by:
  – Strict security policy enforcement (firewall, …)
  – Host security: IPS, AV, …
  – Applying security fixes
  – RBAC management
Slide 8: Securing IPT Protocols, First Step: Phone Authentication
- Using X.509 certificates
- Manufacturing Installed Certificate (MIC)
  – Installed in non-erasable, non-volatile memory
- Locally Significant Certificate (LSC)
  – Installed by local authority
  – Supersedes MIC
Slide 9: Securing IPT Protocols, Second Step: Use TLS for Signaling
[Figure: protocol stack with IP, TCP and TLS, and above TLS the application protocols HTTP, SCCP, FTP and SIP.]
- Supports any application protocol
- Bi-directional PKI establishes identity
- HMAC provides integrity
- Encryption offers privacy
Slide 10: Securing IPT Protocols, Second Step: Use TLS for Signaling
- TLS is the transport for signed (RSA), authenticated (HMAC-SHA1) and encrypted (AES-128) signaling (1)
Slide 11: Securing IPT Protocols, Third Step: Use SRTP for Audio Stream
[Figure: SRTP packet layout. RTP header fields: V, P, X, CC, M, PT, sequence number, timestamp, synchronization source (SSRC) identifier, contributing source (CSRC) identifiers …; RTP extension (optional); RTP payload; SRTP MKI (0 bytes for voice); authentication tag (4 bytes for voice). The RTP payload is the encrypted portion; the header and payload together form the authenticated portion.]
- Secure Real-time Transport Protocol (RFC 3711) for transport of secure media
- Uses AES-128 for both authentication and encryption
Slide 12: Securing IPT Protocols, Third Step: Use SRTP for Audio Stream
- SRTP is the transport for authenticated and encrypted (AES-128) media (2)
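The packet layout on slides 11 and 12, worked through in code: the RTP header plus the encrypted payload is the authenticated portion, the MKI is absent (0 bytes) and the authentication tag is 4 bytes, as the voice profile on the slide specifies. This is an added example, not Cisco or RFC reference code. It implements the framing and the RFC 3711 authentication tag (HMAC-SHA1 over the authenticated portion and the rollover counter, truncated to 32 bits, i.e. the AES_CM_128_HMAC_SHA1_32 profile); the payload is treated as already-encrypted opaque bytes, and the session authentication key, SSRC and audio bytes are constructed test values.

```python
"""Constructed SRTP framing and authentication-tag example (added here, not
from the presentation).  Shows which bytes are authenticated and which are
encrypted, and how a receiver rejects a packet whose payload was altered in
transit.  The ciphertext is a stand-in; no AES is performed."""
import hashlib
import hmac
import struct
from typing import Dict

TAG_LEN = 4   # bytes: the 32-bit authentication tag used for voice
MKI_LEN = 0   # bytes: no master key identifier in the voice profile


def rtp_header_len(pkt: bytes) -> int:
    """Length of the RTP header: fixed 12 bytes, CSRC list, optional extension."""
    if len(pkt) < 12:
        raise ValueError("short RTP header")
    first = pkt[0]
    version, has_ext, csrc_count = first >> 6, (first >> 4) & 1, first & 0x0F
    if version != 2:
        raise ValueError("not RTP version 2")
    length = 12 + 4 * csrc_count
    if has_ext:
        if len(pkt) < length + 4:
            raise ValueError("truncated extension header")
        ext_words = struct.unpack_from("!H", pkt, length + 2)[0]   # length in 32-bit words
        length += 4 + 4 * ext_words
    return length


def split_srtp(pkt: bytes) -> Dict[str, bytes]:
    """Divide a voice-profile SRTP packet into header, encrypted payload, MKI and tag."""
    hdr_len = rtp_header_len(pkt)
    if len(pkt) < hdr_len + MKI_LEN + TAG_LEN:
        raise ValueError("packet too short for MKI and authentication tag")
    tag_start = len(pkt) - TAG_LEN
    mki_start = tag_start - MKI_LEN
    return {
        "header": pkt[:hdr_len],             # authenticated, sent in clear
        "payload": pkt[hdr_len:mki_start],   # encrypted portion, also authenticated
        "mki": pkt[mki_start:tag_start],     # empty for voice
        "tag": pkt[tag_start:],              # 4-byte authentication tag
    }


def auth_tag(auth_key: bytes, header: bytes, payload: bytes, roc: int) -> bytes:
    """RFC 3711 tag: HMAC-SHA1 over header || payload || ROC, truncated to TAG_LEN."""
    mac = hmac.new(auth_key, header + payload + struct.pack("!I", roc), hashlib.sha1)
    return mac.digest()[:TAG_LEN]


def protect(auth_key: bytes, header: bytes, payload: bytes, roc: int = 0) -> bytes:
    """Sender side: append the tag (MKI omitted, as for voice)."""
    return header + payload + auth_tag(auth_key, header, payload, roc)


def verify(auth_key: bytes, pkt: bytes, roc: int = 0) -> bool:
    """Receiver side: recompute the tag over the authenticated portion and compare."""
    parts = split_srtp(pkt)
    expected = auth_tag(auth_key, parts["header"], parts["payload"], roc)
    return hmac.compare_digest(expected, parts["tag"])


def build_rtp_header(seq: int, timestamp: int, ssrc: int, payload_type: int = 0) -> bytes:
    """Minimal RTP header: V=2, P=0, X=0, CC=0, M=0; PT 0 is G.711 mu-law."""
    return struct.pack("!BBHII", 0x80, payload_type, seq, timestamp, ssrc)


def demo() -> Dict[str, object]:
    key = bytes(range(20))            # constructed 160-bit auth key, not a real session key
    header = build_rtp_header(seq=1, timestamp=160, ssrc=0x12345678)
    ciphertext = bytes([0xAB] * 20)   # stands in for 20 bytes of AES-encrypted audio
    pkt = protect(key, header, ciphertext)
    tampered = pkt[:15] + bytes([pkt[15] ^ 0x01]) + pkt[16:]   # flip one payload bit
    return {
        "header_len": len(split_srtp(pkt)["header"]),
        "tag_len": len(split_srtp(pkt)["tag"]),
        "valid": verify(key, pkt),
        "tampered_valid": verify(key, tampered),
        "wrong_roc_valid": verify(key, pkt, roc=1),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two points the slide's diagram does not show: the rollover counter is part of the authenticated input even though it is never transmitted, so sender and receiver must track it in step (the `wrong_roc_valid` case fails for that reason), and the header is authenticated but not encrypted, so sequence numbers, timestamps and SSRCs remain visible to anyone on the path.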
Slide 13: Conclusion
- Security for IPT is usually desirable
- Security for IPT can be delivered
  – Within the network infrastructure
  – By the IPT protocols
- Security is not a barrier for deployment
- BTW: apply the same paranoia to data as well