Best Practices for Deploying Secure Cisco IP Telephony Solutions
IP telephony is slowly but surely becoming part of the modern-day organization's day-to-day operations. In fact, some organizations depend on it to the extent that their core business or processes are based on IP communications. Sadly though, the security aspect pertinent to IP-based communications networks, applications, and underlying infrastructure is usually not taken into consideration (or is ignored) when enterprises and businesses think of deploying unified communications.
On the same lines of thought, why should anyone think of securing an IP telephony network? The answer is simple, yet manifold:
- To protect the information flowing in IP communication channels from eavesdropping and reconnaissance attacks as well as from manipulation or injection attacks.
- To ensure that the investment in their on-premise or off-premise infrastructure pays off (ROI) and doesn’t end up in a rogue’s hands, utilizing it for malicious purposes.
- To lower Total Cost of Ownership (TCO) by leveraging IP communications to offset PSTN/Toll calls and reducing Moving, Addition, Configuration, and Deletion (MACD) and at the same time, keeping conversations safe.
- Attacks on the telephony network may result in monetary and reputation loss. Moreover, it can directly or indirectly impact the business continuity and clientage.
Today, many organizations depend on a number of IP telephony services like voice calls, instant messaging, conferencing, and video conferencing. A typical IP telephony network can face several threats like toll fraud, reconnaissance attacks, eavesdropping, Denial of Service (DoS) attack, and call hijack. While most organizations do consider that their network needs protection from internal or external threats, such a notion is missing (usually) when it comes to their IP telephony applications/devices. This is for a number of reasons:
- Lack of confidence to secure a relatively newer technology.
- Averting risk of breaking down a working environment with introduction of security.
- Lack of resources (monetary, man power) to carry out tasks necessary for protecting VoIP resources, as well as lack of support from higher management.
The purpose of this article is to define, in primarily non‐technical terms, best practices for securing Cisco IP telephony network deployments. Please note that not all stages of security lifecycle are covered in this article. The focus is on planning, design, and deployment phases pertinent to Cisco IP telephony solution based on Plan, Prepare, Design, Implement, Operate, Optimize (PPDIOO) model.
So how can you secure your Cisco IP telephony deployment?
With the earlier discussion in view, let’s understand what it takes to deploy a secure Cisco IP telephony solution that is scalable, robust, and resilient; in other words, one that increases ROI and decreases TCO. According to Cisco, “The objective is to secure a converged communications network to protect its availability, the confidentiality of data that it carries, and the integrity of this data.”
Achieving these objectives requires more than simply implementing a few standalone security controls, devices, and technologies. Instead, it demands a carefully developed security policy that specifies an appropriate security plan, design, implementation, and operations, with costs justified by the benefits.
A Cisco IP telephony network deployment can range from a simple to a complex model, consisting of a wide range of components and applications such as:
- Cisco Unified Communication Manager (Call-Control)
- Cisco Unity/Unity Connection (Voicemail)
- IP Phones
- Voice Gateways (PSTN T1/E1, FXO connectivity)
- Cisco Unified Border Element (Session border Controller)
- Conferencing resources (DSP farm)
- Mobility Clients
- Cisco Unified Presence
- Analog endpoints (VG2XX, ATA’s)
- Third Party servers (billing, recording, LDAP)
- Layer 2 (LAN switches)
- Layer 3 (Routers, L3 switches)
- Firewalls (Cisco ASA)
And so on.
Cisco IP telephony is a distributed system and has many individual components that must be protected. These components are at various layers of OSI model right from Layer 1 (physical layer) to Layer 7 (application layer). Malicious attacks at any layer can render the system unusable. Some of the tangible threats persist at the following layers/components:
- Endpoints (including voice gateways, analog phones, and IP Phones) and servers (call control, voicemail servers) could be targets of DoS attacks initiated from within or outside of an organization’s logical/physical territory.
- Non Voice Operating System (VOS) based servers infected with viruses that can degrade the IP telephony service or even propagate themselves to other servers in the voice or data network, thereby damaging storage and enterprise (LDAP, SQL) data.
- Intentional malicious attacks leading to changes in configuration information.
- Attacks concentrated on IP telephony infrastructure (Layer 1-3) for example: routing protocol manipulation, CAM table overflow, DHCP spoofing, arson, and so on.
- Toll fraud and abuse of IP telephony equipment.
While all of these seem to be potential threats or risks to the sanctity of a Cisco IP telephony deployment, it is important to understand that these risks may not all be applicable in all different types of IP telephony implementations. So, to begin with the security of a Cisco IP telephony solution, a risk assessment can reveal existing security gaps in network and infrastructure security. This leads to the formulation of a security policy, which gives direction and meaning to efforts towards implementing the right security controls or devices where required, in line with an organization’s goals and vision. Finally, the security policy (combined with audit efforts) leads to successful security implementation at infrastructure, network, and application layers. These topics are covered in subsequent sections.
Getting Started: IP telephony Risk Assessment
Within the context of IP telephony pertinent to business processes, converged voice and data IP networks are entrusted to carry sensitive information and the essential functions of conducting business to and from the employees, vendors, and partners. Essentially it’s an ecosystem which requires end-to-end security. And in doing so, an IP telephony network must be secured in such a way that:
- It complies with applicable laws and regulations
- It protects intellectual property and proprietary information
- It upholds expectations from corporate reputation viewpoint
Fundamentally, neither should an IP telephony solution by itself be assumed to mitigate all security risks, nor should network security measures be assumed to be enough to thwart all threats on their own. A defense-in-depth approach is required to curb and evade potential threats; it can be built with the aid of a comprehensive risk mitigation strategy blended with network layer and application layer security measures.
According to Cisco, “The primary objective is to integrate IP telephony and traditional data services onto a converged network infrastructure, without compromising the security of either service.”
Thus, a layered security approach (defense in depth) that implements security controls in a holistic manner across an enterprise or organization lays down a solid foundation to build a secure and robust IP telephony solution. The security solution should be layered, with multiple controls and protection at multiple network and application levels. This minimizes the possibility of a single point of failure leading to a compromise in the overall security construct.
The desired end result is that the confidentiality, integrity, and availability of critical IP telephony applications and network resources must be ensured while maintaining the solution’s performance. In a nutshell, security should be transparent to the user, simple to administer, cost‐effective, and standards‐based.
The first step toward securing a Cisco IP telephony solution is to gain an understanding of the risks involved. Pertinent to IP telephony, security risks can be broadly categorized as follows:
- Interception and impersonation of IP telephony voice and signaling sessions leading to loss of confidentiality or integrity or both
- Non-authorized or fraudulent use of IP telephony equipment or services for example, toll fraud
- Denial of Service (DoS) or Distributed DoS attacks, leading to degradation of voice services
- Direct/Indirect intrusion of other services associated with or facilitated by the IP telephony implementation
The next section covers the risk assessment overview in brief.
Risk Assessment Overview
Risk assessment helps highlight and manage the possible risks which can lead to threats and the implication of the plausible threats being realized. In other words, risk assessment is an important step in protecting your business, assets and workers/workplace as well as complying with the legal requirements. Essentially, performing a risk assessment exercise helps identify assets which are central to a business and the threats to these assets, so that precautions to deter these threats can be taken upfront in order to reduce or minimize damage caused by realization of those threats.
Risk Assessment Process
The first step is to highlight the categories of risk origination. For example, the following types of risk categories could be identified (these may differ as per business verticals or specific requirements):
Process
- Inadequate controls in the operational processes to maintain and operate UC network
People
- Failure of staff to comply with the procedures to leverage IP telephony services, whether intentionally or through oversight or negligence
- Non-familiarity of staff with the set guidelines and procedures to manage or operate UC system
System
- Failure of IP telephony system to meet user requirements
- Absence of in-built control measures in the application system to deter attacks
External Events
- Imposition/changes of policies by government regulatory bodies
- Attempt to attack UC resources or fraud by external entities or customers
Assessing Risk and Risk Categorization
The next major activity is to assess the risk in each category by virtue of component, product, or process. The idea is to identify potential events that, if they occur, will adversely affect the enterprise operation or processes, and to manage the associated risk within the enterprise’s risk appetite. This is described by the following steps:
- Identify all the operational processes for managing and operating IP telephony network.
- Identify the extent of risk impact/likelihood for each risk category with the magnitude of either High, Medium, or Low. This can be achieved by averaging out the total loss exposure amount and number of incidents that happened in a year (annual loss expectancy) to arrive at a common median/average.
Risk categories can be mapped into the Risk Quadrant Grid, which is divided into four quadrants as shown in Figure 1:
Figure 1 Risk Assessment Output: Risk Category, Probability, and Impact
For example, an attack on Cisco Unified Communications Manager (CUCM) will heavily impact the normal business operations; this should be categorized as a High Impact risk. However, the possibility of a hacker breaking into the network and attacking CUCM is much less; it should be categorized into Low Likelihood. Hence, the outcome is that CUCM as an asset should be placed into ‘Medium High Risk’ category.
Once the asset vs. risk categorization is completed, it’s time to move to the next step, i.e. aligning security controls and mechanisms in line with risk appetite of an asset or process. It is important to understand that to have the right direction to implement security for IP telephony and to have the security deployed in a consistent manner to thwart threats of sorts, it’s essential to have a guideline that an organization’s stakeholders can follow. This guideline is the security strategy, in this case IP telephony security strategy.
Next Steps: IP Telephony Security Strategy
As discussed earlier, a security strategy/policy gives direction to efforts, resources, and security controls or mechanism such that an organization can focus on the where, what, how, why, and when aspects of deploying security for its IT infrastructure. Same goes for IP telephony as well, since Cisco IP telephony is established not just by applications, rather by devices and infrastructure, which applications leverage for their operation. Hence, a systemic approach helps ensure that directional efforts account for resources, and planned controls are in line with business objectives.
When it comes to IP telephony, like any other discipline of networking, rather than implementing security post deployment, it’s a good idea to ensure that security goes with IP telephony planning and design, i.e. security is a coherent part of the PPDIOO phases in a Cisco IP telephony deployment project. This is depicted in Figure 2:
Figure 2 Security Policy build around PPDIOO Process
The steps in the PPDIOO process are not discrete or independent; they are all interrelated. It is an iterative and ongoing process, which resembles the very nature of a security strategy process, which is ever evolving and reiterating. Figure 3 illustrates the security strategy lifecycle.
Figure 3 Security Strategy Lifecycle
An IP telephony security strategy (policy) should be developed as a collaborative, cross-organizational team effort requiring participation from representatives from the networking, IT security, telecom, and business departments/business units. Organizations should examine IP telephony security from a business perspective by defining goals, policies, and pattern of usage across all applications: data, voice, video, IM, voicemail, and presence. Security strategy for all these components needs to be aligned and properly balanced against business risks.
In a nutshell, security strategy will differ for different businesses or organizations as per their risk appetite and the requirements from business verticals. For example, a school may not require all endpoints to be authorized before being admitted in the network (Network Access Control); however, for a government organization this might be a norm. Hence, one size fits all doesn’t work with security strategy/policy development. A security strategy for an IP telephony solution may be developed based on the following elements (not all inclusive or exclusive):
- Acceptable usage, behavior, and conduct pertinent to telephony resources/system
- Physical security measures
- Network infrastructure security
- Perimeter access security
- Server hardening
- Definition of secure and non-secure zones
- User endpoint security
- Wireless infrastructure security
- Vendor, partner, and consultant access restrictions
- Backup and restore (including disaster recovery) security
- Network management and security response
- Internet access
- Lawful interception of calls
This is a very high level view of what goes into making a security strategy (policy) document which gives a corporate wide guideline to be followed while designing, deploying, operating, monitoring, and maintaining an IP telephony network. Moreover, it goes without saying that, the security strategy should be such that it can be comprehended in a generic way by everyone in an organization.
The next section offers insight for implementing secure Cisco IP telephony networks.
Getting Down to Business: Deploying Secure Cisco IP telephony Networks
We have discussed briefly the types of threats that pester the IP telephony network. To reiterate, attacks on IP telephony systems can be broadly categorized into the following types:
- Confidentiality/Privacy which includes (not limited to) voice call eavesdropping, hijacking sessions
- Integrity/Authenticity which includes (not limited to) impersonation, injection
- Availability which includes (not limited to) DoS/DDoS, network infiltration
- Theft which includes (not limited to) toll fraud, data theft
- Spam over Internet Telephony (SPIT) which includes (not limited to) unsolicited calling
With a wide variety of potential threats and attacks, no solo mechanism can curb the otherwise imminent threat. Hence, a multilayer security approach (as discussed earlier) is not an option but a necessity.
To achieve end-to-end security, everything right from a user endpoint to peripheral gateways to firewalls to physical access should be secured. This is depicted in Figure 4.
Figure 4 End-to-End Security Construct
Following are recommended best practices and recommended security controls to design and deploy secure Cisco IP telephony networks.
Layer 1 (Physical Layer) Security
- Badged access to data center and other facilities. Guards at data center or facility periphery
- Alarms and sensors at data center periphery and entry/exits
- Appropriate arrangements for fire extinguishing
- Automatic doors with break proof glass
- CCTV cameras where required (and possible)
- Equipment secured in racks in data center and in closets at user access level
- Role based access (authorization) to IP telephony/network equipment
- Uninterrupted Power Supply (UPS) for servers and network devices
Layer 2 (Switching Layer) Security
- Segregation of data and voice VLAN
- Application of port based security where possible
- Dynamic ARP inspection
- DHCP snooping
- Limited MAC addresses per physical switch port
- Layer 2 ACL’s (where possible)
- Layer 2 QOS to differentiate between priority, default, and scavenger traffic (where possible)
- Network Access Control (NAC)
- VLAN pruning
- Secure management access to switch interface (SSH)
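An added example (not from the original article or from Cisco): a small Python audit that checks IOS-style access-port configuration for several of the Layer 2 controls listed above (voice/data VLAN segregation, port security with a MAC limit, DHCP snooping, and dynamic ARP inspection). The sample configuration, the VLAN numbers, and the `max_macs` threshold are constructed assumptions.

```python
import re

# Constructed sample (not from the article): Gi1/0/1 follows the Layer 2
# practices listed above, Gi1/0/2 does not.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,110
ip arp inspection vlan 10,110
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 switchport port-security
 switchport port-security maximum 2
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 10
"""

def parse(config):
    """Return (global_lines, {interface_name: [indented sub-lines]})."""
    global_lines, ports, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith(" ") and current is not None:
            ports[current].append(line)
        elif line.startswith("interface "):
            current = line.split()[1]
            ports[current] = []
        else:
            current = None
            global_lines.append(line)
    return global_lines, ports

def vlan_set(spec):
    """Expand an IOS VLAN list such as '10,110' or '10-12' into a set of ints."""
    bounds = [part.split("-") for part in spec.split(",")]
    return {v for b in bounds for v in range(int(b[0]), int(b[-1]) + 1)}

def first_int(pattern, lines):
    """Return the integer captured in the first line matching pattern, else None."""
    hits = [m for m in (re.fullmatch(pattern, l) for l in lines) if m]
    return int(hits[0].group(1)) if hits else None

def audit(config, max_macs=2):
    """Return (port, finding) tuples; max_macs is an assumed local policy value."""
    findings = []
    global_lines, ports = parse(config)
    covered = {"dhcp snooping": set(), "arp inspection": set()}
    for line in global_lines:
        m = re.fullmatch(r"ip (dhcp snooping|arp inspection) vlan (\S+)", line)
        if m:
            covered[m.group(1)] |= vlan_set(m.group(2))
    if "ip dhcp snooping" not in global_lines:
        covered["dhcp snooping"] = set()  # per-VLAN lines need the global enable
    for port, body in ports.items():
        if "switchport mode access" not in body:
            continue  # only user-facing access ports are checked
        data = first_int(r"switchport access vlan (\d+)", body) or 1  # default VLAN 1
        voice = first_int(r"switchport voice vlan (\d+)", body)
        if voice is None or voice == data:
            findings.append((port, "no separate voice VLAN"))
        if "switchport port-security" not in body:
            findings.append((port, "port security disabled"))
        elif (first_int(r"switchport port-security maximum (\d+)", body) or 1) > max_macs:
            findings.append((port, "MAC address limit above policy"))
        for vlan in sorted({data, voice} - {None}):
            for feature, vlans in covered.items():
                if vlan not in vlans:
                    findings.append((port, f"{feature} not enabled for VLAN {vlan}"))
    return findings
```

Calling `audit(SAMPLE_CONFIG)` reports only the second port; removing the global `ip dhcp snooping` line makes every access-port VLAN show up as unprotected.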
Layer 3 (Routing Layer) Security
- Routing protocol authentication
- Secure access to router console, VTY (SSH)
- Secure access to router GUI (HTTPS)
- uRPF
- Filtering of RFC 1918 addresses (at aggregation from untrusted networks)
- Secure Hot Standby Routing Protocol (HSRP) (where applicable)
- Route poisoning prevention
- Layer 3 QOS for segregating intended traffic from scavenger/malicious traffic
Layer 4-7 (LAN/WAN/Perimeter) Security
- Cisco ASA Firewalls to broker connection from untrusted zone to trusted zone (filtering TCP/UDP connections)
- Internet or extranet facing servers to be placed in DMZ
- Network Intrusion Prevention System (NIPS) to inspect and filter/drop packets/sessions based on malicious packet content
- IPSec/SSL VPN based off Cisco ASA Firewall and IOS routers
- UC proxy services (TLS proxy/Phone proxy)
- Deep packet scanning (inspect)
- Rate limiting by Application Inspection Control (AIC)
IP telephony Server Security (Call Control)
- Secure communications by virtue of Certificate Authentication Proxy Function (CAPF): TLS for signaling and SRTP for media
- Secure access to GUI (HTTPS)
- Secure CTI/JTAPI
- Secure LDAP integration
- Secure voicemail integration
- Secure presence integration
- Secure SIP Trunks
- Integration with external certificates (Third Party PKI chain)
- Integration with industry standard SSO solution
- Host Intrusion Prevention System (HIPS): CSA/SELinux
- Role based management and user access
IP telephony Server Security (Voicemail)
- Secure communications with endpoints: TLS for signaling and SRTP for media
- Secure integration with call control
- Secure access to GUI (HTTPS)
- Secure LDAP integration
- Integration with external certificates (Third Party PKI chain)
- Secure voice messaging (private messages)
- Integration with industry standard SSO solution
- HIPS
- Role based management and user access
IP telephony Server Security (Presence)
- Secure communications with endpoints: TLS for signaling and SRTP for media
- Secure integration with call control
- Secure access to GUI (HTTPS)
- Secure LDAP integration
- Integration with external certificates (Third Party PKI chain)
- HIPS
IP telephony Server Security (Contact Center)
- Secure integration with call control
- Secure recording
- Secure endpoints for agents
- Platform security for CVP, ICM, and other windows based platforms (Antivirus, HIPS)
IP Phone Security (Wired, Wireless, and Soft phone)
- Secure endpoint with CAPF certificates (LSC)
- Secure endpoint with built-in certificates (MIC)
- Secure network admission (dot1x)
- Secure WiFi admission (WPA, WPA2)
- Restricted access to settings
- Phone hardening
- VPN Phone
- Restricted access to system registry (for softphone)
- Trusted Relay Point (for softphone)
IP telephony Network Management
- Secure access to network equipment and servers (In-Band or Out Of Band management)
- Secure network management protocols for example: SSH, SCP, SFTP, HTTPS
- Security Event Management System (SEMS) or Security Information or Event Management (SIEM)
- Backup and restore processes
- Disaster Recovery System and/or Disaster Recovery Site
Again, this is not a comprehensive list of security controls. However, these security controls and mechanisms should give you an insight to the requirement for security and risk appetite as per your organization’s goals and vision.
Bottom Line
IP telephony deployments expose the enterprise to new and serious threats from within and outside of the organization. This is primarily due to the fact that the underlying network infrastructure’s weaknesses are also shared by the IP telephony components leveraging it. These threats can be adequately mitigated by leveraging best practices, provided organizations rightfully understand the risks and manage them via a holistic enterprise-wide security architecture, leveraging the defense-in-depth concept to combine IP telephony system-specific and network-specific security features. Secure IP telephony requires considering voice, data, and video communications as a singular unified system and implementing a multilayered, uniformly applied defense construct for the system infrastructure, call management, applications, and endpoints. This minimizes the possibility that a failure of one or more components in the security construct could compromise overall security.
To summarize, the following are best practices to deploy Cisco IP telephony networks:
- Treat the development of an IP telephony security program as a collaborative and cross‐organizational project involving stakeholders from all departments.
- Conduct risk assessment to chalk out a comprehensive list of threats, the feasibility of each threat, the quantitative impact of each threat, and based upon the risk level, a prioritization of mitigation actions for each of the potential threats.
- Organizations should examine IP telephony security from a business perspective in line with their goals and vision. Security strategy should be such that it is aligned and is in compliance with applicable laws and regulations. Moreover, it must be properly implemented and balanced against business risks.
- Consider potential physical security risks and plan well in advance to evade any threats to IP telephony infrastructure.
- Disperse voice and data on different VLANs. Ensure that LAN switches are equipped with 802.1p prioritization so they can identify and prioritize traffic based on VLAN tags and support multiple queues. Enable port security, DHCP snooping, DAI, and other mechanisms to protect Layer 2.
- Secure Layer 3 (routing) by routing protocol authentication, NTP authentication, ACL based filtering (RFC 1918 addresses).
- Leverage VPN technology (IPSec or SSL or both) to provide a secure pathway for endpoints outside the organization’s physical or logical premises, remote workers, and extranet. Voice and Video enabled VPN (V3PN) technology can be employed to encrypt voice media, voice signaling, and data traffic using IPSec.
- ALG aware firewalls at perimeter and within network can provide for granular control, protocol conformance checking, and security checks. Utilize UC proxy services offered by Cisco ASA firewall to support encrypted voice traffic through firewall.
- Employ NAC in order to unify endpoint security and network security enforcement so that network access is contingent on compliance with established security policies.
- Protect the integrity of management and managed systems. Segregate management traffic on its own VLAN (OOB). Exercise management access control, authorization, and logging.
- Employees of an organization should be aware of their responsibility pertinent to organization’s Intellectual Capital (IC) and Information.
Security is everyone’s responsibility. Not just key stakeholders but everyone needs to participate and contribute to build, operate, and maintain a secure Cisco IP telephony network. While users should be aware of their rights and responsibilities, the executives and higher management should be supportive of what IT, security, telecom, and networking departments try to achieve: a robust and secure Cisco IP telephony network which is an asset to an organization.