Securing the IPT Infrastructure
XYZ will take different security measures at every layer and at every component of the network, as shown in Figure 6-22. With this layered approach, if security is compromised at one layer, the problem is contained at that layer rather than spreading to the rest of the infrastructure.
Figure 6-22. Multilayered Secured IPT Infrastructure

Securing CallManager and Application Servers
Software Upgrades" section in Chapter 9 for more information on operating system upgrade procedures and best practices.

Antivirus software is not bundled with the CallManager software. Third-party virus-scanning products such as McAfee or Norton AntiVirus are currently supported, and Cisco recommends that you install one of these antivirus products on CallManager and the other application servers and schedule the scans to run during nonpeak hours.

You should also place the CallManager servers, IP Phones, voice gateways, and application servers on different subnets. In addition, when you deploy a CallManager cluster, consider separating the members of the cluster into different VLANs and thus into different IP subnets. That way, even if a virus attack or DoS attack in one subnet affects the servers in that subnet, the servers in the other subnets continue to function, and you avoid a major network outage.
Using a Firewall and ACLs
Placing a firewall and ACLs in front of the CallManager cluster and the other IPT application servers adds an extra layer of security. For instance, you can configure the ACLs to allow only known traffic to reach the servers in the CallManager cluster and block all other traffic from reaching them. Refer to the following URL on Cisco.com to obtain the list of TCP and UDP ports used by CallManager; this list is what you need to build the required ACLs.
http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_tech_note09186a00801a62b9.shtml
The list of TCP and UDP ports used by the Cisco Unity server is available from the following URL:
http://www.cisco.com/en/US/products/sw/voicesw/ps2237/products_white_paper09186a00802077c0.shtml
When you place a firewall in front of your voice network, make sure that it supports stateful inspection of the voice-signaling protocol. Voice media (RTP) can use any UDP port in the range 16384 to 32767, and you need to make sure the firewall opens only the ports needed for a particular call rather than the whole range. Make sure that the firewall you are using supports Application Layer Gateway (ALG) capabilities. The ALG inspects the signaling packets to discover which UDP port the RTP stream is going to use and dynamically opens a pinhole for that UDP port for the duration of the call.
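The following is an added example, not code from the book or from any Cisco product: a toy stateful firewall whose ALG inspects constructed call-control messages and opens an RTP pinhole only for the negotiated UDP port inside the 16384-32767 range, refusing to open anything outside it. The message format, class and function names, the 5060 signaling port and the phone addresses are assumptions made for the illustration.

```python
# Added example (not from the book): ALG-style pinhole handling for RTP.
# Message layout, names and sample addresses are constructed for illustration.
from dataclasses import dataclass, field

RTP_MIN, RTP_MAX = 16384, 32767
SIGNALING_PORT = 5060  # assumption: one signaling port taken from the vendor port list


@dataclass
class AlgFirewall:
    # Static rules: (proto, dst_port) pairs for known signaling, always permitted.
    signaling: set
    # Dynamic pinholes: (dst_ip, udp_port) pairs opened by inspected signaling.
    pinholes: set = field(default_factory=set)

    def inspect_signaling(self, msg: dict) -> bool:
        """Open or close a pinhole from a (constructed) media announcement.
        Ports outside the RTP range are refused, so a forged announcement
        cannot punch a hole to an arbitrary service port."""
        port = msg["rtp_port"]
        if not RTP_MIN <= port <= RTP_MAX:
            return False
        if msg["type"] == "open_media":
            self.pinholes.add((msg["endpoint"], port))
        elif msg["type"] == "close_media":
            self.pinholes.discard((msg["endpoint"], port))
        return True

    def permit(self, proto: str, dst_ip: str, dst_port: int) -> bool:
        """Default deny: only static signaling or a currently open pinhole passes."""
        if (proto, dst_port) in self.signaling:
            return True
        return proto == "udp" and (dst_ip, dst_port) in self.pinholes


def demo() -> dict:
    """Walk one call through the firewall and return each decision."""
    fw = AlgFirewall(signaling={("tcp", SIGNALING_PORT)})
    phone = "10.1.1.20"  # constructed phone address
    out = {"rtp_before_call": fw.permit("udp", phone, 20000)}
    fw.inspect_signaling({"type": "open_media", "endpoint": phone, "rtp_port": 20000})
    out["rtp_during_call"] = fw.permit("udp", phone, 20000)
    out["other_phone_same_port"] = fw.permit("udp", "10.1.1.21", 20000)
    # A forged announcement for a non-RTP port must not open anything.
    out["forged_accepted"] = fw.inspect_signaling(
        {"type": "open_media", "endpoint": phone, "rtp_port": 445})
    out["non_rtp_port"] = fw.permit("udp", phone, 445)
    fw.inspect_signaling({"type": "close_media", "endpoint": phone, "rtp_port": 20000})
    out["rtp_after_hangup"] = fw.permit("udp", phone, 20000)
    return out
```

The point to take from `demo()` is that RTP traffic is permitted only to the exact phone and port announced in signaling, and only while the call is up.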
Securing the IPT Network from the Outside World
Use private addressing (RFC 1918) for your IP Phones, as recommended, but do not use Network Address Translation (NAT) to translate these private addresses. When you deploy IP Phone eXtensible Markup Language (XML) applications, use proxy servers to fetch content from the Internet rather than allowing your CallManager servers to reach the Internet directly.

As an example, consider a stock quote application that gets stock quotes from the Internet. The application runs on a separate application server, and an XML application runs on the IP Phone. When you use your IP Phone to select the ticker symbol CSCO within the stock quote application to get a quote update, that request does not go directly to the Internet. Instead, the request goes to the application server, which retrieves the information for you through a proxy server. Hence, the IP Phones never need to reach the Internet directly.
Securing IPT Endpoints
In the Cisco IPT solution, endpoints are Cisco IP Phones, voice gateways, media resource devices, and so forth. In addition to protecting the critical servers, you should take the necessary steps to secure these endpoints. Completely isolate the data and voice networks by using separate voice and data VLANs; this separation increases the security of your voice network.

Several security features are available to protect the IP Phones. You can configure all of these features on the CallManager Administration page for each Cisco IP Phone device, shown in Figure 6-23, by setting the following fields to Disabled:

Gratuitous ARP: By default, Cisco IP Phones accept Gratuitous Address Resolution Protocol (GARP) packets. Some devices use GARP to announce their presence on the network, but an attacker can also use GARP to spoof a valid network device, for instance by sending a GARP message claiming to be the default router. Setting this field to Disabled makes Cisco IP Phones ignore GARP packets.

PC Voice VLAN Access: By default, Cisco IP Phones pass all packets received on the switch port (the port connected to the upstream switch) to the PC port, including 802.1q-tagged packets that are destined for the Cisco IP Phone. Setting this field to Disabled stops the Cisco IP Phone from forwarding packets tagged with the voice VLAN to the PC port and prevents the attached PC from sending and receiving data on the voice VLAN. Leave this feature enabled only where you need to capture voice VLAN packets with a capture application running on the attached PC for troubleshooting and monitoring.

PC Port: Disable the PC port on the back of the Cisco IP Phone for IP Phones located in common areas, such as the lobby or break rooms.

Settings Access: Disabling this field prevents users from viewing or modifying the network configuration values on the IP Phone.
Figure 6-23. Product-Specific Configurations for Cisco IP Phones

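The following is an added example, not code from the book or from CallManager: a small audit that checks an exported list of IP Phone device settings against the four fields discussed above (Gratuitous ARP, PC Voice VLAN Access, PC Port, Settings Access), treating PC Port as required only for phones in common areas. The record layout, location labels and sample phones are constructed; only the field names come from the text.

```python
# Added example (not from the book): audit IP Phone hardening fields.
# Record layout, location labels and sample phones are constructed.
COMMON_AREAS = {"lobby", "break room"}  # locations where the PC port should be off

# Fields the text says to set to Disabled on every phone.
ALWAYS_DISABLED = ("Gratuitous ARP", "PC Voice VLAN Access", "Settings Access")


def audit_phone(phone: dict) -> list:
    """Return one finding per field that deviates from the guidance.
    A missing field is reported too, because an unset value usually means
    the vendor default (Enabled) is still in effect."""
    findings = []
    for name in ALWAYS_DISABLED:
        if phone.get(name) != "Disabled":
            findings.append(f"{name} is {phone.get(name, 'unset')}")
    # PC Port only needs to be off for phones in common areas.
    if phone.get("location") in COMMON_AREAS and phone.get("PC Port") != "Disabled":
        findings.append(f"PC Port is {phone.get('PC Port', 'unset')} in {phone['location']}")
    return findings


def audit(phones: list) -> dict:
    """Map device name -> findings for every non-compliant phone."""
    return {p["device"]: f for p in phones if (f := audit_phone(p))}


# Constructed export: three phones, only the first fully compliant.
SAMPLE_PHONES = [
    {"device": "SEP000000000001", "location": "office 3-12",
     "Gratuitous ARP": "Disabled", "PC Voice VLAN Access": "Disabled",
     "PC Port": "Enabled", "Settings Access": "Disabled"},
    {"device": "SEP000000000002", "location": "lobby",
     "Gratuitous ARP": "Disabled", "PC Voice VLAN Access": "Enabled",
     "PC Port": "Enabled", "Settings Access": "Disabled"},
    {"device": "SEP000000000003", "location": "office 4-01",
     "Gratuitous ARP": "Enabled", "PC Port": "Enabled"},
]

if __name__ == "__main__":
    for device, findings in audit(SAMPLE_PHONES).items():
        print(device, "->", "; ".join(findings))
```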
Securing Campus Network Devices
Secure access to campus network devices such as switches and routers by using TACACS+ and RADIUS authentication in your campus network. You can configure your campus network devices from the CLI over Telnet sessions, but you should use Secure Shell (SSH) instead to access these devices. Disable unused switch ports on the LAN switches and place them in an unused VLAN so that they cannot be misused. Use Spanning Tree Protocol (STP) attack mitigation tools such as BPDU Guard and Root Guard. Refer to the following URL for more information on securing the routers in your network:
http://www.cisco.com/warp/public/707/21l
Securing Voice Gateways
You can increase the security of voice gateways by accepting VoIP call-control messages only from CallManager servers that are members of the CallManager cluster and blocking such messages from all other sources. The VoIP gateways should also deny H.323, MGCP, Skinny, and SIP connection attempts from the data network. If any PC can use the VoIP gateways to place calls, it becomes hard for you to enforce a centralized dial plan, and the lack of this restriction also leaves the gateways open to a possible DoS attack.
Establishing Physical Security
Physical security is sometimes taken lightly, but access to network equipment should be granted in a controlled manner. Network equipment should be operated well within its recommended environmental limits. Mission-critical resources might need to be dispersed across locations to provide effective redundancy. Turning off the power is an effective DoS attack, so give controlled and limited access to power switches.
Installing Host-Based Intrusion Detection
In addition to deploying the firewall, you should install Cisco Security Agent (CSA) software on the CallManager, Unity, and other application servers to ensure the security and integrity of the server applications.

Instead of focusing on specific attacks, CSA focuses on preventing malicious and undesired activities on the host. CSA detects and blocks the damaging activity regardless of which attack produced it. CSA ships with predefined policies that prevent most types of malicious activity from occurring. You can download the CSA standalone-installation version for CallManager, Unity, CRS, and other applications at no charge from Cisco.com.

For more in-depth information on securing IPT networks, refer to the white paper "SAFE: IP Telephony Security in Depth" (Jason Halpern, primary author):
http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a00801b7a50.shtml
Cisco posts security advisories and notices as and when vulnerabilities are detected in Cisco products. You can access this information from the following URL:
http://www.cisco.com/en/US/products/products_security_advisories_listingl