CCSP SelfStudy CCSP CSI: Exam Certification Guide, Second Edition [Electronic resources]

What systems are in the Campus module of the small IP telephony blueprint?

The Campus module of the small IP telephony blueprint contains the end-user systems and the corporate servers, such as voice-mail servers, e-mail servers, management servers, IP phones, and the Layer 2 infrastructure.

Why do PC-based IP phones violate the axiom "Data and voice segmentation is key"?

PC-based IP phones violate the axiom because these are software-only IP telephony devices that reside on the data segment of the network but require access to the voice segment.

What considerations given to production servers in the data segment also should be provided to the voice servers in the voice segment?

The considerations given to production servers in the data segment of the network that also should be provided to the voice servers in the voice segment of the network include turning off all unneeded services, patching the operating system with the latest security patches, hardening the OS configuration, disabling unnecessary or unused features in the voice system, and not running unnecessary applications on the voice servers.

What is the best way to control the voice and data segment interaction?

Controlling the voice-to-data segment interaction is critical to successfully deploying and securing an IP telephony system. The best way to accomplish this task is to use a stateful firewall. This type of firewall provides denial-of-service (DoS) protection against connection starvation and fragmentation attacks, as well as dynamic, per-port access through it, when necessary. It additionally provides spoof mitigation and general packet filtering.

What are some of the specific attack-mitigation details that are especially applicable to an IP telephony deployment?

These attack-mitigation details are specific to an IP telephony deployment:

• Statically assign IP addresses to known MAC addresses in DHCP networks with IP phones deployed.

• Turn off the common temporary automatic phone-registration feature that many call-processing managers have available.

• Configure the call-processing managers to deny configuration information to unknown PC-based IP phones.

• Use a utility such as ARPwatch to monitor MAC addresses in the voice segment.

• Filter all inbound network segments at the stateful firewall in front of the call-processing manager and the voice-mail system, to restrict which devices can connect to these servers.

What are some of the services provided by the voice-enabled firewall/router in the Corporate Internet module of the small IP telephony design?

The voice-enabled firewall router in the Corporate Internet module of the small IP telephony design provides not just the typical security services, such as NAT, VPN, stateful firewall inspection of traffic, and IDS, but also voice services, including VLAN segmentation.

What are the key network devices in the Campus module of the medium-sized IP telephony blueprint, and what are their functions?

The key network devices in this module and their functions are as follows:

What is the primary function of the Campus module of the medium-sized IP telephony blueprint?

The primary function of the Campus module is to switch data, voice, and management traffic while enforcing the network and voice VLAN separation. The VLAN separation is augmented by the use of filtering on the Layer 3 switch and also a stateful firewall.

What is the purpose of placing a NIDS between the voice and data segments of the network?

NIDS can be deployed between the voice and data segments to provide detection capabilities of any DoS attacks targeted specifically at the voice segment.

How is resiliency provided in the Server module of the large IP telephony design?

Resiliency, or high availability, is ensured through the use of multiple call-processing managers and multiple firewalls configured in high-availability mode.