
CCSP CSI Exam Certification: SAFE IP Telephony Design

Chapter Description

This chapter will help you prepare for the CCSP CSI Exam, with a focus on SAFE IP Telephony Design. Sample questions are included to help you study.
  • Examining SAFE IP Telephony Design Fundamentals

  • Understanding SAFE IP Telephony Axioms

  • Understanding SAFE IP Telephony Network Designs

This chapter introduces the SAFE network design for IP telephony, which Cisco Systems developed to address customer concerns with the security of IP telephony deployed in a network. The "SAFE: IP Telephony Security in Depth" whitepaper examines the security of IP telephony in each of the SAFE blueprints—enterprise, medium-sized, and small networks—and builds on the concepts of modularity and "defense in depth." The whitepaper also addresses the unique security issues that an IP telephony deployment poses to a network.

"Do I Know This Already?" Quiz

The purpose of the "Do I Know This Already?" quiz is to help you decide if you really need to read the entire chapter. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now.

The 13-question quiz, derived from the major sections in the "Foundation Topics" portion of the chapter, helps you determine how to spend your limited study time.

Table 19-1 outlines the major topics discussed in this chapter and the "Do I Know This Already?" quiz questions that correspond to those topics.

Table 19-1 "Do I Know This Already?" Foundation Topics Section-to-Question Mapping

Foundation Topics Section                          Questions Covered in This Section
Examining SAFE IP Telephony Design Fundamentals    1–2
Understanding SAFE IP Telephony Axioms             3–9
Understanding SAFE IP Telephony Network Designs    10–12


CAUTION

The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark this question wrong for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.

  1. Which of the following objectives are fundamental in the design of SAFE IP telephony networks?

    1. Designation of responsibility

    2. Quality of service

    3. Integration with existing network infrastructure

    4. Authentication of users and devices (identity)

    5. Flexibility of the design

    6. Secure management

  2. What network feature should be deployed throughout the network infrastructure to ensure a successful IP telephony design?

    1. QoS

    2. ACLs

    3. Authentication

    4. IDS

    5. IPS

  3. Which of the following is one of the key axioms in the SAFE IP telephony design?

    1. Security and attack mitigation based on policy

    2. Voice and data segmentation

    3. User authentication

    4. Options for high availability (some designs)

    5. Secure management

  4. Which of the following protocols currently are used in IP telephony products?

    1. IGMP

    2. MGCP

    3. SIP

    4. CGMP

    5. CDP

    6. Q.773

    7. H.323

  5. Why does a firewall need to be "intelligent" when dealing with H.323 traffic?

    1. The firewall must be capable of recognizing the traffic to encrypt it properly.

    2. H.323 uses multiple static ports for signaling and media streams, and the firewall needs to know about those.

    3. H.323 traffic must be authenticated at the firewall, and, therefore, the firewall needs to be capable of recognizing that traffic.

    4. H.323 utilizes multiple dynamic ports for call sessions, and the firewall must be capable of determining those ports from the signaling channel.

    5. H.323 cannot use NAT, and, therefore, the firewall must be capable of identifying H.323 traffic appropriately.

  6. Which of the following is a tool that you can use to reconstruct a voice conversation?

    1. dsniff

    2. TCPdump

    3. ARPwatch

    4. VOMIT

    5. MITM

  7. Which of the following are legitimate connections that should be allowed through the stateful firewall protecting the call-processing manager?

    1. PC web browser connecting to voice-mail server

    2. IP phone connecting to PC clients in the data segment

    3. Call establishment and configuration traffic

    4. Browsing of the IP phone web servers by PC clients

    5. Connections from IP phones in the voice segment and the voice-mail system

    6. Communication between the voice-mail system and the call-processing manager

  8. What are the two most common recommended methods of authentication for IP phones?

    1. Device authentication

    2. Network authentication

    3. Proxy authentication

    4. User authentication

    5. Null authentication

  9. Security design reliance should be based on which of the following?

    1. VLAN segmentation

    2. Data sharing between voice and data VLANs

    3. Access control

    4. Layered security best practices

    5. Multicast join restriction

  10. Which of the following are services provided by the edge router in the small IP telephony design?

    1. VLAN segmentation

    2. Stateful firewalling

    3. NAT

    4. QoS

    5. All of these answers are correct

  11. What is the purpose of the call-processing manager in each of the SAFE IP telephony designs?

    1. The call-processing manager provides data services to IP telephony devices in the module.

    2. The call-processing manager provides voice services to IP telephony devices in the module.

    3. The call-processing manager does not provide voice-mail storage in the modules.

    4. The call-processing manager provides data storage for the IP phones.

  12. What two basic designs are possible in the small and medium blueprints for IP telephony?

    1. Hub

    2. Spoke

    3. Headend

    4. Remote

    5. Branch

  13. What is the purpose of the Layer 3 switches in the server module?

    1. The switches in the module are not Layer 3 switches; they are Layer 2 switches.

    2. No special purpose is assigned to the Layer 3 switches in this module.

    3. The Layer 3 switches provide routing and switching services to both voice and data traffic, in addition to filtering, QoS, VLANs, and private VLANs to the servers. They also provide for traffic inspection through the use of integrated NIDS.

    4. The Layer 3 switches provide firewall services through the use of an integrated firewall service module.

The answers to the "Do I Know This Already?" quiz are found in Appendix A, "Answers to the 'Do I Know This Already?' Quizzes and Q&A Sections." The suggested choices for your next step are as follows:

  • 11 or less overall score—Read the entire chapter. This includes the "Foundation Topics" and "Foundation Summary" sections and the Q&A section.

  • 12 or 13 overall score—If you want more review on these topics, skip to the "Foundation Summary" section and then go to the Q&A section. Otherwise, move to the next chapter.
