The threats, the remediation, the IP Telephony Security methodology, and much more have been discussed in previous chapters. The objective throughout has been to amalgamate IP Telephony and conventional data services onto a shared network infrastructure without compromising the security of either service. The intention has been to apply protective mechanisms against all types of attacks, and to apply them in a holistic manner throughout the enterprise network. The two main principles of an IP Telephony Security Framework are the simplification of design and configuration, and the limitation of exposure.
It is time to start putting together your IP Telephony network security strategy. With the basics of what makes your secure IP Telephony network out of the ordinary covered, it is time to move on and choose the style of security network that best suits your needs. In many ways, this can be a subjective process because you might prefer one type of network security over another regardless of objective criteria. There’s nothing wrong with taking that approach as long as you’re armed with the facts, and that’s what this chapter is all about.
This chapter covers the following topics:
- Cisco IP Telephony Security life cycle
- Develop an IP Telephony Security policy
- Evaluate cost versus risk
- Determine the level of security required for your IP Telephony network
- Develop Cisco IP Telephony Security Framework
Cisco IP Telephony Security Life Cycle
Cisco understands and values the importance of network security and continuously drives toward building robust, scalable, and secure products and networks. It is vital that security is built into the design wherever possible (rather than implemented after the network is deployed). The process of developing and securing your IP Telephony network should follow what is popularly known as a security wheel. After developing an IP Telephony Security policy, you can secure your IP Telephony network. (An IP Telephony Security policy acts as a guide for implementing various security measures; without it, IP Telephony network security will be neither complete nor based on the ethics and principles of your organization.)
The security wheel, as shown in Figure 4-1, reflects the fact that IP Telephony network security is a continuous process built around your corporate security policy.
Figure 4-1. Cisco Security Wheel
After the IP Telephony network is secured, it should be monitored for any deviations from normal behavior, for example, abnormal usage of services, network and application level attacks, illicit scans, and log analysis to ensure that it stays secure.
After the monitoring phase comes the testing phase. Testing can be done by the organization itself, or it can be outsourced to a third party, such as Cisco Advanced Services. Network and IP Telephony administrators and engineers should use the information from the monitoring and testing phases to improve the security implementation. They should also adjust the IP Telephony Security policy as new vulnerabilities and risks are identified.
For more details on the security services offered by Cisco Advanced Services and other security groups within Cisco, visit http://www.cisco.com/en/US/products/svcs/ps2961/ps2952/serv_group_home.html.
Enabling IP Telephony Security
Implementing and enabling IP Telephony Security is neither a single step nor a one-time process. It is a constant and continually improving cycle, which must be reiterated time and again as and when new threats evolve or new requirements need to be addressed. Figure 4-2 illustrates the IP Telephony Security cycle and its various phases.
Figure 4-2. IP Telephony Security Life Cycle
At the core, this cycle is based on the Cisco security wheel; however, it is more detailed and explicit toward the IP Telephony network security process.
Security and Risk Assessment
The process begins with security and risk assessment; during this stage, any new or existing vulnerabilities and security loopholes are discovered. A rigorous process consisting of multiple objectives is carried out. These include, but are not limited to, the following:
- Evaluating and identifying the principal assets
- Identifying any existing security concerns
- Exploring any possible new threats or attack vectors
- Evaluating the cost of security
The security assessment of the enterprise IP Telephony network infrastructure helps support key business processes. The IP Telephony Security assessment should cover the following elements of your IP Telephony environment:
- Network device (router and switch) vulnerabilities
- Network and security services (firewall, routing protocols, and anti-spoofing services)
- Network access layer, where endpoints connect to the network, and the distribution and core layers of the internal network
- IP Telephony services, endpoints, and applications, such as Presence, IP Phones, Call Control, gateways, and so on
The objective of security assessment is to identify potential weaknesses in your IP Telephony network, which may lead to toll fraud, denial-of-service (DoS), eavesdropping on voice calls, and unauthorized access to voice mail systems within your IP Telephony environment. The result is a report on the network security posture, including recommendations for network infrastructure and IP Telephony application security improvements.
Risk assessment helps identify the vital assets of your IP Telephony network and evaluate the potential cost of security. The topic of risk assessment is covered in detail in the section “Risk Assessment.” The completion of the risk assessment phase triggers the next phase, in which the IP Telephony Security policy (strategy) is developed.
IP Telephony Security Policy Development and Enforcement
The process of developing and enforcing an IP Telephony Security policy is based on the corporate security policy and objectives. An IP Telephony Security policy is much like a network security policy. However, the major difference is that the IP Telephony Security policy is explicitly developed for the IP Telephony network, covering the network, applications, and services relevant to the IP Telephony infrastructure. You must recognize that the development of an IP Telephony Security policy is not a lone effort by the IP Telephony team. Instead, it should be done in collaboration with the network and security teams to ensure that all aspects and viewpoints are covered as they pertain to IP Telephony Security.
Planning and Designing
The subsequent phase is the planning and designing phase, in which you plan and design the blueprint for the deployment of your IP Telephony network. As a best practice, it is in this phase that you should integrate security with the design being developed instead of adding security after your IP Telephony network has been deployed. The design should be such that the IP Telephony network and the services based on it are scalable, robust, flexible, and most obviously, secure. The planning for deployment should include security as an integral component and should adopt a layered security approach instead of concentrating security at one point, for example, at the enterprise perimeter.
IP Telephony Network and Application Security Deployment
This is the phase where the most activity can be expected. It ranges from deploying and enabling security on IP Telephony applications (Call Manager and Unity Connection) on servers, to the IP Telephony network (access layer switches, routers), to IP Telephony endpoints. As mentioned earlier, if security is planned into the design, it becomes much easier to implement in coherence with the underlying functional network. In other words, implementing security for the IP Telephony network becomes seamless.
IP Telephony network security can be organized into the following categories:
- Hardware and device security (endpoints and servers)
- Network security (Layers 2 and 3 and upper layers)
- Application security (Call Control, voice messaging, presence, and so on)
- Management and monitoring (SSH and logging)
Operate and Manage
In this penultimate phase, you leverage the services offered by your IP Telephony network. It is time to reap the benefits of your hard work! Your IP Telephony network is fully operational, and you can bring it into production. However, it is also time to ensure that things go the way they were planned and that there are minimal hiccups from the intended operational and management perspective. Ensure that administrative and other privileges are assigned only to the intended authorized staff. Furthermore, ensure that only legitimate users can leverage the IP Telephony services, without any loss of service or disruption in the IP Telephony environment. This phase largely overlaps with the last phase, that is, monitoring the IP Telephony network.
Monitor
At this point, your IP Telephony network should, under ideal conditions, be fully functional, and to ensure that it remains that way, you must consistently keep an eye on the health of your IP Telephony network. IP Telephony monitoring tools, techniques, security, and best practices are discussed in Chapter 16, “Cisco IP Telephony: Network Management Security.” Monitoring and responding to potential threats is a manifold process and requires monitoring for and reporting any “deviations.” Consider what the word deviation means in the context of IP Telephony network management and monitoring. On one hand, a deviation is an anomaly induced by improper or unjustified use of the services provided by your IP Telephony network. On the other hand, it is a threat that has matured and caused a loss of integrity, confidentiality, or availability of your IP Telephony network. Thus, it is paramount to have proper monitoring mechanisms in place and to have these deviations reported as soon as they are discovered, so that they can be dealt with either by an automatic defense system (for example, a firewall, network IPS, or host IPS) or manually.
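The first kind of deviation described above, improper use of the telephony service, is usually visible in call detail records (CDRs) before anyone notices a bill. The following is an added example, not code from the book or from Cisco, that runs a few policy checks over a constructed CDR export: calls to premium-rate (1-900) numbers, international calls placed outside business hours, an international-minutes budget per extension per day, and a per-hour call-rate ceiling. The CDR format, the thresholds, and the business-hours window are all assumptions for the sake of the example; a real deployment would take these from the calling restrictions written into the IP Telephony Security policy.

```python
"""Flag call-pattern deviations in constructed CDR data (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample CDR export (not real data). Fields: call start time,
# calling extension, dialed digits, duration in seconds.
SAMPLE_CDR = """\
2023-03-06 09:12:40,2001,5551234567,180
2023-03-06 09:40:02,2001,5559876543,95
2023-03-06 02:15:11,2042,011441234567890,1320
2023-03-06 02:31:50,2042,011441234567891,1500
2023-03-06 02:58:03,2042,011441234567892,1440
2023-03-06 03:20:47,2042,011441234567893,1260
2023-03-06 11:05:19,2017,19005551212,600
2023-03-06 14:22:08,2030,011339876543210,420
"""

# Assumed policy parameters; a real deployment would take these from the policy.
BUSINESS_HOURS = range(8, 19)   # 08:00 to 18:59, assumed local time
INTL_MINUTES_PER_DAY = 60       # assumed per-extension daily international budget
CALLS_PER_HOUR = 2              # assumed per-extension hourly call ceiling


def parse_cdr(text):
    """Parse the constructed CSV export into a list of call records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, ext, dialed, dur = line.split(",")
        records.append({
            "start": datetime.strptime(start, "%Y-%m-%d %H:%M:%S"),
            "ext": ext,
            "dialed": dialed,
            "seconds": int(dur),
        })
    return records


def is_international(dialed):
    # North American dial plan: 011 prefix means an international call
    return dialed.startswith("011")


def is_premium_rate(dialed):
    # 1-900 numbers, listed on this page as a typical calling restriction
    return dialed.startswith("1900")


def detect_deviations(records):
    """Return (extension, rule, detail) tuples for every policy deviation found."""
    alerts = []
    intl_minutes = defaultdict(float)   # (ext, date) -> international minutes
    calls_per_hour = defaultdict(int)   # (ext, date, hour) -> number of calls
    for r in records:
        day = r["start"].date()
        hour = r["start"].hour
        calls_per_hour[(r["ext"], day, hour)] += 1
        if is_premium_rate(r["dialed"]):
            alerts.append((r["ext"], "premium_rate", r["dialed"]))
        if is_international(r["dialed"]):
            intl_minutes[(r["ext"], day)] += r["seconds"] / 60
            if hour not in BUSINESS_HOURS:
                alerts.append((r["ext"], "after_hours_international", r["dialed"]))
    for (ext, day), minutes in intl_minutes.items():
        if minutes > INTL_MINUTES_PER_DAY:
            alerts.append((ext, "international_minutes_exceeded",
                           f"{minutes:.0f} min on {day}"))
    for (ext, day, hour), n in calls_per_hour.items():
        if n > CALLS_PER_HOUR:
            alerts.append((ext, "call_rate_exceeded",
                           f"{n} calls in hour {hour:02d} on {day}"))
    return alerts


if __name__ == "__main__":
    for ext, rule, detail in detect_deviations(parse_cdr(SAMPLE_CDR)):
        print(f"extension {ext}: {rule} ({detail})")
```

On the sample data, extension 2042 trips three of the four rules (after-hours international calls, the daily minutes budget, and the hourly call rate), which is the sort of overlapping evidence that distinguishes a fraud pattern from a single legitimate late-night call; extension 2030's single daytime international call is left alone. The point of the design is that each rule is cheap enough to run on every CDR export, and the alert tuples can be handed to whatever reporting path the monitoring phase uses.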
Developing an IP Telephony Security Policy
This section covers the intricacies behind building an IP Telephony Security policy, because without one you cannot effectively enforce the security measures pertinent to IP communications.
Building an IP Telephony Security Policy/Strategy in Line with Your Corporate Security Policy
An IP Telephony network security policy (the words policy and strategy will be used interchangeably) defines a construct to protect the assets connected to a network that supports IP Telephony, based on a risk assessment analysis. It defines the access limitations and rules for accessing various assets connected to an IP Telephony network. It is the source of information for users and administrators as they set up, use, and audit the network.
It is imperative that the IP Telephony network security policy is general and broad in scope. This implies that it should provide a high-level view of the corporate ideology based on which security-related decisions should be made. However, it should not go into the details of how the policy should be implemented. The rationale is that the details can change overnight, but the general principles of what these details must achieve should remain the same. An IP Telephony Security policy needs to balance between ease of use and ease of implementation, network performance, and the security aspects in defining the rules and regulations.
Building an IP Telephony Security policy is not a one-time process. It requires adjusting policy as per new requirements, objectives, threats, or challenges. Also, IP Telephony Security policy is not an isolated or a single team effort. It requires participation and support from all segments: the IP Telephony team, network team, security team, and most importantly, management (executive sponsor). The security policy needs to be supported by management and other respective engineering teams within an organization; otherwise, it is difficult to have user buy-in.
The first step toward developing an effective IP Telephony Security policy is to assess the risk associated with the network assets to be protected. Risk assessment, in essence, is a method to outline why the resources in your IP Telephony network should be protected. The next section investigates risk assessment and the fundamentals of the risk assessment process for an IP Telephony network.
Risk Assessment
Let us go over this intriguing topic to understand what goes behind performing a risk assessment exercise and why it might just save you from a certain catastrophe.
At a high level, the risk management process helps you attain the following goals:
- It helps achieve the organization’s objectives (vision and goals): By highlighting the assets that are important or central to an organization’s functions. This helps protect those vital assets.
- It ensures network and infrastructure availability for rightful users: By helping to categorize network assets in terms of their importance for keeping the network up and running, thereby helping with economies of scale.
- It assists in maintaining a strong security posture: To deter attacks against an organization’s vital assets by deploying appropriate security controls against identified and potential threats.
- It ensures compliance with the organization’s rules, regulations, standards, and policies: By helping to understand the various components of the network that could be exploited and misused, thereby building policies, rules, and regulations around their use or access mechanisms.
Figure 4-3 gives insight into the various benefits gained by carrying out the risk management process.
Figure 4-3. Risk Management: Areas Addressed
A typical IP Telephony risk assessment activity may well be outlined via the following steps:
Step 1. Identify sensitive information and critical systems.
Step 2. Estimate the value of IP Telephony system (information and components).
Step 3. Identify potential threats and vulnerabilities to your IP Telephony network (covered in security assessment).
Step 4. Estimate the likelihood of a potential attack or penetration being realized.
Step 5. Identify countermeasures against perceived threats and vulnerabilities (covered in security assessment).
Step 6. Estimate the cost of implementing countermeasures versus not implementing them.
Step 7. Select suitable countermeasures for implementation (covered in security assessment).
Before taking a deep dive to understand the different processes that work within a risk assessment exercise, you must realize an important fact. Not all risks are present and applicable in all types of IP Telephony implementations; every IP Telephony network is unique and has its own set of strengths and weaknesses. However, it is important to create an overall IP Telephony Security policy or strategy in which all assets, potential risks, existing issues, and mitigation methods are listed. Although it is advisable to perform a risk assessment on existing IP Telephony implementation(s), it is equally important to perform an initial risk assessment, including a review of the impact on the data network, for new implementations.
Step 1. Identify Sensitive IP Telephony Information and Critical Systems
Organizations should pinpoint the various systems that form the baseline for IP Telephony, from internal servers to external network components, to understand where their critical information may potentially be stored, processed, managed, or viewed. As a distributed system, an IP Telephony network has many individual components that must be protected. Any attack vector realized at any point in time can render the system unusable for legitimate users. This includes but is not limited to the following:
- Endpoints and servers targeted for DoS/DDoS or MITM attacks
- Changes in routing protocols, leading to failed or hijacked calls
- Change in the IP Telephony application or device configuration
Step 2. Estimate the Value of IP Telephony System (Information and Components)
After identifying the critical information and systems, organizations can then estimate the value of data loss based on where sensitive information is sent, who sends it, and how often it happens. For example, an organization may find that the majority of data loss risks are associated with employees inside the organization who unknowingly put information at risk in the course of their day-to-day activities at work, for example, placing CDR data on a USB drive in preparation to work at home. An estimate of the loss of revenue because of a loss of communication or unavailability of the IP Telephony system should also be evaluated.
Step 3. Identify Potential Threats and Vulnerabilities to Your IP Telephony Network
Identifying the threats to your IP Telephony network and understanding the vulnerabilities (gaps) is key to securing your network. Threats can take many forms, such as the following:
- Inside attacks from malicious users
- Outside attacks from hackers and phreakers
- Viruses, Trojan horses, and worms
- DoS or DDoS
- Man-in-the-middle attacks
- Hardware or software failures
- Loss of critical systems
Vulnerabilities can range from a simple software defect to a weakness in a sophisticated application or network security implementation. A gap could be introduced because of a defect that may allow an attacker to implant a back door, or because no host protection was applied on the assumption that the system was isolated.
Step 4. Estimate the Likelihood of a Potential Attack/Penetration Being Realized
To assess the probability of an attack from malicious individuals either inside or outside the organization, network and application security assessments or penetration tests could be carried out. Whether these tests are conducted by security professionals inside the organization or outside it (for example, third-party security consultants), the end result should be to identify the specific attack vectors that may be used by malicious users or outsiders to gain access to critical information and, in turn, to identify and validate potential vulnerabilities that could lead to data loss.
Step 5. Identify Countermeasures Against Perceived Threats and Vulnerabilities
At the conclusion of an information security exposure review or a penetration assessment, an organization should develop a mitigation plan based on its risk tolerance. This plan should detail the findings on information exposure risks and explain the estimated business impact in case a vulnerability is exploited or an attack succeeds. The report must also include an assessment of the security measures currently in place.
Most importantly, organizations must also formulate a prioritized action plan for remediation together with a list of recommendations to enhance security and reduce risk.
Step 6. Estimate Cost of Implementing Countermeasures Versus Not Implementing Them
Always remember that security is a balance between risk and cost. To achieve a balance, there must be a plan well in advance and resources to put the plan in action. Too little or too much security can be a serious disadvantage to your IP Telephony network, because it will either pave the way for attackers to invade your network or cost much more than you expected (in terms of financial and performance cost). For example, elevated operational costs because of fraudulent usage of the system by unauthorized users and high-usage bills can ensue.
No two networks and their security needs are exactly alike, and the same applies to IP Telephony networks. Thus, a dedicated section later in this chapter explains the level of security required for your IP Telephony network, to enable you to make the right decisions for your network.
Step 7. Select Suitable Countermeasures for Implementation
The last part of the risk assessment process is the contingency plan. The contingency plan usually consists of what to do if the systems do not work as expected, or in other words, they backfire. For example, if there is a natural or unnatural disaster, what should be done to keep the damage to a minimum? Fortified with the data collected during risk assessment and the final outcome, an organization should have a precise understanding of where its exposures are and how it can leverage this information to take a risk-based, prioritized approach to creating a secure IP Telephony environment.
It is important to understand that although risk assessment requires high-level participation and decision making, it’s actually a team effort. The process of risk assessment should be initiated and fronted by the top management in an organization. However, feedback from all levels is required, and everyone right from inventory maintenance to network administration to IP Telephony (telecom) team to CTO should be involved as stakeholders during risk assessment.
Identifying risk and conducting risk assessment are vital components of any successful and comprehensive security strategy. This significantly helps to underline what is valuable and at risk. It helps to ensure that the security planned and applied is effective and is aligned with the organization’s objectives.
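Steps 2, 4, 6, and 7 above are, at bottom, a calculation: the value of an asset times the likelihood that a threat is realized gives the loss you can expect, and a countermeasure is worth implementing when the loss it avoids exceeds what it costs. The following is an added example, not from the book or from Cisco, that carries that calculation through a small risk register for an IP Telephony network and produces the prioritized action plan that Step 5 calls for. Every figure in the register is constructed for illustration; the assets and countermeasures are the ones named elsewhere in this chapter, and the "reduction" fraction, the share of the threat likelihood a control removes, is an assumed input that a real assessment would have to estimate.

```python
"""Worked IP Telephony risk register (added example; all figures constructed)."""
from dataclasses import dataclass


@dataclass
class RiskItem:
    asset: str            # Step 1: critical system or information
    threat: str           # Step 3: threat or vulnerability against it
    value: float          # Step 2: estimated loss if the threat is fully realized
    likelihood: float     # Step 4: estimated annual probability of realization (0..1)
    countermeasure: str   # Step 5: proposed control
    control_cost: float   # Step 6: annual cost of the control
    reduction: float      # Assumed fraction of the likelihood the control removes (0..1)

    def expected_loss(self):
        """Annual loss expected with no countermeasure in place."""
        return self.value * self.likelihood

    def residual_loss(self):
        """Annual loss still expected after the countermeasure is applied."""
        return self.value * self.likelihood * (1 - self.reduction)

    def net_benefit(self):
        """Loss avoided per year minus what the control costs per year."""
        return self.expected_loss() - self.residual_loss() - self.control_cost


def select_countermeasures(register):
    """Step 7: rank items by net benefit and recommend those that pay for themselves."""
    ranked = sorted(register, key=lambda r: r.net_benefit(), reverse=True)
    return [
        (
            r.asset,
            r.threat,
            r.countermeasure,
            round(r.net_benefit(), 2),
            "implement" if r.net_benefit() > 0 else "accept or find a cheaper control",
        )
        for r in ranked
    ]


# Constructed register. The numbers are illustrative inputs, not benchmarks.
SAMPLE_REGISTER = [
    RiskItem("PSTN gateway", "toll fraud via open dial plan", 120000, 0.40,
             "calling restrictions on all call-control clusters", 8000, 0.90),
    RiskItem("Call control cluster", "DoS on signaling", 250000, 0.10,
             "firewall and rate limiting in front of the voice VLAN", 15000, 0.70),
    RiskItem("Voicemail server", "unauthorized mailbox access", 30000, 0.25,
             "mailbox PIN policy and lockout", 2000, 0.80),
    RiskItem("IP phones", "man-in-the-middle on the media path", 50000, 0.05,
             "signaling and media encryption", 20000, 0.95),
]


if __name__ == "__main__":
    for asset, threat, control, benefit, verdict in select_countermeasures(SAMPLE_REGISTER):
        print(f"{asset:22} {threat:38} {control:55} {benefit:>10.2f}  {verdict}")
```

With these inputs the calling restrictions come out far ahead of everything else, and media encryption for the phones shows a negative net benefit: the control costs more than the annual loss it avoids at the assumed likelihood. That last line is the useful output of the exercise. It does not mean encryption is unnecessary; it means that, at this likelihood estimate and this cost, the organization either accepts the residual risk explicitly, revisits the likelihood estimate, or looks for a cheaper way to get the same reduction, which is exactly the cost-versus-risk decision that Step 6 describes.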
Components of IP Telephony Security Policy
There are standards around which a security policy should be built and implemented. These standards are guided by RFC 2196, which lists the elements of a security policy. Although RFC 2196 provides a generic security policy outline, an IP Telephony Security policy should follow these guidelines and be built on the lines of either an existing corporate security policy or developed from scratch.
As described in RFC 2196, “The Site Security Handbook”:
A security policy is a formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide.
IP Telephony Security Policy/Strategy
Following is an example of an IP Telephony Security policy built to protect not only the underlying network, but also the IP Telephony servers, applications, endpoints, and related assets.
An IP Telephony Security policy statement follows:
It shall be the responsibility of the IP Telephony/IT Department to provide adequate protection and confidentiality of all IP Telephony-specific corporate data and proprietary software systems, whether held centrally, on local storage media, or remotely, to ensure the continued availability of IP Telephony data, network access, and programs to all authorized members of staff and to ensure the integrity of all data and configuration controls.
The security policy for IP Telephony must address the following areas:
- Acceptable use of organizational IP Telephony equipment (for example, hard phones, soft phones, WLAN phones, voicemail, and conferencing). The acceptable use includes calling plan restrictions (for example, calls to 900 numbers or international calls). These restrictions are also translated to configuration parameters on the respective IP Telephony components (for example, IP-PBX or SIP proxy). Acceptable use of IP Telephony equipment pertains also to contractors, vendors, and other third parties who interact with the organization.
- Protection of IP Telephony services, including the following:
  - Service access (for example, password-protected conferencing sessions and voice mailbox access controls)
  - Signaling and media encryption for interactions in which sensitive information is handled (for example, calls or videoconferencing in which customer or patient health information or financial information is communicated)
  - Media retention, based on the minimum duration that media should be kept according to regulatory or other industry, state, or federal requirements. The types of media include, but are not limited to, CDRs (call detail records), voicemail, call or videoconferencing recordings, instant messages, and backups.
  - Signaling or media interception to satisfy law enforcement requirements (for example, CALEA). Although the requirement for lawful intercept pertains to carrier networks, it is helpful to provide such a capability in an enterprise network to support the investigation of unforeseen incidents or circumstances.
- A vulnerability management process should be in place to categorize and prioritize the impact of vulnerabilities that may affect the organization’s IP Telephony infrastructure and service.
Summary of Main IP Telephony Security Policies:
- Confidentiality of all data is to be maintained through discretionary and mandatory access controls.
- No Internet and other external service access is allowed to or from IP Telephony data center.
- Calling restrictions will be implemented globally on all call-control clusters.
- Only authorized IP Telephony and IT staff are allowed to enter the data center. (The only exception is third-party and vendor employees escorted by the IP Telephony and IT team.)
- Voice communication will be secured by using encryption techniques and by Layer 2 or Layer 3 mechanisms where possible and required.
- Voice equipment will be placed behind firewalls restricting access to users. A dedicated management VLAN will be used to manage IP Telephony devices.
- Antivirus and HIPS products will be installed and enabled wherever applicable.
- OS and administrator passwords must consist of a mixture of at least eight alphanumeric characters, must be changed every 30 days, and must be unique.
- IP Telephony configurations may be changed only by IP Telephony and the IT staff.
- To prevent the loss of availability of IP Telephony resources, measures must be taken to back up data, applications, and configurations of IP Telephony equipment.
- A business continuity plan will be developed and tested on a regular basis.
- Technology purchasing guidelines must be well laid out and defined to ensure that only a vendor that passes certain criteria is to be considered for the IP Telephony solution.
- The authentication, accountability, and access (AAA) policy should clearly define the level of access, authorization for different work levels, and monitoring requirements for the access to IP Telephony system.
- Availability Statement.
- Information Technology Systems and Network Maintenance Policy.
- Supporting information.
Policy General Guidelines and Statements
Following are organization XYZ’s IP Telephony Security policy general statements and guidelines.
IP Telephony Technology Purchasing Guidelines:
- All IP Telephony and network-related equipment must be purchased keeping in mind XYZ’s requirements for confidentiality, integrity, and availability (CIA).
- It is essential for the equipment to incorporate mechanisms for secure and confidential administration.
Availability Statement:
The network is available to bona fide users at all times of the day except for outages that occur for various reasons. When a trade-off must be made between confidentiality and network availability, confidentiality is always given priority.
Supporting Information:
- All information regarding XYZ IP Telephony operations must be kept confidential and must never be divulged to sources outside the company. All publicity-related matters should be handled through the Corporate Press Relations office.
- Any later conflicts and issues about the security policy must be resolved with the intervention of the chief security officer, who bears the ultimate responsibility for the security policy.
Policy Enforcement
Any employee found to have violated this policy may be subject to disciplinary action up to and including termination of employment.
Core IP Telephony Security Policies
Accountability Policy:
- All users (end users and administrators) of the network are accountable for their actions that may result in network security concerns.
- It is the responsibility of every user to be familiar with the guidelines for the services offered through the XYZ network. Also, every user is responsible to report to the system administrator about any suspected inappropriate use of IP Telephony endpoints or malicious activity on the network.
- All users are accountable for use of their phone and in the manner it is used.
Authentication Policy:
- All information assets on the IP Telephony network require authentication before someone is given access to them. Access attempts are logged for auditing.
- Remote-access users need to go through two layers of authentication to authenticate themselves to the access servers connecting them to the network and then to gain access to individual resources on the network.
- Authentication is carried out using security servers on the network. Steps must be taken to safeguard the security servers against attacks and intrusions from the outside or inside network.
- Authentication should be carried out using one-time passwords. Authentication must be accompanied by authorization and accounting on the security servers. Authorization should be used to restrict user access to the resources intended for users based on their membership in a certain group. Accounting should be used to further track authorized user activities. This is a basic safeguard that must be supplemented with intrusion detection systems.
Acceptable Usage Policy:
- XYZ’s IP Telephony network is available for use by employees any time of the day or night for the sole purpose of addressing business-related conversations.
- Using telephony, voicemail, and all IP Telephony resources for any function that is non-business-related or for personal use is prohibited.
Access Policy:
- Data center access will be strictly restricted. Access will be allowed by assuming that all access is denied unless specifically required. Access to the IP Telephony data center will be given only to the following:
  - IP Telephony administrators
  - IP Telephony network administrators
  - IP Telephony management team
  - Authorized vendors or third-party employees
- The IP Telephony resources must be accessed while an authorized IT or IP Telephony staff employee is located on the local network or from one of the remote sites or by one of the authorized telecommuters (only through company-approved procedures for remote-access users). Access from any other location is prohibited.
- Access to network resources will be on an as-needed basis. Information assets are protected by giving access to specific groups and denying access to all others. Increasing access privileges for a given asset requires approval from the management.
- All remote users must get management approval before they can use the resources to remotely access the corporate network. Users from the remote sites and telecommuters are treated the same as local users who use network resources. Similar access restrictions are placed on these users for accessing the various network resources.
- Remote-access users must comply with corporate guidelines to make sure that their PCs are safe to connect to the corporate network.
- It is the responsibility of the employees using remote access to ensure that their remote-access equipment is not used by unauthorized individuals to gain access to the resources on the corporate network.
IP Telephony Network Maintenance Policy:
- All IP Telephony and related network equipment is to be managed only by the full-time and authorized employees of XYZ Inc. who have the privileges to do so. Giving an individual permission to work on any network equipment for administrative purposes requires management approval.
- Remote access to administer the networking equipment is allowed, but it requires that the access be done using encryption and that authentication for login access takes place against the security servers. All management sessions, internal and external, must be encrypted.
Violations and Security Incident Reporting and Handling Policy:
- Documented processes must be set up to identify when intrusions and network attacks take place. These processes of detection must include manual reporting and automatic reporting tools.
- The following processes need to be set up for incident reporting and handling:
- As soon as it has been confirmed that a breach has taken place or an attack is taking place, a process must be invoked to inform all the necessary network administrators of the problem and what their role is in tackling the situation.
- A process needs to be set up to identify all the information that will be recorded to track the attack and for possible prosecution.
- A process must be in place to contain the incident that has occurred or that is occurring. The process must be written keeping in mind that confidentiality and integrity are a bigger concern for XYZ than availability.
- A process must be in place to follow up on attacks that have occurred to make sure that all the vulnerabilities exposed through the attack are corrected and that similar attacks can be avoided in the future.
Physical Security of IP Telephony Equipment
Physical Security of IP Telephony equipment must comply with the guidelines as detailed:
- Data center equipment: Covers all IP Telephony equipment, which includes IP Telephony servers, appliances, routers, switches, firewalls, and any IP Telephony related data center equipment.
- High-risk situations: This refers to any IP Telephony data center area that is accessible:
- At the ground floor level
- At the first floor level, but accessible from the adjoining roof
- At any level via external fire escapes or other features providing access
- Rooms in remote, concealed, or hidden areas
- Lockdown devices: The IP Telephony equipment will be locked down by placing it in dedicated racks placed in the secured data center.
Physical Security Policy
The following section summarizes the required physical security features for an IP Telephony data center or remote sites hosting IP Telephony equipment.
- IP Telephony servers, routers, and switches locked down to rack.
- Racking of equipment away from windows.
- High-risk situations should be addressed by window locks, shutters, and bars.
- Blinds should be deployed for observable windows.
- Intruder alarm installed by an approved company.
- Install movement detectors where applicable and possible.
- Door specification for entry/exit to/from data center.
- Visual or audio alarm confirmation.
- Strict badge access to data center.
- Access to only authorized Network Operation Center (NOC) and IP Telephony or IT team personnel.
- Break glass alarm sensors.
- Anti-masking intruder alarm sensors in the data center and access routes.
- Alarm shunt lock on door.
- Superior protection of alarm signal transmission.
- Security marking.
- All IP Telephony and related hardware should be prominently security marked by branding or etching with the name of the establishment and area postcode. Advisory signs informing that all property has been security marked should be prominently displayed externally. The following are considered inferior methods of security marking: text composed solely of initials or abbreviations, marking by paint or ultraviolet ink (indelible or otherwise), or adhesive labels that do not include an etching facility.
Local-Area Network Security Policy
This section details the essential LAN security mechanisms that should be implemented to safeguard IP-based communications.
- LAN equipment
- IP Telephony LAN equipment, hubs, bridges, repeaters, routers, and switches will be kept in secure hub rooms.
- Hub rooms will be kept locked at all times.
- Access to hub rooms will be restricted to IT and IP Telephony staff only.
- Other staff and contractors requiring access to hub rooms will notify the IT department in advance so that the necessary supervision can be arranged.
- All unused ports on switches must be administratively shut down.
- Trunk ports will allow only specific VLANs to traverse the switch trunks.
- All VTP domains should be password protected, and VTP should be pruned.
- Essential port security should be enabled, allowing at most three MAC addresses on an access port.
- DAI and DHCP snooping should be implemented.
- Appropriate provisions for preventing CAM table overflow, IP, and MAC spoofing attacks should be implemented.
- Workstations
- Users must log out of their workstations when they leave them for any length of time. A password-protected screen saver will be implemented on all user workstations (this helps prevent CIPC and sniffer-based attacks).
- All unused workstations must be switched off outside working hours.
- LAN wiring
- All network wiring will be fully documented.
- All unused network points will be deactivated when not in use.
- All network cables will be periodically scanned and readings recorded for future reference.
- Users must not place or store any item on top of network cabling.
- Redundant cabling schemes will be used where possible.
- Monitoring software
- The use of LAN analyzer and packet sniffing software is restricted to the IT department.
- LAN analyzers and packet sniffers will be securely locked up when not in use.
- Intrusion detection systems will be implemented to detect unauthorized access to the network.
- Servers and other related equipment
- All IP Telephony switches and routers will be kept securely under lock and key in the hub room. All IP Telephony servers will be kept in a secure data center.
- Access to the system console and server disk, tape, and network share drives will be restricted to the authorized IT/IP Telephony staff only.
- Electrical security
- All IP Telephony servers will be fitted with UPSs, which also condition the power supply.
- In the event of a mains power failure, the UPSs will have sufficient power to keep the network and servers running until the generator takes over.
- All UPSs will be tested periodically.
- Inventory management
- The IT/IP Telephony department will keep a full inventory of all servers, network gear, computer equipment and software in use throughout the organization.
- Audit
- IP Telephony and underlying hardware and software audits will be carried out periodically. These audits will be used to track unauthorized changes to hardware and software configurations and to trace the source of change.
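The LAN equipment rules above (unused ports shut down, trunks restricted to specific VLANs, VTP pruning, port security limited to three MAC addresses, DAI and DHCP snooping) and the periodic audit requirement can be checked mechanically against an exported switch configuration. The following Python script is an added example, not code from the book or from Cisco; the running-config it audits is constructed for illustration, the "unused port" heuristic (a port with neither access nor trunk configuration) is an assumption, and it assumes the VTP settings are present in the exported text (on older IOS releases they live in vlan.dat and must be checked with show vtp status).

```python
"""Audit a Cisco IOS switch running-config against the LAN security policy.

Added example; SAMPLE_CONFIG is a constructed configuration, not a real switch.
"""
import re

MAX_MACS = 3  # policy: at most three MAC addresses per access port

# Constructed sample running-config (not from any real device).
SAMPLE_CONFIG = """\
hostname XYZ-ACCESS-01
vtp domain XYZ
vtp pruning
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
interface GigabitEthernet1/0/1
 description Uplink to core
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
interface GigabitEthernet1/0/2
 description IP Phone + PC
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 10
 switchport port-security
 switchport port-security maximum 3
!
interface GigabitEthernet1/0/3
 description Conference room phone
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 10
 switchport port-security
 switchport port-security maximum 10
!
interface GigabitEthernet1/0/4
 description Second uplink
 switchport mode trunk
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
 shutdown
!
"""


def parse_config(text):
    """Split a running-config into global lines and per-interface command lists."""
    global_lines, interfaces = [], {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit(text):
    """Return a list of policy findings (empty list means the config complies)."""
    global_lines, interfaces = parse_config(text)
    findings = []
    gset = set(global_lines)
    # Global protections: DHCP snooping (with a VLAN list), DAI, VTP pruning.
    if "ip dhcp snooping" not in gset:
        findings.append("global: ip dhcp snooping is not enabled")
    if not any(l.startswith("ip dhcp snooping vlan") for l in global_lines):
        findings.append("global: ip dhcp snooping is not applied to any VLAN")
    if not any(l.startswith("ip arp inspection vlan") for l in global_lines):
        findings.append("global: dynamic ARP inspection (DAI) is not enabled on any VLAN")
    if "vtp pruning" not in gset:  # assumes VTP settings appear in the export
        findings.append("global: VTP pruning is not enabled")

    for name, lines in interfaces.items():
        lset = set(lines)
        if "shutdown" in lset:
            continue  # administratively down: nothing further to check
        is_trunk = "switchport mode trunk" in lset
        is_access = "switchport mode access" in lset
        if not (is_trunk or is_access):
            # Assumption: a port with no access/trunk configuration is unused.
            findings.append(f"{name}: unused port is not administratively shut down")
            continue
        if is_trunk:
            if not any(l.startswith("switchport trunk allowed vlan") for l in lines):
                findings.append(f"{name}: trunk allows all VLANs (no allowed-vlan list)")
            continue
        # Access port: port security must be on and limited to MAX_MACS addresses.
        if "switchport port-security" not in lset:
            findings.append(f"{name}: port security is not enabled")
        for l in lines:
            m = re.match(r"switchport port-security maximum (\d+)$", l)
            if m and int(m.group(1)) > MAX_MACS:
                findings.append(
                    f"{name}: port security allows {m.group(1)} MAC addresses (max {MAX_MACS})"
                )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against a real export (show running-config saved to a file), the findings list is a ready-made input for the periodic audit the policy calls for; diffing two runs also shows unauthorized configuration changes.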
Wide-Area Network and Perimeter Security Policy
This section details the WAN and network perimeter security guidelines:
- IP Telephony equipment will be located at the XYZ HQ and remote data centers, protected by firewalls.
- Remote users (telecommuters) will be required to connect over IPSec or SSL VPN connections to the corporate VPN server before using any IP Telephony services.
- Wireless LANs will make use of the most secure encryption and authentication facilities available (for example, WPA and WPA2).
- Users will not install their own wireless equipment, switches, and phones under any circumstances.
- Unnecessary protocols and services will be disabled on routers.
- The preferred method of connection to outside organizations is by a secure VPN connection, using IPSec or SSL connections.
- Permanent connections to the Internet will be via a firewall to regulate network traffic.
- Permanent connections to other external networks for offsite processing and so on will be via a firewall to regulate network traffic.
- Where firewalls are used, a dual-homed firewall (a device with more than one network interface and IP address) will be the preferred solution.
- Firewall redundancy in Active/Standby mode is preferred.
- Network equipment will be configured to close inactive sessions.
IP Telephony Server Security Policy
This section details security policy as it applies to Windows and Linux IP Telephony servers:
- The operating system will be kept up to date and patched on a regular basis.
- Servers will be checked daily for viruses (applicable to Windows servers only).
- Servers will be locked in a data center.
- Where appropriate, the remote server console feature (HP iLO or IBM RSA) will be activated.
- Remote management passwords will be different from the application and OS administrator passwords.
- Users possessing administrator rights will be limited to trained members of the IT/IP Telephony staff only.
- Use of the Administrator accounts will be kept to a minimum. MLA/Roles will be enabled.
- Assigning security equivalences that give one user the same access rights as another user will be avoided where possible.
- Users’ access to IP Telephony applications will be limited by the access control features (ACL).
- Intrusion detection and lockout will be enabled.
- The system auditing facilities will be enabled.
- All accounts will be assigned a password of a minimum of eight characters, alphanumeric.
- Administrators will change the server passwords every 180 days. (180 days is an example here; the number of days for changing passwords for servers may differ for different organizations and business verticals.)
- Unique passwords will be used for OS administrator and the web application administrator.
- FTP or SFTP facilities will be restricted to authorized staff only.
- SSH facilities will be restricted to authorized users.
Voice Application Security Policy
This section details the specifics of IP Telephony application level security:
- Call accounting will be used to monitor access and abnormal call patterns.
- Internal and external call forwarding privileges will be separated to prevent inbound calls being forwarded to an outside line.
- The operator will endeavor to ensure that an outside call is not transferred to an outside line.
- Use will be made of multilevel passwords and access authentication where available on IP Telephony applications.
- Voicemail accounts will use a password with a minimum length of six digits.
- The voicemail password should never match the last six digits of the phone number.
- Callers to a voicemail account will be locked out after three failed attempts at password validation.
- Dialing paid numbers will be prevented.
- Telephone bills will be checked carefully to identify any misuse of the telephone system.
- A conference call will be dropped when the initiator leaves.
- The phones of all executive level employees and managers and above must be encrypted.
- Use of encrypted conferences is preferred.
- The Call Forward All (CFA) calling search space (CSS) will allow calls to be forwarded only to internal VoIP numbers.
- Auto registration of phones is not permitted; manual registration should be used.
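The three voicemail rules in this list (a PIN of at least six digits, a PIN that never matches the last six digits of the phone number, and lockout after three failed attempts) are simple enough to express as code, which makes a useful reference when reviewing how a voicemail platform enforces them. The following Python is an added example written for this discussion, not code from the book or from any Cisco voicemail product; the class and function names, the PBKDF2 storage of the PIN, and the administrator unlock method are assumptions of the example.

```python
"""Voicemail PIN policy and lockout logic, as an added example of the rules above."""
import hashlib
import hmac
import os

MIN_PIN_LENGTH = 6        # policy: minimum of six digits
MAX_FAILED_ATTEMPTS = 3   # policy: lock out after three failed validations


def pin_policy_violations(pin, phone_number):
    """Return the policy rules a candidate PIN violates (an empty list means it is acceptable)."""
    problems = []
    if not pin.isdigit():
        problems.append("PIN must contain digits only")
    if len(pin) < MIN_PIN_LENGTH:
        problems.append(f"PIN must be at least {MIN_PIN_LENGTH} digits")
    # Compare against the dialable digits only, so formatting like 555-123-4567 does not matter.
    digits = "".join(ch for ch in phone_number if ch.isdigit())
    if pin and pin == digits[-MIN_PIN_LENGTH:]:
        problems.append("PIN must not match the last six digits of the phone number")
    return problems


class VoicemailMailbox:
    """A mailbox that stores a salted PIN hash and enforces the failed-attempt lockout."""

    def __init__(self, phone_number, pin):
        problems = pin_policy_violations(pin, phone_number)
        if problems:
            raise ValueError("; ".join(problems))
        self.phone_number = phone_number
        self._salt = os.urandom(16)              # per-mailbox salt (assumed storage scheme)
        self._pin_hash = self._hash(pin)
        self.failed_attempts = 0
        self.locked = False

    def _hash(self, pin):
        # PBKDF2-HMAC-SHA256 so a stolen mailbox database does not reveal PINs directly.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def authenticate(self, pin):
        """Return 'ok', 'denied', or 'locked'; the mailbox locks after MAX_FAILED_ATTEMPTS failures."""
        if self.locked:
            return "locked"
        if hmac.compare_digest(self._hash(pin), self._pin_hash):
            self.failed_attempts = 0             # a good login resets the counter
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True
            return "locked"
        return "denied"

    def admin_unlock(self):
        """Clear the lockout; in practice this is an administrator-only action."""
        self.locked = False
        self.failed_attempts = 0


if __name__ == "__main__":
    # Constructed sample: extension 5551234567, PIN 918273.
    box = VoicemailMailbox("5551234567", "918273")
    for guess in ("000000", "111111", "222222", "918273"):
        print(guess, "->", box.authenticate(guess))
    print(pin_policy_violations("234567", "555-123-4567"))
```

Note that the lockout check happens before the hash comparison, so once the counter is exhausted even the correct PIN is refused until an administrator clears the lock, which is what the policy's "locked out" wording implies.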
Endpoint Security Policy
This section details the specifics of endpoint security (applies to wired and wireless IP Phones and soft phones):
- Web access to IP Phones will be disabled. (If web access is enabled, it should be either restricted by ACLs or should leverage HTTPS URLs.)
- Video capabilities where not needed should be disabled.
- Settings button access should be restricted or disabled.
- PC Voice VLAN access should be always disabled.
- PC port should be disabled on lobby, elevator, and rest room phones.
- GARP should be disabled on all IP Phones.
Conclusion
As is apparent in the various sections of the sample security policy, each asset in the IP Telephony network needs to be protected, from the perimeter to the endpoints. It is essential that your IP Telephony Security policy covers all components, because leaving anything unguarded can open the floodgates to attacks.
After you formulate your IP Telephony Security policy, it is time to look into some common questions that arise in any IP Telephony or network security administrator’s mind. Two of the most burning questions are as follows:
- What is the cost of implementing security in my Cisco IP Telephony network?
- What is the right level of security for my Cisco IP Telephony network?
In the following sections, you will be introduced to the facts that can help you decide both the level of security and the cost to implement (versus not implementing) security for your Cisco IP Telephony network.
Evaluating Cost of Security—Cost Versus Risk
The best way to put forth cost versus risk in implementing IP Telephony Security is a single phrase, “There’s no such thing as a free lunch.”
There’s a cost for everything whether it is setting up your IP Telephony network or securing it. In the context of cost, consider the following:
- What do you think is the cost to secure your IP Telephony network?
- What should you do to minimize the cost and maximize the security? In other words, how do you avoid putting at risk the lifeline of your organization, the communications network, while still decreasing the cost of securing this asset?
It is sometimes complicated to calculate the ROI for security implemented for your IP Telephony network. However, the damage caused by the absence of efficient security controls is far greater than the cost to implement them. Figure 4-4 depicts the analytic details of the cost of security.
Figure 4-4. Cost vs. Risk Evaluation
Two factors contribute to the overall cost of security for an IP Telephony system:
- Cost of IP Telephony Security
- Cost of IP Telephony Security breach
Cost of Implementing IP Telephony Security
The first factor is the cumulative cost of all system security components. For example, the costs to set up Certificate Authentication Proxy Function (CAPF) with a third-party certificate to encrypt media and signaling, administer user accounts and passwords, and to set up and operate routine data backup and recovery procedures. In the long run, if planned properly this cost pays off quite well.
Cost of a Security Breach
The second cost factor arises from the expected cost (damages) resulting from IP Telephony Security breaches. For example, damage to the organization’s reputation, the cost of recovering damaged IP Telephony information, and the cost of losing data to a competitor. This is the cost that would be incurred if the IP Telephony system were compromised and sensitive and critical data about call records, recordings, and customers were destroyed or exposed to the wrong people.
Thus, it is expected that any organization using IP Telephony would invest rationally in security controls for its IP Telephony system, and as a result (as long as the money is invested judiciously) the expenditure on damages from security breaches should go down.
As described in RFC 2196, “The Site Security Handbook:”
One old truism in security is that the cost of protecting yourself against a threat should be less than the cost of recovering if the threat were to strike you. Cost in this context should be remembered to include losses expressed in real currency, reputation, trustworthiness, and other less obvious measures.
How to Balance Between Cost and Risk
With the preceding discussion about the cost of security in context, let’s look at the cost versus risk evaluation and understand how it can affect your decision to implement security controls in your IP Telephony network. Figure 4-5 illustrates the principle that “Security is a balance between cost and risk.”
Figure 4-5. Security Is a Balance Between Cost and Risk
As you can discern, the cost of implementing a security control and process increases from left to right. The security implemented in an IP Telephony network can be broadly categorized into three levels: low, medium, and high.
Let’s explore what each one of these cover and the trade-off to invest heavily versus not investing in IP Telephony Security:
- Low (or default level of) security: As is evident, a low level of security costs little or nothing. This level of security is provided by default by IP Telephony applications and network elements. As a matter of fact, it is just about enabling it on an IP Telephony application or an underlying network component. Although this level of security might be right for networks considered to be low profile or networks where intrusion and breaches would not interest hackers, it is also an open invitation for attacks.
- Medium (or moderate level of) security: This level requires a moderate level of investment (not only in cost but also in increased complexity). At this level, the investment in security (fiscal and manpower) is higher than at the default security level; however, it provides a much better security level to organizations (for example, SMBs to enterprises) where security breaches into the IP communication network are almost imminent. The investment, both in manpower and in cost, pays off in the long term because the assets are protected, and the chances of damage as a result of malicious attacks from inside or outside are minimized.
- High (or maximum level of) security: This is the most secure level that an IP Telephony network can be elevated to and may require a lot of planning and investment. The result is an IP Telephony solution that is secure end-to-end. This kind of deployment is recommended for highly secure environments; however, it can also be opted for by organizations where cost and manpower are secondary to security concerns. At the maximum security level, the monetary cost also goes up to ensure that performance does not take a dip because of encryption overhead. To counter this, more equipment might be required (for example, an increase in CUCM cluster size or the use of dedicated hardware encryption modules in IOS gateways instead of software encryption).
With this discussion in view, you can start thinking about the cost of implementing versus not implementing security in your IP Telephony network and make a conscious decision on how you will go about securing your IP Telephony network.
To address the second question, about the level of security, the next section evaluates the level of security required for your IP Telephony network; it maps the cost versus risk trade-off onto complexity versus security level. The same matrix is leveraged to describe the level of security, the complexity, and the manpower or man-hours required to implement the various levels of security for different IP Telephony networks.
Determining the Level of Security for Your IP Telephony Network
Let’s start with a fundamental fact: Not all five fingers of a hand are equal. The same applies to IP networks, organizations, and people. No two people or two organizations are precisely identical. And the same applies to IP Telephony networks as well; no two networks are ever exactly the same.
With that said, more likely than not, you are thinking about your own IP Telephony network and how dissimilar it is to another IP Telephony network you’ve had a chance to work with (or designed). The question here is, “How can you compare the security applied in that other IP Telephony network to your network?” And consider whether the level of security applied was perhaps too much for your network, or maybe less than what you would like to have employed in your network.
To help you with these questions, let’s take an example of different organizations and their expectations from their IP Telephony network. Let’s go through a series of brief case studies to help you understand which level of security may be right for your organization.
Case Study
The following organizations are considering securing their Cisco IP Telephony network:
- A university
- Sport store with multiple branches
- Financial institution
- Government agency
All these institutions want to leverage Cisco’s world-class IP Telephony solution for addressing their telecommunications requirement. They are all very excited to experience IP Telephony and IP-based collaboration solutions. However, they are also concerned about the security of their communication channels, stored call records, rogue devices, unauthorized access, and other practical issues that plague the integrity and confidentiality of their IP Telephony network. They are all striving to secure their IP Telephony network. Let’s analyze the level of security each one of them should logically and practically implement. The following examples are based on assumptions relevant to IP Telephony network security that different organizations or business verticals might plan for.
Before beginning, we will use the same matrix we used in the section, “How to Balance Between Cost and Risk,” for reference. However, now the discussion is no longer about the cost of security or risk. Instead, it revolves around the level of security and the associated complexity, as shown in Figure 4-6.
Figure 4-6. IP Telephony Security Levels
University: At the university, because of openness and availability of resources, it is essential to prevent unauthorized access to IP Telephony facility. Moreover, any rogue devices should be barred from registering to the CUCM cluster. Also, the university IT staff would like to have the wireless communication encrypted because many students will be using Cisco Unified Presence Client (CUPC) or Cisco IP Communicator soft phones installed on their laptops. No remote access via VPN is allowed. Maintaining the IP Telephony network and cost are some of the challenges for the university’s IP Telephony department.
Given the details, what do you think is the right level of security for the university’s IP Telephony network? Could it be low, medium, or high? Give it a thought and write down your answer.
Sport Store: The sport store organization has multiple branches and hosts a decentralized IP Telephony network with clustering over the WAN and SRST support at remote sites. The employees are allowed to access the network remotely, enabling them to work from home. Thus, VPN is also part of the solution. Because of stiff competition, the organization wants to protect its communication streams from any possible tapping or service outage. Also, the organization intends to safeguard its IP Telephony network resources from any intrusion attempt. The security must be within a set budget and implemented in a predefined timeline.
Can you guess what level of security this organization is aspiring for, by referring to Figure 4-6?
Financial institution: A popular and successful financial institution plans to secure its Cisco IP Telephony deployment. Although it does not want to let go of any native security feature, it does not want to increase the complexity level too much. One important aspect is that as per the security policy of the organization, no endpoints can register unless they have been authenticated by the AAA server on its premises. Also, no auto-registration of the endpoints is allowed. The IP Telephony staff of the organization maintains a separate IP Telephony Security policy that it must follow meticulously. Cost is not an issue and neither is manpower.
Equipped with this information, what do you think is the level of security this financial institution is planning for?
Government agency: A government agency is considering implementing its new IP Telephony network. It chose Cisco as its vendor. It wants to have it secured end-to-end with no exception. The level of security must meet the guidelines set by its telecom and network security department security policy. Also, it has a contingency plan to address any security issues that may show up during normal operations. Cost, manpower, and time are virtually unconstrained.
With this information, can you think of the right security level to satisfy the government agency’s need for end-to-end security (based on security levels depicted in Figure 4-6)?
The Riddles Are Over
It is time to put all these riddles to an end and explore the options these institutions should “ideally” opt for.
University: Because the security needed is minimal and basic, a low or default level of security should suffice for the university IP Telephony network. This can enable it to secure its IP Telephony network with minimal additional cost and manpower. (The only exception is the addition of wireless security that overlaps with a medium or moderate security level.)
Sport store: The store is aspiring for a non-default level of security because the requirement was to encrypt the communication (media and signaling) streams and to evade any DoS attacks (use of a firewall to prevent malicious attack attempts). Thus, a medium or moderate level of security will be an ideal fit for it.
Financial organization: The financial organization does not want a complex solution, yet wants one that provides maximum protection. This calls for a medium or moderate security level, with the exception that it requires the endpoints to authenticate against its AAA server (for 802.1x). This requirement overlaps with the high or maximum security level.
Government agency: A government agency, as you might have guessed, is a maximum protection facility. Also, keeping in view the end-to-end security requirements along with a contingency plan (security event management), only the highest level of IP Telephony Security can satisfy its requirements.
As you can probably figure out, the need for security is not always addressed by a static set of security controls defined within one security level. Sometimes these overflow or overlap into the next level because some of the security requirements cannot be satisfied by the current level. However, it is important to note that the cost, time to plan or deploy, and man-hours also increase when that happens.
Putting Together All the Pieces
It is finally time to put together all the pieces to outline a security framework for your Cisco IP Telephony network:
- Security strategy
- Risk assessment
- Security controls
- Identified threats, attacks and vulnerabilities, and mitigations
- Organization objectives
The driving force is that an IP Telephony Security Framework should help in the enrichment of IP Telephony services, enabling the users to feel confident in the privacy and integrity of their communication. In other words, a security framework should enhance and not form an obstruction to the IP-based communications.
IP Telephony Security Framework
The main ideologies that drive an IP Telephony Security Framework are as follows:
- Supports simplification of design and configuration for security for IP Telephony network
- Ascertains confidentiality, integrity, and availability of IP Telephony network
- Provides defense against internal and external threats and diverse attacks
- Provides for scalable IP Telephony architecture by integrating multiple layers for security
- Based on corporate security policies and strategy
- Should function in a mixed environment of secured and unsecured IP Telephony components
To describe the security framework for your IP Telephony network, a useful approach is to divide the tangible IP Telephony solution into logical domains and to pin down the threats and vulnerabilities within each domain. An IP Telephony solution can be broken down into the following logical domains:
- IP Telephony Call Control servers (CUCM)
- IP Telephony media servers (Unity and Unity Connection)
- IP Telephony application servers (Attendant console and UCCX)
- IP Telephony billing, user data servers (CDR and LDAP)
- IP Telephony end-user devices (IP Phone, soft phone, and CUPC)
- IP Telephony operational and management access
- Peripheral servers (voice gateways)
- Communication transit in internal networks (Intranet or Extranet)
- Communication transit in a public network (Internet)
Figure 4-7 outlines the logical domains pertinent to an IP Telephony Security Framework.
Figure 4-7. IP Telephony Security Framework: Logical Security Domains
In essence, at a high level, the IP Telephony Security Framework can be envisioned as a blend of the following elements:
- Technology involved
- Management support
- Regulatory aspects
- Organization processes
- Training requirements
It is around these elements that a security framework revolves. Let’s comprehend what each element contributes to the IP Telephony Security Framework:
- Technology involved: The most critical element for maintaining confidentiality, integrity, and availability of IP Telephony services. Technology goes from evading passive intrusion attempts to sophisticated attack mitigation techniques (as discussed in Chapter 1, “What Is IP Telephony Security and Why Do You Need It?”). It is the core of an IP Telephony network and plays the most significant role in defining the security controls and processes to be followed. The technology aspect involves (but is not limited to) the following:
- Attack mitigation
- Pre- and Post-deployment risk, vulnerability, and security assessment
- Define standards for encryption, key management, and authentication within the organization
- Management support: It is a well-known fact that no (IP Telephony) project will commence without adequate funding and support from higher management. The decision makers, stakeholders, and executives should be supportive of having a secure and robust IP Telephony network in place. In other words, they should be well informed about the cost of security breaches and the ROI so that they support not only the financial cause but also from a leadership and involvement perspective. (Remember that risk assessment and security strategy require participation from stakeholders.)
- Regulatory aspects: The U.S. Communications Assistance for Law Enforcement Act (CALEA) may require access at various security levels. A service provider is obliged to provide the necessary session keys to law enforcement personnel. Although private companies may be exempt, a 2007 U.S. government regulation, CALEA, requires public VoIP carriers to comply with federal wiretapping standards. There are other regulatory acts that come into play pertinent to VoIP systems, for example, the Fighting Internet and Wireless Spam (FISA) Act and the USA Patriotic (also known as Patriot) Act. Moreover, some organizations (for example, financial institutions) are required to meet global certifications. See the following URL for more information on how Cisco products cater to these requirements:
- Organization processes: The organization processes have a strong influence on the security framework because they drive the organization’s objectives, with which the security framework should be aligned. Furthermore, a security strategy must be aligned with the organization’s mission and vision, objectives, and goals. IP Telephony Security requires continuous vigilance and should be integrated into existing processes rather than viewed as a one-time task. In essence, the process elements include the following:
- Security strategy
- Organization objectives and goals
- Training requirements: The Cisco IP Telephony system provides users with an extensive range of security features. These features are, however, useless if the users of IP Telephony do not understand how to use them. Thus, it is important that end users are involved early in the implementation phase and that IP Telephony administrators are involved during the planning phase. Furthermore, cross-training should also be provided by the organization to the IT and telecom staff who may not have worked together prior to an IP Telephony implementation. Because IP Telephony systems are more complex than traditional telephone systems and use the underlying network, getting the IT, telecom, and network teams aligned and trained collectively is crucial to building and maintaining a secure IP Telephony system.
Therefore, it is the accumulation of all the elements discussed (in Chapters 1 through 4) that derives the security framework for an IP Telephony network, as illustrated in Figure 4-8.
Figure 4-8. IP Telephony Security Framework
The IP Telephony Security Framework (refer to Figure 4-8) should serve as the baseline to protect your IP Telephony network and its services. The implementation of this framework is detailed in the subsequent chapters through security constructs in design, configuration, and implementation.
Summary
While forming a security framework for your Cisco IP Telephony network, it is vital to have a handle on the various components that form the security framework. The Cisco security life cycle must be followed meticulously to implement the four phases and fit them to your IP Telephony network. This should be followed by the planning and designing of security into your IP Telephony network. Then comes the rigorous exercise of risk assessment, countermeasures, and a contingency plan for every recognized asset in your IP Telephony system and the underlying network equipment the organization or business owns or operates. The IP Telephony Security policy is an imperative component of your IP Telephony Security Framework, without which you simply cannot position proper security controls even if you have them penned down.
A security policy is not a fixed document, because it needs to be updated on a regular basis to counter any new security challenge or to address a new requirement. When designing a secure IP Telephony network, some goals (for example, the organization’s objectives; the intent to ensure IP Telephony system availability, confidentiality, and integrity; readiness for lawful interception; alignment with overall organization security objectives; and so on) need to be taken into consideration. This chapter also discussed how much it costs when threats are realized and the IP Telephony system is out of service, that is, the cost of security. Also, you can work out the right level of security for your IP Telephony network based on the case studies presented in this chapter.
Part II, “Cisco IP Telephony Network Security”, shows you how to protect your IP Telephony network by securing Layer 1 (physical layer), Layer 2 (switching infrastructure), Layer 3 (routing infrastructure), and network perimeter. You will learn about the importance of network security pertinent to IP Telephony, and the ways in which you can secure your IP Telephony network against internal and external threats.
