Examining SAFE IP Telephony Design Fundamentals
Understanding SAFE IP Telephony Axioms
Understanding SAFE IP Telephony Network Designs
This chapter introduces the SAFE network design for IP telephony, which Cisco Systems developed to address customer concerns about the security of IP telephony deployed in a network. The "SAFE: IP Telephony Security in Depth" whitepaper examines the security of IP telephony in each of the SAFE blueprints (enterprise, medium-sized, and small networks) and builds on the concepts of modularity and "defense in depth." The whitepaper also addresses the unique security issues that an IP telephony deployment poses to a network.
"Do I Know This Already?" Quiz
The purpose of the "Do I Know This Already?" quiz is to help you decide if you really need to read the entire chapter. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now.
The 13-question quiz, derived from the major sections in the "Foundation Topics" portion of the chapter, helps you determine how to spend your limited study time.
Table 19-1 outlines the major topics discussed in this chapter and the "Do I Know This Already?" quiz questions that correspond to those topics.
Table 19-1 "Do I Know This Already?" Foundation Topics Section-to-Question Mapping
Foundation Topics Section | Questions Covered in This Section
Examining SAFE IP Telephony Design Fundamentals | 1–2
Understanding SAFE IP Telephony Axioms | 3–9
Understanding SAFE IP Telephony Network Designs | 10–12
CAUTION
The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark this question wrong for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.
1. Which of the following objectives are fundamental in the design of SAFE IP telephony networks?
a. Designation of responsibility
b. Quality of service
c. Integration with existing network infrastructure
d. Authentication of users and devices (identity)
e. Flexibility of the design
f. Secure management

2. What network feature should be deployed throughout the network infrastructure to ensure a successful IP telephony design?
a. QoS
b. ACLs
c. Authentication
d. IDS
e. IPS

3. Which of the following is one of the key axioms in the SAFE IP telephony design?
a. Security and attack mitigation based on policy
b. Voice and data segmentation
c. User authentication
d. Options for high availability (some designs)
e. Secure management

4. Which of the following protocols currently are used in IP telephony products?
a. IGMP
b. MGCP
c. SIP
d. CGMP
e. CDP
f. Q.773
g. H.323

5. Why does a firewall need to be "intelligent" when dealing with H.323 traffic?
a. The firewall must be capable of recognizing the traffic to encrypt it properly.
b. H.323 uses multiple static ports for signaling and media streams, and the firewall needs to know about those.
c. H.323 traffic must be authenticated at the firewall, and, therefore, the firewall needs to be capable of recognizing that traffic.
d. H.323 utilizes multiple dynamic ports for call sessions, and the firewall must be capable of determining those ports from the signaling channel.
e. H.323 cannot use NAT, and, therefore, the firewall must be capable of identifying H.323 traffic appropriately.

6. Which of the following is a tool that you can use to reconstruct a voice conversation?
a. dsniff
b. TCPdump
c. ARPwatch
d. VOMIT
e. MITM

7. Which of the following are legitimate connections that should be allowed through the stateful firewall protecting the call-processing manager?
a. PC web browser connecting to the voice-mail server
b. IP phone connecting to PC clients in the data segment
c. Call establishment and configuration traffic
d. Browsing of the IP phone web servers by PC clients
e. Connections between IP phones in the voice segment and the voice-mail system
f. Communication between the voice-mail system and the call-processing manager

8. What are the two most common recommended methods of authentication for IP phones?
a. Device authentication
b. Network authentication
c. Proxy authentication
d. User authentication
e. Null authentication

9. Security design reliance should be based on which of the following?
a. VLAN segmentation
b. Data sharing between voice and data VLANs
c. Access control
d. Layered security best practices
e. Multicast join restriction

10. Which of the following are services provided by the edge router in the small IP telephony design?
a. VLAN segmentation
b. Stateful firewalling
c. NAT
d. QoS
e. All of these answers are correct

11. What is the purpose of the call-processing manager in each of the SAFE IP telephony designs?
a. The call-processing manager provides data services to IP telephony devices in the module.
b. The call-processing manager provides voice services to IP telephony devices in the module.
c. The call-processing manager does not provide voice-mail storage in the modules.
d. The call-processing manager provides data storage for the IP phones.

12. What two basic designs are possible in the small and medium blueprints for IP telephony?
a. Hub
b. Spoke
c. Headend
d. Remote
e. Branch

13. What is the purpose of the Layer 3 switches in the server module?
a. The switches in the module are not Layer 3 switches; they are Layer 2 switches.
b. No special purpose is assigned to the Layer 3 switches in this module.
c. The Layer 3 switches provide routing and switching services to both voice and data traffic, in addition to filtering, QoS, VLANs, and private VLANs to the servers. They also provide for traffic inspection through the use of integrated NIDS.
d. The Layer 3 switches provide firewall services through the use of an integrated firewall service module.
The answers to the "Do I Know This Already?" quiz are found in Appendix A, "Answers to the 'Do I Know This Already?' Quizzes and Q&A Sections." The suggested choices for your next step are as follows:
11 or fewer overall score: Read the entire chapter. This includes the "Foundation Topics" and "Foundation Summary" sections and the Q&A section.
12 or 13 overall score: If you want more review on these topics, skip to the "Foundation Summary" section and then go to the Q&A section. Otherwise, move to the next chapter.
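Two of the questions above, the one on H.323 and the one on the stateful firewall in front of the call-processing manager, turn on behaviour that is easier to see in code than in a sentence. The following is an added example and not code from the book or from Cisco's SAFE whitepaper: a toy stateful firewall whose static allow-list admits only call-establishment, configuration and voice-mail flows, and whose H.323-style application-layer gateway (ALG) learns each call's RTP port from the signaling channel, opens a UDP pinhole for it, and closes it when the call ends. The segments, addresses, port numbers, host names, the `Flow` and `StatefulFirewall` types, and the one-line text form of the OpenLogicalChannel message are all constructed stand-ins (a real H.245 OpenLogicalChannel is ASN.1 PER encoded); the check that an endpoint may only open pinholes toward itself is an added hardening the quiz does not discuss.

```python
"""Toy stateful firewall with an H.323-style application-layer gateway (ALG).

Added illustration; not code from the book or the SAFE whitepaper. Segments,
addresses, ports and the one-line signaling text are constructed stand-ins
(the real H.245 OpenLogicalChannel is ASN.1 PER encoded).
"""
import ipaddress
import re
from dataclasses import dataclass, field

VOICE_SEGMENT = ipaddress.ip_network("10.1.1.0/24")  # IP phones (constructed)
CALL_MANAGER = ipaddress.ip_address("10.1.10.5")     # call-processing manager (constructed)
VOICE_MAIL = ipaddress.ip_address("10.1.10.6")       # voice-mail server (constructed)
H225_PORT = 1720                  # H.323 call signaling, the one well-known TCP port
TFTP_PORT = 69                    # phone configuration download
MEDIA_PORTS = range(1024, 65536)  # RTP ports the ALG is willing to open

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int

def _ip(s):
    return ipaddress.ip_address(s)

def static_policy(f: Flow) -> bool:
    """Allow-list in front of the call-processing manager; everything else is denied,
    including PCs in the data segment browsing the phones' web servers."""
    src, dst, svc = _ip(f.src), _ip(f.dst), (f.proto, f.dport)
    if src in VOICE_SEGMENT and dst == CALL_MANAGER and svc in {("tcp", H225_PORT), ("udp", TFTP_PORT)}:
        return True  # call establishment and configuration: phones -> call manager
    if src in VOICE_SEGMENT and dst == VOICE_MAIL and svc == ("tcp", H225_PORT):
        return True  # phones -> voice-mail system
    if {src, dst} == {VOICE_MAIL, CALL_MANAGER} and svc == ("tcp", H225_PORT):
        return True  # voice-mail system <-> call-processing manager
    return False

# Constructed stand-in for an H.245 OpenLogicalChannel announcing an RTP receive address.
OLC_RE = re.compile(r"OpenLogicalChannel\s+mediaChannel=(\d+\.\d+\.\d+\.\d+):(\d+)")

@dataclass
class StatefulFirewall:
    pinholes: set = field(default_factory=set)  # (dst_ip, udp_port) learned from signaling

    def inspect_signaling(self, f: Flow, payload: str) -> list:
        """ALG step: learn the dynamic RTP port from the signaling channel and open it.
        Only a permitted signaling session may open holes, and only toward the endpoint
        that announces them; otherwise anyone reaching TCP/1720 could punch holes to
        third parties or privileged ports."""
        if f.proto != "tcp" or f.dport != H225_PORT or not static_policy(f):
            return []
        opened = []
        for ip, port in OLC_RE.findall(payload):
            port = int(port)
            if _ip(ip) != _ip(f.src) or port not in MEDIA_PORTS:
                continue
            hole = (str(_ip(ip)), port)
            self.pinholes.add(hole)
            opened.append(hole)
        return opened

    def close_call(self, endpoint: str) -> None:
        """Remove every pinhole owned by an endpoint once its call ends."""
        self.pinholes = {h for h in self.pinholes if h[0] != str(_ip(endpoint))}

    def permit(self, f: Flow) -> bool:
        """Static allow-list first, then the dynamically learned media pinholes."""
        if static_policy(f):
            return True
        return f.proto == "udp" and (str(_ip(f.dst)), f.dport) in self.pinholes

def demo() -> dict:
    """Walk one call through the firewall and return each decision."""
    fw = StatefulFirewall()
    phone, peer, pc = "10.1.1.21", "10.1.1.22", "10.1.2.40"  # constructed hosts
    sig = Flow(phone, str(CALL_MANAGER), "tcp", H225_PORT)
    out = {"phone_signaling": fw.permit(sig),
           "pc_browses_phone": fw.permit(Flow(pc, phone, "tcp", 80)),
           "media_before_call": fw.permit(Flow(peer, phone, "udp", 16384))}
    out["pinholes"] = fw.inspect_signaling(sig, f"OpenLogicalChannel mediaChannel={phone}:16384")
    out["media_during_call"] = fw.permit(Flow(peer, phone, "udp", 16384))
    # A legitimate session may not open holes toward another host or a privileged port
    out["spoofed"] = fw.inspect_signaling(sig, f"OpenLogicalChannel mediaChannel={CALL_MANAGER}:53")
    # A PC cannot drive the ALG at all: its signaling session is denied by the static policy
    out["pc_signaling"] = fw.inspect_signaling(Flow(pc, str(CALL_MANAGER), "tcp", H225_PORT),
                                               f"OpenLogicalChannel mediaChannel={pc}:20000")
    fw.close_call(phone)
    out["media_after_call"] = fw.permit(Flow(peer, phone, "udp", 16384))
    return out

if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:18} {decision}")
```

Running the script prints the decision for each step of the walk-through: the media stream is refused before the call is signaled, admitted only after the ALG has read the port from the signaling channel, and refused again once the call is torn down, which is the stateful, signaling-aware behaviour a firewall needs for H.323. The two rejected announcements show why an ALG must not trust the signaling payload blindly: a host that can reach the signaling port would otherwise be able to open holes toward servers it has no business reaching.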