© 2006 Cisco Systems, Inc. All rights reserved. CVOICE v

Introduction to VoIP
Considering Security Implications of VoIP Networks

Outline
- Overview
- Security Policies for VoIP Networks
- Threats to VoIP Networks
- Secure LAN Design
- Communicating Through a Firewall
- Delivering VoIP over a VPN
- Bandwidth Overhead Associated with VPN
- Summary
- Lesson Self-Check

Elements of a Security Policy
- Transport security: Protect the data while it is in transit through the network
- Network security: Verify which data should be entering the network
- Intrusion detection: Provide notification in the event of unauthorized data detection

Networkwide Security

Threats to VoIP
- Theft and toll fraud
- Unauthorized access to voice resources
- Compromise of network resources
- Downtime and DoS
- Invasion of call privacy

Secure LAN Design
- Assigning different VLANs creates separate broadcast domains.
- Separate VLANs protect against eavesdropping and tampering.
- Separate VLANs render packet-sniffing tools less effective.

Firewall Access

VoIP over a VPN

VPN Overhead

Span Engineering VoIP Network Security Components
- Identify benefits of each security component.

Summary
- Security policies must encompass both transport and network security and should recommend monitoring for intrusion detection.
- Security threats against VoIP include toll fraud, invasion of privacy, unauthorized access to resources, and DoS attacks.
- Separate VLANs for voice and data prevent eavesdropping and tampering.
- Stateful firewalls inspect voice signaling packets to determine which UDP ports to allow through.
- Firewalls that are not capable of stateful inspection require the presence of an H.323 proxy server.
- VPN encryption headers introduce additional overhead that negatively impacts voice traffic.
- To calculate bandwidth overhead, you must understand the VPN technology and protocols.
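
The overhead calculation named in the last summary point, carried through as an added example that is not part of the original slides. It assumes IPv4, IPsec ESP in tunnel mode with HMAC-SHA1-96, 20 ms packetization, and standard G.711/G.729 payload sizes; none of these choices come from the slides, and Layer 2 framing is left out.

```python
# Added example: per-call Layer 3 bandwidth for RTP voice inside an IPsec ESP tunnel.
# Assumed (not from the slides): codec payload sizes, 20 ms packetization,
# IPv4, ESP tunnel mode, HMAC-SHA1-96 integrity, no header compression.

IP_UDP_RTP = 20 + 8 + 12      # inner IPv4 + UDP + RTP headers, bytes
OUTER_IP = 20                 # new IPv4 header added by tunnel mode
ESP_HEADER = 8                # SPI (4) + sequence number (4)
ESP_TRAILER_FIXED = 2         # pad-length (1) + next-header (1)
ICV = 12                      # HMAC-SHA1-96 authentication data

# cipher name -> (block size, IV size) in bytes
CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16)}

# codec -> voice payload bytes per 20 ms packet
CODECS = {"g711": 160, "g729": 20}
PACKETS_PER_SECOND = 50       # one packet every 20 ms


def clear_packet_bytes(codec):
    """Size of the unencrypted IP packet carrying one voice sample."""
    return CODECS[codec] + IP_UDP_RTP


def esp_packet_bytes(codec, cipher):
    """Size of the same packet after ESP tunnel-mode encapsulation."""
    block, iv = CIPHERS[cipher]
    inner = clear_packet_bytes(codec)
    # Pad so inner packet + ESP trailer fills whole cipher blocks.
    padding = -(inner + ESP_TRAILER_FIXED) % block
    encrypted = inner + padding + ESP_TRAILER_FIXED
    return OUTER_IP + ESP_HEADER + iv + encrypted + ICV


def kbps(packet_bytes):
    """Layer 3 bandwidth of one call direction at 50 packets per second."""
    return packet_bytes * 8 * PACKETS_PER_SECOND / 1000


def report():
    """Rows of (codec, cipher, clear bytes, VPN bytes, clear kbps, VPN kbps)."""
    rows = []
    for codec in CODECS:
        clear = clear_packet_bytes(codec)
        for cipher in CIPHERS:
            vpn = esp_packet_bytes(codec, cipher)
            rows.append((codec, cipher, clear, vpn, kbps(clear), kbps(vpn)))
    return rows


if __name__ == "__main__":
    for codec, cipher, clear, vpn, k0, k1 in report():
        print(f"{codec:5} {cipher:9} {clear:4}B -> {vpn:4}B  {k0:6.1f} -> {k1:6.1f} kbps")
```

The fixed per-packet cost weighs most on small-payload codecs: under these assumptions a G.729 call roughly doubles in Layer 3 bandwidth, while a G.711 call grows by about a third.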