If VoIP is implemented, security is an important consideration, because every node in a VoIP network is as accessible as a computer. When subjected to DoS attacks and hacking, VoIP is often exposed to problems such as unauthorized free calls, call eavesdropping, and malicious call redirection. How does Cisco, which strongly advocates VoIP, address these issues?

Cisco's elaborate IP telephony package can be said to be the most secure of Cisco's entire network security defense lineup. The test also showed that a VoIP network built this way can effectively withstand attacks by skilled hackers; its topology is significantly better than the security options many users deploy today. The drawback is that building such a system is somewhat expensive. In such a system, the optional components include two separate PIX firewalls, another firewall on a blade in the backbone Catalyst 6500, an IDS blade in the 6500, a fully independent management subnet, and various security management applications. The firewall and IDS components cost about 640,000 yuan.

Firewalls contribute many practical, strong security features. One is the concept of a trusted side and an untrusted side (the untrusted interface always faces the hacker). Another is protocol awareness: only the specific protocols that VoIP requires are allowed, and requests and responses can pass only in the correct direction.
Other firewall features included in this test were stateful inspection of VoIP call control; network address translation (NAT); tunneling of call control through the firewall; TCP Intercept, which ensures that TCP connections complete properly and also prevents DoS attacks on the Call Manager; and secure SCCP support.

Call Manager version 4.0, the core of Cisco's IP telephony package, handles call control and includes some other new security-related features. The most critical of these is VoIP encryption; in this test, encryption of the voice stream (RTP, Real-time Transport Protocol) was supported only on Cisco's latest 7970 IP phone sets. The latest Call Manager, based on the Windows 2000 operating system, has shown a gradual hardening trend.

In addition, a series of powerful network self-defense features is included in the beta-tested versions of Catalyst IOS, in particular IOS 12.2(17b)SXA on the core Catalyst 6500 and IOS 12.1 EW on the access Catalyst 4500. These features, as the front line of the security defense, blocked the attack team's actions more effectively than any other component in the Cisco topology. They include traffic policing and committed access rate, which were successful in blocking DoS attacks; Layer 2 port security, which strictly limits the number of MAC addresses on a port; Layer 2 DHCP snooping, which effectively blocks continuous attacks against the Dynamic Host Configuration Protocol; Dynamic ARP Inspection, which stops ARP (Address Resolution Protocol) poisoning and ARP interception attacks and also resisted many of the attack team's more covert attacks; IP Source Guard, which prevents spoofing attacks; and VLAN access control lists, which can restrict the traffic that reaches the IP phones.
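The following is an added example, not part of the original article and not Cisco code: a simplified Python model of how three of the access-switch checks named above (port security, DHCP snooping, and Dynamic ARP Inspection) fit together. The class name, port names, VLAN number, and all MAC and IP addresses are constructed sample values.

```python
# Added illustration: simplified model of three Catalyst Layer 2 checks.
# Port names, VLAN 110, MACs and IPs below are constructed sample values.
from collections import defaultdict

class AccessSwitch:
    def __init__(self, trusted_ports, max_macs=2):
        self.trusted = set(trusted_ports)  # uplinks toward the real DHCP server
        self.max_macs = max_macs           # port-security limit per access port
        self.macs = defaultdict(set)       # port -> source MACs learned so far
        self.bindings = {}                 # (vlan, ip) -> (mac, port)

    def port_security(self, port, mac):
        """Accept a frame only while the port stays within its MAC limit."""
        if port in self.trusted or mac in self.macs[port]:
            return True
        if len(self.macs[port]) >= self.max_macs:
            return False                   # violation: too many MACs on the port
        self.macs[port].add(mac)
        return True

    def dhcp_ack(self, port, vlan, client_mac, client_port, ip):
        """DHCP snooping: server replies are accepted on trusted ports only."""
        if port not in self.trusted:
            return False                   # reply from an access port: dropped
        self.bindings[(vlan, ip)] = (client_mac, client_port)
        return True

    def arp_ok(self, port, vlan, sender_mac, sender_ip):
        """Dynamic ARP Inspection: sender must match a snooped binding."""
        if port in self.trusted:
            return True
        return self.bindings.get((vlan, sender_ip)) == (sender_mac, port)

def demo():
    sw = AccessSwitch(trusted_ports={"Gi1/1"})
    phone, pc = "00:11:22:aa:00:01", "00:11:22:bb:00:02"
    # The legitimate lease for the phone arrives via the trusted uplink.
    sw.dhcp_ack("Gi1/1", 110, phone, "Fa2/1", "10.1.110.21")
    return {
        "phone_arp": sw.arp_ok("Fa2/1", 110, phone, "10.1.110.21"),
        "spoofed_arp": sw.arp_ok("Fa2/7", 110, pc, "10.1.110.21"),
        "rogue_dhcp": sw.dhcp_ack("Fa2/7", 110, pc, "Fa2/7", "10.1.110.99"),
        "mac_flood": [sw.port_security("Fa2/7", f"02:00:00:00:00:{i:02x}")
                      for i in range(4)],
        "bindings": len(sw.bindings),
    }

if __name__ == "__main__":
    print(demo())
```

The model shows why the features depend on one another: the ARP check is only as good as the binding table, and the binding table is only trustworthy because DHCP replies from access ports are discarded.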
Cisco Security Agent (CSA) is a host-based intrusion prevention system (IPS) that is now integrated as a security component in the Call Manager IP telephony server. It also appears on Cisco's Unity voice mail server and on all the other Windows 2000 servers running throughout the Cisco network topology.

Cisco's effective security measures are applied at almost every layer: the second and third layers (Catalyst series switches), the fourth and fifth layers (firewalls and IPS), the sixth layer (RTP voice stream encryption, which is still limited to certain telephones), and the seventh layer (server-based software such as Cisco Security Agent).

After a three-day test attack organized by the evaluation department, the security of the Cisco VoIP system largely withstood the test, but there were several flaws. First, it was easy for the hacker team to insert a listening device into the link connecting an IP phone. From this vantage point they could observe the details of all the traffic, such as protocols, addresses, and even RTP, the VoIP protocol that runs over UDP and carries the voice samples on all VoIP systems. Although the traffic into and out of calls on the Cisco 7970 VoIP phones is encrypted with 128-bit encryption, the attack team could still gain access easily. Using the network information the listening device collected, the hackers could plug in their own computer, go on to access the voice virtual LAN, and send traffic to devices in other VLANs, but they could not disguise themselves as an IP phone or as a call to an IP phone.

Finally, while this is an effective security policy spanning multiple platforms, the subtle interconnections and the correct installation of all these security components are very frustrating. The result may be secure but not practical if the Cisco-configured firewall does not allow traffic to flow in both directions. Any improper or incorrect setting undermines even the best security policy.
Figure: Cisco VoIP system topology map

Related links

VoIP security level: As a network administrator, you may often have to confront questions such as: "Does your IP phone (IP telephony) network prevent hackers from attacking?" Most of the answers are probably yes, but this depends largely on which manufacturer's IP PBX the network is using. It is therefore more important to have a thorough network security plan, a network and personal resource strategy, and additional security equipment, and to spend the money and time. The following table defines several security levels.

(Responsible editor: ZHAOHB)