VoIP Telephony Network Security Considerations TR41.4.4 01-11-018
Title: VoIP Telephone Network Security Architectural Considerations

Standards Project: PN URV
Title: VoIP Telephone Network Security Architectural Considerations
Source: Cisco Systems, Inc., 170 West Tasman Dr., San Jose, CA, USA
Contact: Bob Bell
Phone:
Fax:
Date: November 6, 2001
Distribution To: TIA TR41.4 and TIA TR

Notice

This contribution has been prepared to assist TIA Standards Committee TR-41. It is offered to the committee as a basis for discussion and is not binding on Cisco Systems or any other company. The recommendations are subject to change in form and/or numerical value after further study. Cisco Systems specifically reserves the right to add to, or amend, the quantitative statements contained herein. Nothing contained herein shall be construed as conferring by implication, or otherwise, any license or right under patent, whether or not the use of information herein necessarily employs an invention of any existing or later issued patent.

The contributor grants a free, irrevocable license to the Telecommunications Industry Association (TIA) to incorporate text contained in this contribution and any modifications thereof in the creation of a TIA standards publication; to copyright in TIA's name any standards publication even though it may include portions of this contribution; and at TIA's sole discretion to permit others to reproduce in whole or in part the resulting TIA standards publication.

VoIP Security Network Security Architectural Considerations

1. Introduction

As an aid to discussion of the interconnectedness of the various components of a typical enterprise network, it is important to define the various segments of the network that may interconnect. The following description divides this typical network into 7 segments and associates a color with each segment. It is important to remember that this division is relative to the VoIP components of the network. In practice, there may be several subdivisions of each of these network segments.

It is assumed for this discussion that there exists an isolation gateway between each of these components. Some may be structured on dedicated VLANs or physical LANs. The isolation gateways include devices such as routers and firewalls. VLANs may also exist within the switches.

It is assumed for the purposes of this document that another, invisible network segment also exists. This special segment is the network intrusion detection segment and contains sensors and evaluation elements. These devices are not specifically defined within this document.

2. Network Segments

Each of the following network segments contains similar devices. Physically, these segments may exist as separate physical LANs, as VLANs, or as aggregates of either or both types of topologies.

Network segments are described as one of three categories: 1) service crucial, 2) service important, and 3) service neutral. This grading is relative to the functioning of the VoIP system and does not assume the importance of other network elements in relation to other enterprise missions.

Service crucial network segments are those whose disruption would incapacitate the system. Thus, if elements in a service crucial segment are subject to a DoS attack, the entire VoIP phone system would cease to function.

Service important network segments contain elements whose operation markedly enhances the functionality of the system. These would include conference bridges or IVR systems for internal use. Disruption of elements of this segment would cause significant loss of functionality within the system, but calls could still be made.

Service neutral segments are those containing elements that do not significantly impact the VoIP system. For example, loss of a data server would not significantly impact the VoIP system.

2.1 Central Call Control and Related Components Segment (Blue Network)

This segment contains the call manager cluster and the database publisher. It can also include CTI servers and other devices that do not receive VoIP media streams. In addition, the CallAgent security registrar is contained within the Blue network. This network provides the signaling control for the system and the associated processes. This is a service crucial network segment.

Bob Bell Page 1 11/6/2001

2.2 Peripheral VoIP Elements Segment (Yellow Network)

This segment contains those endpoints that receive VoIP media traffic. These include such items as DSP farms and Voice Mail. It also includes the VoIP Gateways and phones. It excludes VoIP devices that reside on both the Voice and Data networks. Thus, this grouping does not include PC-based VoIP Terminals. This is a service crucial or a service important network segment depending on the configuration and business plan.

2.3 Voice Associated Work Stations Segment (Green Network)

This segment contains general-purpose devices that span both the Voice and Data networks. This includes the PC-based VoIP Terminals running on a workstation, attendant consoles, and other devices of this sort. This is a service important or service neutral segment depending on configuration.

2.4 Administrator Data Segment (Black Network)

This segment contains the network administrators' workstations and may also contain the user authorization and authentication systems used within the total network. This is a service crucial or service important network segment depending on configuration.

2.5 General Intranet Data Segment (Orange Network)

This segment contains those workstations and servers comprising the Data Network infrastructure. There is a separate hierarchy of service crucial, service important, etc. units. In relationship to the VoIP system that is being profiled here, this network segment is service neutral at most.

2.6 Bastion Segment (White Network)

This segment contains the servers and related infrastructure that allow access to services within the Internet. This includes HTTP proxies, mail forwarding servers, and Voice Portals. This segment, if it contains elements used within the VoIP systems, is a service important segment. Otherwise, this segment is service neutral at most.

2.7 Internet Segment (Red Network)

This segment is the Internet. It is a service neutral segment at best from the standpoint of the VoIP system. This segment should be considered armed and dangerous, and suspect under all conditions.

3. Segment Interconnection Mapping

The following sections describe the information flows from one segment to the others. This mapping helps to identify the access controls needed for the information flows and also identifies the volume of information flow.

3.1 Blue Network

This network segment contains the CALLAGENT and associated servers and processes. Internal communications within the network consist of inter-cluster communications and signaling traffic. The endpoints should authenticate each other, but privacy is probably not a big issue unless the cluster elements are remote from one another.

To Yellow Network

This information flow consists of signaling flows. The endpoints should authenticate each other. For high criticality units such as the DSP farms or Gateways, the endpoints shall authenticate to each other. For highly mobile devices, e.g. IP phones, the endpoints shall authenticate to each other. Signaling privacy is a significant concern, as the keying information for the media privacy is contained in that information flow. If there is media traffic, because the CALLAGENT processor is providing the conference bridge capabilities for example, this downgrades the security of the Blue network.

To Green Network

This also consists primarily of signaling traffic. Because these devices represent a bridging of the Voice and Data networks, their links shall be authenticated and monitored to prevent these platforms from being used as attack platforms.

To Black Network

There are two classes of information flows related to the Black network: 1) user authentication traffic (e.g. RADIUS requests), and 2) administration actions. The former traffic type is the more numerous and must follow the guidelines established for that type of traffic. It may include routing this traffic type through IPSEC tunnels or other restrictions. The latter traffic type must be authenticated and encrypted, since internal information and machine structure is revealed in these messages. SSH or HTTPS are the recommended mechanisms for providing this protection.

To Orange Network

Contact between the Blue and Orange networks should be extremely limited, if at all. Such contact, in the case of user administration of their phone databases, shall occur only over HTTPS or SSL/IPSEC protected linkage, preferably using digital certificates as the means to authenticate. No other contact shall be allowed.

To White Network

Contact to Internet based services such as stock quotes should terminate on a proxy server in the Bastion Network Segment. Information that is forwarded to the phones from these servers should travel over IPSEC controlled tunnels that terminate in the service conduits of the CALLAGENT. Certificate Revocation List updates from Cisco should also terminate in a Bastion server and be relayed to the CALLAGENT cluster via IPSEC controlled tunnels. No other contact is envisioned.

To Red Network

No contact with the Red network is allowed.

3.2 Yellow Network

This network segment contains the phones and other media endpoints. Because this network segment is more available, greater security requirements exist. All devices must authenticate signaling events. In addition, any images or other information purportedly from the Blue segment must be digitally signed and validated before being allowed to become active within the elements of this network segment.

Because of the centralized signaling scheme of the CALLAGENT system, the only internal communications between elements of the Yellow network should be media streams. These streams should be authenticated using HMAC techniques to assure integrity and origin. No other information flows between elements of this network segment are envisioned.

To Green Network

Communications flows with the Green network are envisioned to be only media streams and should follow the same guidelines as the internal Yellow network flows. No other communications between elements of the Green network are envisioned.

To Black Network

As with the Blue network above, all contact with the Black network is strictly limited by the operating rules of that network. A discussion of these rules is beyond the scope of this document.

To Orange Network

The only contact with the Orange network is for the user to manage items on his own phone. This contact is envisioned to occur only over HTTPS secure, authenticated data flows. The authentication should use standard HTTPS means. No other contact is envisioned.

To White Network

No direct contact with the White network is envisioned. All messaging that uses this network should use the service conduits of CALLAGENT.

To Red Network

No direct contact with the Red network is allowed.

3.3 Green Network

This network contains elements that may bridge between the Voice and Data networks. As such, this network segment represents the point of highest threat to the CALLAGENT VoIP system. Peer communications follow the same guidelines as the Yellow network. However, this network is monitored very carefully for signs of attack. It is desirable that two IP interfaces exist for elements of this network segment. The first resides on the Green network segment. The second is homed on the data segment.

To Black Network

Contact with this segment follows the strict rules of the Black segment. These rules are beyond the scope of this document.

To Orange Network

Contact with the Orange network should only occur on the second network interface, if it exists. If a second physical network is not possible, then the use of VLAN separation is strongly recommended. If that is not possible, traffic from the Orange network should be fully screened and controlled.
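The HMAC authentication of media streams that section 3.2 recommends for Yellow network flows (and that Green peers reuse) can be sketched as follows. This is an added example, not code from the contribution: the packet layout, the choice of HMAC-SHA256, the 128-bit tag length and both keys are assumptions, and the session key stands in for the keying information that section 3.1 says travels in the signaling flow.

```python
import hashlib
import hmac
import struct

# Constructed packet layout (assumption): 32-bit stream id, 16-bit sequence
# number, media payload, then a truncated HMAC tag over header + payload.
HEADER = struct.Struct("!IH")
TAG_LEN = 16  # assumption: HMAC-SHA256 truncated to 128 bits

def protect(key, stream_id, seq, payload):
    """Sender side: append a tag covering both header and payload."""
    body = HEADER.pack(stream_id, seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

def verify(key, packet):
    """Receiver side: return (stream_id, seq, payload), or None if the tag fails."""
    if len(packet) < HEADER.size + TAG_LEN:
        return None                      # too short to carry header and tag
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    stream_id, seq = HEADER.unpack_from(body)
    return stream_id, seq, body[HEADER.size:]

def receive(key, packets):
    """Process a stream; only packets with a valid tag reach the media path."""
    accepted, rejected = [], 0
    for packet in packets:
        result = verify(key, packet)
        if result is None:
            rejected += 1
        else:
            accepted.append(result)
    return accepted, rejected

# Constructed sample data: the per-call key both endpoints received through
# signaling, and a key held by some other device on the segment.
SESSION_KEY = bytes(range(32))
OTHER_KEY = bytes(range(32, 64))

def sample_stream():
    good1 = protect(SESSION_KEY, 0x1001, 1, b"frame-1")
    good2 = protect(SESSION_KEY, 0x1001, 2, b"frame-2")
    tampered = bytearray(good2)
    tampered[HEADER.size] ^= 0x01                             # payload bit flipped in transit
    reheadered = HEADER.pack(0x1001, 9) + good1[HEADER.size:]  # header altered, old tag kept
    forged = protect(OTHER_KEY, 0x1001, 3, b"frame-3")        # origin without the session key
    truncated = good1[:5]
    return [good1, bytes(tampered), reheadered, forged, truncated, good2]

if __name__ == "__main__":
    ok, bad = receive(SESSION_KEY, sample_stream())
    print(f"accepted={len(ok)} rejected={bad}")
```

Because the tag only proves possession of the session key, the origin guarantee is exactly as strong as the protection of the signaling flow that delivered that key.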

To White Network

Contact with the White network for the Green interface should not exist. All services requiring contact with the White network for the VoIP applications should come via the service conduits of the CALLAGENT.

To Red Network

No direct connections with the Red network are envisioned.

3.4 Black Network

This administrative network has a set of strict guidelines for contact between it and the other networks. That set of guidelines is under control of the enterprise network security personnel and is beyond the scope of this document.

3.5 Orange Network

All contacts between the Orange network and those above it in this document are contained in previous sections. There is only one special case, that of an Orange device being connected to the switch in the back of the phone. All other contact is beyond the scope of this document.

To Yellow Network

In the case of an Orange device connecting to the switch of a phone, the Orange device shall not be allowed to transmit on any VLAN other than the base VLAN. All other IEEE 802.1u addresses should be blocked at that switch. This is to prevent the Orange device from assuming the role of a higher element and masquerading as a Blue network element. No other contact is envisioned except as described previously.

To White Network

Contact with the White network should follow the security policies of the enterprise systems administrators.

To Red Network

Contact with the Red network should follow the network security guidelines established by the Systems Administrators.

3.6 White Network

Among other types of devices, the White network contains the proxy servers for services present on the phones. The information flows from these servers to the CALLAGENT servers are discussed above. No other communications flows are envisioned. Please note that it is extremely important that these servers be protected with host-based intrusion detection systems as well as other anti-attack measures. The structure of a Bastion network is beyond the scope of this document.

To Red Network

Contact with the Red network should follow the security policy of the systems administrators.

3.7 Red Network

Under normal conditions, there should be no direct contact between elements of the Red network and any other elements within the VoIP System.
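The flow rules of section 3 can be written down as a default-deny matrix and used to audit observed or proposed flows. The following is an added example, not part of the contribution: the traffic-class names, the mechanism labels, the treatment of each segment pair as undirected, and the sample flows are all assumptions made for illustration.

```python
from dataclasses import dataclass

VOIP = {"blue", "yellow", "green"}   # segments the document sets rules for
SEGMENTS = VOIP | {"black", "orange", "white", "red"}
DEFER = "defer"                      # left to enterprise policy, outside the document

# mechanism -> (authenticates peers, provides privacy). Assumption: IPSEC is
# deployed with both authentication and encryption enabled.
MECHANISMS = {
    "none": (False, False), "hmac": (True, False), "tls": (True, True),
    "https": (True, True), "ssh": (True, True), "ipsec": (True, True),
}

@dataclass(frozen=True)
class Rule:
    auth: bool = True                    # endpoints must authenticate
    privacy: bool = False                # flow must be encrypted
    mechanisms: frozenset = frozenset()  # if non-empty, the only mechanisms accepted

def pair(a, b):
    return frozenset((a, b))             # flows are modelled as undirected (assumption)

TUNNEL = Rule(privacy=True, mechanisms=frozenset({"ipsec"}))
# Media that terminates in Blue (conference bridging) is not modelled; the text
# only says it downgrades Blue, so it falls to default deny and gets reviewed.
POLICY = {
    pair("blue", "blue"): {"signaling": Rule()},
    pair("blue", "yellow"): {"signaling": Rule(privacy=True)},  # carries media keying
    pair("blue", "green"): {"signaling": Rule()},
    pair("blue", "black"): {
        "admin": Rule(privacy=True, mechanisms=frozenset({"ssh", "https"})),
        "user-auth": DEFER,                                     # e.g. RADIUS guidelines
    },
    pair("blue", "orange"): {
        "user-admin": Rule(privacy=True, mechanisms=frozenset({"https", "tls", "ipsec"})),
    },
    pair("blue", "white"): {"service": TUNNEL, "crl-update": TUNNEL},
    pair("yellow", "yellow"): {"media": Rule()},
    pair("yellow", "green"): {"media": Rule()},
    pair("green", "green"): {"media": Rule()},
    pair("yellow", "orange"): {
        "user-admin": Rule(privacy=True, mechanisms=frozenset({"https"})),
    },
    pair("yellow", "black"): DEFER,
    pair("green", "black"): DEFER,
}

def check(src, dst, traffic, mechanism):
    """Return (verdict, reason); verdict is 'allow', 'deny' or 'defer'."""
    if src not in SEGMENTS or dst not in SEGMENTS:
        raise ValueError("unknown segment")
    if mechanism not in MECHANISMS:
        raise ValueError("unknown mechanism")
    key = pair(src, dst)
    if not key & VOIP:
        return DEFER, "no VoIP segment involved; enterprise policy applies"
    entry = POLICY.get(key)
    if entry is None:
        return "deny", f"no contact allowed between {src} and {dst}"
    if entry == DEFER:
        return DEFER, "governed by Black network rules"
    rule = entry.get(traffic)
    if rule is None:
        return "deny", f"{traffic} is not an envisioned flow between {src} and {dst}"
    if rule == DEFER:
        return DEFER, "governed by guidelines outside the document"
    authenticated, private = MECHANISMS[mechanism]
    if rule.mechanisms and mechanism not in rule.mechanisms:
        return "deny", f"{mechanism} is not an accepted mechanism for this flow"
    if rule.auth and not authenticated:
        return "deny", "flow must be authenticated"
    if rule.privacy and not private:
        return "deny", "flow must be encrypted"
    return "allow", "matches a section 3 flow"

# Constructed sample flows: (source, destination, traffic class, mechanism).
FLOWS = [
    ("yellow", "blue", "signaling", "tls"),
    ("yellow", "blue", "signaling", "hmac"),
    ("yellow", "yellow", "media", "none"),
    ("black", "blue", "admin", "ssh"),
    ("green", "white", "service", "https"),
    ("red", "blue", "signaling", "tls"),
    ("orange", "red", "web", "none"),
]

def audit(flows):
    return [check(*flow)[0] for flow in flows]

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow, "->", *check(*flow))
```

Any pair involving Blue, Yellow or Green that is not listed is denied, which mirrors the "no other contact is envisioned" wording used throughout section 3.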

4. Summary Tables

From/To Blue Yellow Green Black Orange White Red
Blue Simple Stringent Stringent Tightly None Yellow Stringent Stringent Stringent/ Green Black Orange White Stringent Tightly Stringent/ None None Media Only Red None None
Table 1 Authentication
None None None

From/To Blue Yellow Green Black Orange White Red
Blue Yes Yes HTTPS/ IPSEC None Required SSL/TLS Yellow YES Media Media None None None Only Only Green Yes Stringent/ Media Only HTTPS/ SSL/TLS Black Orange HTTPS/ SSL/TLS None HTTPS/ SSL/TLS White IPSEC None Red None None
Table 2 - Privacy


More information

Developing Network Security Strategies

Developing Network Security Strategies NETE-4635 Computer Network Analysis and Design Developing Network Security Strategies NETE4635 - Computer Network Analysis and Design Slide 1 Network Security Design The 12 Step Program 1. Identify network

More information

Implementing Cisco IOS Telephony and Unified Communications Express (IITUCX)

Implementing Cisco IOS Telephony and Unified Communications Express (IITUCX) Implementing Cisco IOS Telephony and Unified Communications Express (IITUCX) Course Objectives Explain the benefits and components of a Cisco Unified Communications system Describe how traditional telephony

More information

Configuring DHCP Snooping

Configuring DHCP Snooping CHAPTER 19 This chapter describes how to configure Dynamic Host Configuration Protocol (DHCP) snooping on Catalyst 4500 series switches. It provides guidelines, procedures, and configuration examples.

More information

Voice Over IP (VoIP) Denial of Service (DoS)

Voice Over IP (VoIP) Denial of Service (DoS) Introduction Voice Over IP (VoIP) Denial of Service (DoS) By Mark Collier Chief Technology Officer SecureLogix Corporation mark.collier@securelogix.com Denial of Service (DoS) is an issue for any IP network-based

More information

ehealth and VoIP Overview

ehealth and VoIP Overview ehealth and VoIP Overview Voice over IP (VoIP) configurations can be very complex. Your network could contain a variety of devices, applications, and configuration capabilities to support voice traffic.

More information

Consensus Policy Resource Community. Lab Security Policy

Consensus Policy Resource Community. Lab Security Policy Lab Security Policy Free Use Disclaimer: This policy was created by or for the SANS Institute for the Internet community. All or parts of this policy can be freely used for your organization. There is

More information

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall Chapter 2: Security Techniques Background Chapter 3: Security on Network and Transport Layer Chapter 4: Security on the Application Layer Chapter 5: Security Concepts for Networks Firewalls Intrusion Detection

More information

Cisco Certified Security Professional (CCSP)

Cisco Certified Security Professional (CCSP) 529 Hahn Ave. Suite 101 Glendale CA 91203-1052 Tel 818.550.0770 Fax 818.550.8293 www.brandcollege.edu Cisco Certified Security Professional (CCSP) Program Summary This instructor- led program with a combination

More information

NTP VoIP Platform: A SIP VoIP Platform and Its Services

NTP VoIP Platform: A SIP VoIP Platform and Its Services NTP VoIP Platform: A SIP VoIP Platform and Its Services Speaker: Dr. Chai-Hien Gan National Chiao Tung University, Taiwan Email: chgan@csie.nctu.edu.tw Date: 2006/05/02 1 Outline Introduction NTP VoIP

More information

ITKwebcollege.ADMIN-Basics Fundamentals of Microsoft Windows Server

ITKwebcollege.ADMIN-Basics Fundamentals of Microsoft Windows Server ITKwebcollege.ADMIN-Basics Fundamentals of Microsoft Windows Server Inhalte Teil 01 Network Architecture Standards Network Components and Terminology Network Architecture Network Media Access Control Methods

More information

Secure Networking for Critical Infrastructure Using Service-aware switches for Defense-in-Depth deployment

Secure Networking for Critical Infrastructure Using Service-aware switches for Defense-in-Depth deployment Secure Networking for Critical Infrastructure Using Service-aware switches for Defense-in-Depth deployment Introduction 1 Distributed SCADA security 2 Radiflow Defense-in-Depth tool-set 4 Network Access

More information

IMPLEMENTING CISCO IOS TELEPHONY AND UNIFIED COMMUNICATIONS EXPRESS (IITUCX)

IMPLEMENTING CISCO IOS TELEPHONY AND UNIFIED COMMUNICATIONS EXPRESS (IITUCX) Temario IMPLEMENTING CISCO IOS TELEPHONY AND UNIFIED COMMUNICATIONS EXPRESS (IITUCX) This course is designed to be the primary training for Cisco Unified Communications Manager Express and Cisco Unity

More information

Technical Configuration Notes

Technical Configuration Notes MITEL SIP CoE Technical Configuration Notes Configure MCD for use with OpenIP SIP Trunking service SIP CoE 11-4940-00186 NOTICE The information contained in this document is believed to be accurate in

More information

Connecting MPLS Voice VPNs Enabling the Secure Interconnection of Inter-Enterprise VoIP

Connecting MPLS Voice VPNs Enabling the Secure Interconnection of Inter-Enterprise VoIP Connecting MPLS Voice VPNs Enabling the Secure Interconnection of Inter-Enterprise VoIP Connecting MPLS Voice VPNs Enabling the secure interconnection of Inter-Enterprise VoIP Executive Summary: MPLS Virtual

More information

SIP Security Controllers. Product Overview

SIP Security Controllers. Product Overview SIP Security Controllers Product Overview Document Version: V1.1 Date: October 2008 1. Introduction UM Labs have developed a range of perimeter security gateways for VoIP and other applications running

More information

HughesNet Broadband VPN End-to-End Security Using the Cisco 87x

HughesNet Broadband VPN End-to-End Security Using the Cisco 87x HughesNet Broadband VPN End-to-End Security Using the Cisco 87x HughesNet Managed Broadband Services includes a high level of end-to-end security features based on a robust architecture designed to meet

More information

Information Technology Security Guideline. Network Security Zoning

Information Technology Security Guideline. Network Security Zoning Information Technology Security Guideline Network Security Zoning Design Considerations for Placement of s within Zones ITSG-38 This page intentionally left blank. Foreword The Network Security Zoning

More information

Securing VoIP Networks using graded Protection Levels

Securing VoIP Networks using graded Protection Levels Securing VoIP Networks using graded Protection Levels Andreas C. Schmidt Bundesamt für Sicherheit in der Informationstechnik, Godesberger Allee 185-189, D-53175 Bonn Andreas.Schmidt@bsi.bund.de Abstract

More information

Configuring IPsec VPN with a FortiGate and a Cisco ASA

Configuring IPsec VPN with a FortiGate and a Cisco ASA Configuring IPsec VPN with a FortiGate and a Cisco ASA The following recipe describes how to configure a site-to-site IPsec VPN tunnel. In this example, one site is behind a FortiGate and another site

More information

Bridgit Conferencing Software: Security, Firewalls, Bandwidth and Scalability

Bridgit Conferencing Software: Security, Firewalls, Bandwidth and Scalability Bridgit Conferencing Software: Security, Firewalls, Bandwidth and Scalability Overview... 3 Installing Bridgit Software... 4 Installing Bridgit Software Services... 4 Creating a Server Cluster... 4 Using

More information

DATA SECURITY 1/12. Copyright Nokia Corporation 2002. All rights reserved. Ver. 1.0

DATA SECURITY 1/12. Copyright Nokia Corporation 2002. All rights reserved. Ver. 1.0 DATA SECURITY 1/12 Copyright Nokia Corporation 2002. All rights reserved. Ver. 1.0 Contents 1. INTRODUCTION... 3 2. REMOTE ACCESS ARCHITECTURES... 3 2.1 DIAL-UP MODEM ACCESS... 3 2.2 SECURE INTERNET ACCESS

More information

VoIP Resilience and Security Jim Credland

VoIP Resilience and Security Jim Credland VoIP Resilience and Security Jim Credland About THUS plc Provider and user of VoIP and Soft Switch technologies Developing Enterprise Security Standards NISCC VoIP Working Group Security Considerations

More information

IP Telephony Management

IP Telephony Management IP Telephony Management How Cisco IT Manages Global IP Telephony A Cisco on Cisco Case Study: Inside Cisco IT 1 Overview Challenge Design, implement, and maintain a highly available, reliable, and resilient

More information

QuickSpecs. Models. Features and benefits Configuration. HP VCX x3250m2 IP Telecommuting Module. HP VCX x3250m2 IP Telecommuting Module Overview

QuickSpecs. Models. Features and benefits Configuration. HP VCX x3250m2 IP Telecommuting Module. HP VCX x3250m2 IP Telecommuting Module Overview Overview Models JE404A Key features Based on a security-hardened version of Linux Works in conjunction with existing firewalls Receives SIP signaling directly from Internet Transparently supports NAT;

More information

Enterprise VoIP Services over Mobile Ad-Hoc Technologies

Enterprise VoIP Services over Mobile Ad-Hoc Technologies Enterprise VoIP Services over Mobile Ad-Hoc Technologies 1 System Architecture Figure 1 illustrates the system architecture. We can divide it into 2 parts. One is the Mobile VoIP Box (MVB) node and the

More information

NETWORK ADMINISTRATOR

NETWORK ADMINISTRATOR JOB DESCRIPTION Title: NETWORK ADMINISTRATOR Department: Information Systems Class Code: 1821 FLSA Status: Exempt Effective Date: February 13, 1997 (Rev. 07/2012) Grade Number: 26 GENERAL PURPOSE Under

More information

Network Access Security. Lesson 10

Network Access Security. Lesson 10 Network Access Security Lesson 10 Objectives Exam Objective Matrix Technology Skill Covered Exam Objective Exam Objective Number Firewalls Given a scenario, install and configure routers and switches.

More information

Firewalls. Ahmad Almulhem March 10, 2012

Firewalls. Ahmad Almulhem March 10, 2012 Firewalls Ahmad Almulhem March 10, 2012 1 Outline Firewalls The Need for Firewalls Firewall Characteristics Types of Firewalls Firewall Basing Firewall Configurations Firewall Policies and Anomalies 2

More information

Local Area Networking technologies Unit number: 26 Level: 5 Credit value: 15 Guided learning hours: 60 Unit reference number: L/601/1547

Local Area Networking technologies Unit number: 26 Level: 5 Credit value: 15 Guided learning hours: 60 Unit reference number: L/601/1547 Unit title: Local Area Networking technologies Unit number: 26 Level: 5 Credit value: 15 Guided learning hours: 60 Unit reference number: L/601/1547 UNIT AIM AND PURPOSE Learners will gain an understanding

More information

Session Border Controllers in Enterprise

Session Border Controllers in Enterprise A Light Reading Webinar Session Border Controllers in Enterprise Thursday, October 7, 2010 Hosted by Jim Hodges Senior Analyst Heavy Reading Sponsored by: Speakers Natasha Tamaskar VP Product Marketing

More information

Introduction of Intrusion Detection Systems

Introduction of Intrusion Detection Systems Introduction of Intrusion Detection Systems Why IDS? Inspects all inbound and outbound network activity and identifies a network or system attack from someone attempting to compromise a system. Detection:

More information

Cisco Which VPN Solution is Right for You?

Cisco Which VPN Solution is Right for You? Table of Contents Which VPN Solution is Right for You?...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1 Components Used...1 NAT...2 Generic Routing Encapsulation Tunneling...2

More information

FLORIDA STATE COLLEGE AT JACKSONVILLE COLLEGE CREDIT COURSE OUTLINE

FLORIDA STATE COLLEGE AT JACKSONVILLE COLLEGE CREDIT COURSE OUTLINE Form 2A, Page 1 FLORIDA STATE COLLEGE AT JACKSONVILLE COLLEGE CREDIT COURSE OUTLINE COURSE NUMBER: CTS 2658 COURSE TITLE: PREREQUISITE(S): COREQUISITE(S): Managing Network Security CNT 2210 with grade

More information

What is the Barracuda SSL VPN Server Agent?

What is the Barracuda SSL VPN Server Agent? The standard communication model for outgoing calls is for the appliance to simply make a direct connection to the destination host. This paradigm does not suit all business needs. The Barracuda SSL VPN

More information

Jive Core: Platform, Infrastructure, and Installation

Jive Core: Platform, Infrastructure, and Installation Jive Core: Platform, Infrastructure, and Installation Jive Communications, Inc. 888-850-3009 www.getjive.com 1 Overview Jive hosted services are run on Jive Core, a proprietary, cloud-based platform. Jive

More information

Enterprise Network Solution

Enterprise Network Solution Enterprise Network Solution CONTENT p Enterprise Evolution p DCN Solutions p Case Studies Business Driven More Productivity More profitability Business Driven Challenge Productivity Improve Efficiency

More information

Internet Security Firewalls

Internet Security Firewalls Internet Security Firewalls Ozalp Babaoglu ALMA MATER STUDIORUM UNIVERSITA DI BOLOGNA Overview Exo-structures Firewalls Virtual Private Networks Cryptography-based technologies IPSec Secure Socket Layer

More information

FIREWALLS & CBAC. philip.heimer@hh.se

FIREWALLS & CBAC. philip.heimer@hh.se FIREWALLS & CBAC philip.heimer@hh.se Implementing a Firewall Personal software firewall a software that is installed on a single PC to protect only that PC All-in-one firewall can be a single device that

More information

Draft ITU-T Recommendation X.805 (Formerly X.css), Security architecture for systems providing end-to-end communications

Draft ITU-T Recommendation X.805 (Formerly X.css), Security architecture for systems providing end-to-end communications Draft ITU-T Recommendation X.805 (Formerly X.css), architecture for systems providing end-to-end communications Summary This Recommendation defines the general security-related architectural elements that

More information

Agenda. Understanding of Firewall s definition and Categorization. Understanding of Firewall s Deployment Architectures

Agenda. Understanding of Firewall s definition and Categorization. Understanding of Firewall s Deployment Architectures Firewall Agenda Unit 1 Understanding of Firewall s definition and Categorization Unit 2 Understanding of Firewall s Deployment Architectures Unit 3 Three Representative Firewall Deployment Examples in

More information

Network Security. by David G. Messerschmitt. Secure and Insecure Authentication. Security Flaws in Public Servers. Firewalls and Packet Filtering

Network Security. by David G. Messerschmitt. Secure and Insecure Authentication. Security Flaws in Public Servers. Firewalls and Packet Filtering Network Security by David G. Messerschmitt Supplementary section for Understanding Networked Applications: A First Course, Morgan Kaufmann, 1999. Copyright notice: Permission is granted to copy and distribute

More information

Sophos Certified Architect Course overview

Sophos Certified Architect Course overview Sophos Certified Architect Course overview UTM This course provides an in-depth study of UTM, designed for experienced technical professionals who will be planning, installing, configuring and supporting

More information

PowerLink Bandwidth Aggregation Redundant WAN Link and VPN Fail-Over Solutions

PowerLink Bandwidth Aggregation Redundant WAN Link and VPN Fail-Over Solutions Bandwidth Aggregation Redundant WAN Link and VPN Fail-Over Solutions Find your network example: 1. Basic network with and 2 WAN lines - click here 2. Add a web server to the LAN - click here 3. Add a web,

More information

T.38 fax transmission over Internet Security FAQ

T.38 fax transmission over Internet Security FAQ August 17, 2011 T.38 fax transmission over Internet Security FAQ Give me a rundown on the basics of T.38 Fax over IP security. Real time faxing using T.38 SIP trunks is just as secure as sending faxes

More information

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD CCNA SECURITY. VERSION 1.0

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD CCNA SECURITY. VERSION 1.0 ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD CCNA SECURITY. VERSION 1.0 Module 1: Vulnerabilities, Threats, and Attacks 1.1 Fundamental Principles of a Secure Network

More information

Network Agent Quick Start

Network Agent Quick Start Network Agent Quick Start Topic 50500 Network Agent Quick Start Updated 17-Sep-2013 Applies To: Web Filter, Web Security, Web Security Gateway, and Web Security Gateway Anywhere, v7.7 and 7.8 Websense

More information

VOICE OVER IP SECURITY

VOICE OVER IP SECURITY VOICE OVER IP SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without

More information

Building Trusted VPNs with Multi-VRF

Building Trusted VPNs with Multi-VRF Building Trusted VPNs with Introduction Virtual Private Networks (VPNs) have been a key application in networking for a long time. A slew of possible solutions have been proposed over the last several

More information

White Paper. Intrusion Detection Deploying the Shomiti Century Tap

White Paper. Intrusion Detection Deploying the Shomiti Century Tap White Paper Intrusion Detection Deploying the Shomiti Century Tap . Shomiti Tap Deployment Purpose of this Paper The scalability of Intrusion Detection Systems (IDS) is often an issue when deploying an

More information