06-17-2004 10:55 AM - edited 03-13-2019 05:18 AM
I was wondering if anyone had any input regarding securing voice VLANs above and beyond what I have listed below in my example. I have read the white paper "SAFE: IP Telephony Security in Depth" and found it to be lacking in several areas, and I thought that I would touch on those to see how other people in the industry are handling them.
Currently, I have a test Voice VLAN that I have the following access list set on:
!IP Telephony VLAN ACL Sample
!Allow DHCP to Router
access-list 107 permit udp host 0.0.0.0 host 255.255.255.255
!Permit IP phones to do call setup to primary CallManager
access-list 107 permit tcp 10.1.207.0 0.0.0.255 host <Sub CCM IP> eq 2000
!Permit IP phones to do call setup to secondary CallManager
access-list 107 permit tcp 10.1.207.0 0.0.0.255 host <Pub CCM IP> eq 2000
!Permit IP phones to tftp configurations from primary CallManager
access-list 107 permit udp 10.1.207.0 0.0.0.255 host <Sub CCM IP> eq tftp
access-list 107 permit udp 10.1.207.0 0.0.0.255 gt 1023 host <Sub CCM IP> gt 1023
!Permit IP phones to tftp configurations from secondary CallManager
access-list 107 permit udp 10.1.207.0 0.0.0.255 host <Pub CCM IP> eq tftp
access-list 107 permit udp 10.1.207.0 0.0.0.255 gt 1023 host <Pub CCM IP> gt 1023
!Permit IP phones to talk East Lansing phones (Hardware / Software)
access-list 107 permit udp 10.1.207.0 0.0.0.255 10.1.2.0 0.0.0.255 range 16384 32767
access-list 107 permit udp 10.1.207.0 0.0.0.255 10.1.202.0 0.0.0.255 range 16384 32767
!Permit IP phones to talk Remote Office phones (Hardware / Software)
access-list 107 permit udp 10.1.207.0 0.0.0.255 10.4.1.0 0.0.0.255 range 16384 32767
access-list 107 permit udp 10.1.207.0 0.0.0.255 10.4.101.0 0.0.0.255 range 16384 32767
!Permit IP phones to talk to Remote VPN officers
access-list 107 permit udp 10.1.207.0 0.0.0.255 192.168.10.0 0.0.0.255 range 16384 32767
!Permit IP phones to talk Voice Gateways
access-list 107 permit udp 10.1.207.0 0.0.0.255 host <CMM IP> range 16384 32767
access-list 107 permit udp 10.1.207.0 0.0.0.255 host <CMM IP> range 16384 32767
access-list 107 permit udp 10.1.207.0 0.0.0.255 host <VG200 IP> range 16384 32767
access-list 107 permit udp 10.1.207.0 0.0.0.255 host <VG200 IP> range 16384 32767
!Permit IP phones to talk to Unity
access-list 107 permit udp 10.1.207.0 0.0.0.255 host <Unity IP> range 16384 32767
!Permit IP phones to talk to IPCC Express
access-list 107 permit udp 10.1.207.0 0.0.0.255 host <IPCC Express IP> range 16384 32767
!Permit IP phones to talk to DNS
access-list 107 permit tcp 10.1.207.0 0.0.0.255 host <DNS1 IP> eq 53
access-list 107 permit tcp 10.1.207.0 0.0.0.255 host <DNS2 IP> eq 53
access-list 107 permit udp 10.1.207.0 0.0.0.255 host <DNS1 IP> eq 53
access-list 107 permit udp 10.1.207.0 0.0.0.255 host <DNS2 IP> eq 53
!Permit IP Phones to browse HTTP
access-list 107 permit tcp 10.1.207.0 0.0.0.255 any eq 80
!Deny other traffic
access-list 107 deny ip any any log
I noticed that in the document that they never address the following:
1) IPCC Express
2) Communication with Voice Gateways on other subnets.
3) browsing from the phone to outside their network (say for Berbee free services or other IP phone HTTP apps)
4) ICMP traffic (ability to ping the phones)
5) HTTP traffic (ability to browse to a phone for firmware info however may be good to have this disabled)
I was just curious to see how some people that have implemented access lists are doing this.
Thanks,
Matt
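An added example, not part of the original post and not Cisco's code: a small Python evaluator that parses a constructed subset of the ACL 107 lines above (the <Sub CCM IP> placeholder is replaced with the made-up address 10.1.2.10 so the text parses) and answers questions like point 4, whether the ACL lets ICMP through, by the same first-match lookup IOS applies.

```python
import ipaddress
# Constructed subset of the thread's ACL 107; 10.1.2.10 stands in for <Sub CCM IP>.
ACL_107 = """
access-list 107 permit tcp 10.1.207.0 0.0.0.255 host 10.1.2.10 eq 2000
access-list 107 permit udp 10.1.207.0 0.0.0.255 host 10.1.2.10 eq tftp
access-list 107 permit udp 10.1.207.0 0.0.0.255 gt 1023 host 10.1.2.10 gt 1023
access-list 107 permit udp 10.1.207.0 0.0.0.255 10.1.2.0 0.0.0.255 range 16384 32767
access-list 107 permit tcp 10.1.207.0 0.0.0.255 any eq 80
access-list 107 deny ip any any log
"""

def _port(tok):
    return {"tftp": 69, "domain": 53, "www": 80}.get(tok) or int(tok)
def _addr(toks):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (network, rest)."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(toks[1])))
    return ipaddress.ip_network((toks[0], str(mask)), strict=False), toks[2:]
def _ports(toks):
    """Optional eq/gt/range operator -> (lo, hi, rest); no operator means any port."""
    op = toks[0] if toks else None
    if op == "eq":
        return _port(toks[1]), _port(toks[1]), toks[2:]
    if op == "gt":
        return _port(toks[1]) + 1, 65535, toks[2:]
    if op == "range":
        return _port(toks[1]), _port(toks[2]), toks[3:]
    return 0, 65535, toks
def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        toks = line.split()
        if len(toks) < 6 or toks[0] != "access-list":
            continue  # skips blank lines and '!' comment lines
        src, rest = _addr(toks[4:])
        slo, shi, rest = _ports(rest)
        dst, rest = _addr(rest)
        dlo, dhi, _ = _ports(rest)  # a trailing 'log' keyword is ignored
        rules.append((toks[2], toks[3], src, (slo, shi), dst, (dlo, dhi)))
    return rules
def evaluate(rules, proto, src, sport, dst, dport):
    """First-match lookup, as IOS does; unmatched traffic hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, (slo, shi), rdst, (dlo, dhi) in rules:
        if rproto in ("ip", proto) and s in rsrc and d in rdst and slo <= sport <= shi and dlo <= dport <= dhi:
            return action
    return "deny"
```

Feeding the evaluator a constructed flow such as ICMP from a phone to the CallManager returns "deny", which makes the gap in point 4 explicit before the ACL is applied to an interface.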
06-17-2004 12:28 PM
I approached the situation a little differently.
I had all of my voice subnets (IP Phones, CER, Unity, CCM, and gatekeepers) behind two PIXs. I then have ACLs that allow any voice-related traffic to come through the PIX.
Makes it a lot easier, since outbound connections (to Berbee) are fine because the IP phones are starting the connection, and inter-subnet communication happens without having to have a huge ACL to explicitly allow this.
I then trunk the VLANs from my core voice switch into my user switches, so that all voice is behind the firewall and data traffic is on the other side.
06-18-2004 07:29 AM
I had looked at this option, but was a bit concerned about contention at the PIX end, depending on what type of PIX and interfaces were installed. Which PIX model are you using, if I might ask? Also, by the sound of it, you have your voice and data networks autonomous of each other?
06-18-2004 08:14 AM
Yes, my voice and data L3 is separate, even though it uses the same access layer switches.
I am using two PIX 515Es, which is plenty since it supports 130K concurrent connections and 188Mbps throughput. Remember, all my voice is on the same side, so the only thing coming into the device is outside CCM cluster traffic and outbound requests from phones via IP services.