ccna 9tut

ccna 9tut.Another growing VoIP security issue is related to SIP. SIP is a signaling protocol that is widely used to control communication sessions, such as VoIP sessions. With the growing use of SIP in VoIP, this opens up a whole new pinch point in the security war. SIP is a relatively new protocol with little to no inherent security. Some of its features can leave the same opportunities open for hackers, such as the use of text encoding and the ability to create SIP extensions with security vulnerabilities.Examples of attacks on SIP include registration hostage-taking, message tampering, and session teardown. Registration hostage allows a hacker to intercept incoming calls and reroute them. Message tampering allows a hacker to modify packets transmitted between SIP addresses. Session teardown allows a hacker to terminate a call or perform a DoS attack against VoIP by flooding a system shutdown request.6.4.5VoIP Security Solutions6.4.5.1 Voice VLANsMany IP security solutions can only be implemented on Layer 3 devices. For reasons of protocol architecture, Layer 2 provides little to no security. Understanding and establishing broadcast domains is one of the fundamental concepts when designing a secure IP network. If the attacking device and the target system are in the same broadcast domain, it is easy to launch a number of very dangerous, albeit simple, attacks. For this reason, IP phones, VoIP gateways, and network management workstations must be in their own subnet, separate from the rest of the data network, and they must be isolated from each other.To ensure the privacy and integrity of communications, voice media streams must be protected from eavesdropping and tampering. Data networking technologies like VLANs can split voice traffic from data traffic and protect access from the data VLAN to the voice VLAN. Using separate VLANs for voice and data prevents any hackers or hacking applications from eavesdropping or capturing traffic from other VLANs that are traveling over the physical line. By ensuring that each device is connected to the network using a switched infrastructure, packet sniffing tools used to capture user traffic can be difficult to work effectively.Assigning voice traffic to a specific VLAN to logically separate voice and data traffic is a widely recommended industry approach. Whenever possible, devices that are identified as voice devices must reside in a dedicated voice VLAN. This approach ensures that they can only communicate with other voice resources. More importantly, voice streams are kept away from the general data network or they can be easily intercepted or tampered with. Having a voice-specific VLAN makes it easy to enforce VLAN access control lists (VACLs) to protect voice traffic.ACLs can be effectively enforced on voice VLANs ± by understanding the protocols used between devices in the VoIP network. IP phones can only send RTP traffic to each other; they never send TCP or ICMP traffic to each other. IP phones send very little TCP and UDP protocols to communicate with the server. By using ACLs on the voice network, deviations from ACLs can be prevented, thus stopping many IP telephony attacks.6.4.5.2 VoIP in the Cisco ASAThe firewall inspects packets and matches them based on rules specified by the port. Pre-specifying which ports are used for voice calls is more difficult because ports are dynamically negotiated during call setup.