• United States
Neal Weinberg
Contributing writer, Foundry

Cisco IP PBX

Jun 22, 20044 mins
Cisco SystemsNetworkingSecurity

* The Reviewmeister invites Cisco to set up a bulletproof VoIP network

When it comes to VoIP, the first question the Reviewmeister has is: How do we make it secure?

So we invited Cisco to set up a bulletproof VoIP network. And they did.

Cisco’s “maximum-security” VoIP configuration included a midsize CallManager-based system, with call control, voice mail, gateway; a Catalyst 4500- and 6500-based Layer 2/Layer 3 infrastructure; a copious supply of intrusion-detection system (IDS) and PIX firewall security add-ons.

Not to mention the half-dozen Cisco security gurus supporting the test.

Our attack team couldn’t disrupt, or even disturb, Cisco’s phone operations after three days of trying.

Cisco proved it could build a VoIP network that a sophisticated hacker assault team could not break or even noticeably disturb. The elaborate IP-telephony package – with underlying Layer 2 and Layer 3 infrastructure and assorted security add-ons – is the most secure that Cisco’s collective network security expertise could muster, and employs every defensive weapon in the Cisco arsenal. 

The Cisco topology tested certainly represents more security options and stricter security settings than most users currently employ, but all are available today for a price. The optional components included: two stand-alone PIX firewalls (about $8,000 each); another firewall on a blade in the backbone Catalyst 6500 (about $35,000); an IDS blade also in the 6500 (about $30,000); an entirely separate, out-of-band management subnet and various security-management applications. The price for the firewall and IDS pieces came to slightly more than $80,000. Cisco says, though, that it threw in systems that it could readily get its hands on, and that the same job could be done with less-expensive firewall and IDS models from Cisco.

Version 4.0 of CallManager, which handles call control and is the heart of Cisco’s IP telephony package, includes some new security-related features. Key among them is the company’s first VoIP encryption implementation. At this time voice-stream (Real-time Transfer Protocol [RTP]) encryption is supported only on Cisco’s newer 7970 IP phone sets. The latest CallManager also has been additionally hardened, along with the underlying Windows 2000 operating system, according to Cisco. For our tests, this meant that open ports were closed and unnecessary services disabled.

 Cisco Security Agent (CSA) is a host-based intrusion-prevention system (IPS), and is now an integral security component in CallManager IP telephony servers. It was also on Cisco’s Unity voice mail server and all other Win 2000 servers (seven CSA agents in all) deployed throughout Cisco’s network topology. The CSA agent runs automatically and unattended, and provides some powerful safeguards at the server.

For the full report, go to


Enterprise networks that need all-in-one security protection for remote sites or branch office

Network World is embarking on a comprehensive test of blended security appliances that at least comprise traditional firewall functionality, some content-based IPS technology (such as malicious URL blocking and protocol anomaly blocking) built-in, Site-to-site IPSec VPN capabilities and policy-based content management, such as virus scanning or URL filtering.

Devices under test will be tested in both a lab setting as well on live network connections.  We are looking for volunteer sites to deploy these test units for a minimum of 30 days.  Requirements for participating in this test as a volunteer site are:

* A T-1-style Internet connection (not DSL or cable unless it’s symmetrical DSL at T-1 speeds). 

* The number of users being protected by this blended security device should range from 10 to 200. 

* A willingness to let a security consultant from Network World assist in management (i.e., look at settings, logs, etc.) of the blended device. Please note that we are not asking volunteers to cede actual control of security policy or decisions.

* Minimum commitment of 30 days between July and August 2004.

Volunteers will have full access to testing data on all 10-12 products tested.

Interested parties need to contact Christine Burns at by June 30th.