• United States

Cisco, Avaya respond to our Tester’s Challenge on VoIP security tools

Jun 21, 20045 mins
Cisco SystemsNetworkingSecurity

In their formal responses printed here, Avaya and Cisco agreed with Mier’s assertions in general, but were quick to defend measures they’ve already taken in these directions. What neither company offered, though, were detailed plans for improving the overall state of VoIP security.

In their formal responses printed here, Avaya and Cisco agreed with Mier’s assertions in general, but were quick to defend measures they’ve already taken in these directions. What neither company offered, though, were detailed plans for improving the overall state of VoIP security.

Cisco’s response

To successfully protect an organization, security must be fully integrated into all aspects of the network. This is the essence of the Cisco Self-Defending Network strategy for information security.

The unique Cisco security model proactively addresses the challenges associated with securing integrated data, voice and video through focus on three key aspects of information security: secure connectivity, threat defense, and trust and identity management. While voice and video have unique requirements, the results of this evaluation clearly showed that the Cisco integrated, multi-layer approach to security can make IP-based voice very secure.

It’s important to note that most of the security tools Cisco used in the VoIP security test already should be part of any organization’s network security strategy, and there is no additional cost for any of the voice-specific tools.

Cisco agrees that designing and implementing security must be simplified. We are committed to making improvements in this area, using both education and tools.

Education and assistance include:

• Currently Cisco documents best practices and hardware and software configurations in its SAFE blueprints.

• The Cisco Security Certification provides best-of-class training and exams. The Cisco Security Specialization Program recognizes the Cisco Channel partners who are best prepared to install and support secure network solutions.

• Cisco sponsors worldwide “Networkers” conferences for customers, with security tracks providing detailed training on security issues and best practices.

Simplified tools and interfaces

Cisco has many tools designed to simplify configuration and installation of its products to make critical security functionality more accessible. These tools are being continuously enhanced with voice-specific features. Available Cisco tools include:

• Cisco AutoQoS features in both CatOS and IOS software automatically configure network QoS parameters for VoIP according to Cisco’s best practices.

• Cisco AutoSecure is a new IOS Software feature that incorporates a “one touch” device lockdown process, enabling rapid implementation of critical security policies and procedures.

• Cisco Smartports is a feature for all Catalyst switches that simplifies the configuration of critical features for Ethernet. Smartports assists Cisco IP Telephony configuration via pre-tested switch port configurations or “macros” recommended by Cisco best practices.

• Cisco Security Agent provides “day zero” threat protection for server and desktop computing systems. It combines host intrusion prevention, distributed firewall, malicious mobile code protection, operating system integrity assurance and audit log consolidation all within a single agent package.


As our performance in Network World’s recent VoIP security test showed, Cisco understands how to build secure networks for voice, video and data. While more work remains to be done, Cisco already has taken innovative steps to simplify the configuration process while at the same time adding more comprehensive security features.

Avaya’s response

Avaya provides a holistic approach to securing converged communications based on a Trusted Communication Framework. This framework delivers applications, systems and services that protect multi-vendor converged networks.

Avaya’s IP telephony systems are infrastructure-agnostic. On Layers 2 through 5, customers can employ a configuration identical to the one supplied by Cisco in the Network World test. As noted in the test results, we also support Real-Time Transfer Protocol encryption in Layer 6, which extends to the entire line of Avaya’s IP phones, and our latest release of Communication Manager supports signaling encryption for our distributed media gateways.

As for the issues raised in the recent Tester’s Challenge, we agree with Ed Mier that the industry must continue to prioritize VoIP security. Our response is segmented to address the three areas he touches on.

Assessment, management and monitoring

According to Avaya research, more than half of all companies want some form of security assistance. Avaya offers consulting services that help companies assess network readiness, security and business continuity. We team with leading security vendors to deliver managed security services, providing firewall management and anti-virus protection in any multi-vendor network. Avaya also offers 24-7 remote security monitoring, enabling assistance for security deployment, including risk assessment/management.


Avaya has an aggressive program to educate companies on securing converged communications. Avaya also offers security seminars, Webinars, white papers, security advisories and sponsors events such as the Gartner Security Summit and NetSec 2004.

We have security tools that are easy to use. It is Avaya’s philosophy that brute-force solutions requiring an expensive army of security experts is not what customers need. Our security management architecture (Avaya VPN Manager) lets a small group cost-effectively define security policies by using tools that:

• Provide centralized security policy and configuration to firewall and VPN devices.

• Simplify setup with firewall templates and VPN wizards, including check-box activation of IP telephony firewall proxy and network address translation services.

Additionally, Avaya Installation Wizards guide users through IP installations. In the future, our Wizards will be extended with centralized provisioning tools.

Headed toward the future

Avaya believes that the future of converged communications will evolve toward a model supporting greater mobility and wireless communications. As a result:

• Avaya will implement a flexible, multi-layered authentication framework that supports emerging security standards that establish trust between users and devices for secure user communications from any location.

• Future security management should accommodate unified identity management solutions combining mobile user profiles and self-contained security. Avaya will look to standards when building its own solutions and partnerships.

• Future security implementations need to focus on industry-standard security certifications such as IEEE, IETF and the International Telecommunication Union, and groups such as the Network Integrity Consortium, in which Avaya participates.