Threats Targeting the Operating System

When you are securing an operating system, several threats should be considered. Bugs in the operating system, as well as in the services and applications that come with the operating system, can pose severe security threats. Because applications are installed on top of the operating system, even well-written and secure applications can be affected by vulnerabilities in the underlying operating system. Built-in networking services and applications are especially sensitive because they are exposed to remote attacks. That vulnerability also applies to the IP stack in the Windows operating system. The IP stack has a strategic importance and, unfortunately, also a long tradition of more and less severe security issues. These issues result not only from the particular implementation of the IP protocol, but also from the lack of security mechanisms in the protocol itself. As shown in Figure 20-1, password and account policies as well as insecure Windows configuration settings pose security concerns in the foundation Cisco CallManager operating system.

Figure 20-1. Threats Targeting the Windows Operating System

Microsoft Windows, as the most popular operating system, is well-known to the public. As a result, many known issues are related to its password policies as well as vulnerabilities in the operating system default settings. An attacker might try to log in to the operating system using the Administrator account with commonly used passwords. In Microsoft networking, File and Print Sharing services can be used (and might have been turned on by default in some versions of Windows) to allow access to file shares without any security checking.

Another threat to the system is malicious code execution by viruses, worms, or Trojan horses. Protection against these threats consists of blocking the threats from the system and detecting and eliminating attacks that were not blocked.

Finally and extremely important is the fact that server-operating systems are vulnerable to denial of service (DoS) attacks. If the server operating system cannot resist DoS attacks, an attacker can tear down the whole IP telephony infrastructure with a single, focused attack against Cisco CallManager nodes. Besides other methods (separating the server network from other parts of the network and establishing access control), the server itself should be hardened to resist at least simple and common DoS attacks.

Lowering the Threats in Windows Operating System

You can divide the possible countermeasures against attacks to the operating system itself into measures that eliminate vulnerabilities to certain threats and methods to protect the system against attacks exploiting the remaining vulnerabilities.

The following are practices to reduce possible vulnerabilities:

  • Harden the Windows operating system with Cisco operating system upgrades.
  • Deploy the Cisco security and hot fix policy.
  • Implement a secure Windows password policy.
  • Protect against common exploits involving Windows.
  • Protect against attacks from the network by using the following:

    - Antivirus software

    - Cisco Security Agent

To protect against bugs and exploits involving Microsoft Windows, Cisco provides an already hardened version of the Windows operating system called Cisco IP Telephony Operating System. You must keep the Windows 2000 Server up to date to secure the operating system against new security holes. For that reason, Cisco provides operating system upgrades and hot fixes. Cisco CallManager and other Cisco IP telephony applications require these upgrades to function properly.

Cisco uses the Cisco IP Telephony Operating System in several Cisco IP Telephony Application Server components, such as Cisco CallManager, Cisco Emergency Responder (ER), Cisco IP Contact Center (IPCC), and Cisco Interactive Voice Response (IVR). Cisco builds the IP Telephony Operating System upgrades on top of each other and they are incrementally more secure. The upgrades provide changes to, for example, the IP stack, file system, Registry, access control lists (ACLs), and dynamic link library (DLL) engines.

Note

Before you run an operating system upgrade provided by Cisco, read the release notes for that upgrade carefully. The operating system upgrade might not apply to your installation and could harm the running applications. Before upgrading, verify that you are using the proper operating system upgrade for your Cisco CallManager version. It is also a good practice to consider making a backup before upgrading the Cisco IP Telephony Operating System.

Cisco IP Telephony Operating System upgrades can be downloaded from Cisco.com at http://www.cisco.com/cgi-bin/tablebuild.pl/cmva-3des (requires CCO account).


Part I: Cisco CallManager Fundamentals

Introduction to Cisco Unified Communications and Cisco Unified CallManager

Cisco Unified CallManager Clustering and Deployment Options

Cisco Unified CallManager Installation and Upgrades

Part II: IPT Devices and Users

Cisco IP Phones and Other User Devices

Configuring Cisco Unified CallManager to Support IP Phones

Cisco IP Telephony Users

Cisco Bulk Administration Tool

Part III: IPT Network Integration and Route Plan

Cisco Catalyst Switches

Configuring Cisco Gateways and Trunks

Cisco Unified CallManager Route Plan Basics

Cisco Unified CallManager Advanced Route Plans

Configuring Hunt Groups and Call Coverage

Implementing Telephony Call Restrictions and Control

Implementing Multiple-Site Deployments

Part IV: VoIP Features

Media Resources

Configuring User Features, Part 1

Configuring User Features, Part 2

Configuring Cisco Unified CallManager Attendant Console

Configuring Cisco IP Manager Assistant

Part V: IPT Security

Securing the Windows Operating System

Securing Cisco Unified CallManager Administration

Preventing Toll Fraud

Hardening the IP Phone

Understanding Cryptographic Fundamentals

Understanding the Public Key Infrastructure

Understanding Cisco IP Telephony Authentication and Encryption Fundamentals

Configuring Cisco IP Telephony Authentication and Encryption

Part VI: IP Video

Introducing IP Video Telephony

Configuring Cisco VT Advantage

Part VII: IPT Management

Introducing Database Tools and Cisco Unified CallManager Serviceability

Monitoring Performance

Configuring Alarms and Traces

Configuring CAR

Using Additional Management and Monitoring Tools

Part VIII: Appendix

Appendix A. Answers to Review Questions

Index



Authorized Self-Study Guide Cisco IP Telephony (CIPT)
Cisco IP Telephony (CIPT) (Authorized Self-Study) (2nd Edition)
ISBN: 158705261X
EAN: 2147483647
Year: 2004
Pages: 329

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net