Common Windows Exploits

A hardened Cisco IP Telephony Operating System can successfully defend against many common Windows exploits. Some active services cannot be disabled because Cisco CallManager uses them; to secure those areas, you must design the IP telephony-ready network properly and choose the proper roles for the Cisco CallManager nodes in the cluster. You also need to protect Windows against some of the most common exploits.

One common exploit involves Extensible Markup Language (XML) applications running on HTTP (TCP port 80). Most XML applications go to the Internet to get their data. Because of this, Cisco recommends that you off-load XML services to a dedicated server that is isolated (as much as possible) from the rest of the network.

The most important step in addressing Microsoft IIS issues is to turn off IIS on all subscribers. IIS is the parent process for HTTP, Simple Mail Transfer Protocol (SMTP), and FTP. Eighty percent of the attacks against Windows are against the IIS parent process. Turn off IIS on the subscribers, where all of the active call processing is taking place, and run it only on the publisher for administration purposes. This practice will minimize the threats against Windows by 80 percent and actually bring it closer to parity with what is considered to be the normal security settings of UNIX or Linux operating systems.

In a Cisco CallManager cluster, different servers can have different roles and, hence, do not need the same active services. One server could act as a pure management server by providing access only to Cisco CallManager Administration web pages, while other servers are providing call-routing functions and others are being used for applications such as phone services. Because IIS is a common target, run it only where needed: at the Cisco CallManager Publisher. During upgrades, IIS will also be needed on subscribers but will automatically be started when needed as long as the service is set to manual rather than disabled. Therefore, set IIS to manual on all subscribers and keep the setting automatic only at the publisher.

Caution

IIS needs to be available during upgrades. If you have set the IIS Startup Type option to Disabled, the upgrade will fail.

Table 20-1 shows what will happen during a Cisco CallManager upgrade when the IIS service is set to different options.

Table 20-1. Behavior of Cisco CallManager During an Upgrade

IIS Service Parameter    Resulting Upgrade Behavior
---------------------    --------------------------
Enabled                  The upgrade will work with no interference.
Disabled                 The upgrade will fail; no message is displayed.
Manual and Stopped       The upgrade will stop, a message that IIS is not running will pop up, the IIS service will start, and the upgrade will continue. On the next reboot, the IIS service will be in the Manual and Stopped state again.
Manual and Running       The upgrade will work with no interference.
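As an added illustration (not from the book or from Cisco), the following PowerShell script audits the IIS-related services on a CallManager node and, with -Enforce, applies the startup policy recommended above: Automatic on the publisher, Manual (never Disabled) on subscribers. It assumes the standard IIS service names on Windows 2000/2003 (IISADMIN, W3SVC, SMTPSVC, MSFTPSVC), that the operator supplies the node's role, and that it runs in an elevated session.

```powershell
# Added example, not from the book: audit (and optionally enforce) the IIS
# startup policy for a Cisco CallManager node according to its cluster role.
# Assumptions: standard IIS service names on Windows 2000/2003, the operator
# passes the node's role, and the session is elevated.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Publisher', 'Subscriber')]
    [string]$Role,
    [switch]$Enforce            # report only unless -Enforce is given
)

# Publisher keeps IIS Automatic for the Administration pages; subscribers get
# Manual so an upgrade can start IIS on demand. Disabled makes the upgrade
# fail silently (Table 20-1), so it is never a valid target state.
$desired = if ($Role -eq 'Publisher') { 'Automatic' } else { 'Manual' }

# IISADMIN is the parent; W3SVC (HTTP), SMTPSVC (SMTP) and MSFTPSVC (FTP) depend on it.
$iisServices = 'IISADMIN', 'W3SVC', 'SMTPSVC', 'MSFTPSVC'

foreach ($name in $iisServices) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if (-not $svc) { Write-Output "${name}: not installed, skipping"; continue }

    # Win32_Service.StartMode reports 'Auto', 'Manual' or 'Disabled'
    $current = if ($svc.StartMode -eq 'Auto') { 'Automatic' } else { $svc.StartMode }

    if ($current -eq 'Disabled') {
        Write-Warning "$name is Disabled on this $Role; a CallManager upgrade would fail with no message"
    }
    if ($current -eq $desired) {
        Write-Output "${name}: $current / $($svc.State) (OK)"
        continue
    }

    Write-Output "${name}: $current / $($svc.State) -> should be $desired"
    if ($Enforce) {
        Set-Service -Name $name -StartupType $desired
        # On a subscriber, stop IIS now; an upgrade still starts it when needed.
        if ($Role -eq 'Subscriber' -and $svc.State -eq 'Running') {
            Stop-Service -Name $name -Force    # -Force also stops dependent services
        }
    }
}
```

Run it first without -Enforce on each node to see which services deviate from the role's policy before changing anything.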

Finally, to avoid attacks against the Dynamic Host Configuration Protocol (DHCP) server, which, in most installations, is used to provide IP settings, push DHCP services as close to the endpoints as possible. This might include using an intelligent Cisco switch or router for DHCP services.

Authorized Self-Study Guide Cisco IP Telephony (CIPT)
Cisco IP Telephony (CIPT) (Authorized Self-Study) (2nd Edition)
ISBN: 158705261X
Year: 2004
Pages: 329
