Intro To Voice and SAN Security


The Ultimate CCNA Security Study Package

Chris Bryant, CCIE #12933

http://www.thebryantadvantage.com/

An Intro To Voice And SAN Security


Overview
Voice Network Overview
Gatekeepers
VoIP Protocols
VoIP Attacks
General VoIP Network Precautions
Introduction To SANs
SAN Transport Protocols
LUNs and LUN Masking
SAN Zones
Virtual SANs (VSANs)
FCAP And FCPAP
"Hot Spots And Gotchas"

An Overview Of Voice Networks


Even if you have been living in the proverbial cave, you just might have
heard about a little something called "voice over IP", or VoIP. While the
ONT exam will not require you to configure VoIP, you will need to know
the basic concepts and the (many) devices that work together to make
VoIP transmission possible.
VoIP is a major step forward over previous Voice services, as you'll see
throughout this section. Remember how ISDN BRI uses a 64-kbps circuit
for a single call? Those days are gone.
Once you've completed your CCNA Security certification, I strongly urge
you to learn more about VoIP and to consider getting Voice certified.
Cisco now offers a CCNA Voice certification, and adding that to your
resume is an outstanding idea.

In this section, we're taking a strictly introductory look at VoIP and voice
security issues and strategies. This section will not be as detailed as
other sections in the course, but it's just as important as the other sections
- so let's get started!
First and foremost are the phones themselves! That's obvious enough,
but what might not be as obvious is that not all phones on our telephony
network are going to be IP phones - some are going to be good ol'
fashioned analog phones.
Those analog phones are going to require a gateway to run properly on
our telephony network, and as you'll soon see, Cisco routers make great
gateways. The gateway is the termination point for the local media, and
also the point at which the digital-to-analog and analog-to-digital signal
conversions take place.
The gateway may also be a gatekeeper. Cisco's website mentions three
specific benefits regarding gatekeepers:

- Gatekeepers allow VoIP networks to become more scalable, since
  changes can be made at the central location, the gatekeeper itself.
- Gatekeepers allow the use of a proxy to keep VoIP calls separate
  from data traffic and handle VoIP signaling as well.
- Gatekeepers can be configured to allow calls when adequate
  bandwidth is available for all calls to be high-quality calls, and deny
  calls when that bandwidth is not available. This feature is called
  Call Admission Control.
- Gatekeepers allow for greater management of bandwidth and the
  creation of dial plans.
- Gatekeepers perform the actual phone number-to-IP address
  conversion that VoIP calls require.

VoIP Protocols
We've got quite a few VoIP protocols, but just as with routing and
switching, they don't all do the same thing.
The overall stages of a VoIP call are just like the stages of an ISDN call:

- Setup (Call Routing process)
- Maintenance
- Teardown

In ISDN, we left signaling to the D-channel, and that was that. With VoIP,
however, we've got three separate protocols that can be used for
signaling:

- H.323, the International Telecommunication Union (ITU) standard.
  This is actually a group ("suite") of protocols rather than a single
  protocol, but you don't need to know every protocol in the suite.
- Media Gateway Control Protocol (MGCP), an IETF standard
  client/server protocol.
- Session Initiation Protocol (SIP), another IETF standard.

Other VoIP Protocols:


The Realtime Transport Protocol (RTP) handles the actual voice payload.
RTP uses a wide range of UDP ports - port numbers 16384 through
32767. This is an excellent range of ports to know for your CCNA
Security and Voice exams, and it's a range often seen in ACLs.
There's also a Secure RTP (SRTP) protocol that's just what you think it is
- secure RTP transmission via the use of data integrity, authentication,
and other security tools.
Now I know what you're thinking - why would we ever use "nonsecure"
RTP? You really have to be aware of overhead with voice traffic, since
voice is highly sensitive to delay - and the more overhead we have, the
greater the chance of delay.
That delay can lead to jitter, a highly undesirable, annoying breakup in the
voice stream.
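Here is an added example, not from the original study guide: a small Python evaluator for an ordered, first-match access list in the style of a Cisco extended ACL, used to show how a rule permitting the RTP range (UDP 16384 through 32767) behaves against constructed sample flows, including the implicit deny at the end of every Cisco ACL. The access-list structure, the sample flows and the function names are my own for this illustration; a real voice ACL would also need rules for the signaling protocols, which are not shown here.

```python
# Added example (not from the original study guide): a tiny evaluator for
# an ordered, first-match access list in the style of a Cisco extended ACL.
# It shows how the RTP media range (UDP 16384-32767) is typically
# permitted while everything else falls to the implicit deny at the end.

RTP_PORT_LOW = 16384
RTP_PORT_HIGH = 32767

# Each rule: (action, protocol, low_port, high_port). Order matters:
# the first rule whose protocol and destination-port range match decides.
VOICE_ACL = [
    ("permit", "udp", RTP_PORT_LOW, RTP_PORT_HIGH),   # RTP/SRTP media
    ("deny", "any", 0, 65535),                        # the implicit deny, written out
]


def is_rtp_port(port):
    """True if a UDP destination port falls in the RTP media range."""
    return RTP_PORT_LOW <= port <= RTP_PORT_HIGH


def evaluate(acl, protocol, dst_port):
    """Return the action ('permit' or 'deny') of the first matching rule."""
    for action, proto, low, high in acl:
        if proto in ("any", protocol) and low <= dst_port <= high:
            return action
    return "deny"   # nothing matched: Cisco ACLs deny by default


# Constructed sample flows (transport, destination port), not real traffic.
SAMPLE_FLOWS = [
    ("udp", 16384),   # first port of the RTP range
    ("udp", 32767),   # last port of the RTP range
    ("udp", 32768),   # one past the range
    ("tcp", 20000),   # right port number, wrong transport: RTP rides on UDP
    ("udp", 53),      # DNS, not media
]


def classify_flows(acl=VOICE_ACL, flows=SAMPLE_FLOWS):
    """Map each sample flow to the action the access list takes on it."""
    return {(proto, port): evaluate(acl, proto, port) for proto, port in flows}


if __name__ == "__main__":
    for (proto, port), action in classify_flows().items():
        print(f"{proto}/{port}: {action}")
```

The transport check matters as much as the port range: a TCP segment to port 20000 is not RTP, and a rule written as "permit udp" correctly leaves it to the implicit deny.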
Typical VoIP Attacks
Some VoIP attacks are much like the ones we have to defend against
with our "regular" data networks...

- Denial of Service
- Faking login credentials
- Eavesdropping
- Man-in-the-Middle attacks (the attacker intercepts SIP packets)

... but there are some unique VoIP network attacks as well. You've
probably heard of phishing, where a potential intruder sends hundreds or
hundreds of thousands of emails designed to look like they're from a
company such as eBay. (If you have an eBay account, you know how
many fake emails result from that!) Most people will not answer these
phishing emails, but a few will - and those few will soon have their
account compromised.
The good ol' fashioned telephone can also be used to gather this
information - and when it is, we call it voice phishing, or vishing. One of
the best defenses against vishing is end user education; there is never a
good reason to give credit card or banking information to someone who
calls you.
And don't think you're not dealing with spam on a voice network -
actually, you're dealing with SPIT. Spam Over IP Telephony, that is. One
side effect of SPIT (and yes, it is hard to say that with a straight face) is
the loss of your sanity when the phone rings every few minutes. Again,
SIP is the culprit, since SIP allows the caller to know if the phone is
available for a call before even making the call.


General VoIP Security Precautions
You'll learn more about configuring and securing a voice network during
your CCNA Voice studies, but let's take a look at some common defenses
against VoIP network threats.
A common voice network security technique is to create a separate VLAN
for voice traffic instead of having the voice traffic transmitted on the same
VLAN as regular data. Naturally, these VLANs are called voice VLANs.
In another section, I mentioned that some network admins concentrate on
one particular potential entry point rather than seeing the big picture. We
have to be careful about this with voice networks as well, because the
Cisco IP phone itself is a potential security issue.
Here's why....

- The web access feature on a Cisco IP phone is on by default, so you
  can open a browser, put in the IP address of the phone, and you're
  in.
- Why are you in? Because by default, there's no username or
  password necessary for this access!
- Even worse, the intruder can then acquire the IP address of other
  servers on the network!

That's an open door if ever there was one! Luckily, Cisco's Unified
Communications Manager helps to slam that door shut. With UCM, you
can enforce any level of security you choose, from disabling PC Voice
VLAN Access and/or Gratuitous ARP to cutting off web access to the
phone altogether!
Configuring UCM is beyond the scope of the CCNA Security exam, but I
want to share this link with you:
http://www.cisco.com/en/US/products/sw/voicesw/ps556/
That's the UCM (CallManager) homepage. It's not required reading for
the CCNA Security exam, but it'll come in handy for your future Voice
studies - and real-world voice network configurations.
An Introduction To Storage Area Networking
We're going to take a brief look at the basics of a SAN and SAN security,
but I urge you to learn more about SANs when you're done with your
CCNA Security certification. SANs have become so popular that Cisco
even offers a CCIE in Storage Networking, and SANs truly are the wave
of the future - and in many networks, the very near future.
NAS Spelled Backwards Isn't Really SAN

The Network Attached Storage (NAS) architecture is the one network
admins are most familiar with - the network storage devices are either
internal to the file servers or physically attached to those servers.
In a SAN, the architecture is designed to have those storage units appear
as though they're locally attached to the servers, but they're not. Instead,
the storage devices are configured as a separate network, and then the
servers can be given rights to store data on those devices. The SAN
architecture allows us to share the storage devices among any or all of
our servers.
The three SAN transport technologies are:

- Fibre Channel, used for host-SAN communication. In turn, there are three
  types of FC topologies:
  - Point-to-point, where two devices are directly connected
  - Arbitrated Loop (FC-AL), similar to the dreaded Token Ring topology
  - Switched Fabric (FC-SW), where devices are connected to an FC
    switch, similar to a traditional host-to-Ethernet-switch configuration. As
    with Ethernet switches, FC-SW limits the impact of a down port to the
    device connected to that port. The rest of the network continues to
    operate normally.
- iSCSI, the internet SCSI protocol. iSCSI has a major advantage over
  Fibre Channel in that it requires no special cabling and can be run over
  the existing LAN, which makes it less expensive than FC.
- FCIP, Fibre Channel over IP. As you'd guess from the name, FCIP can
  only run over FC links, where iSCSI can run over the existing LAN.
  Defined in RFC 3821, FCIP allows the transmission of data between two
  SANs over a WAN.
Cisco's dedicated SAN website mentions the following as benefits of
using storage networking:

- Investment Protection (SANs do cost serious money to get started)
- Virtualization
- Security
- Consolidation
- Data Availability and fast disaster recovery
- Highly scalable, more readily adaptable to changes and growth in
  your business than traditional data storage solutions

Obviously, there's much more to SAN than we can cover here, so we'll
concentrate on that third bullet point. To learn more about the Cisco
storage networking solutions, start here:
http://www.cisco.com/en/US/netsol/ns893/networking_solutions_package.html

Now let's talk about SAN security! The concerns we have in this area are
similar to those we have about our "regular" networks...

- Data integrity and confidentiality - ensuring the data is properly
  encrypted and not altered during transmission
- Strict authentication and authorization processes
- Preventing rogue devices from joining the network (or SAN, in this
  case)
- Preventing DoS attacks

These are attack types common to both "regular" networks and SAN, but
SANs have one defense that we don't associate with other network types
- the Logical Unit Number.
LUNs And LUN Masking
You SCSI fans out there (and aren't we all?) will recognize the LUN's
purpose. SCSI (not iSCSI - watch that!) uses the LUN as an identification
tool. A single disk drive will have a single SCSI LUN, while a disk array will
have multiple SCSI ports and therefore multiple LUNs. With LUN masking,
this identification number is available to some hosts and not to others.
Why do this? As far as traditional network security goes, both Cisco and
non-Cisco sources agree that the security benefits are not huge. Rather,
LUN masking is traditionally used to stop a server from possibly corrupting
another server's disks.
That server may not be maliciously attempting this corruption, but the
result is still a corrupted disk. You really have to watch this when you
have Windows and non-Windows servers in the same SAN. The Windows
server may inadvertently corrupt disks on the non-Windows volumes by
writing Windows-based volume labels on them. Hiding the non-Windows
LUNs prevents that from happening.
SAN Zones
We discussed security zones in the Firewall section, and we'll use the
concept of zones with SANs as well. And for good reason!
The outstanding website www.sansecurity.com defines SAN zoning as
follows:
"SAN zoning is a method of arranging Fibre Channel devices into logical
groups over the physical configuration on the fabric. SAN zoning may be
utilized to implement compartmentalization of data for security purposes.
Each device in a SAN may be placed into multiple zones."
SAN zoning is only available with switched fabric FC (FC-SW).
There are two kinds of SAN zones, hard and soft.
Hard zoning:
- Prevents any communication across the switched fabric
- Is hardware-based
- Is considered more secure than soft zoning

Soft zoning:
- A server can see only allowed devices, *but* can still contact "hidden"
  devices by their address.
- Is software-based
- Not particularly secure (putting it nicely)
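Here is an added example, not from the original study guide, that models the two points just made: the difference between hard and soft zoning on a switched fabric, and LUN masking at the array behind it. It is a toy Python model with constructed device names, fabric addresses, zone memberships and LUN masks; the dictionaries and function names are my own and do not reflect any vendor's configuration syntax. The soft-zoning path reproduces the weakness the text describes: a device hidden from discovery can still be reached if its address is already known, whereas hard zoning drops the frame.

```python
# Added example (not from the original study guide): a toy model of a
# switched Fibre Channel fabric that contrasts hard and soft zoning, with
# LUN masking applied at the storage array behind it. All names, addresses
# and memberships below are constructed for the illustration.

# Constructed fabric: device name -> made-up fabric address.
DEVICES = {
    "web-server": "0x010100",
    "db-server":  "0x010200",
    "array-A":    "0x020100",
    "array-B":    "0x020200",
}

# Zone membership: device -> set of zones. A device may be in several zones.
ZONES = {
    "web-server": {"zone-web"},
    "db-server":  {"zone-db"},
    "array-A":    {"zone-web", "zone-db"},
    "array-B":    {"zone-db"},
}

# LUN masking at each array: LUN -> hosts allowed to see it. Constructed.
LUN_MASK = {
    "array-A": {0: {"web-server", "db-server"}, 1: {"db-server"}},
    "array-B": {0: {"db-server"}},
}


def share_zone(a, b):
    """True if devices a and b have at least one zone in common."""
    return bool(ZONES.get(a, set()) & ZONES.get(b, set()))


def discover(host):
    """What the fabric name server reports to host: only devices sharing a
    zone, under both hard and soft zoning."""
    return sorted(d for d in DEVICES if d != host and share_zone(host, d))


def fabric_allows(host, target_addr, mode):
    """Does the fabric forward a frame from host to target_addr?

    soft: zoning only filters the name-server view; a frame to a known
          address is still forwarded, even to a device outside the zone.
    hard: the switch hardware checks zone membership on every frame.
    """
    target = next((d for d, a in DEVICES.items() if a == target_addr), None)
    if target is None:
        return False                      # address not present on the fabric
    if mode == "soft":
        return True
    if mode == "hard":
        return share_zone(host, target)
    raise ValueError("mode must be 'hard' or 'soft'")


def can_access_lun(host, array, lun, mode):
    """Full path a SCSI command takes: fabric zoning first, then the LUN
    mask at the array. Both must allow the request."""
    if not fabric_allows(host, DEVICES[array], mode):
        return False
    return host in LUN_MASK.get(array, {}).get(lun, set())


if __name__ == "__main__":
    print("web-server discovers:", discover("web-server"))
    for mode in ("soft", "hard"):
        reachable = fabric_allows("web-server", DEVICES["array-B"], mode)
        print(f"{mode} zoning: web-server -> array-B frame forwarded: {reachable}")
    print("web-server -> array-A LUN 1 (masked):",
          can_access_lun("web-server", "array-A", 1, "hard"))
```

The model makes the layering visible: under soft zoning, array-B is absent from web-server's discovery results yet a frame addressed to it is still forwarded, and only the LUN mask at array-B stops the access; under hard zoning the fabric itself drops the frame before the array is ever involved.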
Virtual SANs (VSANs)
You might have thought that SAN Zones sounded a little like VLANs.
Well, VSANs really sound and operate like VLANs.
VSANs are simply ports on interconnected FC switches that are virtually
grouped. Just as with VLANs, you can put ports on a single FC switch into
separate VSANs, and you can put ports on separate FC switches into the
same VSAN.
We have two authentication protocols for our VSANs, and at least one will
sound familiar! You learned all about CHAP (the Challenge Handshake
Authentication Protocol) during your initial CCNA studies; it would not hurt
to review CHAP's operation for your CCNA Security exam. CHAP is used
by iSCSI.
An improvement to CHAP, DH-CHAP (the Diffie-Hellman Challenge
Handshake Authentication Protocol) is available for authentication of hosts
connecting to one of our FC switches.
Just as we use BPDU Guard and Root Guard to prevent rogue Ethernet
switches from joining our network, we can use DH-CHAP to authenticate a
switch-to-switch connection and prevent unauthorized FC switches from
joining the network.
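Here is an added example, not from the original study guide, that walks through the CHAP exchange mentioned above and then a DH-CHAP-style variant. The CHAP part follows RFC 1994, where the response is an MD5 hash over the one-byte Identifier, the shared secret and the challenge, in that order. The DH-CHAP part is my own simplified illustration of the idea that both sides also exchange Diffie-Hellman values and fold the resulting shared value into the response; it uses a toy-sized DH group and is not the exact FC-SP message layout. Function names and the secrets used are assumptions for this example.

```python
# Added example (not from the original study guide): a worked model of the
# CHAP handshake from RFC 1994, followed by a simplified DH-CHAP-style
# variant. The DH group is toy-sized and the DH-CHAP hash layout is an
# illustration of the concept, not the FC-SP on-wire format.
import hashlib
import secrets


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def run_chap(authenticator_secret: bytes, peer_secret: bytes) -> bool:
    """One CHAP round. Succeeds only if both sides hold the same secret.
    The secret itself never crosses the link; only the challenge and the
    hashed response do."""
    identifier = 1
    challenge = secrets.token_bytes(16)                          # authenticator -> peer
    response = chap_response(identifier, peer_secret, challenge)  # peer -> authenticator
    expected = chap_response(identifier, authenticator_secret, challenge)
    return secrets.compare_digest(expected, response)            # Success or Failure


# Toy Diffie-Hellman group for illustration only; real deployments use
# large, standardised groups.
DH_P = 23
DH_G = 5


def dh_public(private: int) -> int:
    return pow(DH_G, private, DH_P)


def dh_shared(private: int, other_public: int) -> int:
    return pow(other_public, private, DH_P)


def dh_chap_response(identifier: int, secret: bytes, challenge: bytes,
                     shared_value: int) -> bytes:
    """Illustrative DH-CHAP-style response: the DH shared value is mixed
    into the hash input alongside the CHAP fields (assumed layout)."""
    data = bytes([identifier]) + secret + challenge + shared_value.to_bytes(2, "big")
    return hashlib.md5(data).digest()


def run_dh_chap(authenticator_secret: bytes, peer_secret: bytes) -> bool:
    """One DH-CHAP-style round: each side sends a DH public value along with
    its CHAP message, derives the shared value, and the response is bound
    to that shared value as well as to the secret and challenge."""
    identifier = 2
    challenge = secrets.token_bytes(16)
    auth_priv = secrets.randbelow(DH_P - 2) + 1
    peer_priv = secrets.randbelow(DH_P - 2) + 1
    auth_pub = dh_public(auth_priv)        # travels with the challenge
    peer_pub = dh_public(peer_priv)        # travels with the response
    peer_shared = dh_shared(peer_priv, auth_pub)
    response = dh_chap_response(identifier, peer_secret, challenge, peer_shared)
    auth_shared = dh_shared(auth_priv, peer_pub)
    expected = dh_chap_response(identifier, authenticator_secret, challenge, auth_shared)
    return secrets.compare_digest(expected, response)


if __name__ == "__main__":
    print("CHAP, matching secrets:   ", run_chap(b"fabric-secret", b"fabric-secret"))
    print("CHAP, mismatched secrets: ", run_chap(b"fabric-secret", b"wrong"))
    print("DH-CHAP, matching secrets:", run_dh_chap(b"fabric-secret", b"fabric-secret"))
```

Plain CHAP proves possession of the secret but produces no key material; the DH exchange in DH-CHAP is what gives the two switches (or host and switch) a shared value that can go on to protect the session, which is why it counts as an improvement over CHAP for switch-to-switch authentication.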
FCAP and FCPAP
The Fibre Channel Authentication Protocol (FCAP) is strictly optional, and
this protocol gives us a stronger authentication option for our FC
connections. FCAP's great, but one drawback is its reliance on a Public
Key Infrastructure (PKI). An alternative to FCAP, the Fibre Channel
Password Authentication Protocol (FCPAP) is not reliant on a PKI.
Hot Spots And Gotchas
The "manager" of a VoIP network is the gatekeeper. Gatekeepers can be
configured to do a wide range of VoIP management tasks, including
allowing calls only when adequate bandwidth for high-quality calls exists
(Call Admission Control) and to keep VoIP calls separate from data traffic.
VoIP signaling protocols: H.323, MGCP, SIP
The Real-time Transport Protocol (RTP) handles the voice payload. There is
a secure version of RTP (SRTP), but overhead must be taken into account
when using SRTP.
VoIP attack types include DoS, eavesdropping, man-in-the-middle (where
SIP packets are the intercepted packets), and vishing, which is basically
"phishing with a phone".
Another issue with voice networks is SPIT - Spam Over IP Telephony.
One basic VoIP security technique is using separate VLANs for voice
traffic, rather than allowing voice packets and data packets to share a
channel.
The web access feature on a Cisco IP Phone is on by default, and there's
no password or username necessary for access by default. Once in, an
intruder can then acquire the IP addresses of other servers on the
network.
Unified Communications Manager can help to keep that door shut by
setting a password and disabling unnecessary services such as GARP
(Gratuitous ARP).
The SAN architecture allows storage units to appear as though they're
directly attached to servers, but they are instead on their own network /
subnet.
Why use a SAN? They're highly scalable and can more easily adapt to
changes and growth than traditional data storage solutions. Additionally,
data backup and that all-important recovery are more reliable and
efficient. They do cost serious money to get up and running, though those
costs are dropping.
The three SAN transport technologies: Fibre Channel (FC), iSCSI, and
FCIP.
The three FC topologies: point-to-point, arbitrated loop, and switched
fabric.
SANs have no real built-in defenses against typical network attacks.
LUN Masking is a basic SAN security technique used by SCSI, but it's
designed primarily to prevent Windows servers from writing Windows
volume labels on non-Windows disks rather than protecting the SAN
against deliberate attacks.
SAN Zones allow us to virtually separate storage devices in either hard
zones or soft zones.
Virtual SANs (VSANs) are similar to VLANs. Ports on FC switches can be
placed into VSANs to logically group the storage devices.
VSAN authentication protocols include CHAP and DH-CHAP.

FCAP and FCPAP do much the same thing - they deliver an FC
authentication option that's stronger than CHAP - but there's one major
difference. FCAP relies on a PKI and FCPAP does not.

Copyright 2008 The Bryant Advantage. All Rights Reserved.
