Securing voice on local segment

averheaghe · ‎09-06-2008

We recently had an audit of our VoIP system. The auditors captured voice traffic with an H.323 sniffer. Their suggestion was to move from broadcast traffic to unicast- does this sound correct? If so how best to proceed? Or any other suggestions to secure local segment Voice traffic?

Thanks,

Andy

Marwan ALshawi · ‎09-07-2008

hi Andy

voice security mainly based on ur equipment and the topology

but in general

the idea u can make the communication between voice devices, ip phones, callmanager and h323 gateway through a firewall like ASA or IOS firewall so that u gonna allow commnunication between thses devices based on source and destination and only allow spisific protocols to be passed like sccp,tftp,http and h323 call signaling (no broadcast) and if u look here there is no udp allwoed so if u wonder how phones can make calls if there is no udp allowed the naswer is because we use firewall and firewall is a SPF capable device (spf means statefull packect filtering) so for example the phone will comunicat with callmaqnager using sccp and tftp then CCM and IP phone will negotiate the udp used for a call between two phones then based on the SPF all the subsquent traffic from the calling phon with called phone will be permited automaticaly once the call ended all the automaticly permited traffic will be removed

so it is veryhelpful and secure

if u look for exstra ip telephoney security u could use vlan acl to filter traffic between ip phones to limit any attack from phone to phone for example allow only udp between phones

if helpful Rate