VoIP over IPSec VPNs.. and some general Security tips (Kjetil Berge, Systems Engineer)
Presentation transcript, Cisco session SEC-210 3083_05_2001_c1. © 2001, Cisco Systems, Inc. All rights reserved.

Slide 1: VoIP over IPSec VPNs.. and some general Security tips
Kjetil Berge, Systems Engineer, Cisco Norway

Slide 2: Agenda
- Why VoIP over VPN?
- What are the problems?
- How to solve them?
- My own VoIP over VPN test

Slide 3: History Hack: Captain Crunch and the Origin of 2600 (John T. Dryer)
- Back in the early 70s, phone lines carried both signaling and regular voice traffic over the same line.
- Using a Captain Crunch cereal toy whistle it was possible to generate a 2600 Hz tone, which allowed signaling data to be sent to Ma Bell.
- Building on what was learned with the whistle, tones could then be sent using a blue box to call anywhere else for free!
- Steve Wozniak even used a blue box to call the Pope, posing as then Secretary of State Henry Kissinger.
- Moral of the story? Security through obscurity is not security (unauthenticated control channels are bad).
- http://www.webcrunchers.com/crunch

Slide 4: General things before we start …

Slide 5: Security in the Enterprise
(Diagram: the enterprise connected to the Internet, an IP WAN and the PSTN; only the four category labels below survive.)
Perimeter Security
- Use firewalls and IP filters to limit access into the enterprise.
- Also use firewalls to limit access between the user data networks and the IP telephony, server farm and data center subnets.
Network Separation
- Separate the VoIP devices onto their own subnetworks; RFC 1918 addressing is preferred.
- NIDS can be used to examine traffic between subnets for potential threats.
Host Security
- Use non-standard access ports if possible.
- Eliminate unneeded server OS files, directories and services.
- A comprehensive virus scanning solution is critical.
- Host-based IDS solutions are recommended.
Device Access
- Maintain a stringent device/server access policy based on user and subnet.
- Use of time-of-day or temporary ACLs can augment the IP filters.
- Network management traffic must be allowed only from a secure host.

Slide 6: General things before we start …
- Maintain physical device security.
- Use card readers and video surveillance in all data centers and wiring closets.
- Restrict telnet access.
- Use TACACS+/RADIUS for all devices.
- Use SSH or IPsec to protect management and auditing traffic.

Slide 7: General things before we start …
- Eliminate extraneous router services: HTTP, TCP/UDP small servers, finger, RCP/RSH.
- Use neighbor authentication: routing protocols, HSRP, NTP.
- Enable syslog logging.
- Use NTP-synced timestamps.
- Configure SNMP securely.

Slide 8: Topology
(Diagram of the headquarters network; only the labels survive.) Headquarters: PIX, CallManager cluster, NMS, VoIP GW/GK, CSPM, DNS/PDC/CA and Syslog, on VLANs 100, 101, 102, 160 and 200, with PSTN and IP WAN connections. Voice network and data network are shown separately; the remote side has DNS and optional DHCP.

Slide 9: VoIP Enhancements: PAT for SIP and H.323
- Existing H.323 and SIP fixups are enhanced to support PAT, allowing customers to conserve their IP address space.
- The embedded IP address and port in the SIP/H.323 message is translated to the correct PAT, and the correct media connections negotiated during signaling are opened up.
- The PIX dynamic PAT timeout value is also modified to be the same as the client registration timeout value that is set when the client registers with the SIP proxy server / H.323 gatekeeper.
- Existing commands are used.
- Static PAT can be used for the SIP server, H.323 gatekeeper or H.323 endpoints when the port that other endpoints will use to reach them is known ahead of time.

Slide 10: Agenda
- Why VoIP over VPN?
- What are the problems?
- How to solve them?
- My own VoIP over VPN test

Slide 11: Customer VPN Expectations
- Customers can run VoIP over their private WANs today.
- IPSec VPNs are private WAN replacements.
- Customers expect/want to run voice across IPSec VPNs as well.
(Diagram: central/HQ, regional sites, branch offices, SOHO, telecommuters and mobile users connected through an Internet/service provider virtual private network. VPN deployment models: site to site, site-to-site SOHO, remote access.)

Slide 12: Customer VPN Expectations (cont.)
VoIP over VPN offers many exciting possibilities:
- Implement VPN WANs to replace the traditional WAN.
- Connect home offices via VPN.
- Implement IP telephony.
- Allows IP telephony at zero cost to home offices and branch offices!

Slide 13: Agenda
- Why VoIP over VPN?
- What are the problems?
- How to solve them?
- My own VoIP over VPN test

Slide 14: Why VoIP over IPSec is a problem
- The crypto engine is FIFO only: unable to prioritize voice over data.
- Simple to overload the crypto engine with too much traffic.
- QoS is required both in the enterprise network and in the ISP network.

Slide 15: Current Crypto Engine Issues
(Diagram: traffic entering the IPSec crypto engine through a single FIFO queue.)
- VoIP packets are not prioritized in crypto; voice quality suffers when the crypto engine is congested.
- Crypto engine performance and throughput vary depending upon hardware; different crypto engine throughputs result in variable/unacceptable delay when congestion occurs at the crypto engine. FIFO entrance queuing is the issue.
- The crypto engine looks like an internal FIFO serial interface inside the router.

Slide 16: No support for cRTP for VoIP
Bandwidth consumption (50 pps):
- G.711 + IPSec/GRE = approx. 110 kbps per VoIP call
- G.729 + IPSec/GRE = approx. 50 kbps per VoIP call
Example: G.729 at 50 pps
1) Voice payload: 8 kbps
2) IP + voice payload: 24,000 bps (IP header = 20 bytes)
3) IP + GRE/IPSec + voice payload: 44,800 bps (ESP = 32 bytes, variable)
4) Add Ethernet header: 51,000 bps
Voice over VPN is large!
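The per-call figures above are rounded. The following Python model, added here and not part of the presentation, walks the same layering (voice payload, IP/UDP/RTP, GRE, ESP, Ethernet) and makes the ESP padding explicit, which is why the slide calls the ESP overhead "variable". Header sizes, the transport-mode GRE-over-IPsec layout and the esp-des esp-md5-hmac transform are assumptions; the slide's exact byte counts are not reproduced, but the G.711 and G.729 totals land close to its approximations.

```python
# Added example (not from the presentation): per-call bandwidth model for VoIP
# carried over GRE + IPsec. Header sizes below are assumptions taken from the
# protocol specifications; the slide's own figures are approximations.

IP_HDR = 20              # IPv4 header, no options
UDP_HDR = 8
RTP_HDR = 12
GRE_HDR = 4              # basic GRE header, no key/sequence fields
ESP_SPI_SEQ = 8          # SPI + sequence number
ESP_TRAILER = 2          # pad length + next header
ETHERNET_OVERHEAD = 18   # 14-byte header + 4-byte FCS, no 802.1Q tag

# Assumed transform esp-des esp-md5-hmac: DES-CBC (8-byte IV and block), HMAC-MD5-96 (12-byte ICV)
DES_IV = 8
DES_BLOCK = 8
HMAC_MD5_96 = 12

CODECS = {                # codec -> (voice payload bytes per packet, packets per second)
    "G.711": (160, 50),   # 64 kbps, 20 ms of audio per packet
    "G.729": (20, 50),    # 8 kbps, 20 ms of audio per packet
}

def esp_size(plaintext_len, iv=DES_IV, block=DES_BLOCK, icv=HMAC_MD5_96):
    """Size in bytes of an ESP packet (without the outer IP header) carrying plaintext_len bytes."""
    padded = plaintext_len + ESP_TRAILER
    pad = (-padded) % block          # pad so payload + trailer fills whole cipher blocks
    return ESP_SPI_SEQ + iv + padded + pad + icv

def packet_sizes(payload_bytes):
    """On-the-wire size in bytes at each encapsulation layer."""
    rtp_ip = payload_bytes + RTP_HDR + UDP_HDR + IP_HDR
    gre = rtp_ip + GRE_HDR + IP_HDR              # GRE tunnel: GRE header + new outer IP header
    # IPsec transport mode on the GRE packet: outer IP header kept, everything after it ESP-wrapped
    ipsec = IP_HDR + esp_size(gre - IP_HDR)
    return {"voice": payload_bytes, "ip": rtp_ip, "gre": gre,
            "ipsec": ipsec, "ethernet": ipsec + ETHERNET_OVERHEAD}

def bandwidth_bps(codec):
    """Bits per second per call at each layer for a codec in CODECS."""
    payload, pps = CODECS[codec]
    return {layer: size * 8 * pps for layer, size in packet_sizes(payload).items()}

def calls_per_link(codec, link_bps, layer="ethernet"):
    """Simultaneous calls that fit into link_bps at the given layer (no headroom for data)."""
    return link_bps // bandwidth_bps(codec)[layer]

if __name__ == "__main__":
    for codec in CODECS:
        print(codec, bandwidth_bps(codec))
    print("G.729 calls on a 512 kbps uplink:", calls_per_link("G.729", 512_000))
```

With these assumptions G.729 comes out at 24,000 bps after IP/UDP/RTP (matching step 2 of the slide), 48,000 bps after ESP and 55,200 bps on Ethernet; G.711 comes out at 109,600 bps on Ethernet, in line with the "approx. 110 kbps" figure. The point for capacity planning is that the ESP padding and ICV are a fixed per-packet cost, so small-payload codecs pay proportionally far more than G.711 does.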

Slide 17: Current VoIP over VPN Support
- Cisco TAC will not support any voice quality related issues with regard to voice over IPSec VPNs.
- Customers running VoIP over IPSec VPNs do so understanding that traffic is best effort, with no guarantee of voice quality.

Slide 18: Agenda
- Why VoIP over VPN?
- What are the problems?
- How to solve them?
  - Today's solutions
  - What will come later this year
- My own VoIP over VPN test

Slide 19: Dual VPN Routers: VoIP and Data through separate Crypto Engines
(Diagram: two IOS VPN routers at each site, a data tunnel and a voice tunnel across the service provider.)
- Separate tunnels for voice and data, such that voice packets do not incur delay, jitter or loss.
- Requires a service provider that recognizes ToS/DSCP and provides an SLA.

Slide 20: VoIP and Data through the same Crypto Engine: today's efforts
(Diagram: Cisco IOS platforms at each end, a GRE voice tunnel through the IPSec crypto engine carrying voice/data across the service provider.)
- Use prioritized traffic limiting techniques such that encrypted traffic throughput is limited to where voice has acceptable delay and jitter (prevent crypto engine over-subscription).
- Test on a per-platform basis the maximum crypto rate at which VoIP can co-exist with data such that VoIP delays are acceptable.

Slide 21: QoS before the Crypto Engine: prevent over-subscription of the Crypto Engine
(Diagram: Cisco IOS platforms, a GRE voice tunnel through the IPSec crypto engine, voice/data across the service provider.)
- Option 1: policing on the L3 boundary before the crypto router (L3 switch or router).
- Option 2: police to limit encrypted traffic to throughputs where voice has acceptable delays.

Slide 22: What about PIX/3xxx platforms with no QoS? How to best deploy
(Diagram: headend and remote/SOHO sites, each with a Cisco IOS platform in front of a PIX/3xxx, an IPSec tunnel across the service provider, and external policing on the L3 boundary before the crypto device (L3 switch or router).)
- PIX/3xxx looks like an external IOS crypto engine with regard to QoS.
- Must provide external IOS means of preventing PIX/3xxx crypto engine over-subscription.
- PIX/3xxx maximum crypto rates for voice and data are not tested yet (future).
- Remote/SOHO PC data traffic is throttled to the SOHO WAN link speed, so oversubscribing the PIX/3xxx hardware is unlikely; IOS QoS must be performed on the SOHO CPE device.

Slide 23: Agenda
- Why VoIP over VPN?
- What are the problems?
- How to solve them?
  - Today's solution
  - What will come later this year
- My own VoIP over VPN test

Slide 24: What is Coming: Crypto LLQ (1H 2002 CY)
(Diagram: high- and low-priority LLQ queues on the front end of the IPSec crypto engine.)
- Entrance queuing to the crypto engine: queue entrance criteria must be based on ToS/DSCP.
- Crypto-LLQ is required on IOS and new VPN products.
- No need for external CAR mechanisms to prevent crypto engine over-subscription.
- LLQ on the front end of the crypto engine to prevent over-subscription.
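Slides 15 and 24 describe the same mechanism from both sides: a FIFO entrance queue lets a data burst sit in front of every voice packet, while a DSCP-based priority queue at the engine entrance bounds the wait to the packet already in service. The following Python simulation, added here and not from the presentation, models the crypto engine as a single non-preemptive server and compares the two entrance schedulers on one constructed burst. The 2 Mbps engine rate, the 20-packet data burst and the EF marking are constructed assumptions, not measured values from any platform.

```python
# Added example (not from the presentation): a minimal discrete-event model of the
# crypto engine as one non-preemptive server fed by an entrance queue.
# "fifo" serves packets in arrival order (slide 15); "llq" always serves a waiting
# EF-marked packet first, the ToS/DSCP entrance criterion slide 24 describes.
# Engine rate and traffic mix are constructed, not measured, values.

from dataclasses import dataclass

DSCP_EF = 46   # Expedited Forwarding, the usual marking for VoIP bearer packets

@dataclass(eq=False)   # identity equality, so list.remove() takes exactly this packet
class Packet:
    arrival: float     # seconds
    size: int          # bytes
    dscp: int = 0      # 0 = best-effort data

def simulate(packets, engine_bps, scheduler="fifo"):
    """Push packets through an engine of engine_bps.
    Returns (packet, queuing_delay_seconds) tuples in service order."""
    pending = sorted(packets, key=lambda p: p.arrival)
    queue, served, clock, i = [], [], 0.0, 0
    while i < len(pending) or queue:
        while i < len(pending) and pending[i].arrival <= clock:   # admit arrivals
            queue.append(pending[i])
            i += 1
        if not queue:                        # engine idle: jump to the next arrival
            clock = pending[i].arrival
            continue
        if scheduler == "llq":
            voice = [p for p in queue if p.dscp == DSCP_EF]
            nxt = voice[0] if voice else queue[0]   # earliest EF packet, else earliest packet
        else:
            nxt = queue[0]
        queue.remove(nxt)
        served.append((nxt, clock - nxt.arrival))
        clock += nxt.size * 8 / engine_bps   # serialization time through the engine
    return served

def max_voice_delay_ms(served):
    """Largest queuing delay seen by any EF packet, in milliseconds."""
    return max((d for p, d in served if p.dscp == DSCP_EF), default=0.0) * 1000

def burst_scenario():
    """Constructed traffic: a 20-packet data burst (30 KB) reaches the engine at t=0
    and one 60-byte voice packet arrives 1 ms later."""
    data = [Packet(0.0, 1500) for _ in range(20)]
    voice = [Packet(0.001, 60, DSCP_EF)]
    return data + voice

if __name__ == "__main__":
    for sched in ("fifo", "llq"):
        served = simulate(burst_scenario(), 2_000_000, sched)
        print("%s: max voice queuing delay %.1f ms" % (sched, max_voice_delay_ms(served)))
```

On a 2 Mbps engine each 1500-byte packet takes 6 ms, so under FIFO the voice packet waits behind the whole burst (119 ms, already beyond a tolerable one-way budget before any WAN delay is added), while under the priority scheduler it waits only for the packet in service (5 ms). The same model can be fed a rate limit instead of a scheduler change to size the external policing options of slides 20 to 22.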

Slide 25: Voice-VPN roadmap
(Table of features/activities against 1Q02CY, 1H02CY and 2H02CY, marked with X per quarter; the column assignment is not recoverable from the transcript.)
Features/Activities: VoIP+VPN baseline; basic voice quality; enhanced voice; Voice-VPN design guide; functional QoS (LLQ for CE); multicast voice/video; Voice-VPN platform testing; other enhancements; call bandwidth minimization; remote access VoIP+VPN; resiliency (IPSec stateful failover); remote access Voice-VPN (IOS).

Slide 26: Agenda
- Why VoIP over VPN?
- What are the problems?
- How to solve them?
  - Today's solution
  - What will come later this year
- My own VoIP over VPN test

Slide 27: Local VoIP over VPN testing
(Diagram: two sites, the home office and Cisco Norway, each behind an ADSL router and a PIX (PIX 501 and PIX 506, VPN, no QoS), connected across service providers with no QoS.)

Slide 28: Home office PIX configuration 1/2
Specify which traffic to send via the VPN tunnel: 1) traffic to the CCM network (10.1.1.0), 2) traffic to the IP telephones centrally (10.1.120.0):
  access-list VPN-acl permit ip 10.200.1.0 255.255.255.0 10.1.1.0 255.255.255.0
  access-list VPN-acl permit ip 10.200.1.0 255.255.255.0 10.1.120.0 255.255.255.0
Specify that traffic between 1) the local network and the CCM network, 2) the local network and the IP phones is not to be NAT-ed:
  access-list no-nat-acl permit ip 10.200.1.0 255.255.255.0 10.1.1.0 255.255.255.0
  access-list no-nat-acl permit ip 10.200.1.0 255.255.255.0 10.1.120.0 255.255.255.0
Enable the no-NAT ACL:
  nat (inside) 0 access-list no-nat-acl
Enable the Skinny fixup:
  fixup protocol skinny 2000

Slide 29: Home office PIX configuration 2/2
Specify the transform set (I am using DES only) and the crypto map:
  crypto ipsec transform-set des-transform esp-des esp-md5-hmac
  crypto map CiscoAVVID 1 ipsec-isakmp
  crypto map CiscoAVVID 1 match address VPN-acl
  crypto map CiscoAVVID 1 set peer X.X.X.X
  crypto map CiscoAVVID 1 set transform-set des-transform
  crypto map CiscoAVVID interface outside
  isakmp enable outside
Set up the shared key with the central PIX:
  isakmp key ******** address X.X.X.X netmask 255.255.255.255
Set up the ISAKMP policy:
  isakmp policy 1 authentication pre-share
  isakmp policy 1 encryption des
  isakmp policy 1 hash md5
  isakmp policy 1 group 1
  isakmp policy 1 lifetime 36000
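The two ACLs on slide 28 have to agree: the crypto map on slide 29 matches VPN-acl against packets after translation, so any subnet pair in the crypto ACL that the nat 0 ACL does not also exempt gets PAT-ed to the outside address, no longer matches the crypto ACL, and is forwarded out of the outside interface outside the tunnel. The following Python check, added here and not part of the presentation or of any Cisco tool, parses the two ACLs and the crypto map / nat 0 references from a PIX configuration and reports every protected flow that lacks a NAT exemption. The sample configuration is constructed after slides 28 and 29 and deliberately carries one nat 0 line whose destination is the local subnet instead of the phone subnet; the `unexempted_tunnel_flows` name and the regular expressions are this example's own.

```python
# Added example (not from the presentation): consistency check between the PIX
# crypto ACL (traffic the crypto map protects) and the nat 0 ACL (traffic exempt
# from NAT). A flow that is in the first but not the second is translated before
# the crypto map sees it and therefore bypasses the tunnel.
# The sample config is constructed after slides 28/29 with one deliberate mistake.

import ipaddress
import re

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
MATCH_RE = re.compile(r"^crypto map\s+\S+\s+\d+\s+match address\s+(\S+)$", re.M)
NAT0_RE = re.compile(r"^nat\s+\(inside\)\s+0\s+access-list\s+(\S+)$", re.M)

def parse_acls(config):
    """Map ACL name -> list of (src_network, dst_network) for 'permit ip' entries."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        name, src, smask, dst, dmask = m.groups()
        entry = (ipaddress.ip_network(f"{src}/{smask}", strict=False),
                 ipaddress.ip_network(f"{dst}/{dmask}", strict=False))
        acls.setdefault(name, []).append(entry)
    return acls

def unexempted_tunnel_flows(config):
    """Return crypto-ACL (src, dst) pairs that no nat 0 entry fully covers."""
    acls = parse_acls(config)
    nat0 = [entry for name in NAT0_RE.findall(config) for entry in acls.get(name, [])]
    missing = []
    for name in MATCH_RE.findall(config):
        for src, dst in acls.get(name, []):
            # covered only if some nat 0 entry contains both the source and the destination
            if not any(src.subnet_of(s) and dst.subnet_of(d) for s, d in nat0):
                missing.append((str(src), str(dst)))
    return missing

# Constructed sample: the last no-nat-acl line points at 10.200.1.0 instead of 10.1.120.0.
SAMPLE_CONFIG = """\
access-list VPN-acl permit ip 10.200.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list VPN-acl permit ip 10.200.1.0 255.255.255.0 10.1.120.0 255.255.255.0
access-list no-nat-acl permit ip 10.200.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat-acl permit ip 10.200.1.0 255.255.255.0 10.200.1.0 255.255.255.0
nat (inside) 0 access-list no-nat-acl
crypto map CiscoAVVID 1 ipsec-isakmp
crypto map CiscoAVVID 1 match address VPN-acl
"""

if __name__ == "__main__":
    for src, dst in unexempted_tunnel_flows(SAMPLE_CONFIG):
        print(f"WARNING: {src} -> {dst} is in the crypto ACL but not exempt from NAT")
```

Run against the sample, the check flags 10.200.1.0/24 -> 10.1.120.0/24, the phone-subnet flow; correcting the last no-nat-acl destination to 10.1.120.0 makes the report empty. The check is a one-way containment test on purpose: extra nat 0 entries are harmless, but every crypto-ACL flow must be inside some exemption.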

