Interview: Akhil Behl CCIEx2 #19564 (Voice & Security)
It's not every day you get the chance to interview a CCIE, and especially a double CCIE! Today, Firewall.cx interviews Akhil Behl, a Double CCIE (Voice & Security) #19564 and author of the popular Cisco Press title ‘Securing Cisco IP Telephony Networks’.
Akhil Behl's Biography
Akhil Behl is a Senior Network Consultant with Cisco Advanced Services, focusing on Cisco Collaboration and Security architectures. He leads Collaboration and Security projects worldwide for Cisco Services and the Collaborative Professional Services (CPS) portfolio for the commercial segment. Prior to his current role, he spent 10 years working in various roles at Linksys, Cisco TAC, and Cisco AS. He holds CCIE (Voice and Security), PMP, ITIL, VMware VCP, and MCP certifications.
He has several research papers published to his credit in international journals including IEEE Xplore.
He is a prolific speaker and has contributed at prominent industry forums such as Interop, Enterprise Connect, Cloud Connect, Cloud Summit, Cisco SecCon, IT Expo, and Cisco Networkers. Akhil is also the author of Cisco Press title ‘Securing Cisco IP Telephony Networks’.
Be sure not to miss our review of Akhil's popular Securing Cisco IP Telephony Networks and his outstanding article on Secure CallManager Express Communications - Encrypted VoIP Sessions with SRTP and TLS.
Readers can find outstanding Voice Related Technical Articles in our Cisco VoIP/CCME & CallManager Section.
Q1. What are the benefits of a pure VoIP against a hybrid system?
Pure VoIP solutions are a recent addition to the overall VoIP portfolio. SIP trunks by service providers are helping make the PSTN world reachable by IP instead of TDM. A pure VoIP system has a number of advantages over a hybrid VoIP system, for example:
- All media and signaling is purely IP based and no digital or TDM circuits come into picture. This in turn implies better interoperability of various components within and outside the ecosystem.
- Configuration, troubleshooting, and monitoring of a pure VoIP solution is much more lucid as compared to a hybrid system.
- The security construct of a pure VoIP system is something which the provider and consumer can mutually agree upon and deploy. In other words, the enterprise security policies can now go beyond the usual frontiers up to the provider’s soft-switch/SBC.
Q2. What are the key benefits/advantages and disadvantages of using Cisco VoIP Telephony System, coupled with its security features?
Cisco’s IP Telephony / Unified Communications systems present a world class VoIP solution to consumers from small to medium to large enterprises and SMB’s as well as various business verticals such as education, finance, banking, energy sector, and government agencies. When the discussion is around security aspect of Cisco IP Telephony / UC solution, the advantages outweigh the disadvantages because of a multitude of factors:
- Cisco IP Telephony endpoints and underlying network gear are capable of providing robust security by means of built-in security features
- Cisco IP Telephony portfolio leverages industry standard cryptography and is compatible with any product based on RFC standards
- Cisco engineering leaves no stone unturned to ensure that the IP Telephony products and applications deliver feature rich consumer experience; while maintaining a formidable security posture
- Cisco Advanced Services helps consumers design, deploy, operate, and maintain a secure, stable, and robust Cisco IP Telephony network
- Cisco IP Telephony and network applications / devices / servers can be configured on-demand to enable security to restrain a range of threats
Q3. As an author, please comment on the statement that your book can be used both as a reference and as a guide for security of Cisco IP Telephony implementation.
Over the past 10 years, I have seen people struggling with lack of a complete text which can act as a reference, a guide, and a companion to help resolve UC security queries pertinent to design, deployment, operation, and maintenance of a Cisco UC network. I felt there was a lack of a complete literature which could help one through various stages of Cisco UC solution development and build i.e. Plan, Prepare, Design, Implement, Operate, and Optimize (PPDIOO) and thought of putting together all my experience and knowledge in form of a book where the two realms i.e. Unified Communications and Security converge. More often than not, people from one realm are not acquainted with intricacies of the other. This book serves to fill in the otherwise prominent void between the UC and Security realms and acts as a guide and a reference text for professionals, engineers, managers, stakeholders, and executives.
Q4. What are today’s biggest security threats when dealing with Cisco Unified Communication installations?
While there are a host of threats out there which lurk around your Cisco UC solution, the most prominent ones are as follows:
- Session/Call hijacking
- Impersonation or identity-theft
- DOS and DDOS attacks
- Poor or absent security guidelines or policy
- Lack of training or education at user level on their responsibility towards corporate assets such as UC services
As you can see, not every threat is a technical threat and there’re threats pertinent to human as well as organizational factors. More often than not, the focus is only on technical threats, while organizations and decision makers should pay attention to other (non-technical) factors as well, without which a well-rounded security construct is difficult to achieve.
Q5. When implementing SIP Trunks on CUCM/CUBE or CUCME, what steps should be taken to ensure Toll-Fraud is prevented?
An interesting question, since toll-fraud is a chronic issue. With the advent of SIP trunks for PSTN access, the threat surface has evolved and a host of new threats come into the picture. While most of these threats can be mitigated at call-control and Session Border Controller (CUBE) level, an improper configuration of call restriction and privilege as well as a poorly implemented security construct can eventually lead to toll-fraud. To prevent toll-fraud on SIP trunks, the following suggestions can be helpful:
- Ensure that users are assigned the right calling search space (CSS) and partitions (in case of CUCM) or Class of Restriction (COR in case of CUCME) at line/device level to have a granular control of who can dial what
- Implement after-hour restrictions on CUCM and CUCME
- Disable PSTN or out-dial from Cisco Unity, Unity Connection, and CUE or at least restrict it to a desirable local/national destination(s) as per organization’s policies
- Implement strong pin/password policies to ensure user accounts cannot be compromised by brute force or dictionary based attacks
- For softphones such as Cisco IP Communicator try and use extension mobility which gives an additional layer of security by enabling user to dial international numbers only when logged in to the right profile with right credentials
- Disable PSTN to PSTN tromboning of calls if not required or as per organizational policies
- Where possible enable secure SIP trunks and SIP authorization for trunk registration with provider
- Implement COR where possible at SRST gateways to discourage toll-fraud during an SRST event
- Monitor usage of the enterprise UC solution by call billing and reporting software (e.g. CAR) on an ongoing basis to detect any specific patterns or any abnormal usage
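The ongoing usage monitoring in the last suggestion above, as an added example that is not part of the interview and is not Cisco's CAR tooling: a small script that scans call records for two toll-fraud patterns. The CSV layout, home prefix, business hours, daily threshold and sample records are all assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Assumptions for this example; tune them to the organization's policy.
HOME_PREFIX = "+1"             # anything outside this prefix counts as international
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 local time, Monday to Friday
MAX_INTL_PER_DAY = 3           # per-extension daily threshold

# Constructed sample records in a simplified, hypothetical export layout
# (not the real CAR/CDR column set). Numbers use reserved fictional ranges.
SAMPLE_CDR = """calling,called,start
2001,+14085550100,2024-03-04T10:15:00
2001,+442079460100,2024-03-04T11:02:00
2002,+442079460101,2024-03-05T02:11:00
2002,+442079460102,2024-03-05T02:45:00
2002,+442079460103,2024-03-05T03:20:00
2002,+442079460104,2024-03-05T03:58:00
2003,+14085550123,2024-03-09T14:00:00
"""

def is_after_hours(ts):
    """True on weekends or outside the configured business hours."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS

def find_suspicious(cdr_text):
    """Return sorted (extension, reason) pairs for calls matching the rules."""
    findings = set()
    per_day = defaultdict(int)  # (extension, date) -> international call count
    for row in csv.DictReader(io.StringIO(cdr_text)):
        if row["called"].startswith(HOME_PREFIX):
            continue  # domestic call, out of scope for these rules
        ts = datetime.fromisoformat(row["start"])
        ext = row["calling"]
        if is_after_hours(ts):
            findings.add((ext, "international call outside business hours"))
        per_day[(ext, ts.date())] += 1
        if per_day[(ext, ts.date())] > MAX_INTL_PER_DAY:
            findings.add((ext, "daily international call threshold exceeded"))
    return sorted(findings)

if __name__ == "__main__":
    for ext, reason in find_suspicious(SAMPLE_CDR):
        print(ext, reason)
```

Extensions flagged this way are candidates for a review of their calling privileges and PIN/password strength, per the earlier suggestions in this answer.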
Q6. A common implementation of Cisco IP Telephony is to install the VoIP Telephony network on a separate VLAN – the Voice VLAN, which has restricted access through access lists applied on a central layer-3 switch. Is this common practice adequate to provide basic-level of security?
Well, I wouldn’t just filter the traffic at Layer 3 with access-lists or just do VLAN segregation at layer 2 but also enable security features such as:
- Port security
- DHCP snooping
- Dynamic ARP Inspection (DAI)
- Trusted Relay Point (TRP)
- Firewall zoning
and so on, throughout the network to ensure that legitimate endpoints in voice VLAN (whether hard phones or softphones) can get access to enterprise network and resources. While most of the aforementioned features can be enabled without any additional cost, it’s important to understand the impact of enabling these features in a production network as well as to ensure that they are in-line with the corporate/IP Telephony security policy of the enterprise.
Q7. If you were asked to examine a customer’s VoIP network for security issues, what would be the order in which you would perform your security checks? Assume Cisco Unified Communications Manager Express with IP Telephones (wired & wireless), running on Cisco Catalyst switches with multiple VLANs (data, voice, guest network etc) and Cisco Aironet access points with a WLC controller. Firewall and routers exist, with remote VPN teleworkers
My first step towards assessing the security of the customer’s voice network will be to ask them for any recent or noted security incidents as it will help me understand where and how the incident could have happened and what are the key security breach or threats I should be looking at apart from the overall assessment.
I would then start at the customer’s security policy, which can be a corporate security policy or an IP Telephony specific security policy, to understand how they position security of enterprise/SMB communications in-line with their business processes. This is extremely important as, without proper information on what their business processes are and how security aligns with them, I cannot advise them to implement the right security controls at the right places in the network. This also ensures that the customer’s business as usual is not interrupted when security is applied to the call-control, endpoints, switching infrastructure, wireless infrastructure, routing infrastructure, at firewall level, and for telecommuters.
Once I have enough information about the customer’s network and security policy, I will start at inspection of configuration of access switches, moving down to distribution, to core to data center access. I will look at the WLC and WAP configurations next followed by IOS router and firewall configuration.
Once done at network level, I will continue the data collection and analysis at CUCME end. This will be followed by an analysis of the endpoints (wired and wireless) as well as softphones for telecommuters.
At this point, I should have enough information to conduct a security assessment and provide a report/feedback to the customer and engage with the customer in a discussion about the opportunities for improvement in their security posture and construct to defend against the threats and security risks pertinent to their line of business.
Q8. At Firewall.cx, we are eagerly looking forward to our liaison with you, as a CCIE and as an expert on Cisco IP Telephony. To all our readers and members, what would be your message for all those who want to trace your footsteps towards a career in Cisco IP Telephony?
I started in IT industry almost a decade ago with Linksys support (a division of Cisco Systems). Then I worked with Cisco TAC for a couple of years in the security and AVVID teams, which gave me a real view and feel of things from both security and telephony domains. After Cisco TAC I joined the Cisco Advanced Services (AS) team where I was responsible for Cisco’s UC and security portfolio for customer facing projects. From thereon I managed a team of consultants. On the way I did CCNA, CCVP, CCSP, CCDP, and many other Cisco specialist certifications to enhance my knowledge and worked towards my first CCIE which was in Voice and my second CCIE which was in Security. I am a co-lead of Cisco AS UC Security Tiger Team and have been working on a ton of UC Security projects, consulting assignments, workshops, knowledge transfer sessions, and so on.
It’s almost two years ago when I decided to write a book on the very subject of my interest that is – UC/IP Telephony security. As I mentioned earlier in this interview, I felt there was a dire need of a title which could bridge the otherwise prominent gap between UC and Security domains.
My advice to anyone who wishes to make his/her career in the Cisco IP Telephony domain is: ensure your basics are strong, as the product may change and morph forms; however, the basics will always remain the same. Always be honest with yourself and do what it takes to ensure that you complete your work/assignment – keeping in mind the balance between your professional and personal life. Lastly, do self-training or get training from Cisco/Partners on new products or services to ensure you are keeping up with the trends and changes in Cisco’s collaboration portfolio.