A third party should not be able to read the data that is intended for the recipient.
Confidentiality or Privacy
Integrity: the recipient should receive the packets that the originator sends without any change to their content. A third party should be unable to modify the packets in transit.
Authentication: the sender and recipient of VoIP signaling or media messages need to be sure that the peer they are communicating with is in fact who it claims to be.
Availability: protection from Denial-of-Service (DoS) attacks. The VoIP service should be available to the users at all times. Malicious or misbehaving users/devices should not be able to disrupt the service. Mitigating DoS attacks requires measures that protect the VoIP resources themselves and measures that protect the underlying IP network.
Users share a single secret key
Symmetrical. Same key used to encrypt and decrypt
Each user has a related public and private key
Asymmetrical. Different key used to decrypt than was used to encrypt.
A hash is one-way: you cannot retrieve the original message from its hash value.
A hash is created using the original message.
The hash is encrypted using the private key of the signer.
The receiver decrypts the hash using the signer’s public key.
This hash is compared to a recalculated hash from the received message.
If they match, the message was sent from the signer and was not modified in transit.
Certificates are a method to distribute public keys
A certificate authority (CA) issues a certificate validating the requestor’s identity and public key
Drawback: you have to pay a certificate authority for the certificate.
Public key cryptography
evolved from SSL
Typically used to secure signaling
Sits on top of TCP
Server authentication mode: the client authenticates the identity of the server via TLS. The server uses some other out-of-band means to authenticate the client.
each entity authenticates its peer by verifying its certificate.
Mutual authentication mode
provides connection security
It provides privacy and integrity.
Uses algorithms such as Data Encryption Standard (DES) and RC4 for data encryption (both are now deprecated; current deployments use AES). TLS can also be negotiated without encryption (NULL cipher suites, integrity only).
For integrity, MD5 and Secure Hash Algorithm (SHA), used as HMACs.
Record protocol layer: the lower layer of TLS that carries the higher-level protocols, such as the TLS handshake protocol.
The TLS handshake protocol is primarily engaged at the start of the data communication
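The two TLS authentication modes described above (server authentication versus mutual authentication) and the algorithm notes (excluding DES, RC4, MD5 and unencrypted suites), expressed as Python standard-library `ssl` contexts. This is an added example, not from the original notes. The certificate and key file paths are placeholders: nothing is loaded unless a path is passed, so the functions can be called offline to inspect what each mode demands.

```python
"""TLS context builders for server-authentication and mutual-authentication modes."""
import ssl

# OpenSSL cipher string: keep strong suites, drop the legacy algorithms the
# notes list (DES/3DES, RC4, MD5) and the unauthenticated/unencrypted (NULL) suites.
STRONG_CIPHERS = "HIGH:!aNULL:!eNULL:!RC4:!DES:!3DES:!MD5"
WEAK_MARKERS = ("RC4", "DES", "NULL", "MD5")


def _harden(ctx):
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(STRONG_CIPHERS)
    return ctx


def server_context(certfile=None, keyfile=None, client_ca=None, mutual=False):
    """Server side.
    mutual=False: server authentication mode. The client verifies the server's
    certificate; the server must authenticate the client by some other means.
    mutual=True: the server also demands and verifies a client certificate."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    if certfile:                                   # placeholder path, assumption
        ctx.load_cert_chain(certfile, keyfile)
    if mutual:
        ctx.verify_mode = ssl.CERT_REQUIRED        # handshake fails without a valid client cert
        if client_ca:                              # CA that issued the client certificates
            ctx.load_verify_locations(client_ca)
    return _harden(ctx)


def client_context(server_ca=None, certfile=None, keyfile=None):
    """Client side: always verifies the server certificate and hostname.
    Passing certfile/keyfile lets the client present its own certificate when
    the server runs in mutual authentication mode."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    if server_ca:
        ctx.load_verify_locations(server_ca)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return _harden(ctx)


def requires_peer_cert(ctx) -> bool:
    """True when the context refuses a peer that presents no valid certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED


def rejects_weak_ciphers(ctx) -> bool:
    """True if no enabled cipher suite uses RC4, DES/3DES, NULL or MD5."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return bool(names) and not any(m in name for name in names for m in WEAK_MARKERS)


if __name__ == "__main__":
    srv = server_context(mutual=True)
    print("server demands client cert:", requires_peer_cert(srv))   # True
    print("weak ciphers excluded:", rejects_weak_ciphers(srv))      # True
    print("enabled suites:", len(srv.get_ciphers()))
```

The difference between the two modes is a single attribute on the server side: `verify_mode`. Leaving it at the default means the TLS layer says nothing about who the client is, and the application must supply that check itself (the "out-of-band means" in the notes).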
IPsec operates at the IP layer.
Uses two protocols to provide security, AH and ESP:
Authentication Header (AH)
AH provides authentication and integrity.
Encapsulation Security Payload (ESP)
provides privacy in addition to authentication and integrity by encrypting parts of the message.
Transport mode: the AH/ESP header is inserted between the IP header and the upper-layer protocol (TCP/UDP) header.
In transport mode, only the payload of the IP datagram is protected.
Tunnel mode: the entire original IP packet is protected and encapsulated in a new IP header.
Specified for the management of security keys (negotiating the security associations used by AH and ESP).
Uses public-key cryptography techniques to negotiate an authentication key, the security protocol (AH or ESP), the hashing algorithm, and the encryption algorithm.
Internet Key Exchange (IKE)
Provides protection (confidentiality, message authentication, replay protection) for both media packets (RTP) and control packets (RTCP).
defined in RFC 3711
Does not specify how the keys are exchanged between the sender and recipient; key management is handled by a separate mechanism.
Secure Real-time Transport Protocol (SRTP)
Too much delay or jitter if you encrypt it in the
Disable unused services on the device.
If you are using Simple Network Management Protocol (SNMP) on a device only to gather data, set SNMP to read-only mode (and prefer SNMPv3 with authentication and encryption over community strings).
If you are using web-based administration, always use HTTPS, with protocols such as Secure Sockets Layer (SSL)/TLS, rather than plain HTTP.
Administratively disable any unused port on the switch.
You can use Host-based Intrusion Protection Systems (HIPS) to secure critical voice devices such as
Separate VoIP traffic from data traffic, usually by using separate VLANs (a dedicated voice VLAN).
At the IP layer, use separate IP network address spaces for data and voice traffic.
If the call comes from a softphone on a PC, you do not get this separation: its traffic shares the PC's data VLAN.
DHCP snooping: filters malicious DHCP messages and builds a binding database of IP-to-MAC (and port) mappings.
It acts as a firewall between untrusted hosts and trusted DHCP servers: server messages are accepted only on trusted ports.
All IP traffic on an untrusted port is blocked except for DHCP messages; once a binding is learned, only traffic matching that port's IP/MAC binding is permitted.
IP Source Guard
Inspects all ARP messages on untrusted ports and verifies that they are not malicious by comparing them against the DHCP snooping binding database.
Dynamic ARP Inspection (DAI)
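How DHCP snooping, IP Source Guard and Dynamic ARP Inspection fit together, as an added example that is not part of the original notes: a small model of an access switch that learns bindings from DHCP ACKs seen on the trusted uplink and then uses that database to filter IP and ARP traffic on untrusted ports. Port names, MAC/IP addresses and the packet sequence are constructed for the demo; the logic mirrors the behaviour the notes describe, not any vendor's implementation.

```python
"""Model of DHCP snooping, IP Source Guard and Dynamic ARP Inspection on an access switch."""
from dataclasses import dataclass, field


@dataclass
class Packet:
    port: str              # ingress port
    kind: str              # "DHCP_DISCOVER", "DHCP_ACK", "ARP", "IP"
    mac: str               # ARP/IP: source MAC; DHCP_ACK: client MAC (chaddr)
    ip: str = ""           # ARP: claimed sender IP; IP: source IP; DHCP_ACK: yiaddr
    client_port: str = ""  # DHCP_ACK only: the port the offered lease belongs to


@dataclass
class AccessSwitch:
    trusted_ports: set                              # uplinks toward the real DHCP server
    bindings: dict = field(default_factory=dict)    # port -> (mac, ip), learned from DHCP

    def dhcp_snooping(self, pkt: Packet) -> bool:
        """Server-originated DHCP (ACK) is accepted only from trusted ports, so a
        rogue server on an access port is dropped. Accepted ACKs populate the
        binding database for the client's port. Client messages pass through."""
        if pkt.kind == "DHCP_ACK":
            if pkt.port not in self.trusted_ports:
                return False
            self.bindings[pkt.client_port] = (pkt.mac, pkt.ip)
        return True

    def _matches_binding(self, pkt: Packet) -> bool:
        return self.bindings.get(pkt.port) == (pkt.mac, pkt.ip)

    def ip_source_guard(self, pkt: Packet) -> bool:
        """IP traffic on an untrusted port must match that port's learned binding;
        with no binding yet, everything except DHCP is blocked."""
        return pkt.port in self.trusted_ports or self._matches_binding(pkt)

    def dynamic_arp_inspection(self, pkt: Packet) -> bool:
        """ARP on an untrusted port is valid only if sender MAC/IP match the binding."""
        return pkt.port in self.trusted_ports or self._matches_binding(pkt)

    def forward(self, pkt: Packet) -> bool:
        if pkt.kind.startswith("DHCP"):
            return self.dhcp_snooping(pkt)
        if pkt.kind == "ARP":
            return self.dynamic_arp_inspection(pkt)
        if pkt.kind == "IP":
            return self.ip_source_guard(pkt)
        return False


def run_demo() -> dict:
    """Constructed scenario; returns {case: forwarded?}."""
    sw = AccessSwitch(trusted_ports={"Gi1/0/48"})   # uplink to the DHCP server
    host1, host2 = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"
    r = {}
    # Legitimate lease for the host on Gi1/0/1, delivered via the trusted uplink
    r["legit_ack"] = sw.forward(Packet("Gi1/0/48", "DHCP_ACK", host1, "10.10.1.50", client_port="Gi1/0/1"))
    # Rogue DHCP server answering from an untrusted access port
    r["rogue_ack"] = sw.forward(Packet("Gi1/0/2", "DHCP_ACK", host2, "10.10.1.1", client_port="Gi1/0/2"))
    # IP Source Guard: leased address passes, spoofed source IP is dropped
    r["ipsg_ok"] = sw.forward(Packet("Gi1/0/1", "IP", host1, "10.10.1.50"))
    r["ipsg_spoof"] = sw.forward(Packet("Gi1/0/1", "IP", host1, "10.10.1.254"))
    # Host with no lease: IP blocked, but its DHCP DISCOVER is still allowed through
    r["ipsg_nolease"] = sw.forward(Packet("Gi1/0/2", "IP", host2, "10.10.1.60"))
    r["discover_ok"] = sw.forward(Packet("Gi1/0/2", "DHCP_DISCOVER", host2))
    # DAI: ARP consistent with the binding passes; claiming the gateway's IP is dropped
    r["arp_ok"] = sw.forward(Packet("Gi1/0/1", "ARP", host1, "10.10.1.50"))
    r["arp_poison"] = sw.forward(Packet("Gi1/0/1", "ARP", host1, "10.10.1.1"))
    return r


if __name__ == "__main__":
    for case, allowed in run_demo().items():
        print(f"{case:14s} {'forwarded' if allowed else 'dropped'}")
```

The binding database is the shared state: DHCP snooping writes it, and both IP Source Guard and DAI only read it. That is why the notes insist DHCP snooping be enabled first, and why an attacker who can forge DHCP replies on a trusted port defeats all three features at once.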
MAC flooding attack: the attacker overflows the switch's MAC address (CAM) table, so the switch starts flooding traffic out all ports like a hub.
Port security: configure a maximum number of MAC addresses per port. If a particular port exceeds this limit, the specified action is taken on that port: the offending port can be shut down or placed in a restricted mode.
BPDU guard should be enabled on every access port where the switch connects to a host (PC or phone).
BPDU guard prevents malicious host devices from sending BPDUs (and thereby influencing the spanning-tree topology).
Root guard: applied to ports connected to another switch that should never become the root bridge.
configured on a per-port basis
monitor and analyze network traffic to detect intrusion.
Network-based Intrusion Prevention Systems (NIPS)
TCP SYN flood: the attacker sends the first part of the three-way handshake (SYN) and never completes it.
The resulting connections are half-open (embryonic) and consume the server's connection resources.
SYN and ACK are TCP flags, so this attack operates at the transport layer.
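Detection logic for the half-open condition described above, as an added example that is not from the original notes: a packet log is replayed and every client SYN that is never followed by the client's handshake-completing ACK is counted as embryonic, per source address. The log lines (one legitimate handshake and one source leaving four connections half-open) and the threshold are constructed for the demo.

```python
"""Count half-open (embryonic) TCP connections per source to spot a SYN flood."""
from collections import defaultdict

# Constructed packet summaries: FLAGS SRC_IP:PORT -> DST_IP:PORT
SAMPLE_LOG = """\
SYN 192.0.2.10:40001 -> 198.51.100.5:5060
SYN-ACK 198.51.100.5:5060 -> 192.0.2.10:40001
ACK 192.0.2.10:40001 -> 198.51.100.5:5060
SYN 203.0.113.7:1001 -> 198.51.100.5:5060
SYN-ACK 198.51.100.5:5060 -> 203.0.113.7:1001
SYN 203.0.113.7:1002 -> 198.51.100.5:5060
SYN-ACK 198.51.100.5:5060 -> 203.0.113.7:1002
SYN 203.0.113.7:1003 -> 198.51.100.5:5060
SYN-ACK 198.51.100.5:5060 -> 203.0.113.7:1003
SYN 203.0.113.7:1004 -> 198.51.100.5:5060
SYN-ACK 198.51.100.5:5060 -> 203.0.113.7:1004
"""


def parse_line(line: str):
    """'FLAGS src -> dst' -> (flags, src, dst)."""
    flags, src, _, dst = line.split()
    return flags, src, dst


def half_open_connections(log_text: str) -> dict:
    """Return {client_ip: {(src, dst), ...}} for connections still embryonic.
    A connection becomes half-open when the client's SYN is seen and is closed
    out when the client's final ACK of the handshake arrives. The server's
    SYN-ACK does not change the client's state."""
    pending = {}                                    # (src, dst) -> client ip
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flags, src, dst = parse_line(line)
        if flags == "SYN":
            pending[(src, dst)] = src.rsplit(":", 1)[0]
        elif flags == "ACK":
            pending.pop((src, dst), None)           # handshake completed
    per_client = defaultdict(set)
    for key, ip in pending.items():
        per_client[ip].add(key)
    return per_client


def flood_sources(log_text: str, threshold: int = 3) -> list:
    """Client IPs holding at least `threshold` embryonic connections."""
    return sorted(ip for ip, conns in half_open_connections(log_text).items()
                  if len(conns) >= threshold)


if __name__ == "__main__":
    print("suspected SYN flood sources:", flood_sources(SAMPLE_LOG))   # ['203.0.113.7']
```

In a real capture the source addresses of a SYN flood are usually spoofed, so the per-source count is most useful against the half-open backlog of the target as a whole; the same bookkeeping works if the key is the destination instead of the client IP.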
Transitive trust: trusting another server or device for authentication.
It is trust that is transmitted through another party.
They inspect the call signaling and open up pinholes in the firewall for the negotiated voice media to flow through.
Application-Layer Gateways (ALG).
It is advisable to use a private address space that is specific for VoIP instead of using