Cisco ASA5520-UC-BUN-K9 Data Sheet
Data Sheet
© 2010 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 2 of 8
Restricting access to the Cisco Unified Communications Manager servers significantly reduces the risk of an attacker probing the system for vulnerabilities or exploiting access through unauthorized network channels. Cisco ASA 5500 Series Adaptive Security Appliances are voice- and video-aware, and can inspect and apply policy to the protocols (SIP, SCCP, H.323, and MGCP) used in modern unified communications. Older network access control mechanisms, such as access control lists (ACLs), cannot process these more complex protocols with the granularity and dynamism required by most organizations.

Unlike traditional data applications, unified communications protocols dynamically negotiate how to communicate by exchanging port information within the signaling control channel. Static access control mechanisms such as ACLs cannot track which ports to open and must therefore apply weak access controls, limiting the ability to implement effective access policies.

Cisco ASA 5500 Series Adaptive Security Appliances can dynamically track the authorized connections that should be opened, and then close the connections as soon as the session has ended. This level of control, combined with other intelligent services such as voice-protocol-aware Network Address Translation (NAT), distinguishes the Cisco ASA 5500 Series from older platforms that are not suited to the requirements of modern unified communications protocols.
Threat Prevention
The Cisco ASA 5500 Series protects Cisco Unified Communications applications from a range of common attacks that can threaten the integrity and availability of your system. These attacks include call eavesdropping, user impersonation, toll fraud, and denial of service (DoS). Many of these attacks (in particular, DoS) can be launched by sending malformed protocol packets at your unified communications call-control systems and applications.

Cisco ASA 5500 Series appliances perform protocol conformance and compliance checking on traffic destined to critical unified communications servers. For example, the appliances can help ensure that media flowing through the appliance is truly voice media (RTP), or prevent attackers from sending malicious voice signaling that could crash your call-control systems. By helping to ensure that signaling and media comply with standard RFCs, the Cisco ASA 5500 Series provides an effective first line of defense for your critical systems.
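As an added illustration (not Cisco code, and a deliberate simplification of the appliance's real inspection engine) of the two behaviours described above, signaling-driven pinhole tracking and RTP conformance checking: the model reads the media IP and port from the SDP carried in SIP INVITE and 200 OK messages, opens pinholes only for those endpoints, closes them when the BYE arrives, drops packets whose RTP version field is wrong, and is contrasted with a static ACL that has to leave the whole RTP port range open. The SIP messages and RTP packets are constructed samples.

```python
import re

# Constructed sample signaling for one call (not captured traffic): the caller's
# INVITE and the callee's 200 OK each carry SDP naming their RTP media port.
INVITE = ("INVITE sip:bob@example.com SIP/2.0\r\nCall-ID: abc123@10.0.0.5\r\n"
          "Content-Type: application/sdp\r\n\r\nv=0\r\nc=IN IP4 10.0.0.5\r\n"
          "m=audio 20000 RTP/AVP 0\r\n")
OK_200 = ("SIP/2.0 200 OK\r\nCall-ID: abc123@10.0.0.5\r\n\r\nv=0\r\n"
          "c=IN IP4 10.0.0.9\r\nm=audio 24000 RTP/AVP 0\r\n")
BYE = "BYE sip:bob@example.com SIP/2.0\r\nCall-ID: abc123@10.0.0.5\r\n\r\n"
RTP_OK = bytes([0x80, 0x00, 0x12, 0x34]) + bytes(8)  # version 2, minimal 12-byte header
RTP_BAD = bytes(12)                                   # version bits 0: not RTP

def static_acl_allows(dst_port):
    """What a static ACL is forced to do: open the whole RTP range for every host."""
    return 16384 <= dst_port <= 32767

class SipAwareFirewall:
    """Simplified model of signaling-aware pinhole tracking plus RTP conformance."""
    def __init__(self):
        self.pinholes = {}  # Call-ID -> set of (ip, port) media endpoints

    @staticmethod
    def media_endpoints(message):
        """Read c= (IP) and m= (port) from the SDP body; RTCP sits on port+1."""
        ip, endpoints = None, set()
        for line in message.splitlines():
            if line.startswith("c=IN IP4 "):
                ip = line.split()[2]
            m = re.match(r"m=(?:audio|video) (\d+) RTP/AVP", line)
            if m and ip:
                port = int(m.group(1))
                endpoints.update({(ip, port), (ip, port + 1)})
        return endpoints

    def signal(self, message):
        """Inspect a SIP message: open pinholes from its SDP, close them on BYE."""
        call_id = re.search(r"^Call-ID:\s*(\S+)", message, re.M).group(1)
        first = message.split(None, 1)[0]
        if first in ("INVITE", "SIP/2.0"):  # request or response carrying SDP
            self.pinholes.setdefault(call_id, set()).update(self.media_endpoints(message))
        elif first == "BYE":
            self.pinholes.pop(call_id, None)  # session ended: close its pinholes

    def allow_media(self, dst_ip, dst_port, payload):
        """Pass a packet only to a negotiated endpoint, and only if it looks like RTP."""
        if not any((dst_ip, dst_port) in eps for eps in self.pinholes.values()):
            return False
        return len(payload) >= 12 and payload[0] >> 6 == 2  # RTP version field must be 2
```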
In addition to checking protocol conformance, the multifunction security services of the Cisco ASA 5500 Series can be extended to provide intrusion prevention services. The Cisco ASA 5500 Series Advanced Inspection and Prevention Security Services Module (AIP SSM) applies hardware-based intrusion-prevention-system (IPS) features to inbound traffic to stop known attacks against unified communications call-control and application servers. A set of unified communications IPS signatures is available to protect against Cisco Unified Communications Manager and Cisco Unified Communications Manager Express Product Security Incident Response Team (PSIRT) vulnerabilities, giving your IT administrators immediate protection without needing to patch unified communications servers right away. The combination of protocol conformance and intrusion prevention provides a robust network-layer defense against common unified communications threats.
Network Security Policy Enforcement
Your unified communications deployments are probably subject to the security policy requirements established by your organization's security department. With the sophisticated unified communications security features of the Cisco ASA 5500 Series, your organization can apply granular, application-layer policies to the unified communications traffic to meet security compliance requirements. For example, your business can permit or deny calls from specific callers or domains, or can apply specific black lists or white lists. As another example, you can extend your network policies to endpoints and applications to allow only calls from phones registered to the call-control server or to deny applications such as instant messaging over SIP.