Datasheet

All contents are Copyright © 1992–2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
application-layer policies to the unified communications traffic to meet security compliance
requirements. For example, businesses can permit or deny calls from specific callers or domains,
or can apply specific blacklists or whitelists. Network policies can be extended to endpoints and
applications; for example, allowing only calls from phones registered to the call control server or
denying applications such as instant messaging over SIP.
Service Protection
Maximizing uptime is a critical security concern for most organizations. The Cisco ASA 5500
Series is a high-performance, highly available (Active-Active and Active-Standby) platform, and
offers rate limiting services to prevent overloading or DoS attacks against the unified
communications infrastructure.
Voice and Video Encryption Services
For compliance or security policy reasons, organizations can be required to provide confidentiality
to voice and video traffic. End-to-end encryption often leaves network security appliances “blind” to
media and signaling traffic, which can compromise access control and threat prevention security
functions. This can result in a lack of interoperability between the firewall functions and the
encrypted voice, leaving businesses unable to satisfy both of their key security requirements.
The Cisco ASA 5500 Series is unique in its support of an encryption proxy solution (Transport
Layer Security [TLS] Proxy) for Cisco Unified Communications systems. Because the platform is a truly
integrated and trusted device within the Cisco Unified Communications Manager authentication domain, voice
and video endpoints can trust it and securely authenticate and encrypt traffic. The Cisco
ASA 5500 Series, as a proxy, is able to decrypt these connections, apply the required threat
protection and access control, and help ensure confidentiality by re-encrypting the traffic onto the
Cisco Unified Communications Manager servers. This integration provides organizations with the
flexibility to deploy all of the required security countermeasures rather than to settle for an
inadequate subset.
The Cisco ASA also supports flexible, secure connectivity using SSL or IPsec VPN services that
enable secure, high-speed voice and data communications among multiple office locations or
remote users. The Cisco ASA 5500 Series supports quality of service (QoS) features to enable
reliable, business-quality delivery of latency-sensitive applications such as voice and video. The
QoS policies can be applied on a per-user, per-group, per-tunnel, or per-flow basis so that the
proper priority and bandwidth restrictions are applied to voice and video flows. In addition,
pre-connection posture assessment and security checks help ensure that VPN users do not
inadvertently bring attacks to the network.
Deployment Topologies
As shown in Figure 1, the Cisco ASA 5500 Series can be used across the network to protect the
call control system, endpoints, applications, and the underlying infrastructure from attacks. These
topologies include:
Protection of call control servers: By controlling access from clients to these servers, the
Cisco ASA 5500 Series can prevent malicious or unauthorized network connections from
being made that could impact performance or availability. By statefully inspecting the
connections to ascertain that they meet the access control policy and the connection
conforms to expected behavior, the Cisco ASA platform provides a first line of defense for a
secure unified communications deployment.