News Release

Cisco Earns Top Rating in Challenging VoIP Security Test

May 26, 2004

SAN JOSE, Calif., May 28, 2004 - Cisco Systems® today announced that its Internet Protocol (IP) telephony system has earned the highest security rating awarded by Network World in its recently published article on the topic.

Cisco's "secure" rating was the result of tests conducted by Network World Lab Alliance members Miercom and independent security consultant Rodney Thayer on the Cisco IP telephony system and Layer 2/3 infrastructure. The Cisco IP telephony system sustained three days of grueling, round-the-clock tests conducted by sophisticated "hackers" looking for security vulnerabilities.

"Cisco proved it can build a Voice over IP (VoIP) network that sophisticated hackers were not able to break or even noticeably disturb," said Ed Mier, president of Miercom, a leading network consultancy and product test center. "Cisco's 'secure' rating was the highest of all the vendors who participated," Mier added. "Cisco has set the bar that other IP telephony vendors will now try to reach. Overall, the IP telephony industry should derive great comfort from these test results."

The Network World Lab Alliance partners tested the Cisco CallManager-based system, the core of its IP Communications system, as well as two entries from Avaya. The full results of the security test have been published in Network World at: http://www.nwfusion.com/reviews/2004/0524voipsecurity.html?page=1.

About the Test

The objective of the attacks was to disrupt IP phone communications. Via each of the assault points, the hackers used scanning tools and techniques to discover what they could about the topology and then launched numerous sophisticated Denial of Service attacks. The attacks attempted to disable devices and functions at all network layers. After three full days of testing on the Cisco CallManager system, no perceptible disruption was achieved, according to Miercom. All the capabilities and features that Cisco employed in its test system are currently available to customers.

The hacker team consisted of coordinated local and remote assailants who delivered a "moderate intensity" assault. A set of ground rules limited the hackers to using only existing tools available on the Web and restricted their access to several specific assault points. The hackers operated with no prior knowledge of the internal network or configuration.

For Cisco, this accomplishment marks another major milestone for its IP Communications business.

"Winning this security test on the heels of two recent victories in competitive public reviews clearly positions Cisco as having the best overall IP PBX system in the world," said Don Proctor, vice president and general manager of the Cisco Voice Technology Group. "This security evaluation was grueling and featured a sophisticated series of tests designed to uncover security vulnerabilities. The results speak for themselves. They validate that as the network's strategic importance increases and the need to protect critical business applications is amplified, the Cisco Self-Defending Network strategy of identifying, defending and adapting to security threats is a highly reliable way to protect your IT infrastructure and critical business applications."

Keys to Success

Miercom tested the Cisco CallManager 4.0 system, which contains a number of new security enhancements. The IP-based call processing engine extends the capabilities of the Cisco intelligent self-defending network to better protect Cisco IP Communications systems and provide improved business resilience. New industry-standard digital certificates in Cisco CallManager 4.0 confirm the identity of network devices to help protect against entry of rogue system users. New standards-based authentication and encryption have been added to Cisco CallManager 4.0 and Cisco IP phones, providing end-to-end privacy and integrity of voice communications.

Business resilience has also been enhanced with the new Cisco Security Agent (CSA), which is a key component of Cisco's overall security strategy. CSA provides proactive and adaptive threat protection for Cisco telephony applications, servers and desktop computing systems. It brings together multiple levels of security functionality by combining host intrusion prevention, distributed firewall, malicious mobile code protection, operating system integrity assurance, and audit log consolidation all within a single agent package. Cisco CallManager 4.0 customers, as well as Cisco Unity and Cisco IP Contact Center customers, receive all of these additional levels of safety and protection for their converged networks at no extra cost.

The Cisco IP Communications system tested by Miercom was built around a resilient Cisco data network infrastructure configured according to the Cisco SAFE blueprints for secure communications. This included a strong complement of Layer 2 security features such as DHCP Snooping, Dynamic ARP Inspection, IP Source Guard, Port Security and VLAN ACLs; stateful firewalls with application inspection capabilities; policers to limit DoS and distributed DoS attacks; and out-of-band management.