UDS resource authentication

mmenozzi
Cisco Employee

Hi team,

Assuming that I'm not an expert in the development area, and especially not in APIs, I got a question from a financial customer that I really don't know how to address.

Question raised from this link

https://developer.cisco.com/site/user-data-services/overview/authentication/

The customer is complaining that the UDS API resources are not secure.


Here is the story: this customer is approaching a Mobile Remote Access UC architecture and would like to develop an application that leverages the UDS API to allow external users to search contacts in this application and not in CUCM. The reason is that CUCM is currently (and correctly, in my view) limited in terms of contact sync.

OK, no problem: if you have a third party that supports UDS, maybe we can do that, but looking at the page above they got scared. They saw that several resources don't require user authentication in the HTTP session, so they are complaining because these APIs don't guarantee that transactions or access to some resources are all authenticated, and their security department currently asks for this.

I really don't know what to say. I don't even understand very well the differences in terms of resources; however, I kindly ask you what could be the best approach to give feedback here without making them too disappointed.

thanks

regards

Marco

4 Replies

Mark Stover
Cisco Employee

Is there some particular resource they are worried about?

The information that's available is all obtainable from the system through other means without authentication, which is why this was designed this way. When you come through MRA, you have to auth before you can access it, too.

Mark

Thanks Mark.

Even though MRA requires authentication beforehand, they are worried about the fact that some resource access is not checked whilst other resource access is.

My lack of knowledge of UDS doesn't allow me to reply to them in a comfortable way, as I also don't know the differences between the UDS resources available and why just some of them are "authenticated".

Would you be able to describe the meaning of these resources and why, in your opinion, some of them don't require authentication?

Marco

The information in those resources identifies the available resources in the cluster just like the phone configurations that you get over TFTP without authentication. They also include directory information, like the IP phones do, without authentication. These are also read-only resources, you cannot make any changes. You have to authenticate before you can make changes via UDS. I understand that there can be concern over information being available without authentication, but you have to look at what is being made available before you can decide if this is a security risk or not.

I would not consider them a risk, but I can appreciate that some customers might.

I believe there is a roadmap item to add authentication to all resources, but it is not in 11.0.

Mark
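One way to turn the answer above into something the customer's security team can verify on their own cluster, rather than trusting the documentation page: an added example for this thread (not Cisco's code and not posted by either participant) that requests each UDS resource path twice, once anonymously and once with HTTP Basic credentials, and reports which paths the node serves with no login at all. The paths in SAMPLE_PATHS, the host name and the service account are assumptions; take the real resource list from the UDS documentation linked in the question. The probe only issues GETs, so it checks the read-only resources the reply talks about; exercise the write-side resources (which should require authentication) against a lab cluster, not production.

```python
"""Audit which UDS resource paths a CUCM node serves without HTTP authentication.

Added example for this thread, not Cisco code.  SAMPLE_PATHS are assumptions;
replace them with the resource list from the UDS documentation.
"""
import base64
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Assumed UDS resource paths used as the default probe list (not from the thread).
SAMPLE_PATHS = [
    "/cucm-uds/version",
    "/cucm-uds/servers",
    "/cucm-uds/users?name=smith",
    "/cucm-uds/clusterUser?username=smith",
]

# A fetcher performs one GET and returns the HTTP status code.  It is injected so
# the audit logic can also be exercised offline with a table-backed stand-in.
Fetcher = Callable[[str, Optional[str]], int]


@dataclass
class Finding:
    path: str
    anon_status: int   # status of the GET with no Authorization header
    auth_status: int   # status of the GET with Basic credentials

    @property
    def verdict(self) -> str:
        return classify(self.anon_status, self.auth_status)


def basic_auth_header(user: str, password: str) -> str:
    """Build the value of an HTTP Basic Authorization header."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def classify(anon_status: int, auth_status: int) -> str:
    """Label a resource from the status codes of the anonymous and authenticated GETs."""
    if anon_status == 200:
        return "unauthenticated"        # readable with no credentials at all
    if anon_status in (401, 403) and auth_status == 200:
        return "authenticated"          # challenged anonymously, served with credentials
    if anon_status in (401, 403) and auth_status in (401, 403):
        return "credentials rejected"   # test account lacks rights; re-check the account
    if anon_status == 404 and auth_status == 404:
        return "not present"            # path does not exist on this version
    return f"unexpected ({anon_status}/{auth_status})"


def urllib_fetcher(base_url: str, timeout: float = 10.0) -> Fetcher:
    """Real fetcher over HTTPS with certificate verification.  Plain http:// is
    refused because the Basic credentials would cross the network in clear text."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("UDS probes must use https://; refusing to send credentials in clear")
    ctx = ssl.create_default_context()

    def fetch(path: str, auth_header: Optional[str]) -> int:
        req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
        req.add_header("Accept", "application/xml")
        if auth_header:
            req.add_header("Authorization", auth_header)
        try:
            with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code

    return fetch


def table_fetcher(table: Dict[str, Tuple[int, int]]) -> Fetcher:
    """Offline stand-in: table maps path -> (anonymous status, authenticated status)."""
    return lambda path, auth_header: table[path][1 if auth_header else 0]


def audit(paths: List[str], fetch: Fetcher, auth_header: str) -> List[Finding]:
    """GET each path without and then with credentials; one Finding per path."""
    return [Finding(p, fetch(p, None), fetch(p, auth_header)) for p in paths]


def unauthenticated_paths(findings: List[Finding]) -> List[str]:
    """The list a security team actually wants: what is readable with no login."""
    return [f.path for f in findings if f.verdict == "unauthenticated"]


if __name__ == "__main__":
    import getpass
    import sys
    base, user = sys.argv[1], sys.argv[2]   # e.g. https://cucm.example.com svc-uds
    header = basic_auth_header(user, getpass.getpass("UDS password: "))
    for f in audit(SAMPLE_PATHS, urllib_fetcher(base), header):
        print(f"{f.verdict:22} {f.anon_status}/{f.auth_status}  {f.path}")
```

Run it once from inside the corporate network and once through the Expressway edge address to see whether MRA actually interposes authentication on the paths the node itself serves anonymously; the "unauthenticated" list, together with a copy of what each of those resources returns, is the concrete input the security team needs to decide whether the exposed directory data is acceptable.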

Hi Mark

sorry for the delay in getting back to you, I have been stuck with other urgent topics on the same customer.

Thanks for the honest feedback. I will try to make the customer understand the same. Their security team is very challenging; I am also facing a bunch of questions around certificate contents and so on. It's an endless story.

As soon as they see there could be a potentially insecure HTTP session inside the corporate network, they immediately complain.

cheers

Marco