This document covers some of the best practices methodologies you should put into operation to secure and prevent Toll fraud on Cisco Unified Communications Manager Express and the IP Phones connected to the network.
How to secure Cisco Unified CME and IP Phones?
After-hours calling Restrictions
Call Transfer Restrictions
Call Forward Restrictions
Class of Restrictions (COR)
Securing GUI access on CME
Strict ephone Registration
Deny external traffic on Voice signaling ports
Disable ephone Auto-registration
Configuration examples are based on Cisco Unified CME Version 8.6.
1. After-hours Calling Restrictions
Cisco Unified CME enables you to configure toll restriction policies based on time and date. You can configure the calling policies so that the users are not allowed to make calls to predefined numbers during certain hours of the day and outside business hours.
CME1(config-telephony)# after-hours day Mon 20:00 08:00
CME1(config-telephony)# after-hours day Tue 20:00 08:00
CME1(config-telephony)# after-hours day Wed 20:00 08:00
CME1(config-telephony)# after-hours day Thu 20:00 08:00
CME1(config-telephony)# after-hours day Fri 20:00 08:00
CME1(config-telephony)# after-hours day Sat 12:00 12:00
CME1(config-telephony)# after-hours day Sun 12:00 12:00
Blocks calls outside of business hours, Monday to Friday before 8 am and after 8 pm.
This command disables the call transfer to any destination POTS or VOIP.
CME1(config)# ephone-template 2
CME1(config-ephone-template)# transfer max-length 4
This command specifies the maximum number of digits a user can dial when a call is transferred.
CME1(config)# ephone 10
CME1(config-ephone)# ephone-template 1
CME1(config)# ephone 20
CME1(config-ephone)# ephone-template 2
3. Call Forward Restrictions
For an attacker, the most convenient way to exploit a phone system for toll fraud is to have an insider do a call-forward to certain destinations. To restrict the number of digits that can be dialed by CME, you can use the call forward restriction feature.
CME1(config)# ephone-dn 60
CME1(config-ephone-dn)# number 5001
CME1(config-ephone-dn)# no forward local-calls
This feature restricts the call forward to local calls
This restricts the number of digits that can be dialed by CME during Call forward.
4. Class of Restrictions (COR)
Class of Restriction (COR) in CME is identical to voice gateways. You can apply the COR list in ephone-dn in addition to dial-peers.
CME1(config)# ephone-dn 10
CME1(config-ephone-dn)# number 1001
CME1(config-ephone-dn)# cor incoming internal
CME1(config-ephone-dn)# cor outgoing local
5. Securing GUI access on CME
SSL for HTTP (HTTPS) provides server authentication, encryption and message integrity to allow secure HTTP communications. SSL also provides HTTP client authentication. It is highly recommended to have Cisco Unified CME GUI interface secured with HTTPS access.
CME1(config)# ip http authentication AAA | TACACS | local
Default HTTPS port is 443, which can be changed to a higher port (none-1024) port number.
5. Strict ephone Registration
CME should be configured to enable only Cisco Unified IP Phones in the trusted domain (inside zone) for registration. You can use the strict-match option in ip source-address command so that only locally attached IP Phones can get register to CME.
CME1(config-telephony)# ip source-address 10.85.102.160 port <2000/5060> strict-match
In addition block TCP ports 2000-2002 and 5060 from the WAN to prevent external SCCP/SIP phone registration with CME.
6. Deny External Traffic on Voice signaling ports
CME1(config)# ip access-list extended BlockTraffic
CME1(config-ext-nac1) deny tcp any any range 2000 2002
CME1(config-ext-nac1) deny tcp any any eq 5060
CME1(config-ext-nac1) permit ip any any log
CME1(config)# interface FastEtherner 1/0
CME1(config-if)# ip access-group BlockTraffic in
7. Disable ephone Auto-Registration
CME enables auto-registration of ephones by default. This implies that new Cisco Unified IP Phones that try to register with CME are auto-registered with DN auto-assigned and are able to make calls immediately. You can disable auto-registration to prevent toll fraud.
CME1(config-telephony)# no auto-reg-ephone
Restricting SIP Phone Auto Registration : For SIP Phones you must configure the system so that the SIP endpoints must authenticate with a username and password
CME1(config)# voice register global
CME1(config-register-global)# mode cme
CME1(config-register-global)# source-address 10.85.102.152 port 5060
Good day, We are planning to upgrade unity connection from 9.1 to 12.5 currently Unity 9.1 is hosted on esxi version is 6.0 We wish to upgrade esxi to version 6.5we know UC 9.1 is not compatible with esxi 6.5, however if we should upgrade t...
Hi There, We are trying to install CUCM PUB 12.5 and we are struck on the black blank screen from past two hours. we can wee RAM is being utilized 100% and CPU is around 20%. Is this normal? If yes, how long we have to wait until this black screen is...
A customer has a Jabber Directory Integration with LDAP. From the Jabber search, he should be able to search users by various other LDAP Attributes. The feature generally works (e.g. he can search for a City, and it will show him all users that have the C...
HelloIn the macro framework, is there a way I can register to the HttpClientResult response after I send an HTTP get request?In putty, affter sending a xcommand HttpClient get, I get this:*r HttpClientGetResult Body: example I would like to get that ...
I'm struggling to understand why the From in our outbound INVITE to our primary ITSP is using the IP address of our secondary ITSP, instead of the IP address of our CUBEs sending interface. INVITE from Jabber to CUBE is fine:Received:INVITE sip:80781...