
Community Tech-Talk Series - Understanding Cisco Unified Communications Security


The Community Tech-Talk series is all about discussing and sharing insights on specific topics, selectively chosen from the most common conversation themes happening in the community for our technology area.

I decided to discuss "Understanding Cisco Unified Communications Security" to address some of your most talked-about concerns, primarily those reflected in the community discussions, pertinent to the security of the Cisco Unified Communications solution.

(Image: UC security tech talk.png)

Cisco Unified Communications Solution Security – Overview

The long-waged war between TDM and IP Telephony is over, and the winner is: VoIP! Once looked down upon, IP-based communications and UC adoption have changed and continue to change the communications paradigm. As more and more organizations adopt IP Telephony / Unified Communication (UC) solutions, they savor the potential of the power of connectivity, lower costs, and improved productivity. It can’t be denied that business agility is the mantra for success in an increasingly competitive and global environment, and UC helps organizations attain internal and external stakeholder satisfaction by enabling them to embed communications and collaboration into business processes. Collaboration with customers, employees, contractors, and strategic partners helps accelerate time‐to-market, informed decision making, and innovation, resulting in world-class business agility.

However, along with the obvious benefits of UC come a number of threats, because VoIP is built on data networks, which have been under attack ever since the conception of the Internet. There’s not one but many threats pertinent to your UC solution, from something as simple as eavesdropping to something as complex as a Denial of Service (DoS) attack. Within the context of a UC solution, the whole ecosystem must be secured: business-process-driven communications, network infrastructure, UC applications, endpoints, and management. And it must be done in a manner that upholds protection of intellectual property and proprietary information, preserves corporate brands and reputations, and complies with all applicable laws and regulations.

This blog is dedicated to help you understand the need for UC security and to comprehend the various intricacies of securing a Cisco UC solution.

How to Secure Cisco UC Solution?

The key to a secure Cisco UC solution is to treat voice, data, and video communications as a single, coherent system and to implement a multilayered, uniformly applied defense construct for the system infrastructure, call control, applications, management, and endpoints. In other words, adopt the Defense-in-Depth approach. Every organization needs a different level of security for its data, information assets, and UC elements. For example, a school or a university may require a lower level of security than a bank, which will set higher security standards for its clients.

The security mechanism for a UC network should be a layered solution, with multiple security controls at multiple levels within the network, application, endpoints, and so on. This defense‐in‐depth approach minimizes the likelihood of a single point of failure, which could otherwise compromise overall security. The bottom line being, the confidentiality, integrity, and availability (CIA) of critical UC and network resources must be ensured and the security features should be transparent to the end user, possibly simple to administer, standards‐based, and cost‐effective.

Organizations should examine UC security from a business vision and goal attainment perspective by defining usage policies for data, voice, conferencing, Instant Messaging (IM), presence, and other services. The UC security policy/strategy must be aligned with and balanced against business risks. Essentially, the UC-specific security policy becomes a guideline and stepping stone to enable enterprise-wide security for a UC solution. Figure 1 portrays the ideal approach to defense-in-depth.

Figure 1           Cisco UC Security Pyramid (image: Security construct.jpg)

A UC security policy as illustrated in figure 1 is a result of existing security gaps and security assessment and should be in line with an organization’s processes, vision, and goals.

With end-to-end security construct in mind, let’s look at the various threats against which this construct will protect your UC solution.

Threats around UC Network

There’re a host of threats around UC networks and table 1 covers the most common threats pertinent to Cisco UC networks.

Table 1             Threats pertinent to Cisco UC networks

Threat | Events / Symptoms | Impact on UC Solution / Organization
Toll fraud | Unauthorized resource usage, illegitimate long distance / international calling | Loss of revenue - huge telecom bills
Eavesdropping | Leakage of sensitive / confidential information | Loss of confidentiality
Identity Spoofing | Spoofing of someone's identity (e.g. MAC, IP) | Loss of confidentiality and integrity
Call Hijacking | Calls hijacked from legit to hacker's platform | Loss of integrity, confidentiality
Denial of Service | Legitimate users denied from using voice services | Loss of service (availability)
Unsolicited Calling (SPIT) | Spamming of IP PBX, Voicemail | Loss of service (availability)
RTP Injection | Injecting malformed packets in active RTP stream | Loss of integrity, confidentiality
Vhishing | Unsolicited calling - probing for user account detail, and password | Loss of confidentiality
Physical assault | Physical sabotage / damage | Loss of information and service

Security Construct for Secure Cisco UC Network

To achieve end-to-end security for a Cisco UC solution, everything from perimeter access to user endpoints to peripheral gateways to UC servers to firewalls to physical access should be secured. This is depicted in figure 2.

Figure 2           End-to-End Security Construct (image: End to end security Cisco UC network.jpg)

Table 2             Cisco UC Security – Relevant Cost, Complexity, and Security

The original table arranges the controls for each protected entity across three tiers: Low, Medium, and High Security, Cost, and Complexity. The controls are listed here per protected entity.

Network Infrastructure

  • Basic network layer ACLs
  • Data and Voice VLAN segregation
  • Data and Voice SSID separation
  • Switch Port Security
  • Rate Limiting ACLs
  • Stateful inspection Firewalls
  • IOS CBAC, ZBFW
  • IPSec Tunnels
  • Scavenger QoS
  • TLS Proxy / UC Proxy
  • Intrusion Prevention / Detection, Cisco ASA AIC
  • dot1x
  • CCTV, Motion Sensors

UC Applications

  • OS Hardening (Windows Servers)
  • Antivirus (Windows Servers)
  • Class of Restriction
  • Strong Password / PIN Management Policy
  • Phone Setting Restriction
  • Host Intrusion Prevention (HIPS)
  • User Groups / Roles (MLA)
  • Forced Authorization Codes
  • Signed Firmware and Configuration Files
  • SRTP for media / TLS for Signaling
  • IPSec to gateways / Firewalls
  • Secure Conference Calls
  • Encrypted TFTP Transfer

UC Endpoints

  • Restricted Settings Access
  • Disable PC Voice VLAN / Voice VLAN Span
  • VPN Phone
  • MIC based secure media / signaling
  • Secure Network Admission (NAC)
  • SRTP for media / TLS for Signaling
  • LSC based secure media / signaling

Management

  • Segregation of management VLAN
  • SSH Access to managed devices
  • Secure RDP
  • AAA for management access
  • Out of Band management network

Table 2 summarizes the various security controls which can be applied at various layers for attaining a secure UC solution.

In a nutshell, the following are recommended best practices and security controls for designing and deploying secure Cisco IP telephony networks.

Physical Security

  • Guards at data center or facility fringe
  • Badge access to data center for authorized personnel only.
  • Doors and windows with break proof glass
  • CCTV cameras
  • Equipment secured in racks in data center and in closets at user access level
  • Uninterrupted Power Supply for servers and network gear

Switching Layer Security

  • Segregation of Data and Voice VLAN (PVID, VVID)
  • Switch Port Security
  • Dynamic ARP inspection (DAI)
  • DHCP snooping
  • Dot1x - Network Access Control
  • VLAN pruning

Routing Layer Security

  • Routing protocol authentication
  • Secure access to router GUI (HTTPS)
  • Filtering of RFC 1918 addresses (at aggregation from untrusted networks)
  • Route poisoning prevention
  • Layer 3 QOS for segregating intended traffic from scavenger/malicious traffic
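The routing-layer items above (protocol authentication, HTTPS-only device GUI, RFC 1918 filtering at the untrusted edge) can be shown in one IOS router fragment. This is an added example, not configuration from the original post or from Cisco; interface names, addresses, the OSPF key placeholder and the management subnet are assumed, and the scavenger QoS item is not shown.

```cisco
! Added example (not from the original post). Interface names, addresses,
! the key placeholder and the management subnet are assumed.
!
! Routing protocol authentication: OSPF MD5 toward the branch/WAN peer,
! so a forged neighbor cannot poison the routing table
interface GigabitEthernet0/0
 description WAN link to branch (OSPF neighbor)
 ip address 198.51.100.1 255.255.255.252
 ip ospf message-digest-key 1 md5 <OSPF-KEY>
 ip ospf authentication message-digest
!
router ospf 1
 router-id 198.51.100.1
 ! Require authentication on every interface in area 0, not just one link
 area 0 authentication message-digest
 ! No hellos on user-facing or untrusted interfaces: nothing can adjacency there
 passive-interface default
 no passive-interface GigabitEthernet0/0
!
! Untrusted (Internet-facing) side: RFC 1918 sources are not valid here
interface GigabitEthernet0/1
 description Untrusted network / Internet aggregation
 ip address 203.0.113.2 255.255.255.252
 ip access-group BLOCK-RFC1918-IN in
!
ip access-list extended BLOCK-RFC1918-IN
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 permit ip any any
!
! Device GUI over HTTPS only, reachable from the management subnet only
no ip http server
ip http secure-server
ip http access-class 10
access-list 10 permit 192.0.2.0 0.0.0.255
```

`show ip ospf neighbor` after the change should still list the branch peer; a neighbor that drops to INIT or disappears after authentication is enabled indicates a key mismatch on the far side. The `log` keyword on the deny entries makes any RFC 1918 source arriving from the untrusted side visible in syslog, which is the detection side of this control.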

Perimeter Security

  • Cisco ASA for zoning in enterprises (Inside, Outside, DMZ) and filter traffic from / to Internet
  • IPSec/SSL VPN based off Cisco ASA Firewall and IOS routers
  • UC proxy services (TLS proxy/Phone proxy)
  • Cisco ASA Application Inspection Control
  • Network Intrusion Prevention System (NIPS)

CUCM Security

  • Encrypted media and signaling
  • Secure access to GUI (HTTPS)
  • Secure LDAP integration
  • Secure voicemail integration
  • Secure Trunks
  • External CA Integration
  • SSO solution Integration
  • Role based management and user access (MLA)

Unity Connection Security

  • TLS for signaling and SRTP for media
  • Secure access to GUI (HTTPS)
  • Secure LDAP integration
  • Secure integration with call control
  • External CA Integration
  • SSO solution Integration

Presence Security

  • TLS for signaling and SRTP for media
  • Secure access to GUI (HTTPS)
  • Secure integration with call control
  • Secure LDAP integration
  • External CA Integration
  • Secure CUPC

Cisco Unified IP Phone Security

  • Locally Significant Certificates (LSC), Manufacturing Installed Certificates (MIC)
  • Secure network admission (dot1x)
  • Restricted access to settings
  • Secure WiFi admission (WPA, WPA2)
  • Phone hardening
  • VPN Phone

Network Management Security

  • Secure access to network equipment and servers – Segregate management VLAN/Network
  • SSH, SCP, SFTP, HTTPS for secure management access
  • Well defined backup and restore processes, and disaster recovery program
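The management-plane items above (and the Management row of Table 2) come together in the following IOS fragment: a dedicated management VLAN, SSH-only access restricted to management hosts, AAA with local fallback, SCP for backups and off-box logging. This is an added example, not configuration from the original post or from Cisco; the hostname, domain, VLAN, addresses, server names and secret placeholders are assumed.

```cisco
! Added example (not from the original post). Hostname, domain, VLAN,
! addresses, server names and secret placeholders are assumed.
hostname ACC-SW-01
ip domain-name example.com
! The RSA key pair is generated from exec mode, not config mode, before SSH
! can be enabled: crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Segregated management VLAN / SVI; user VLANs carry no management traffic
interface Vlan99
 description Management
 ip address 192.0.2.50 255.255.255.0
!
! AAA: TACACS+ for login, exec and command authorization, accounting of
! privileged commands, with a local account as fallback only
aaa new-model
tacacs server ISE-TACACS
 address ipv4 192.0.2.20
 key <TACACS-SHARED-SECRET>
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
username admin privilege 15 secret <LOCAL-FALLBACK-PASSWORD>
!
! Only management hosts may open a session, and only over SSH (no telnet)
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
 deny   any log
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
 logging synchronous
!
! SCP for configuration backups over the SSH session (no clear-text TFTP/FTP)
ip scp server enable
!
! Ship logs off-box with timestamps so tampering on the device stays visible
logging host 192.0.2.30
logging trap informational
service timestamps log datetime msec localtime show-timezone
```

Keep one working session open while applying the AAA and VTY lines and verify from a second session that the TACACS+ login succeeds (`show aaa servers` shows the server as UP); only then save the configuration, so a typo in the ACL or server key cannot lock every administrator out.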

Summing up

While UC solutions have obvious benefits such as rapid ROI realization, lower TCO, and services which help connect internal and external stakeholders when it matters most, there’re unseen risks involved which, if not taken care of in time, can be devastating. UC solutions share the underlying network infrastructure’s weaknesses. Fortunately, the host of threats that come by nature of the network and VoIP’s requirements can be satisfactorily alleviated by leveraging an end-to-end security construct, provided organizations realize the risks and manage them via a holistic, enterprise-wide security architecture. The Defense-in-Depth concept helps combat both internal and external threats that pester the sanctity of your UC network. The whole idea is to consider voice, data, and video communications as a singular unified system and to implement a multilayered, uniformly applied defense construct for the system infrastructure, call control, applications, endpoints, and management network. This minimizes the possibility that a failure of one or more components in the security construct could compromise overall security. Moreover, treating the development of a UC security program as a collaborative, cross‐organizational project involving teams from various technical areas within and outside the organization helps build a network which can withstand a flurry of attacks. All in all, it’s your UC network, and it’s you who should be in control of it and the services it delivers, not someone else!

Watch the Tech-Talk and check out the Presentation Slides

Hope the blog was informative and proves useful for understanding Cisco UC Security specifics as well as designing, deploying, and managing secure Cisco UC networks. Please do share your feedback and opinion via the comments section below.

Thank you for reading the blog!

Additional References:

Securing the life line of your organization - IP Communications (Cisco IP Telephony Solutions):

https://supportforums.cisco.com/community/netpro/collaboration-voice-video/ip-telephony/blog/2012/09/25/securing-the-life-line-of-your-organization--ip-telephony-solution

Best Practices for Deploying Secure Cisco IP Telephony Solutions:

http://www.ciscopress.com/articles/article.asp?p=1966660

Ask the Expert – Cisco Unified IP Phone Security:

https://supportforums.cisco.com/thread/2182313

Chalk Talk: An Insight into Cisco IP Telephony Security Controls (TS Newsletter Oct 2012):

https://supportforums.cisco.com/docs/DOC-27154

Cisco IP Telephony Security Framework:

http://www.ciscopress.com/articles/article.asp?p=1946177

Chalk Talk: An Insight to Cisco Unified Communications Manager (CUCM) Certificates:

https://supportforums.cisco.com/community/netpro/collaboration-voice-video/ip-telephony/blog/2013/02/23/chalk-talk-an-insight-to-cisco-unified-communications-manager-cucm-certificates

Securing Cisco IP Telephony Networks – A Reference, A Guide, and A Companion

Unified Communications is slowly but surely becoming part of the modern-day organization’s day-to-day operations. In fact, some organizations depend on it to the extent that their core business or processes are based on IP communications. Sadly though, the security aspect pertinent to the IP-based communications network, applications, and underlying infrastructure is usually not taken into consideration (or is ignored) when enterprises and businesses think of deploying unified communications. While it’s easier to build security into the design before deployment of a UC network, many organizations and stakeholders either tend to shy away from it (due to complexity, cost, or manpower) or just keep it aside for later discussion (which never happens, or only happens when there’s a security exploit).

It's only natural to think about the security of your network or a network you have designed or deployed. Cisco IP Telephony networks are no different, and they need their share of security to ensure that things work out the way you planned them and not how an attacker plans them to work for his motives.

Now, there's a manual, a reference, a guide, and most importantly - a companion to assist you with all security related questions, configuration, and design issues, pertinent to Cisco UC.

Securing Cisco IP Telephony Networks empowers you to lay out a plan for securing your Cisco UC network, plan a 360 degree defense construct, and protect vital IT assets ranging from network perimeter to layer 2 to layer 3 to UC applications to UC endpoints. This book is an indispensable resource for Cisco UC and Security engineers, consultants, administrators, architects, and executives, who are tasked with ensuring security of enterprise / SMB UC solutions.

(Image: Book Cover.jpg)

The book is available as a paperback edition or eBook (epub, PDF, Kindle format) at Cisco Press, Amazon, Barnes and Noble, and various leading online and offline stores.

http://www.amazon.com/dp/1587142953

http://www.ciscopress.com/title/9781587142956

http://www.barnesandnoble.com/w/securing-cisco-ip-telephony-networks-akhil-behl/1109153076

Author Bio

(Image: Akhil Behl - Headshot Picture.jpg)

Akhil Behl is a Solutions Architect with Cisco Advanced Services, focusing on Cisco Collaboration and Security Architectures. He leads collaboration and security projects worldwide for Cisco Advanced Services and the Collaborative Professional Services (CPS) portfolio. Prior to his current role, he spent ten years working in various roles at Linksys as a Technical Support Lead, as an Escalation Engineer at Cisco Technical Assistance Center (TAC), and as a Network Consulting Engineer in Cisco Advanced Services. Akhil has a bachelor of technology degree in electronics and telecommunications from IP University, India, and a master’s degree in business administration from Symbiosis Institute, India.

Akhil is a dual Cisco Certified Internetwork Expert (CCIE No. 19564) in Voice and Security. He also holds many other industry certifications, such as Project Management Professional (PMP), Information Technology Infrastructure Library (ITIL) professional, VMware Certified Professional (VCP), and Information Security Management. He’s a prolific speaker and over the course of his career, he has presented and contributed in various industry forums such as Interop, Enterprise Connect, Cloud Connect, Cloud Summit, Computer Society of India (CSI), Cisco Networkers, IT Expo, and Cisco SecCon. He has several research papers published to his credit in various international journals.

He is the author of Cisco Press title ‘Securing Cisco IP Telephony Networks’ which is available as paperback and in eBook edition.

http://www.amazon.com/dp/1587142953

http://www.ciscopress.com/title/978158714295

1 Comment

Hello everyone, 

Please, I need these four courses. I have the old documents dated from 2013, but I need the updated courses so that I can write the exam. Any help? Thanks

 

700-501 SMBEN exam (2 courses):

-Partnering with Cisco for SMB Engineers

-Cisco Architectures for SMB Engineers

 

700-505 SMBAM exam (2 courses):

-Partnering with Cisco for SMB Sales

-Cisco Architectures for SMB Sales

 
