cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

AMA-CUCM Troubleshooting: Best Practices for Reading Trace Files

Tech Note: Securing Cisco Unified CME and IP Phones

2167
Views
10
Helpful
1
Comments

 

 

Introduction

 

This document covers some of the best practices methodologies you should put into operation to secure and prevent Toll fraud on Cisco Unified Communications Manager Express and the IP Phones connected to the network.

 

How to secure Cisco Unified CME and IP Phones?

 

  • After-hours calling Restrictions
  • Call Transfer Restrictions
  • Call Forward Restrictions
  • Class of Restrictions (COR)
  • Securing GUI access on CME
  • Strict ephone Registration
  • Deny external traffic on Voice signaling ports
  • Disable ephone Auto-registration

 

Configuration examples are based on Cisco Unified CME Version 8.6.

 

1. After-hours Calling Restrictions

Cisco Unified CME enables you to configure toll restriction policies based on time and date. You can configure the calling policies so that the users are not allowed to make calls to predefined numbers during certain hours of the day and outside business hours.

 

Sample configuration

 

CME1(config)# telephony-service

CME1(config-telephony)#  after-hours day Mon 20:00 08:00

CME1(config-telephony)#  after-hours day Tue 20:00 08:00

CME1(config-telephony)#  after-hours day Wed 20:00 08:00

CME1(config-telephony)#  after-hours day Thu 20:00 08:00

CME1(config-telephony)#  after-hours day Fri    20:00 08:00

CME1(config-telephony)#  after-hours day Sat   12:00 12:00

CME1(config-telephony)#  after-hours day Sun 12:00 12:00

 

Blocks calls outside of business hours, Monday to Friday before 8 am and after 8 pm.

 

CME1(config-telephony)#  after-hours block pattern 1 91900 7-24

CME1(config-telephony)#  after-hours block pattern 2 91

CME1(config-telephony)#  after-hours block pattern 3 9011

 

Calls to premium numbers, say 900 numbers are blocked all the time irrespective of the day.

 

 

2. Call Transfer Restrictions

Call transfer to VOIP or POTS ie PSTN numbers can be allowed explicitly but this may open doors for toll fraud. You can use the call transfer restriction to secure the CME.

 

Sample configuration

 

 

CME1(config)# telephony-service

CME1(config-telephony) # transfer-pattern 91919.......$

 

This limits the call transfer to numbers in area code 919 and bar transfers to any other numbers.

 

 

CME1(config)# ephone-template 1

CME1(config-ephone-template)# transfer-pattern blocked

 

This command disables the call transfer to any destination POTS or VOIP.

 

CME1(config)# ephone-template 2

CME1(config-ephone-template)#  transfer max-length 4

 

This command specifies the maximum number of digits a user can dial when a call is transferred.

 

CME1(config)# ephone 10

CME1(config-ephone)# ephone-template 1

CME1(config)# ephone  20

CME1(config-ephone)# ephone-template 2

 

 

3. Call Forward Restrictions

For an attacker, the most convenient way to exploit a phone system for toll fraud is to have an insider do a call-forward to certain destinations. To restrict the number of digits that can be dialed by CME, you can use the call forward restriction feature.

Sample configuration

 

CME1(config)# ephone-dn 60

CME1(config-ephone-dn)# number 5001

CME1(config-ephone-dn)# no forward local-calls

 

This feature restricts the call forward to local calls

 

 

CME1(config)# ephone-dn-template 10

CME1(config-ephone-template)# call-forward max-length 4

 

This restricts the number of digits that can be dialed by CME during Call forward.

 

 

4. Class of Restrictions (COR)

Class of Restriction (COR) in CME is identical to voice gateways. You can apply the COR list in ephone-dn in addition to dial-peers.

 

Sample configuration

 

CME1(config)# ephone-dn 10

CME1(config-ephone-dn)# number 1001

CME1(config-ephone-dn)# cor incoming internal

CME1(config-ephone-dn)# cor outgoing local

 

 

5. Securing GUI access on CME

SSL for HTTP (HTTPS) provides server authentication, encryption and message integrity to allow secure HTTP communications. SSL also provides HTTP client authentication. It is highly recommended to have Cisco Unified CME GUI interface secured with HTTPS access.

 

Sample configuration

 

CME1(config)# crypto key generate rsa exportable label httpkeys usage-keys 1024

CME1(config)# ip http server

CME1(config)# ip http secure-server

CME1(config)# ip http secure-port <port-number>

CME1(config)# ip http authentication AAA | TACACS | local

 

Default HTTPS port is 443, which can be changed to a higher port (none-1024) port number.

 

 

5. Strict ephone Registration

CME should be configured to enable only Cisco Unified IP Phones in the trusted domain (inside zone) for registration. You can use the strict-match option in ip source-address command so that only locally attached IP Phones can get register to CME.

 

Sample configuration

 

CME1(config-telephony)# ip source-address 10.85.102.160 port <2000/5060> strict-match

 

In addition block TCP ports 2000-2002 and 5060 from the WAN to prevent external SCCP/SIP phone registration with CME.

 

 

 

6. Deny External Traffic on Voice signaling ports

 

Sample configuration

 

CME1(config)# ip access-list extended BlockTraffic

 

CME1(config-ext-nac1) deny tcp any any range 2000 2002

CME1(config-ext-nac1) deny tcp any any eq 5060

CME1(config-ext-nac1) permit ip any any log

 

CME1(config)# interface FastEtherner 1/0

CME1(config-if)# ip access-group BlockTraffic in

 

 

7. Disable ephone Auto-Registration

CME enables auto-registration of ephones by default. This implies that new Cisco Unified IP Phones that try to register with CME are auto-registered with DN auto-assigned and are able to make calls immediately. You can disable auto-registration to prevent toll fraud.

 

Sample configuration

 

CME1(config)# telephony-service

CME1(config-telephony)# no auto-reg-ephone

 

Restricting SIP Phone Auto Registration : For SIP Phones you must configure the system so that the SIP endpoints must authenticate with a username and password

 

CME1(config)# voice register global

CME1(config-register-global)# mode cme

CME1(config-register-global)# source-address 10.85.102.152 port 5060

CME1(config-register-global)# authenticate register

 

 

Related Information

 

Comments
Collaborator

Nice Examples...

CreatePlease to create content
Content for Community-Ad
August's Community Spotlight Awards