Akhil Behl is a solutions architect with Cisco Services, focusing on Cisco Collaboration and Security architectures. He leads collaboration and security projects and service delivery worldwide for Cisco Services and the Collaborative Professional Services (CPS) portfolio. He has played a major role in service conception and creation for various services within Cisco Advanced Services. His experience spans presales, sales, Professional Services, delivery, and post-sales, with expertise in consulting, advisory, and guidance services. He has extensive experience in the borderless, collaboration, and data center portfolios. Prior to his current role, he spent 10 years working in various roles at Linksys as a technical support lead, as an escalation engineer at the Cisco Technical Assistance Center (TAC), and as a network consulting engineer in Cisco Advanced Services.
Akhil has a bachelor of technology degree in electronics and telecommunications from IP University and a master's degree in business administration from Symbiosis Institute. He is dual Cisco Certified Internetwork Expert CCIE 19564 in voice and security. He also holds many other industry certifications, such as PMP, ITIL, VCP, ISM, CCNA, CCSP, CCVP, ISO/IEC 27002, TOGAF, and CEH.
Over the course of his career, Akhil has presented and contributed at various industry forums such as Enterprise Connect, Cloud Connect, Cloud Summit, Interop, Cisco Networkers, and SecCon. He has several research papers published in various national and international journals, including IEEE. He is an avid blogger and maintains a blog about unified communications security at http://ucsecurity.wordpress.com.
Akhil is the author of the Cisco Press title “Securing Cisco IP Telephony Networks” (ISBN 1-58714-295-3).
Expert Aashish Jolly helped Akhil Behl answer a few of the questions asked during the session.
A: Certificate Authority Proxy Function (CAPF) is the core of CUCM security and enables secure signaling with Transport Layer Security (TLS) and secure media with Secure Real-Time Transport Protocol (SRTP) on the CUCM cluster. CAPF enables the endpoints to establish secure signaling with the CUCM cluster and SRTP between themselves. CAPF is also the root for the Locally Significant Certificate (LSC).
A: SRTP uses asymmetric keys. TLS also uses
A: The CA Certificate is a self-signed certificate generated by a trusted third party (CA). It is used to sign the Certificate Signing Request (CSR) and installed on the client before the signed certificate can be installed. The Identity certificate is a certificate that results from CA signing the CSR, and it is installed on the server.
A: Refer to the IP Phone Security and CTL (Certificate Trust List) document for that information.
A: The CTL client signs the CTL file with the private key (SAST) from the security token (USB token). As a result, the CTL file is created with the CTL client and signed by the Cisco Site Administrator Security Token (SAST).
A: When you create a cluster, you enter the IP address if you do not use a Domain Name Server (DNS). If you want to use an external CA in order to sign the certificate of your CUCM node, you need to use the FQDN or the hostname. This further implies that CUCM may not use an FQDN with a DNS suffix; however, DNS server records can be created to resolve the CUCM hostname to an IP address, thereby avoiding any need for a DNS client on CUCM.
A: Yes, the Subject Name can be the IP Address. In most cases, the subject name is kept as the FQDN or hostname, and an Alt Subject Name can be added (if required) as the FQDN/hostname or IP address.
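As an added example (not from the session and not Cisco tooling), the following script walks through what the two answers above describe: a self-signed CA certificate signs a node CSR whose subject is the hostname and whose Subject Alternative Name lists the FQDN and the IP address, and `openssl verify` then shows which names the resulting identity certificate is valid for. The CA name, hostname, FQDN, IP address and working directory are assumed placeholders.

```shell
#!/bin/sh
# Added example: issue a CUCM-style node identity certificate from a
# self-signed CA and check which names it verifies for.
# All names, addresses and paths below are constructed placeholders.
set -e
WORK="${TMPDIR:-/tmp}/cucm-cert-demo"
CA_CN="Example Enterprise CA"        # assumed internal CA name
NODE_HOST="cucm-pub"                 # CUCM hostname, used as subject CN
NODE_FQDN="cucm-pub.example.com"     # FQDN placed in the SAN
NODE_IP="192.0.2.10"                 # documentation-range IP placed in the SAN

# Build the CA certificate, the node CSR and the signed identity certificate.
issue_node_cert() {
  rm -rf "$WORK" && mkdir -p "$WORK" && cd "$WORK"
  # 1. Self-signed CA certificate (the "CA Certificate" in the answers above).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$CA_CN" -keyout ca.key -out ca.crt >/dev/null 2>&1
  # 2. CSR from the node: subject CN is the hostname only.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$NODE_HOST" -keyout node.key -out node.csr >/dev/null 2>&1
  # 3. SAN carrying FQDN, hostname and IP, supplied at signing time.
  printf 'subjectAltName=DNS:%s,DNS:%s,IP:%s\n' \
    "$NODE_FQDN" "$NODE_HOST" "$NODE_IP" > san.cnf
  # 4. The CA signs the CSR, producing the identity certificate.
  openssl x509 -req -in node.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -extfile san.cnf -out node.crt >/dev/null 2>&1
}

# Exit 0 only if node.crt chains to ca.crt AND matches the given DNS name.
verify_dns() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
    "$WORK/node.crt" >/dev/null 2>&1
}
# Exit 0 only if node.crt chains to ca.crt AND matches the given IP address.
verify_ip() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_ip "$1" \
    "$WORK/node.crt" >/dev/null 2>&1
}

issue_node_cert
verify_dns "$NODE_FQDN" && echo "FQDN $NODE_FQDN: OK"
verify_ip  "$NODE_IP"   && echo "IP $NODE_IP: OK"
verify_dns "other-host.example.com" || echo "other-host.example.com: rejected (not in SAN)"
```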
A: Certificate chains can be uploaded to CUCM. Refer to the Uploading a Certificate or Certificate Chain section of the Security document.
A: Yes, you need to restart the CUCM service.
A: Ideally the VPN certificate should not expire if a VPN phone works remotely, is connected to the CUCM, and is upgraded. However, if the certificate expires, the phone must be brought back to the enterprise premises, and you can download the new certificate over the trust-established connection. The CUCM upgrade does not impact the VPN phones remotely because the upgrade does not replace any certificates.
A: SCEP is not supported yet and SCEP support isn't on the roadmap.
A: This is not committed yet.
A: These are not supported as of today and not on the Roadmap.
A: SCEP is not used commonly with Cisco devices/applications and is not currently supported on any UC applications.
A: There is no SCEP support on any UC application at this time.