Ask the Expert: Securing Today’s Collaboration Environments

ciscomoderator · ‎02-22-2013

With Akhil Behl and Jason Burns

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to apply security to collaboration platforms with Cisco Experts Akhil Behl and Jason Burns. More often than not, organizations with secure data networks tend to shy away from collaboration solution security due to reasons including: - not sure of what type/level of security is required and appropriate, concern about the resources/investment required or just concerns of "breaking" things. Feel free to ask question about which methods, techniques, and strategies should be used related to securing collaboration platforms.

Akhil Behl is a Solutions Architect with Cisco Advanced Services, focusing on Cisco Collaboration and Security Architectures. He leads collaboration and security projects worldwide for Cisco Advanced Services and the Collaborative Professional Services (CPS) portfolio. Prior to his current role, he spent ten years working in various roles at Linksys as a Technical Support Lead, as an Escalation Engineer at Cisco Technical Assistance Center (TAC), and as a Network Consulting Engineer in Cisco Advanced Services. Akhil has a bachelor of technology degree in electronics and telecommunications from IP University, India, and a master's degree in business administration from Symbiosis Institute, India.

Jason Burns is a Network Consulting Engineer with Cisco Advanced Services in the Unified Collaboration Practice. His focus for the past year has been on large scale enterprise collaboration deployments with special attention paid to collaboration security through the UC Security Virtual Team initiative. Jason has 6 years of experience in the Cisco Technical Assistance Center where he was Technical Lead for the Communications Manager team.

Remember to use the rating system to let Akhil and Jason know if you have received an adequate response.

They might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event. This event lasts through March 8, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

Anas Abueideh · ‎02-22-2013

Hi,

I have a question regarding SIP security, My customer want to deploy sip trunk with a service provider. which is the best solution to deploy the trunk ? to be terminated on the call manager or any other device ?

thanks in advance

Anas

Akhil Behl · ‎02-22-2013

Hi Anas,

How are you?

While deploying SIP trunk to an ITSP, there're various considerations such as - security, survivability, ease of configuration, ease of management etc. If your primary concern is security, you are better off with Cisco Unified Border Element (CUBE) which can be deployed on IOS router or ASR platform. It provides SIP interworking with ITSP and you can have secure SIP Trunk (using secure SIP Trunk profile) from CUCM to CUBE and from CUBE to ITSP (if ITSP supports encryption). This will ensure that your internal network IP addresses are hidden from ITSP and any external entity since, CUBE will broker the connections form CUCM / internal UC applications to ITSP. All in all, you get better interworking, address hiding, ease of management, and better survivability (if CUBE is in HA).

You can refer to Securing Cisco IP Telephony Networks, Chapters 7, 9, and 14 for more information on IOS, CUCM, and CUBE security as well as various ways in which you can interoperate SIP trunks with ITSP.

http://www.amazon.com/dp/1587142953

http://www.ciscopress.com/title/1587142953

Regards,

Akhil Behl
Solutions Architect
akbehl@cisco.com

Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953

Akhil Behl Solutions Architect akbehl@cisco.com Author of “Securing Cisco IP Telephony Networks” http://www.ciscopress.com/title/1587142953

Tan kok heng · ‎02-28-2013

Hi,

i have a question regards to site to site ipsec vpn matter,

i am currently have 1 ipsec site to site vpn up and working, say "crypto map ABCD" i am about to create the second site to site vpn to another vendor say"crypto map "XYZ", but i found out that my router serial interface (public interface) already have a crypto map "ABCD", when i try to key in crypto map "XYZ" on the same interface and it replace to crypto map "ABCD".

in short, i am trying to create second site to site, how could i do the crypto map portion and public serial interface?

Thank you very much

Akhil Behl · ‎03-01-2013

Hi Tan,

How're you?

If you have a crypto map say, mymap, you need to create 2 instances differing by crytpo map number.

For example:

R1(config)# crypto map mymap 10 ipsec-isakmp

R1(config-crypto-map)# set peer 1.1.1.10

R1(config-crypto-map)# set transform-set myset

R1(config-crypto-map)# match address ACL1

!

R1(config)# crypto map mymap 20 ipsec-isakmp

R1(config-crypto-map)# set peer 2.2.2.10

R1(config-crypto-map)# set transform-set myset

R1(config-crypto-map)# match address ACL2

Note: This is just the crypto map instance config, not full VPN config

Now, you can apply crypto map mymap to serial interface. Since, there're 2 instances and each has it's own peer address, interesting traffic ACL, it is going to encrypt traffic when sending it from your internal network to destination network.

Regards,

Akhil Behl
Solutions Architect
akbehl@cisco.com

Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953 - See more at: https://supportforums.cisco.com/message/3864699#sthash.PAJhTGis.dpu

Akhil Behl
Solutions Architect
akbehl@cisco.com

Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953

Akhil Behl Solutions Architect akbehl@cisco.com Author of “Securing Cisco IP Telephony Networks” http://www.ciscopress.com/title/1587142953

Jason Burns · ‎03-05-2013

Anas,

In regards to your question "What will be the impact on network devices when we deploy SRTP?", Akhil mentioned the impact of the encrypted signaling to your UC devices such as CUCM.

There should be no big impact for any network device that has to pass the SRTP payload data because there is really isn't much increase in payload size for the SRTP authentication material.

Here's a common caluclation that would be performed to check your QoS settings:

G711 RTP @ 20 msec packetization = 160 byte payload @ 50 packets per second = 80 kbps of payload

With L2 + L3 overhead this is ~88kbps

http://www.cisco.com/en/US/tech/tk652/tk698/technologies_tech_note09186a0080094ae2.shtml

When you enable SRTP we add 4 bytes to the payload

G711 SRTP @ 20 mseco packetization = 164 byte payload @ 50 pps = 82 kbps payload or 90 kbps assuming Ethernet and IP overhead.

This is a negligible increase in bandwidth per call.

Endpoints that have to process the SRTP packets on the other hand such as transcoders, conference bridges, and any CUBE endpoints will have additional resource requirements to perform the encryption and decryption as Akhil mentioned.

Anas Abueideh · ‎03-01-2013

Hi,

thanks for your reply.

I have another question. if we want to deploy SRTP, what is the requirements, what the implication and consequences to the network devices ?

just to make sure, when we deploy SRTP the RTP traffic will be encrypted, right ?

Anas

Thanks in advance

Akhil Behl · ‎03-01-2013

Hi Anas,

When you are planning to deploy SRTP you need to consider a few things:

1. What is the current load on CUCM cluster (tip - calculate the current and projected number of servers using sizing tool)?

2. How many endpoints you want to secure - all or few? If few, what is the criteria to determine the type of endpoints?

3. Are you also going to need secure conferencing? If yes, that has an impact on IOS DSP resources.

4. Secure calls on SIP trunks, takes CUCM CPU and memory resources (use sizing tool to ascertain CUCM capacity)

All in all, network should be ready to support SRTP because, SIP and SCCP phones can do TLS for signaling, SRTP for media however, if you want to use gateway trunks, CUBE trunks for TLS and SRTP too, H.323 and MGCP gateways do not support secure signaling and you'll need IPSec for the same. SIP gateways can do SIP TLS.

I would recommend reading Securing Cisco IP Telephony Networks, for more info on impact on various entities, configuration best practices, and case studies.

Regards,

Akhil Behl
Solutions Architect
akbehl@cisco.com

Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953

Akhil Behl Solutions Architect akbehl@cisco.com Author of “Securing Cisco IP Telephony Networks” http://www.ciscopress.com/title/1587142953

telecominfo · ‎03-05-2013

Hello,

On Cisco telephony security advisorys and providing full fixs. There is a security advisory for Cisco IP phone vunls (cisco-sa-20130109-uipphone) demonstrated by Ang Cui - http://arstechnica.com/security/2013/01/hack-turns-the-cisco-phone-on-your-desk-into-a-remote-bugging-device/ and where workarounds in the advisory have been applied. Cisco have released few firmwares for phones for the vunls and none fix the core vunls.

'These two releases should allow administrators to sufficiently secure their voice deployments. However, Cisco is committed to investigating the feasibility of providing a long-term remediation of the core vulnerability. Over the next several months, Cisco will be performing an evaluation of portions of the 7900 series firmware to investigate courses of action that can be taken to fully mitigate the underlying root cause and to improve both the network and physical security posture of the affected devices. Cisco's goal is to provide the most secure IP telephony devices available while continuing to protect customers' investment in their existing infrastructures'

Question:

Would you know when Cisco will release a full fix to the core vunls?

Would the full fix be in the form of a firmware upgrade to handsets only or will we need to patch the CUCM aswell?

Thank you,

Akhil Behl · ‎03-05-2013

Hi,

This question has been raised a few times and the status as of today is that, Cisco is working on a fix which should be available soon.

You can view the details on the following link and follow the same for status change:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCuc83860

To answer the second part, the fix is more likely to be a phone firmware fix than a CUCM patch since, the vulnerability is at an endpoint level. However, we can only be as sure when the fix is available.

Regards,

Akhil Behl
Solutions Architect
akbehl@cisco.com

Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953

Akhil Behl Solutions Architect akbehl@cisco.com Author of “Securing Cisco IP Telephony Networks” http://www.ciscopress.com/title/1587142953

David_Beldi · ‎10-24-2017

Hello Guys,

sorry for disturbing you, my name is David, I am doing my final project on network security and i am having problems with NAT and policy based routing.

I am using only 1 cisco router(2901) basic switch and 2 servers.

Outside network is 192.168.183.0 which connects Our G0/0 (ip address 192.168.183.51) g0/1=11.0.0.1

Server 1 = 11.0.0.2

Server 2 = 11.0.0.15

we want ssh packets sent from client computer 192.168.183.220 to be sent to Server 2 (11.0.0.15)

and we want packets sent from 192.168.183.53 to be sent to server 1(11.0.0.2)

Problem we having is we don't know how to do port translation on multiple ip addresses. So different ip address can ssh into different server.

we tried multiple different types of configurations but nothing seems to be working.

at this stage we are stuck on this config:

ip nat inside source static tcp 11.0.0.15 22 int g0/0 22

ip nat inside source static tcp 11.0.0.2 22 192.168.183.51 22 route-map honR extendable

ip access-list etended hon

permit ip host 192.168.183.53 host 192.168.183.51

Route-map honR permit 10

match ip address hon

((with this configuration client 192.168.183.53 can ssh inside 11.0.0.2(using 192.168.183.51) but when we try to make client 192.168.183.220 to ssh inside 11.0.0.15(using 192.168.183.51) it still takes us to 11.0.0.2. I feel like ACL/ROute map isn't being used and it just static 1:1 Port forwarding.

Please help :)))

David_Beldi · ‎10-24-2017

Hello Guys,

sorry for disturbing you, my name is David, I am doing my final project on network security and i am having problems with NAT and policy based routing.

I am using only 1 cisco router(2901) basic switch and 2 servers.

Outside network is 192.168.183.0 which connects Our G0/0 (ip address 192.168.183.51) g0/1=11.0.0.1

Server 1 = 11.0.0.2

Server 2 = 11.0.0.15

we want ssh packets sent from client computer 192.168.183.220 to be sent to Server 2 (11.0.0.15)

and we want packets sent from 192.168.183.53 to be sent to server 1(11.0.0.2)

Problem we having is we don't know how to do port translation on multiple ip addresses. So different ip address can ssh into different server.

we tried multiple different types of configurations but nothing seems to be working.

at this stage we are stuck on this config:

ip nat inside source static tcp 11.0.0.15 22 int g0/0 22

ip nat inside source static tcp 11.0.0.2 22 192.168.183.51 22 route-map honR extendable

ip access-list etended hon

permit ip host 192.168.183.53 host 192.168.183.51

Route-map honR permit 10

match ip address hon

((with this configuration client 192.168.183.53 can ssh inside 11.0.0.2(using 192.168.183.51) but when we try to make client 192.168.183.220 to ssh inside 11.0.0.15(using 192.168.183.51) it still takes us to 11.0.0.2. I feel like ACL/ROute map isn't being used and it just static 1:1 Port forwarding.

Please help :)))