Live chat with Cisco expert Akhil Behl
November 14, 2012
When: 8:00 - 9:00 AM PST (San Francisco; UTC -8:00 hrs)
This corresponds to:
9:00 PM PKT (Pakistan, UTC +5 hrs)
9:30 PM IST (India; UTC +5:30 hrs)
11:00 PM (Indonesia; UTC +7 hrs)
Topic Details: This session will focus on the importance of security at end-point level, which can otherwise be easily exploited by an insider or an attacker to either leverage the UC services or attack the UC network. Cisco IP Telephony/Unified Communications. The session will cover security aspects of: Cisco Unified IP Phones (wired and wireless), Cisco IP Communicator, Cisco Unified Personal Communicator, and Cisco Jabber which includes endpoint and associated application / infrastructure level security.
About the Expert: Akhil Behl is a Senior Network Consultant with Cisco Advanced Services, focusing on Cisco
Collaboration and Security architectures. He leads Collaboration and Security projects worldwide for Cisco Services and the Collaborative Professional Services (CPS) portfolio for the commercial segment. Prior to his cu
rrent role, he spent 10 years working in various roles at Linksys, Cisco TAC, and Cisco AS. He holds CCIE (Voice and Security), PMP, ITIL, VMware VCP, and MCP certifications.
He has several research papers published to his credit in international journals including IEEE Xplore. He is a prolific speaker and has contributed at prominent industry forums such as Interop, Enterprise Connect, Cloud Connect, Cloud Summit, Cisco SecCon, IT Expo, and Cisco Networkers. He is the author of title ‘Securing Cisco IP Telephony Networks’ by Cisco Press http://www.ciscopress.com/title/1587142953
What is Facebook Forum?
Facebook forums are online conversations, held at a ore-arranged time on our Facebook page. It gives you an opportunity to interact with a live Cisco expert and get more information about a particular technology, service or product.
Here's a condensed summary of the November Facebook forum in a Q&A format.
Do VoIP security practices for wired and wireless networks differ? If so, can you provide some basic examples for the audience?
Yes, there's a slight variation when it comes to security of wired vs. wireless endpoints. This variation only lies in the fact that wireless endpoints only converse with WAP or WLC's for the first mile and then are on wired infrastructure. So essentially, the security applied for wired endpoints at switch port translates to security applied for SSID at WAP/WLC. Moreover, wired endpoint to RADIUS (for 802.1x) and wireless endpoint to RADIUS conversation also leverages same schema. Overall, the difference is very less and specifics come into play for wireless vs. wired endpoints. For an in-depth view for wired vs. wireless security construct please refer to 'Securing Cisco IP Telephony Networks' http://ciscopress.com/title/1587142953
What could be the cause of one side RTP?
The causes could be various ranging from asymmetric routing to codec negotiation issues to firewall blocking traffic from higer to lower security zone (typically happens with non ALG aware firewalls)
Why to worry about endpoint security at all?
The endpoint security is important since, it is one of the least concerned aspects of most organizations. While, a CUCM or an IOS router may be staged in a Data Center and protected form physical threats and direct abuse/exposure from users/visitors, endpoints such as IP Phones are exposed to abuse, physical risks, and misuse by insiders (trusted employees) and outsiders. Un secured endpoints are an excellent gateway into a network, revealing multiple attack vectors, eventually leading to a compromised network security posture. Hence, endpoint security is as essential as security of UC applications, network elements, perimeter etc.
Talking about endpoint security, in your opinion, is it more difficult to harden a CUCM (CallManager) or CUCME (CallManager Express) installation, not taking in consideration the LAN network or IP Phones?
I would ideally not compare the two as one leverages the other i.e. UC applications or devices leverage the underlying network without which they simply cannot operate. With that said, if security is implemented only at network level and not at Call-Control level, it becomes difficult to restrain attacks at latter. On the other hand, if the security is applied at Call-Control level only and not at network level, it will only stop attacks towards the former while network will be exposed. So, to achieve a true 360 degree security for a UC network, it's essential to have security applied at various places from endpoints to access switches to distribution to core to DC access to applications to perimeter. Again, the level of security applied may vary from one organization to another depending on their will to invest (time, manpower, money) as well as the need for security. E.g., for a Govt dept level fo security will be high whereas for a school, it'll be comparatively low.
What are the various Cisco Unified Communications endpoints worth considering to be secured?
The various endpoints which can be secured (not a comprehensive list of all the models) are:
1. Cisco Unified IP Phones 69XX, 79XX, 89XX, 99XX (wired) and Cisco Unified IP Phones 792X (wireless)
2. Cisco IP Communicator
3. Cisco Unified Personal Communicator
4. Cisco Jabber for desktop, mobiles, and tablets
What can be done to secure an endpoint from a rogue user or malicious outsider?
The answer to this question is not a single but multilevel construct. Defense of an endpoint can be as simple as physical security and as complex as enabling 802.1x for secure network admission. There are various levels of protection pertinent to Cisco UC endpoints such as:
1. Physical theft security
2. Layer 2 secure admission
3. Restricting settings access
4. Disabling built-in web browser
5. Disabling computer registry access (for soft phones)
6. Enabling TLS for signaling and SRTP for media (CAPF)
7. Enabling secure web services
8. Enabling secure TFTP
9. Enabling Trusted Relay Point (TRP) for soft phones
10. Enrolling with third party CA for LSC
11. Cisco ASA UC Proxy for secure VLAN traversal
What type of information can the web server of an endpoint can reveal?
The built-in web server of a Cisco Unified IP Phone can give away a plethora of information to a malicious insider or outsider. This information can allow the attacker to know about the IP Phone subnet, TFTP server(s), CUCM call-control servers, SRST reference(s), and so on, which in turn the attacker can leverage to initiate an attack against the UC infrastructure and applications.
To know about the types of threats to Cisco Unified IP phones and other endpoints as well as about the mitigation techniques, refer to – Securing Cisco IP Telephony Networks http://www.amazon.com/gp/product/1587142953
What are the certificates used for security of an endpoint?
Cisco Unified IP Phone leverages 2 types of certificates namely: Manufacturing Installed Certificates (MIC) and Locally Significant Certificates (LSC). While, MIC are Cisco manufacturing installed and correspond to Cisco CA as root, LSC are installed by CAPF process and are linked to CAPF as root.
Toll-fraud seems to be a very hot topic when it comes to securing VoIP networks. What advice can you give an engineer to ensure his company doesn't fall a victim of Toll-Fraud?
Yes toll-fraud is an epidemic since PBX days. It can be encountered by following methods:
1. By ensuring that after-hours calling policy comes into play (time of day routing) on CUCM and/or CUCME
2. By hardening the endpoints - disable or restrict settings options, disable webserver, disable GARP, and so on
3. By implementing proper Class of Restriction (COR) at CUCM/CUCME level
4. By using stron password and pin policies for VM accounts and user credentials
5. By using EMxtension mobility profile where possible to ensure user gets right privileges only when logged in
6. By implementing security at VM ports and restricted dial-out from VM
7. By securing trunks to/from SBC, CUCM, gateways and so on
Can you also let us know a bit more about your book. How can it help an administrator, cisco engineer or IT manager in their workplace ?
The book 'Securing Cisco IP Telephony Networks' is geared towards Cisco UC/IPT/Security engineers, administrators, architects, consultants, decision makers, and execs tasked with making decision for their UC networks. It fills in an otherwise prominent void in the space of UC and Security where these two realms meet. It's a guide and a reference for anyone interested in Cisco IP Telephony security and acts as a primer for beginners and a reference for experience professionals! The full review of the book and details are available @ Securing Cisco IP Telephony Networks: http://www.firewall.cx/site-news/913-book-review-secure-voip-networks.html
Where can I find more information on this topic?
For more information on Cisco endpoint security and Cisco UC Security you can refer to following URLs -
Cisco IP Phones Security Overiew: http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/8_6_1/secugd/secuphne.html
Here's a link to the forum archive on Facebook:
Link to the actual Facebook forum that took place:
Here's the link to the event announcement page on Facebook