
Security best practice for segregating call control from endpoints

Habdo94
Level 1

Hello,

I'm quite new to the Cisco world, so my apologies for my lack of knowledge on the matter.

I'd like to consult the community to check whether there are any existing security best practices that provide guidance on how to best segregate, at the network level, the "call control" components, in particular the Unified Communications Managers (aka Call Managers), from the VoIP endpoints. I've found some documentation about the Cisco Preferred Architecture showing the figure below, where we can see that those two components are indeed separated from each other:

[Image: Cisco Preferred Architecture figure, call control shown separated from the endpoints]

Source: Preferred Architecture for Cisco Collaboration 14 On-Premises Deployments, Design Overview - Cisco


However, there are no details about how best to segregate those two components in practice.

I'm asking that question because we currently have both the call managers and the VoIP endpoints residing in the same VRF behind a firewall, within a bigger network that itself has its head firewall and still sits behind a DMZ with its own firewall. We do have concerns about compromised endpoints (which are disseminated somehow everywhere, as this is quite a large organisation with 10k+ employees and a bunch of locations, and hence potentially easily accessible to a malicious user) being able to easily reach the call managers and compromise their vital function. I could not find any recommendation or guidance about that.


I've thought about some options; I would be glad to receive your opinion on those or a better alternative:

- Option 1: simply creating a dedicated VLAN for the call managers and a dedicated VLAN for the endpoints, still within this VRF.

- Option 2: same as option 1 but with an extra firewall for each VLAN?

- Option 3: moving the endpoints to another existing VRF containing all endpoints, and creating a new VLAN within this endpoints VRF dedicated to the VoIP endpoints.

- Option 4: same as option 3 but again with an extra firewall for each VLAN for better security and traffic monitoring/filtering.

- Option 5: creating a totally new VRF behind a firewall where all the VoIP endpoints are moved (could be with a VLAN per location/site).


In advance, many thanks for your help!

Cheers,


4 Replies

Not a complete answer to all of your questions, but at a minimum you should have your endpoints in a different VLAN than your UC servers. This is because the operating system on the UC servers has a very limited number of MAC addresses it can handle in its ARP cache; 2000 is the last number I've heard for this. If you have more endpoints than that in the same network as the servers, they will be flushed from the cache periodically and this could cause issues for the endpoints.


Hi,

We've recently deployed a UC infrastructure for a large customer where they created a dedicated UC Server Zone on their firewall, allowing traffic from phones allocated in a dedicated VLAN per area (Finance, HR, Development etc.) with dedicated subnets, so they also control and easily identify where a certain IP traffic comes from.

They also created a set of rules for clients running the Jabber/Webex App to allow only the specific traffic needed to serve the UC application.

Administration of CUCM and the other UC components has been allowed only from the VRF that IT Support/Management relies on.


In general, UC applications should be allocated in a secure zone, even considering that they could be reachable from outside through e.g. Expressway for hybrid services such as MRA, B2B calls or a hybrid deployment with Webex services, while VoIP endpoints should be allowed to talk to each other without restriction. Lastly, clients (PC/laptop) should be secured with a dedicated endpoint protection solution, not only considering UC services.


My 2 cents.


Regards


Carlo

Please rate all helpful posts "The more you help the more you learn"

Habdo94
Level 1

Hello,

Many thanks for your (much appreciated) reactions! This gives already some insight.

Based on your feedback, I'd say in summary that a minimum viable solution would consist of at least segregating the VoIP endpoints from the Call Managers via dedicated VLANs. This will resolve, among other things, the issues you mentioned.

I'm looking forward to receiving additional feedback to see whether it would make sense to go further and:

- have those dedicated VLANs that will be created terminating at a firewall (not entering into the details about what type of FW nor how yet, I just want to validate the concept now), knowing that the VRF where those VLANs will be already terminates at a firewall; my concern here is rather that, while this will probably allow better monitoring and filtering of traffic from/to endpoints/CMs, firewalling voice traffic might quickly become a nightmare if the cascaded FW rules are not properly configured and maintained (which may lead to some latency, performance issues or complete call blocking...)

- have the VoIP Endpoints completely moved to another distinct VRF, and here two alternatives are possible:

   (1) either relying on the already existing VRF for all endpoints (users/computers/toolbox) but still creating new VLAN(s) dedicated to VoIP Endpoints

   (2) or within a new VRF to be created and dedicated to VoIP Endpoints.

Thanks again for your very helpful suggestions!

Best regards,

Hi,

Usually, for traffic between IP phones and endpoints, I would do L3 routing at the L3 core or distribution level without struggling at the FW level with a bunch of rules. As previously mentioned, client endpoints should be protected with a dedicated solution.

So...

Clients and IP phones on dedicated VRFs (one for clients and one for VoIP, on different VLANs) with L3 terminating on the core/distribution switch. Both VRFs on a dedicated FW interface as default GW.

Please let me know if it makes sense.


Regards


Carlo


Please rate all helpful posts "The more you help the more you learn"
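The design Carlo describes in his two replies (a UC server zone on the firewall with a restrictive rule set, phones and clients in separate VRFs with L3 terminating on the core switch and a dedicated firewall interface as default gateway) as configuration, added here as an illustration and not taken from the thread or from Cisco documentation; VRF names, VLAN numbers, addresses, port naming and the firewall interface name are all assumed.

```cisco
! --- Core/distribution switch (IOS-XE): L3 terminates here, one VRF per device class ---
vrf definition VOICE
 address-family ipv4
 exit-address-family
vrf definition CLIENTS
 address-family ipv4
 exit-address-family
!
vlan 110
 name VOIP-PHONES-HQ
vlan 210
 name CLIENTS-HQ
!
! Phone and client SVIs sit in different VRFs, so they can only meet through the firewall
interface Vlan110
 vrf forwarding VOICE
 ip address 10.110.0.1 255.255.255.0
interface Vlan210
 vrf forwarding CLIENTS
 ip address 10.210.0.1 255.255.255.0
!
! Each VRF gets its own routed uplink to a dedicated firewall interface (assumed addressing)
interface GigabitEthernet1/0/1
 no switchport
 vrf forwarding VOICE
 ip address 10.255.1.2 255.255.255.252
interface GigabitEthernet1/0/2
 no switchport
 vrf forwarding CLIENTS
 ip address 10.255.2.2 255.255.255.252
ip route vrf VOICE 0.0.0.0 0.0.0.0 10.255.1.1
ip route vrf CLIENTS 0.0.0.0 0.0.0.0 10.255.2.1
!
! --- Firewall (ASA syntax), interface VOICE faces the VOICE VRF uplink ---
! Phones reach the UC server zone on signalling/provisioning ports only (SCCP 2000,
! SIP 5060/5061, TFTP 69, HTTP config download 6970); phone-to-phone RTP stays
! inside the VOICE VRF on the switch and never touches these rules.
object network VOIP-PHONES
 subnet 10.110.0.0 255.255.0.0
object network UC-SERVERS
 subnet 10.20.0.0 255.255.255.0
access-list VOICE-IN extended permit tcp object VOIP-PHONES object UC-SERVERS eq 2000
access-list VOICE-IN extended permit tcp object VOIP-PHONES object UC-SERVERS range 5060 5061
access-list VOICE-IN extended permit udp object VOIP-PHONES object UC-SERVERS eq 5060
access-list VOICE-IN extended permit udp object VOIP-PHONES object UC-SERVERS eq 69
access-list VOICE-IN extended permit tcp object VOIP-PHONES object UC-SERVERS eq 6970
access-list VOICE-IN extended deny ip any any log
access-group VOICE-IN in interface VOICE
```

The final deny-with-log line is what gives the traffic visibility the original post asks for; DNS, NTP, DHCP relay, secure (TLS) phone provisioning, CTI and the Jabber/Webex client rules from the CLIENTS VRF each need further entries taken from the port reference for your CUCM release.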