Security Features in CUCM 12.5

DuBu
Level 1

Hi 

We currently have CUCM/IMP/CUC (SCCP integration) version 12.5. Wanted to understand what security features are enabled by default in these versions. What are the benefits of Mixed mode vs Non Secure mode? What is the maximum in terms of Security that we can achieve in CUC (SCCP integration)?

Any documentation explaining the Security Features enabled on CUCM/IMP/CUC would be helpful.

Thanks in Advance

 

 


Jonathan Schulenberg
Hall of Fame

TL;DR: Mixed mode with CAPF gets you up to four things:

  • TLS encryption of SIP/SCCP between an endpoint and CUCM
  • SRTP encryption of media - assuming both call participants are configured to support call encryption.
  • TFTP config file encryption
  • 802.1x certificate-based authentication, wired or wireless.

Without it all you get are digitally signed TFTP config files to prevent spoofing that could proxy the phone through a malicious call control agent. This is the ITL architecture - and it borrows many concepts from the CTL with CAPF.

Be warned: CAPF requires real work to set up initially and maintain thereafter! The biggest gotcha is that LSCs do not renew automatically; you must initiate the renewal and the phone must be registered for it to work. Phones will unregister and stop working if their LSC expires! There is a BAT job to do this in bulk, usually once every few years per Device Pool.

Also worth mentioning that CUCM 14 introduced OAuth tokens as an alternative to CAPF LSCs. A huge advantage is that they auto-renew every 60 days if the phone is online. They only accomplish the first two of the four bullets above though.
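
The renewal caveat in the reply above (LSCs must be renewed by hand, only registered phones can renew, and the bulk job runs per Device Pool) can be tracked with a small planning script. This is an added example, not part of the original reply and not Cisco code; the inventory, its column names and the 90-day window are constructed assumptions, not a CUCM export format.

```python
import csv
import io
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample inventory; the column names are hypothetical,
# not a CUCM export format.
SAMPLE_INVENTORY = """device_name,device_pool,registered,lsc_not_after
SEP001122334455,DP-HQ,yes,2025-03-01
SEP00AABBCCDDEE,DP-HQ,no,2025-02-10
SEP0011AA22BB33,DP-Branch,yes,2027-06-30
SEP00FFEE112233,DP-Branch,no,2024-12-15
"""


def plan_lsc_renewal(inventory_csv, today, window_days=90):
    """Sort phones into renewal buckets per Device Pool.

    renew   : LSC expires within the window and the phone is registered,
              so an operator-initiated renewal can reach it.
    offline : LSC expires within the window but the phone is not
              registered; renewal cannot complete until it is back online.
    expired : LSC validity has already ended.
    """
    cutoff = today + timedelta(days=window_days)
    plan = defaultdict(lambda: {"renew": [], "offline": [], "expired": []})
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        not_after = date.fromisoformat(row["lsc_not_after"])
        if not_after > cutoff:
            continue  # outside the renewal window, nothing to do yet
        if not_after < today:
            bucket = "expired"
        elif row["registered"].strip().lower() == "yes":
            bucket = "renew"
        else:
            bucket = "offline"
        plan[row["device_pool"]][bucket].append(row["device_name"])
    return dict(plan)


if __name__ == "__main__":
    report = plan_lsc_renewal(SAMPLE_INVENTORY, date(2025, 1, 15))
    for pool, buckets in report.items():
        print(pool, buckets)
```

The `offline` bucket is the one to chase first: those phones need to be brought back into a registered state before their LSC lapses.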