Securing Unity Connection 7.X

Unanswered Question
Jun 28th, 2010

Hi All!

One of our financial customers is asking us to provide him with information regarding the security and encryption level of the messages stored on the Unity Connection 8.x.

He wants to know if the messages (VM) stored on the server are or could be encrypted. He also wants to know the level of the encryption if available.

He is a bit scared about the possibility for unauthorized persons to steal or play a message remotely and the risk of gaining unauthorized access to the message store that could give the ability to steal critical information.

Would you be so kind as to share with me the following information about the Unity Connection 7.x platform:

• Type of file storing the messages (wav, …)

• Type of encryption that could be deployed on the message store

• Ways of hardening the access to the message store and enforcing the security of the platform (please share your best practices)

Regards

Nicolas

David Hailey Thu, 07/01/2010 - 14:54

For message security options, a good reference starter is here: http://www.cisco.com/en/US/docs/voice_ip_comm/connection/7x/administration/guide/7xcucsag210.html

As for accessing CUC, a few things:

1) For the Platform Administrator ID (used to log in via console/SSH to CLI), ensure that you use a strong password.

2) Use separate accounts for administrative access to the web administration vs. user access to user web applications (PCA, etc.). Additionally, CUC has "roles" that can be assigned to administrative or end user accounts to limit what a user can or cannot access.

3) Use the credential policies to set up a policy for administrative accounts and end user accounts.  Make sure web password enforcement is strong (min 8 characters, no trivial passwords) and the same for end user voicemail passwords (e.g., min of 6 digits, no trivial passwords).  You can also age out passwords so that administrators and/or users have to change their voice mail password (for phone) and web application password at a specific interval (e.g., 30/60/90 day), etc.

4) The other thing to look for is that you do not run the DB Proxy service unless you need to (it allows access to the DB remotely via a user with a Remote Administrator role assigned). This is used for COBRAS migrations, etc., and is not typically needed day-to-day.

5) You can also lock down SMTP access to CUC using access lists (within CUC).  Alternatively, you can allow untrusted SMTP connections but require authentication using TLS.

That should get you started.

Hailey

Please rate helpful posts!
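
The credential baseline from point 3 of the answer above, as an added Python example that is not part of the thread and not Cisco's implementation: it checks proposed voicemail PINs and web passwords against the stated minimums. The tests for "trivial" (repeated blocks, consecutive runs, the extension or alias embedded in the credential) and the sample accounts are assumptions made for this example.

```python
import re

# Baseline from the answer: web password >= 8 chars, voicemail PIN >= 6 digits,
# neither trivial. The "trivial" tests below are assumptions of this example.
MIN_WEB_LEN, MIN_PIN_LEN = 8, 6

def _is_sequence(s, alphabet):
    """True if s is a run of neighbours in alphabet, ascending or descending."""
    return len(s) > 1 and (s in alphabet or s in alphabet[::-1])

def _is_repeated_block(s):
    """True if s is one block of 1-3 characters repeated, e.g. 777777, 121212."""
    return re.fullmatch(r"(.{1,3})\1+", s) is not None

def pin_findings(pin, extension=""):
    """Return the reasons a voicemail PIN fails the baseline (empty = pass)."""
    if not (pin.isascii() and pin.isdigit()):
        return ["not digits only"]
    findings = []
    if len(pin) < MIN_PIN_LEN:
        findings.append(f"shorter than {MIN_PIN_LEN} digits")
    if _is_repeated_block(pin):
        findings.append("repeated digit pattern")
    if _is_sequence(pin, "01234567890"):
        findings.append("consecutive digits")
    if extension and (extension in pin or extension[::-1] in pin):
        findings.append("contains the user's extension")
    return findings

def web_password_findings(password, alias=""):
    """Return the reasons a web password fails the baseline (empty = pass)."""
    findings, lowered = [], password.lower()
    if len(password) < MIN_WEB_LEN:
        findings.append(f"shorter than {MIN_WEB_LEN} characters")
    if _is_repeated_block(password):
        findings.append("repeated character pattern")
    if _is_sequence(lowered, "abcdefghijklmnopqrstuvwxyz") or _is_sequence(password, "01234567890"):
        findings.append("consecutive characters")
    if alias and alias.lower() in lowered:
        findings.append("contains the user's alias")
    return findings

# Constructed sample rows: (alias, extension, PIN, web password).
SAMPLE = [("jsmith", "4101", "121212", "jsmith2010"),
          ("operator", "4000", "400011", "abcdefgh"),
          ("nadmin", "4102", "580274", "t7#Lq2vRw9")]

if __name__ == "__main__":
    for alias, ext, pin, pw in SAMPLE:
        print(alias, pin_findings(pin, ext), web_password_findings(pw, alias))
```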
