ASK THE EXPERT- DEPLOYING SECURITY ON IP COMMUNICATIONS NETWORK

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss deploying security on IP communications network with the Cisco expert Greg Moore. Greg is a senior technical marketing engineer in Cisco’s IP Communications Business Unit focusing on Voice Security. He began his tenure at Cisco as a systems engineer in 1997. Remember to use the rating system to let Greg know if you have received an adequate response.

Greg might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through April 23. Visit this forum often to view responses to your questions and the questions of other community members.

12 REPLIES
New Member

Re: ASK THE EXPERT- DEPLOYING SECURITY ON IP COMMUNICATIONS NETW

Hello,

I have a simple question regarding Cisco CallManager security. I hope you don't mind, because it is not directly related to security on an IP communications network.

Can you tell me anything about SSL (HTTPS) support for the CallManager administration and user pages?

TIA and regards,

Voipguy

New Member

Re: ASK THE EXPERT- DEPLOYING SECURITY ON IP COMMUNICATIONS NETW

HTTPS for secure remote administration and user access to CallManager is roadmapped for a future release. Please contact your local Cisco account manager about discussing the details under an NDA agreement.

Silver

Re: ASK THE EXPERT- DEPLOYING SECURITY ON IP COMMUNICATIONS NETW

Hi Greg,

What are the best practices for securing CallManager (and Unity, if I may ask)? More specifically, I have the CSA agent on both servers and have attempted to put access-lists on the router to add an extra layer of security. Basically, the data VLAN users can't get to the Unity server (on the data VLAN) or the CCM on the voice VLAN.

Problem is the TSP for dialing from Outlook, Unity's PCA, Unity's Viewmail for Outlook and other applications need access to the servers.

Should specific ports be opened for these applications or should access-list security be replaced with another security measure?

Thanks

New Member

Re: ASK THE EXPERT- DEPLOYING SECURITY ON IP COMMUNICATIONS NETW

I'm going to have to wait for the west coast guys to wake up to get a specific answer to your Unity question. More generally, the specific ACL configuration information you're looking for is contained in the SAFE IPT doc that can be found at www.cisco.com/go/safe. An update to that document is pending which will have new ACLs for a variety of deployment scenarios.

Greg

Silver

Re: ASK THE EXPERT- DEPLOYING SECURITY ON IP COMMUNICATIONS NETW

That's GREAT information. Thanks.

Looking forward to the Unity equivalent. (PCA, VMO, etc.)

thanks

New Member

Re: ASK THE EXPERT- DEPLOYING SECURITY ON IP COMMUNICATIONS NETW

Hi again. Sorry it took me a couple of days to get back to you. Here's a link to a Securing Unity whitepaper that talks about what ports to open in an ACL and how to deal with dynamic RPC ports.

http://www.cisco.com/en/US/products/sw/voicesw/ps2237/products_white_paper09186a00801c129d.shtml

If you have additional questions after reading it, let me know and I'll get you in touch with the Unity folks who can help you directly.

Greg

Re: ASK THE EXPERT- DEPLOYING SECURITY ON IP COMMUNICATIONS NETW

Hello Greg,

I am wondering about end-to-end encryption for IP phone calls. It is my understanding that in CM 4.0 one can have an encrypted conversation, but this is only supported on the 7970 phones. Is full encryption of all streams between all models of phones something that is on the roadmap?

Thanks in advance!

New Member

Re: ASK THE EXPERT- DEPLOYING SECURITY ON IP COMMUNICATIONS NETW

Cisco is securing signaling with TLS and media with SRTP. More specifically, the TLS signaling is secured with X.509v3 certificates, RSA signatures, HMAC-SHA-1 authentication tags and AES-128 encryption. SRTP uses AES-128 for both authentication and encryption.

In CallManager 4.0, the 7970 does certificate authentication and encryption of both signaling and media. The 7940 and 7960 do certificate authentication of signaling.

The 7940 and 7960 are roadmapped for encryption of signaling and media in a pending release of CallManager. None of the other currently shipping phone models are roadmapped for authentication or encryption.

New Member

Re: ASK THE EXPERT- DEPLOYING SECURITY ON IP COMMUNICATIONS NETW

Hello,

I am confused about the Cisco IPCC Agent Desktop in the IPCC Solution. Please help us to understand more about Cisco IPCC Agent Desktop, Cisco IPCC Agent Desktop with media termination, and Cisco Softphone.

When I want to build the IPCC with Cisco IPCC Agent Desktop, do I need to buy the Cisco IP Softphone for the agents? (We only use the Softphone for the agents; we don't use the Softphone for any other staff.)

If we don't buy the Softphone, can the IPCC work? How can the CallManager manage the CAD? As I know, with the IP Phone, when the agent logs in, the ICM notifies the CallManager to let it manage the IP Phone.

With the IPCC, how can we integrate the Softphone and Cisco Agent Desktop?

Thanks,

Kim Phong.

New Member

Re: ASK THE EXPERT- DEPLOYING SECURITY ON IP COMMUNICATIONS NETW

Let me ask about partitions in CCM.

I'm not quite sure what the relation of Calling Search Spaces to Partitions is.

And where exactly should partitions be applied: to route patterns or to phone lines?

Are partitions required to control dialing rights (who can dial what), or can it be controlled by Calling Search Spaces only?

Regards, and thanks in advance

Tomasz

ps. CCM 3.3.4

New Member

Re: ASK THE EXPERT- DEPLOYING SECURITY ON IP COMMUNICATIONS NETW

Fundamentally, a partition is a subset of all the DNs in a system. A calling search space is a list of partitions that any given device can call.

By way of simple example, let's say I had two partitions called Inside and Outside. Outside would match the 9.@ route pattern. Employee phones would have a calling search space called Both that would include both the Inside and Outside partitions. Lobby phones and other phones with public access would have a calling search space called Inside-Only that only has the Inside partition. Those phones would not be able to dial any number starting with 9.

Obviously there's a lot more to it than that. Refer to this doc for more information.

http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_tech_note09186a0080094b53.shtml

If you're hungry for more, check this out. That's the resulting list from a search on www.cisco.com for "understanding calling search spaces partitions":

http://www.cisco.com/pcgi-bin/search/search.pl?searchPhrase=understanding+calling+search+spaces+partitions&nv=Search+All+cisco.com%23%23cisco.com&nv=Technical+Support+%26+documentation%23%23cisco.com%23TSD&language=en&country=US&accessLevel=Guest&sit...

Greg
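The Inside/Outside example above, worked through as a small Python model. This is an added illustration, not Cisco code or anything from the post: the `Partition`, `CallingSearchSpace`, `resolve` and `can_dial` names, the sample DN patterns and the pattern-to-regex translation are all assumptions made for the example, and for simplicity the model returns the first matching partition in CSS order rather than doing CallManager's closest-match selection.

```python
"""Toy model of CallManager partitions and calling search spaces (CSS).

Added example, not Cisco code. A partition is a named subset of the
dialable patterns (DNs or route patterns) in the system; a CSS is the
ordered list of partitions a device is allowed to search when it dials.
Anything that matches in no partition of the device's CSS is blocked.
"""
import re
from dataclasses import dataclass


def pattern_to_regex(pattern: str) -> str:
    """Translate a small subset of route-pattern syntax to a regex.

    Assumption for this example: 'X' is one digit, '@' and '!' stand for
    one or more digits, '.' is the separator and is ignored, and every
    other character is a literal digit.
    """
    out = []
    for ch in pattern:
        if ch == "X":
            out.append(r"\d")
        elif ch in "@!":
            out.append(r"\d+")
        elif ch == ".":
            continue
        else:
            out.append(re.escape(ch))
    return "".join(out)


@dataclass
class Partition:
    name: str
    patterns: list  # route patterns / DNs belonging to this partition


@dataclass
class CallingSearchSpace:
    name: str
    partitions: list  # ordered list of Partition the device may search


def resolve(css: CallingSearchSpace, dialed: str):
    """Return (partition name, matching pattern) or None if the call is blocked.

    Simplification: first match in CSS order, not closest match.
    """
    for part in css.partitions:
        for pat in part.patterns:
            if re.fullmatch(pattern_to_regex(pat), dialed):
                return (part.name, pat)
    return None


def can_dial(css: CallingSearchSpace, dialed: str) -> bool:
    """True when some partition in the device's CSS covers the dialed digits."""
    return resolve(css, dialed) is not None


# Constructed dial plan mirroring the post: Inside holds internal 4-digit
# DNs (sample ranges 1XXX and 2XXX), Outside holds the 9.@ PSTN pattern.
INSIDE = Partition("Inside", ["1XXX", "2XXX"])
OUTSIDE = Partition("Outside", ["9.@"])

CSS_BOTH = CallingSearchSpace("Both", [INSIDE, OUTSIDE])          # employee phones
CSS_INSIDE_ONLY = CallingSearchSpace("Inside-Only", [INSIDE])     # lobby phones


if __name__ == "__main__":
    for css in (CSS_BOTH, CSS_INSIDE_ONLY):
        for digits in ("1001", "912125551234"):
            print(f"{css.name:12} dials {digits:14} -> {resolve(css, digits)}")
```

The lobby phone's attempt to dial `912125551234` resolves to `None` because its CSS never searches the Outside partition, which is the whole point of splitting the partitions. One caveat worth keeping in mind when using this for access control: the restriction only holds for DNs and route patterns that have actually been placed in a partition, so a dial plan audit should look for patterns left in the default (null) partition, which every CSS can reach.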

New Member

Re: ASK THE EXPERT- DEPLOYING SECURITY ON IP COMMUNICATIONS NETW

Hi Greg:

How do you protect CallManager UDP ports (the CallManager TFTP server is also the CCM backup)? This is very cumbersome because the CallManager TFTP server opens a new UDP port when a transfer begins. Can I change this?

Is there any list of all UDP and TCP ports that I must block in CallManager (3.1, 3.2, 3.3, 4.0)? The list on the Cisco web site is not complete and has mistakes (example: RAS TCP 1719).

alex
