
ASK THE EXPERT - SECURE IP COMMUNICATIONS

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update from Cisco experts Kevin Flynn, Troy Sherman and Larry Truesdale on how to secure IP-based unified communications.

Remember to use the rating system to let Kevin, Troy and Larry know if you have received an adequate response.

They might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through September 22, 2006. Visit this forum often to view responses to your questions and the questions of other community members.

21 REPLIES
New Member

Re: ASK THE EXPERT - SECURE IP COMMUNICATIONS

When might we see 802.1x (Port Based Network Access Control) capabilities rolled out to the standard 79XX phones, or is this something not on the roadmap at this time?

Cisco Employee

Re: ASK THE EXPERT - SECURE IP COMMUNICATIONS

You will see 802.1x on the phones late this 4th qtr or early 1st qtr next year. The 802.1x supplicant will only be on phones above the 7960. The firmware load for the phones is planned to be 8.3.1. A design guide to deploy the phones is planned to be released at the same time as the supplicant.

Bronze

Re: ASK THE EXPERT - SECURE IP COMMUNICATIONS

So does this mean that the data switch will have to support multiple authentication (multiple dot1x hosts on a port, with every host authenticated separately) on an aux/voice port? Without using CDP?

Cisco Employee

Re: ASK THE EXPERT - SECURE IP COMMUNICATIONS

Yes, if you are going to authenticate the phone and a PC plugged into the phone, both of the devices will have to authenticate to the port per VLAN. This feature is coming out on Cisco switches this fall to allow multiple authentications per port per VLAN, so this will be possible.

On the subject of CDP, CDP will be allowed to pass between the phone and the switch so the phone can get the information it needs to determine which VLAN on the port is the voice VLAN. Once the phone has that information, it will attempt to authenticate into the voice VLAN on the port of the switch.
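As an added illustration of the behaviour described in the answer above (the PC and the phone on one port each authenticating separately into their own VLAN, with CDP allowed so the phone can learn the voice VLAN), here is a Cisco IOS switch-port configuration using multi-domain authentication. This is example configuration written for this thread, not text from the thread or from a Cisco guide; the VLAN numbers, interface name and RADIUS server address are assumed placeholders, and the exact command keywords vary by IOS release.

```cisco
! Added example (not from the original thread): Cisco IOS multi-domain
! authentication (MDA) on an access port carrying a PC behind an IP phone.
! Assumed values: VLAN 10 = data, VLAN 100 = voice, RADIUS server 192.0.2.10.
aaa new-model
aaa authentication dot1x default group radius
! Network authorization is needed so RADIUS can place the phone in the voice
! domain (the server returns cisco-av-pair "device-traffic-class=voice").
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <radius-shared-secret>
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 description PC behind IP phone (assumed example port)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 ! One data device and one voice device, each authenticated on its own domain:
 ! the phone authenticates into the voice VLAN, the PC into the data VLAN.
 ! (Older releases spell this "dot1x host-mode multi-domain".)
 authentication host-mode multi-domain
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
! CDP is on by default and, like EAPOL, is permitted while the port is still
! unauthorized, which is how the phone learns the voice VLAN before it
! authenticates; no extra CDP command is required for that.
```

If the RADIUS server does not return the voice-domain attribute for the phone, the switch treats it as a second data device and the port will reject one of the two hosts; check the authorization result with `show authentication sessions interface GigabitEthernet1/0/1` on the switch.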

New Member

Re: ASK THE EXPERT - SECURE IP COMMUNICATIONS

Hi all

With respect to security, how are Cisco solutions differentiated from competitors' products? Can you elaborate?

Thanks,

Bill

New Member

Re: ASK THE EXPERT - SECURE IP COMMUNICATIONS

Good security requires a systemic approach. Since every aspect of a system can be a point of attack, every aspect needs to be a point of protection. Cisco's approach to security for unified communications incorporates both network security and UC-specific security techniques and technologies. The Infrastructure, Call Management, Endpoints and Applications for Unified Security are secured by Cisco. At best, other vendors can secure only one or two of these components. The other good news is that many of the technologies to secure Unified Communications are already built into Cisco products.

Silver

Re: ASK THE EXPERT - SECURE IP COMMUNICATIONS

Hello

What is required beyond normal provisioning to implement voice security in Cisco Unified CallManager?

Thanks,

Amrit

Cisco Employee

Re: ASK THE EXPERT - SECURE IP COMMUNICATIONS

There are many things that you can do to increase the security of the voice system. You can turn on features in the phones, you can enable extra security on the Call Manager, you can enable encryption for the signaling/media, and you can increase the security within your data network. All of those things really depend on the security policy that you have for both the data flowing on your network and your network infrastructure. Each time you enable security within a system, there are usually some advantages and disadvantages to that security. Usually the best place to start is the security chapter of the SRND (Solution Reference Network Design, i.e. the design guide) for the version of Cisco Unified CallManager that you are running. We have tried to list some of the advantages and disadvantages of some of the security that could be enabled to protect your VoIP system in the SRND, to help in the process of securing a voice system.

Below are some links that can help you increase the security of the system based on how much security you would like the system to have:

The Unified Communications SRND (design guide)

http://www.cisco.com/en/US/netsol/ns656/networking_solutions_design_guidances_list.html#anchor8

The security chapter of the SRND for Unified Communications CallManager 5.0

http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_implementation_design_guide_chapter09186a008063742b.html

The security chapter of the SRND for Unified Communications CallManager 4.x

http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_implementation_design_guide_chapter09186a008063742b.html

Cisco CallManager Security Guide Release 4.1(3)

http://www.cisco.com/univercd/cc/td/doc/product/voice/c_ipphon/english/ipp7960/sec_vir/sec413/index.htm

Cisco CallManager Security and Virus Protection Guides

http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/sec_vir/index.htm

New Member

Re: ASK THE EXPERT - SECURE IP COMMUNICATIONS

This might be out of the context of the forum, and if it is I apologize in advance.

I have run into several engagements with customers questioning why the Unity servers cannot be behind a firewall. When this question gets raised, the usual answer involves the speed and acceleration of the MAPI connections from Unity to the Exchange mailstore, etc., etc.

This question usually comes out on the tail end of the "speeds and feeds" discussion about the FWSM/ASA that is implemented to guard the rest of the IPT equipment.

Is there any thought into having Unity work with RPC over HTTP to allow a firewall to get in between them?

Cisco Employee

Re: ASK THE EXPERT - SECURE IP COMMUNICATIONS

I was able to confirm what you already know: scenarios where Unity is behind a firewall are not supported. The reason appears to be related more to traversal difficulties than performance, though. However, I was not able to determine whether using HTTP to transport RPC has been considered before. So, I can't really answer your question, but I have sent that suggestion on to development so that it will be considered one way or another.

Bronze

Re: ASK THE EXPERT - SECURE IP COMMUNICATIONS

Hi

Is Cisco Security Agent (CSA) compatible with Voice and Unified Communications products? Can you give me details on this?

Thanks-

Beth

Cisco Employee

Re: ASK THE EXPERT - SECURE IP COMMUNICATIONS

Yes, CSA is compatible with most of our Voice products; it should be listed for most of the voice products with their documentation.

From a server standpoint, there are CSA policies built by Cisco for each of the supported servers. In the Windows world, you can have just the CSA unmanaged client installed on your servers. You can also import the policy into the CSA management console and then have a managed version of CSA for your servers. The CSA client for the Windows servers has to be installed after the installation of the OS and applications, and is downloaded from the cisco.com web site. You can check the software download area for the CSA stand-alone and managed client; below is the link to the CSA client for the CallManager & Voice Apps Crypto Software:

http://www.cisco.com/cgi-bin/tablebuild.pl/cmva-3des

With the Cisco Unified Call Manager appliance, that server can only run the unmanaged version of the CSA client as of today. That client is installed during the OS and applications installation and is there from the very start, nothing needs to be downloaded from cisco.com.

For information on the clients that are available, you can go to this link and see if the Voice product is supported, and if so, either download the client or the policy for the CSA Management console and install it from there. The software is usually listed under either security or Crypto.

http://cisco.com/kobayashi/sw-center/sw-voice.shtml

New Member

Re: ASK THE EXPERT - SECURE IP COMMUNICATIONS

Does CallManager Express 4.0 support SRTP, or does only Cisco CallManager support it?

Cisco Employee

Re: ASK THE EXPERT - SECURE IP COMMUNICATIONS

Hello,

Voice cannot be secured with SRTP in CallManager Express today, but it will be supported in CallManager Express V4.2.

Bronze

Re: ASK THE EXPERT - SECURE IP COMMUNICATIONS

Hello,

Do you know if 802.1x is supported by Cisco phones?

Thanks,

Frank

Cisco Employee

Re: ASK THE EXPERT - SECURE IP COMMUNICATIONS

Copying Troy's answer from previously asked question...

You will see 802.1x on the phones this late 4th qtr or early 1st qtr next year. The 802.1x supplicant will only be phones above the 7960. The firmware load for the phones is planned to be 8.3.1. A design guide to deploy the phones is planned to be released as the same time as the supplicant.

Thanks,

Larry

New Member

Re: ASK THE EXPERT - SECURE IP COMMUNICATIONS

What is the best way to secure VoIP communication via the Internet? VPNs still have big overhead.

What is the alternative to VPNs?

Cisco Employee

Re: ASK THE EXPERT - SECURE IP COMMUNICATIONS

VPNs are often used to transport VoIP traffic over untrusted networks such as the Internet. Sometimes this is the only viable alternative if the traffic being transported is not already secured through other means such as TLS and/or SRTP. In most situations, the additional throughput required is not a serious concern. CallManager supports TLS for SIP and SCCP signaling and SRTP for voice.

New Member

Re: ASK THE EXPERT - SECURE IP COMMUNICATIONS

Hello,

We currently have IP phones running over VPN using an ASA 5500 and PIX 501s. The remote phones seem to work fine for a while but then lose contact with the Call Managers and get stuck on registering. The tunnel never goes down. We have played with QoS over VPN with mixed results. Any suggestions as to other solutions we may not have considered?

Silver

Re: ASK THE EXPERT - SECURE IP COMMUNICATIONS

How are Voice and Unified Communications products protected from viruses, worms, and other malware?

Cisco Employee

Re: ASK THE EXPERT - SECURE IP COMMUNICATIONS

Hello,

The definitive source for information about malware protection on CallManager Systems (and other useful details like port usage) is:

http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/sec_vir/index.htm

Note that CallManager 5.0 is built on an appliance model and therefore does not require third-party malware protection.
