Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get tips and techniques for securing the infrastructure, call management, endpoints and applications in a unified communications system with Cisco expert Kevin Flynn. Kevin is a senior manager, Security Technology Marketing for Unified Communications at Cisco Systems, Inc. He is an 11-year Cisco veteran, holding marketing and product management positions in the areas of Core Routing, Internet Security, Wireless and IP Communications Security. Prior to joining Cisco, Flynn was at Apple Computer where he held a number of positions, including product manager in Apple's Advanced Technology group. Flynn is a frequent speaker on security technologies at conferences and seminars worldwide.
Remember to use the rating system to let Kevin know if you have received an adequate response.
Kevin might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through September 21, 2007. Visit this forum often to view responses to your questions and the questions of other community members.
First, thank you very much for this opportunity.
I'm new to security and do not have much knowledge. I used the Cisco CallManager security guide to learn how to secure a CallManager environment, but I was unable to get many ideas from it and did not find it very helpful.
So, I have a Cisco CallManager 5.x system and I need to secure it, basically to secure CCM and the endpoints, and I do not know much about security. Do I need to learn more about security or attend a security course to be able to configure security-related settings?
Are there good documents/links I can use on CCM security other than the CCM security guide?
There is a wealth of materials on Cisco's web page dedicated to Secure UC. The address is www.cisco.com/go/secureuc
The full URL is below.
The various "Best Practices" white papers should prove useful.
While configuring Call Manager in a secure manner does not necessarily require a strong security background, it doesn't hurt to have a working knowledge of network security.
Good Secure UC incorporates network security techniques and technologies. One can't have a secure UC implementation on top of an insecure network. For more information on security, check out www.cisco.com/go/security.
Let me know what other help we can provide.
While I was attending the CallManager 5.0 course I learned about SAST. Recently, I was unable to find that USB dongle on the Cisco GPL. Could you please shed some light on this? Am I still able to buy this SAST thing, or is there some other way for my CallManager to become a certificate authority (without the need for spending extra money on a Cisco memory stick)?
The System Administrator Security Token (SAST) is not a "memory stick" even though it looks like one. It is a specialized device for securely storing cryptographic information including a public certificate and the private key which goes along with it.
The part number for it is: "KEY-CCM-ADMIN-K9="
Thanks a lot for the answer. What about the case when I have a CA in my own company? Can I use it instead of SAST? I'm more a VoIP person and less a security one, so I apologize if some of my questions sound "funny" to you (I'm trying to avoid the word stupid here). I see a real competitive advantage here and would like to use it in my future implementations, but I'm still at the very beginning.
The SASTs are used to sign certificate trust list (CTL) files. These files are provisioned in the phones and used to validate trusted servers. There is no provision for using any other means to establish the authenticity of the CTL files.
You will need two SASTs to enable signaling & media encryption on your CUCMs. When not using them, be sure to keep them safe (preferably not together). You would need at least one of them to make changes to CTL files provisioned in the phones.
There is an entirely different mechanism used for signing the locally significant certificates (LSC) provisioned in the phones. We do provide the ability to use an external CA for signing the LSCs, but few customers use it. A related alternative is to pre-provision a customer-provided certificate in CUCM for it to use when signing LSCs. The phones use their provisioned LSCs to authenticate themselves to CUCM.
Hope this helps,
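The trust rule described above (a CTL signed by a SAST, phones validating trusted servers from it, and at least one of the provisioned SASTs being needed to change it) can be shown as a small working model. This is an added illustration, not code from the thread and not Cisco's file format: it assumes a CTL is a JSON list of trusted entries that includes the SAST public keys themselves, that a phone with no CTL accepts the first one it receives, and that afterwards a replacement CTL is accepted only if it is signed by a SAST listed in the CTL the phone already holds. The signature scheme is textbook RSA over a SHA-256 digest with toy-sized keys, used only so the example runs on the standard library; the names "sast-1", "sast-2" and "cucm-pub-1" are placeholders.

```python
# Toy model of CTL signing and phone-side validation (added illustration, not CUCM's format).
# Assumptions: JSON CTL listing SAST keys and servers; first CTL accepted on first use;
# later CTLs must be signed by a SAST present in the installed CTL. Toy RSA, not for real use.
import hashlib
import json
import math
import random


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 16) -> bool:
    """Miller-Rabin probable-prime test, enough for toy-sized keys."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(rng: random.Random, bits: int) -> int:
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # force top bit and oddness
        if _is_probable_prime(candidate, rng):
            return candidate


def generate_keypair(rng: random.Random, bits: int = 128):
    """Return ((d, n), (e, n)): a toy RSA private key and its public key."""
    e = 65537
    while True:
        p, q = _random_prime(rng, bits), _random_prime(rng, bits)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (pow(e, -1, phi), p * q), (e, p * q)


def _digest(data: bytes) -> int:
    # 192-bit digest is always smaller than the 254-bit (or larger) modulus used here
    return int.from_bytes(hashlib.sha256(data).digest()[:24], "big")


def sign(data: bytes, priv) -> int:
    d, n = priv
    return pow(_digest(data), d, n)


def verify(data: bytes, signature: int, pub) -> bool:
    e, n = pub
    return pow(signature, e, n) == _digest(data)


def _canonical(entries, signer: str) -> bytes:
    return json.dumps({"entries": entries, "signer": signer}, sort_keys=True).encode()


def make_ctl(entries, signer_id: str, signer_priv) -> dict:
    """Build a CTL signed by one SAST; the entries carry the SAST public keys themselves."""
    return {"entries": entries, "signer": signer_id,
            "signature": sign(_canonical(entries, signer_id), signer_priv)}


def sast_keys(ctl: dict) -> dict:
    return {e["id"]: tuple(e["pub"]) for e in ctl["entries"] if e["role"] == "SAST"}


class Phone:
    """Holds at most one CTL and only replaces it when a SAST it already trusts signed the new one."""
    def __init__(self):
        self.ctl = None

    def install_ctl(self, ctl: dict) -> bool:
        # Trusted signers: SASTs in the installed CTL, or on first install those in the candidate itself.
        trusted = sast_keys(self.ctl if self.ctl is not None else ctl)
        pub = trusted.get(ctl["signer"])
        if pub is None or not verify(_canonical(ctl["entries"], ctl["signer"]), ctl["signature"], pub):
            return False
        self.ctl = ctl
        return True

    def trusted_servers(self) -> set:
        return {e["id"] for e in self.ctl["entries"] if e["role"] != "SAST"} if self.ctl else set()


def demo() -> dict:
    rng = random.Random(2007)                       # fixed seed so the run is reproducible
    sast1_priv, sast1_pub = generate_keypair(rng)   # the two SASTs provisioned for this cluster
    sast2_priv, sast2_pub = generate_keypair(rng)
    rogue_priv, rogue_pub = generate_keypair(rng)   # a key that never appeared in any installed CTL
    entries = [{"role": "SAST", "id": "sast-1", "pub": list(sast1_pub)},
               {"role": "SAST", "id": "sast-2", "pub": list(sast2_pub)},
               {"role": "CCM+TFTP", "id": "cucm-pub-1", "pub": list(generate_keypair(rng)[1])}]
    phone, results = Phone(), {}
    results["initial"] = phone.install_ctl(make_ctl(entries, "sast-1", sast1_priv))
    updated = entries + [{"role": "CCM+TFTP", "id": "cucm-sub-2", "pub": list(generate_keypair(rng)[1])}]
    results["update_by_second_sast"] = phone.install_ctl(make_ctl(updated, "sast-2", sast2_priv))
    rogue = [{"role": "SAST", "id": "sast-1", "pub": list(rogue_pub)},
             {"role": "CCM+TFTP", "id": "not-our-cucm", "pub": list(rogue_pub)}]
    results["rogue_ctl"] = phone.install_ctl(make_ctl(rogue, "sast-1", rogue_priv))
    results["servers"] = sorted(phone.trusted_servers())
    return results
```

Running `demo()` shows the first CTL being accepted, an update signed by the second SAST being accepted (either provisioned SAST can change the list, which is why both should be kept safe but apart), and a file that merely reuses the name "sast-1" with a different key being rejected because the phone compares the signature against the SAST key it already holds, not the key inside the new file.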
Yes. Cisco Security Agent (CSA) is an important tool to protect end-point devices upon which UC applications run. As a matter of fact, CSA is bundled with Cisco Communications Manager.
We've been asked to put in place an application layer firewall. In addition, we are processing a high volume of SSL inbound calls (Web traffic and custom applications). I was looking for a device, some sort of SSL proxy, which could handle the SSL and do the content layer filtering if possible. I ran across the Cisco CSS 11500 series which appears to do that and much more. Questions are:
1- If SSL traffic, how can a standard firewall do content layer filtering, if the firewall can NOT see the PAYLOAD? In other words, it seems to me the only way that could be done is if the "firewall" acts as an SSL proxy because it sits in between the two end-points and can see the "CONTENTS" of the packet.
2- Is this CSS 11500 device considered to be an "application layer firewall"?
The idea is to place this device in between our internet routers and our firewalls.
Thanks in advance.
The CSS11500 is an application switch, designed to provide robust application delivery (Layer 4 to 7) services for Internet and intranet data centers. It's not a true firewall.
You should take a look at the Adaptive Security Appliance (ASA).
Cisco ASA 5500 Series is a multi-function security appliance delivering application layer firewalling in addition to other security services (intrusion prevention services, IPSec/SSL VPN secure connectivity services, content security (anti-virus, anti-spam, URL filtering)).
For the SSL traffic scenario you describe, the only way this can be done is if the firewall acts as an SSL proxy. Today, this is supported on the ASA for encrypted phone TLS traffic, but not for standard SSL web traffic. For standard SSL encrypted traffic, depending on the ASA configuration/firewall policy, the ASA can drop, allow or log the traffic without any inspection.
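To make the payload-visibility point concrete, here is an added example (not code from the thread, and not a Cisco implementation) of what a firewall that does not proxy the session can actually read from TLS traffic: the record type and version, the record length, and the server name indication (SNI) carried in the ClientHello. Once the handshake is over, application_data records are opaque, which is exactly why a drop/allow/log policy is all that is possible without terminating the session. The records below are constructed samples built by the code itself, and `uc.example.com` is a placeholder host name.

```python
# What a non-proxying firewall can see in TLS traffic (added illustration; constructed records).
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS record carrying a ClientHello with a server_name (SNI) extension."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0, len(sni_list)) + sni_list           # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03" + bytes(32)                # client_version (TLS 1.2) and a zeroed 32-byte random
        + b"\x00"                              # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"   # one cipher suite
        + b"\x01\x00"                          # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def build_application_data(ciphertext: bytes) -> bytes:
    """Construct an application_data record; its body is opaque to anyone without the session keys."""
    return b"\x17\x03\x03" + struct.pack("!H", len(ciphertext)) + ciphertext


def parse_sni(handshake: bytes):
    """Walk a ClientHello and return the host_name from its server_name extension, or None."""
    pos = 4 + 2 + 32                                                  # handshake header, version, random
    pos += 1 + handshake[pos]                                         # session_id
    pos += 2 + struct.unpack("!H", handshake[pos:pos + 2])[0]        # cipher_suites
    pos += 1 + handshake[pos]                                         # compression_methods
    if pos + 2 > len(handshake):
        return None                                                   # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", handshake[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", handshake[pos:pos + 4])
        pos += 4
        if ext_type == 0:
            p, end = pos + 2, pos + ext_len                           # skip the server_name_list length
            while p + 3 <= end:
                name_type = handshake[p]
                name_len = struct.unpack("!H", handshake[p + 1:p + 3])[0]
                p += 3
                if name_type == 0:
                    return handshake[p:p + name_len].decode("ascii", "replace")
                p += name_len
        pos += ext_len
    return None


def inspect_record(record: bytes) -> dict:
    """Return the fields readable from one TLS record without terminating the session."""
    content_type, major, minor, length = struct.unpack("!BBBH", record[:5])
    payload = record[5:5 + length]
    info = {"content_type": CONTENT_TYPES.get(content_type, content_type),
            "record_version": f"{major}.{minor}", "payload_len": length, "sni": None}
    if content_type == 22 and payload and payload[0] == 1:           # handshake record holding a ClientHello
        info["sni"] = parse_sni(payload)
    return info


if __name__ == "__main__":
    # Constructed sample traffic: a ClientHello, then an encrypted record with made-up bytes.
    for rec in (build_client_hello("uc.example.com"), build_application_data(bytes(range(40)))):
        print(inspect_record(rec))
```

The ClientHello yields a host name a policy can act on; the application_data record yields only its length, so any content-level decision on it requires the proxy arrangement described in the answer.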
From a security perspective, what requirements will IP telephony systems have on my network infrastructure?
Thanks - Bill
If you already have a good network security implementation, there are few, if any, new requirements to be placed on your infrastructure. It's more a matter of taking advantage of existing functionalities and technologies such as VLANs, QoS/rate-limiting and traditional security features such as firewalling and IPS. For more information go to www.cisco.com/go/secureuc
The following question is most probably out of scope, but you have been so helpful this far that I really can't help but ask: is there any firmware for Cisco IP phones that supports IPv6? If not, can you check whether that feature is on any roadmap?
Hi again Kevin,
allow me first to say a big THANKS for the previous answers. You are really helpful and resourceful. That is the reason why I have some more questions for you :)
Is CUCM 5.x (or newer) secured enough to be installed directly on a public network? You explained about SAST, and HTTPS is used for provisioning, so it seems to me this should work, but I would like to hear your opinion.
Any device containing sensitive data or providing a critical function (including CUCM) should be placed behind a firewall and not 'directly' on a public network. You might want to check out version 8.0 of the Cisco Adaptive Security Appliance (ASA). It has many features geared to Secure Unified Communications.
This is my last question, I promise: can we secure signaling (and media) for Nokia E series dual phones with an installed SCCP client? I'm talking here about the exchange of certificates between CUCM and the E61 (I'm using the E61 as an example).
Happy to keep helping...
The SCCP signaling and RTP flows in the case of Nokia phones are over the managed WLAN enterprise network in the current offer. There is no encryption for the signaling or for the media traffic. The enterprise WLAN network is assumed to be secure and behind a firewall, so there is no requirement to secure the traffic. The phones do come with a VPN client, so in theory it's possible to set up a VPN/SSL tunnel over the public network between the phone and CCM - but we are not supporting this.