Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VCS Expressway security best practices

I'm looking for some best practices for hardening the VCS expressway from a security stand point. Feel free to pass along any and all tips.

thx,

robert

Everyone's tags (1)
3 REPLIES
Cisco Employee

Re: VCS Expressway security best practices

Hi,

If I understand you right from a security point in terms of deploying the VCSe then static NAT and dual interface architecture in DMZ zone would be relatively more secure.

Please refer the section Static NAT and Dual interface architecture in the document :

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Basic_Configuration_Cisco_VCS_Control_with_Cisco_VCS_Expressway_Deployment_Guide_X7-1.pdf

Hope this helps.

Thanks

Sudheer

New Member

VCS Expressway security best practices

Sudheer,

Dual Interfaces and static NAT are certainly one of the items, for securing and hardening the VCS, but I'm looking beyond that and hoping the "old school" Tandberg folks have some additional best practices.

Such as:

Disabling Telnet

Disabling Http

Locking out the front panel LCD

Using allow/deny lists

Using device Authentication

Using Certificates

Encryption

etc, etc...

Also, does anybody have any practical experience using the Advanced Account Security option? Any white papers floating around on this?

Gold

VCS Expressway security best practices

Hi Robert,

there isn't one single document which will cover all of these areas.

There are however documents which cover specific areas which you will probably find useful (All of these documents are available at

http://www.cisco.com/en/US/partner/products/ps11337/products_installation_and_configuration_guides_list.html)

:

Basic VCS Control/Expressway configuration guide (Mentioned earlier by Sudheer):

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Basic_Configuration_Cisco_VCS_Control_with_Cisco_VCS_Expressway_Deployment_Guide_X7-1.pdf

Device authentication:

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Authenticating_Devices_Deployment_Guide_X6-1.pdf

Using certificates:

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Certificate_Creation_and_Use_Deployment_Guide.pdf

Regarding the use of allow/deny lists for registrations (Which really is not a proper security measure but rather obfuscation, and could be used in combination with authentication) and the use of CPL for preventing unauthorised access to specific resources such as ISDN gateways, please refer to the VCS Admin guide for X7.1.

The admin guide as well as the VCS Control/Expressway Basic Configuration guide has a set of example CPL scripts which should be useful.

As far as Telnet and SNMP goes, these are disabled by default on an X7.1 VCS (Since they are considered "unsecure" protocols).

Advanced Account Security (AAS) mode is also described in the VCS admin guide.

Hope this helps,

Andreas

3435
Views
0
Helpful
3
Replies
CreatePlease login to create content