New Member

CallManager and UCCX 8.X Patching

We are currently in the process of upgrading to CM and UCCX 8.X, which all run on the same Linux OS. I know I can only install the Cisco-approved updates to these servers. What I am looking for is any documentation that might be available that explains Cisco's stance on patching.

My Security Department is requiring some sort of documentation stating that I cannot install patches such as Linux patches or Tomcat patches other than what is provided by Cisco, so I can get an exception for these servers.

Does anyone know if this documentation exists and where I might be able to find it?

Thanks!

  • Unified Communications Applications
7 REPLIES
Hall of Fame Super Silver

CallManager and UCCX 8.X Patching

There is no concept of independent OS patching with Cisco applications, as these are appliances with no access to the Linux kernel, thus no way to patch the OS independently. The OS is only patched along with a Cisco UC application upgrade. Major OS upgrades are also bundled in the application upgrade; for example, when going from CUCM/UCON 8.5 to 8.6 you are also upgrading the underlying Linux Red Hat Enterprise 4 to 5.

HTH,

Chris

New Member

CallManager and UCCX 8.X Patching

Hi Chris.

On the back of that, is there a Cisco document that you know of that details the version of CUCM, CUC, CUPS etc to the corresponding version of Red Hat Linux? I have never found one.

Cisco Employee

CallManager and UCCX 8.X Patching

Tim,

I am afraid there isn't any document, but if you provide me the product versions that you are looking at the Linux version for, I can create a list for you from my lab boxes.

GP.

New Member

CallManager and UCCX 8.X Patching

So Gajanan, are you saying there is no document from Cisco that states we can only apply Cisco approved patches that Cisco provides?  As I stated in my question, I know we are not able to do it, but I need a document to provide my Security Department with.

Cisco Employee

CallManager and UCCX 8.X Patching

Toby,

I meant there is no single document which has the Linux versions documented for the UC apps you mentioned. We need to find the version either from CLI or OS admin page.

This was w.r.t. your question "is there a Cisco document that you know of that details the version of CUCM, CUC, CUPS etc to the corresponding version of Red Hat Linux?"

GP.

New Member

CallManager and UCCX 8.X Patching

Actually that was Tim's question, not mine. Thanks anyway though, I think the information Rob provided below might work. I will submit it to them today and see if it will work.

Hall of Fame Super Red

Re: CallManager and UCCX 8.X Patching

Hi Toby,

Maybe this would help;

Delivers Robust Security

Because a unified communications system enables such valuable information and interactions, security is paramount. The Cisco Unified Communications Manager offers businesses an inherently more secure and resilient deployment environment than nonappliance models, helping protect the mission-critical media and call-processing application from potentially harmful external software. At the same time, organizations can confidently customize or develop value-added applications using published APIs or the Cisco Unified Application Environment.

Prevent Unwanted Modifications or Installations

Preventing undesirable changes or installations to widely used software is one of the critical steps to ensuring uninterrupted, optimized operations. The Cisco Unified Communications Manager addresses this requirement in numerous ways. For example, the appliance OS includes only the components needed to run the application, reducing complexity, improving efficiency, and enhancing security. The appliance itself was designed to prevent changes to unsupported hardware, the operating system, or the database, or installations of unsupported third-party software.

In support of this approach, no external software is allowed on the Cisco media-convergence-server platform, translating into fewer outages due to security exploits or unsupported changes to the operating system or software. To further ensure protection of critical processes, an N + 1 clustered redundancy model — comprising a "hub" publisher and several "spoke" subscribers within the cluster — supports a white-list capability that organizations can use to prevent rogue systems from joining the cluster.

Protect Against Outside Threats

In addition to preventing potentially damaging or harmful actions that originate from within the organization, the appliance is designed to protect against outside risks. For instance, without the local installation of a web browser or mail system, the appliance is less vulnerable to threats such as malware. In addition, organizations do not need to worry about the authenticity of any software installations related to the appliance because Cisco provides and digitally signs all software needed to operate Cisco Unified Communications Manager.

To further boost security, Cisco Security Agent is integral to (and included with) Cisco Unified Communications Manager. It provides protection against a wide variety of threats through the use of specialized security policies created specifically for Cisco Unified Communications Manager. Cisco Security Agent aggregates multiple security functions, combining host intrusion prevention, distributed firewall, malicious mobile code protection, and operating system integrity assurance. As an anomaly detection solution, Cisco Security Agent can enforce appropriate and expected behavior, thereby preventing anomalous behavior that could compromise the integrity and availability of the system.

Streamline Security Monitoring and Updates

Because of the integrated nature of the appliance model, administrators do not need to separately monitor, schedule, and patch basic input/output system (BIOS), database, native operating system, and Cisco Unified Communications Manager software releases. Instead, they monitor a single site — the Cisco Product Security Incident Response Team site — for information about any relevant exposures. When vulnerabilities are announced, administrators can securely and easily download security patches and install them throughout the enterprise through a web browser or CLI.

http://www.cisco.com/en/US/prod/collateral/voicesw/ps6788/vcallcon/ps556/solution_overview_c22-485095.pdf

Cheers!

Rob

"May your heart always be joyful And may your song always be sung May you stay forever young " - Dylan