Security for the Enterprise Collaboration Preferred Architecture
Laurent Pham, Technical Marketing Engineer
BRKCOL-2425
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Investors.com: “Gartner estimates that IT security spending will soar from $75 billion-plus in 2015 to $101 billion in 2018. Research firm Markets and Markets sees the cybersecurity market hitting $170 billion by 2020.”
Cisco Spark: Ask Question, Get Answers
Use Cisco Spark to communicate with the speaker after the event!
What if I have a question after visiting Cisco Live? Cisco Spark.
How:
1. Go to the Cisco Live Mobile app
2. Find this session
3. Click the join link in the session description
4. Navigate to the room, room name = Session ID
5. Enter messages in the room
Spark rooms will be available until July 29, 2016
www.ciscospark.com
Collaboration Preferred Architecture (CPA)
• Preferred Architecture provides prescriptive design guidance that simplifies and drives design consistency for Cisco Collaboration deployments
• Preferred Architecture can be used as a design base for any customer using a modular and scalable approach
• Preferred Architecture team provides feedback on solution level gaps to product teams
• Preferred Architecture will help you scale!
What products to use to enable users for Collaboration and Unified Communications for simple deployments:
• Prescriptive recommendations
• Concise documents
• Tested best practices
Collaboration Preferred Architectures & CVDs
PA Overview (Pre-Sales Process)
• Design Overview Document
• Targeted to Presales
• What (w/ Some Why)!
PA CVD – Cisco Validated Design (Post-Sales Process)
• Detailed Design and Deployment Guidance
• Post Sales Design and Deployment
• What, Why, and How!
• Process Driven Guide
Applications CVD – Cisco Validated Design (Post-Sales Process)
• Detailed Deployment Guidance
• Post Sales Design and Deployment
• What, Why, and How!
• Process Driven Guide
• Plugs into the PA CVD
www.cisco.com/go/cvd/collaboration
Collaboration Preferred Architecture for the Enterprise (architecture diagram)
Headquarters: Call Control (Unified Communications Manager, IM and Presence), Conferencing (TelePresence Server, Conductor, Cisco WebEx), Voice Messaging (Unity Connection), Collaboration Management Services (TelePresence Management Suite, Prime Collaboration: Deployment, Provisioning, License Manager, Assurance/Analytics), Endpoints
Collaboration Edge: Expressway-C, DMZ with Expressway-E, Integrated/Aggregated Services Router to PSTN / ISDN, Internet and MPLS WAN
Remote Site: Integrated Services Router, Endpoints
Also connected: Mobile/Teleworker, Third-Party Solution
Preferred Architecture for Collaboration Enterprise Cisco Validated Design (CVD)
• Call Control (UCM, IM&P, ISR, CUBE) – Functions: Dial Plan (Dialing Habits, Endpoints/ILS/GDPR), Trunking, SRST, CTI, DNS, EM
• Conferencing (UCM, Conductor, TS, TMS) – Functions: Instant, Permanent, Scheduled, CMR, CMR Hybrid, Personal Multiparty
• Edge (UCM, Expressway, CUBE, ISR) – Functions: Mobile Remote Access (MRA), B2B, IM&P Federation, PSTN Access, ISDN Video
• Applications (Ucx, PCD*, PLM*) – Functions: Applications and Tools: VM Deployment, Licensing, Voice Messaging
• Bandwidth Management – Functions: QoS and Admission Control
• Sizing – Functions: Sizing numbers for products built on a set of calculated assumptions
Each chapter covers: Architecture (component role, HA, security, scalability), Deployment (process and configuration), Sizing
Upcoming Chapters in CVD
• Collaboration Management Services
• PCD, PLM, PCP, PCA
• Security
• Security in Layers (including Toll Fraud), Encryption, Certificate Management
Work in Progress: CVD to be available later this year
Examples of IP Communications Threats
• Denial of Service (DoS): affecting call quality or ability to place calls
• SPAM: SPIM, SPIT, and more SPAM
• Toll fraud: unauthorized or unbillable resource utilization
• Learning private information: Caller ID, DTMF, passwords/accounts, calling patterns, Presence information
• Eavesdropping: listening to another’s call, or theft of intellectual property
• Media tampering
• Data modification
• Impersonating others: identity theft
• Session replay: replay a session, such as a bank transaction
Secure Physical Access
• First line of defense
• Once a user or attacker has physical access to one of the devices in a network, all kinds of problems could occur…
• Action:
• Secure access to the building
• Secure access to the Data Center / servers (DoS, easier access to management, password recovery)
• Secure endpoints
Secure the Infrastructure and the Network
Segregation
• Virtual LANs (VLANs) separate voice and data traffic
• VLAN Access Control Lists (VACLs) limit traffic between devices on the voice VLAN
• QoS Packet Marking ensures UC traffic receives appropriate priority over other traffic
Layer 2
• DHCP Snooping creates a binding table
• Dynamic ARP Inspection (DAI) examines ARP & GARP for violations
• Port Security limits the number of MAC addresses allowed per port
• 802.1x limits network access to authenticated devices on assigned VLANs
• Multi-Domain Authentication (MDA) binds two devices to assigned VLANs
• MAC Authentication Bypass (MAB) provides a measure of control over devices which don’t support 802.1x
Layer 3
• IP Source Guard examines physical port, VLAN, IP, & MAC for inconsistencies
Firewalls/IPS/AMP
• ASA with FirePOWER Services
Prevent Unauthorized Access - Platforms
Hardened Platform
• Host Based Intrusion Protection (SELinux)
• Host based firewall (iptables)
• 3rd party software installation not allowed
• OS and applications are installed with a single package
• Root account disabled
• Software signed
• Secure Management (HTTPS, SSH, SFTP)
• Audit logging
Also Configure
• If applicable, change default passwords (e.g. Expressway, TelePresence)
• Complex password policy
• Disable unnecessary protocols
Prevent Unauthorized Access - Edge
Expressway
• Host-based Firewall, Firewall Rules
• Host Based Intrusion Protection (not enabled by default)
CUBE and Voice Gateways
• IP TRUST LIST: Don’t respond to any SIP INVITEs if not originated from an IP address specified in this trust list
• CALL THRESHOLD: Protect against CPU, Memory & Total Call spike
• CALL SPIKE PROTECTION: Protect against spike of INVITE messages within a sliding window
• BANDWIDTH BASED CAC: Protect against excessive media
• MEDIA POLICING: Protect against negotiated Bandwidth overruns and RTP Floods
• USE NBAR POLICIES: Protect against overall SIP, RTP flood attacks from otherwise “trusted” sources
• DEFINE VOICE POLICIES: identify patterns of valid phone calls that might suggest potential abuse.
Prevent Unauthorized Access - Endpoints
• Security features by default
• Signed firmware (.sbn extension)
• Signed configuration files (<devicename>.cnf.xml.sgn)
• This authenticates the firmware/configuration and protects against tampering
Note: With Jabber, Unified CM needs to be in Mixed-Mode for those features (CTL File)
• Also add
• Physically secure the phones
• Disable Gratuitous ARP
• Configure 802.1X
• Disable web access / SSH access, or configure an ACL
• Disable PC port if not needed
• Optionally, TFTP configuration file encryption
Prevent Toll Fraud
Toll Fraud can be external and also internal attacks
• Unified CM
• Unity Connection
• Edge (CUBE, Voice GW, Expressway)
Unified CM Security – Eliminate Toll Fraud (1)
• Deny unauthorized calls
• Partitions and Calling Search Spaces provide dial plan segmentation and access control
• Example: avoid Unified CM sending a call coming from the PSTN back to the PSTN
• Don’t include the partition for route patterns to the PSTN in the trunk CSS
(Diagram: PSTN, Voice or Video GW and Unified CM, with call legs 1–4 for signaling and media; partitions shown: DN partition, Multiparty meeting partition, PSTN access partition; Inbound CSS on the trunk.)
Unified CM Security – Eliminate Toll Fraud (2)
• “Block offnet to offnet transfer” (CallManager service parameter)
(Diagram: PSTN, Voice or Video GW and Unified CM, with call legs 1–6 showing a PSTN call being transferred to another PSTN destination, which this parameter blocks.)
Unified CM Security – Eliminate Toll Fraud (3)
• Device Pool “Calling Search Space for Auto-registration” to limit access to dial plan
• Employ Time of day routing to deactivate segments of the dial plan after hours
• Require Forced Authentication Codes on route patterns to restrict access on long distance or international calls.
• “Drop Ad hoc Conferences” (CallManager Service Parameter)
• Monitor Call Detail Records
• Employ Multilevel Administration
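As an added example (not from the deck or Cisco), the following Python models the partition/Calling Search Space lookup from slides 20 to 22 so both toll-fraud controls can be exercised: an inbound trunk CSS that omits the PSTN-access partition cannot hairpin a PSTN call back out to the PSTN, and the “Block offnet to offnet transfer” parameter refuses a transfer whose legs are both offnet. Partition names, route patterns and CSS contents are constructed for illustration.

```python
"""Model of Unified CM partitions and calling search spaces (CSS).

Added example, not Cisco code: partition names, route patterns and CSS
contents below are constructed to mirror slides 20-22 of the deck.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class RoutePattern:
    pattern: str     # Unified CM style pattern, e.g. "9.!" or "1XXX"
    partition: str   # partition the pattern lives in
    offnet: bool     # True when the pattern routes to a PSTN gateway


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate the subset of Unified CM pattern syntax used here.

    X matches one digit, ! matches one or more digits, and '.' is the
    access-code delimiter, which does not consume digits.
    """
    out = "^"
    for ch in pattern.replace(".", ""):
        if ch == "X":
            out += r"\d"
        elif ch == "!":
            out += r"\d+"
        else:
            out += re.escape(ch)
    return re.compile(out + "$")


def lookup(dialed: str, css: List[str], patterns: List[RoutePattern]) -> Optional[RoutePattern]:
    """Return the first pattern reachable through the CSS, or None.

    Only partitions listed in the CSS are searched, in CSS order: that is
    the access control the slides rely on. A pattern in a partition the CSS
    does not contain is invisible to this caller.
    """
    for partition in css:
        for rp in patterns:
            if rp.partition == partition and pattern_to_regex(rp.pattern).match(dialed):
                return rp
    return None


# Constructed dial plan: internal DNs, multiparty meeting numbers, PSTN access.
PATTERNS = [
    RoutePattern("1XXX", "DN", offnet=False),
    RoutePattern("8XXX", "Multiparty-Meeting", offnet=False),
    RoutePattern("9.!", "PSTN-Access", offnet=True),
]

# CSS applied to the inbound PSTN trunk. The bad one includes PSTN-Access,
# so a call arriving from the PSTN could be routed straight back out.
INBOUND_CSS_BAD = ["DN", "Multiparty-Meeting", "PSTN-Access"]
INBOUND_CSS_GOOD = ["DN", "Multiparty-Meeting"]


def pstn_hairpin_possible(inbound_css: List[str], dialed: str = "918005550100") -> bool:
    """True if a PSTN caller presenting `dialed` would reach an offnet pattern."""
    rp = lookup(dialed, inbound_css, PATTERNS)
    return rp is not None and rp.offnet


def transfer_allowed(caller_offnet: bool, target_offnet: bool,
                     block_offnet_to_offnet: bool) -> bool:
    """Model of the 'Block offnet to offnet transfer' service parameter:
    when enabled, a transfer whose both legs are offnet is refused."""
    if block_offnet_to_offnet and caller_offnet and target_offnet:
        return False
    return True


if __name__ == "__main__":
    for name, css in (("bad", INBOUND_CSS_BAD), ("good", INBOUND_CSS_GOOD)):
        print(f"inbound CSS ({name}): PSTN hairpin possible = {pstn_hairpin_possible(css)}")
    print("offnet->offnet transfer with blocking:", transfer_allowed(True, True, True))
```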
Toll Fraud Prevention – Unity Connection
• Unity Connection could be used to transfer a call
• Recommendations
• Use restriction tables to allow or block call patterns
• Change the Rerouting CSS on the trunk on the Unified CM side
• Reference
• CUC Security Guide: http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/11x/security/b_11xcucsecx.html
• “Troubleshoot Toll Fraud via Unity Connection” TAC tech note: http://www.cisco.com/c/en/us/support/docs/unified-communications/unity-connection/119337-technote-cuc-00.html
• System Administration guide: http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/11x/administration/guide/b_cucsag/b_cucsag_chapter_0101.html
Toll Fraud Prevention - Edge
CUBE
• Call Source Authentication (IOS 15.1(2)T feature) enabled by default. Do not disable via “no ip address trusted authenticate”
• Only calls from “trusted” source IP addresses will be accepted
  voice service voip
   ip address trusted list
    ipv4 10.10.1.10
    ipv4 66.66.66.66
Expressway
• Call Policy Rules (CPL)
Monitor CDR and logs
• Unified CM: Monitor CDR, audit logs, and other logs
Authentication Failure:
16:10:32.908 |LogMessage UserID : administrator ClientAddress : 10.10.10.100 Severity : 4 EventType : UserLogging ResourceAccessed: Cisco CallManager Administration EventStatus : Failure CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : Cisco CCM Application AuditDetails : Failed to Log into Cisco CCM Webpages App ID: Cisco Tomcat Cluster ID: Node ID: cucm-pub
Phone Added:
16:13:48.823 |LogMessage UserID : administrator ClientAddress : 10.10.10.100 Severity : 5 EventType : DeviceUpdate ResourceAccessed: CUCMAdmin EventStatus : Success CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : Cisco CUCM Administration AuditDetails : New Phone added with MAC address=AAAABBBBCCCC , CAL mode=< None > and CAL value=< None > App ID: Cisco Tomcat Cluster ID: Node ID: cucm-pub
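As an added example (not from the deck or Cisco), the following Python parses Unified CM audit log lines in the layout shown above and runs two simple detections over them: repeated failed administrative logins from one client address, and phones added through the admin interface. The two lines marked "from the deck" are copied from the slide; the others are constructed in the same format.

```python
"""Parser and simple detections for Unified CM audit log lines.

Added example, not Cisco code. The two AUDIT_LINES entries marked 'from the
deck' copy the slide; the rest are constructed in the same format.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# Field names that appear in Unified CM audit log messages (as seen on the slide).
AUDIT_KEYS = [
    "UserID", "ClientAddress", "Severity", "EventType", "ResourceAccessed",
    "EventStatus", "CompulsoryEvent", "AuditCategory", "ComponentID",
    "AuditDetails", "App ID", "Cluster ID", "Node ID",
]
KEY_RE = re.compile(r"\b(" + "|".join(re.escape(k) for k in AUDIT_KEYS) + r")\s*:\s*")
LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3})\s*\|LogMessage\s+(?P<body>.*)$")
MAC_RE = re.compile(r"MAC address=([0-9A-Fa-f]{12})")


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Split one audit line into a dict of fields; None if it is not an audit line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # re.split with a capturing group yields [prefix, key1, value1, key2, value2, ...]
    parts = KEY_RE.split(m.group("body"))
    fields = {"Timestamp": m.group("ts")}
    for i in range(1, len(parts) - 1, 2):
        fields[parts[i]] = parts[i + 1].strip()
    return fields


def failed_logins_by_address(lines: List[str]) -> Dict[str, int]:
    """Count failed administrative logins per client address."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_audit_line(line)
        if ev and ev.get("EventType") == "UserLogging" and ev.get("EventStatus") == "Failure":
            counts[ev.get("ClientAddress", "?")] += 1
    return dict(counts)


def suspicious_addresses(lines: List[str], threshold: int = 3) -> List[str]:
    """Addresses with at least `threshold` failed logins (a password-guessing signal)."""
    return sorted(a for a, n in failed_logins_by_address(lines).items() if n >= threshold)


def phones_added(lines: List[str]) -> List[tuple]:
    """(user, MAC) for every successful DeviceUpdate that added a phone."""
    out = []
    for line in lines:
        ev = parse_audit_line(line)
        if not ev or ev.get("EventType") != "DeviceUpdate" or ev.get("EventStatus") != "Success":
            continue
        m = MAC_RE.search(ev.get("AuditDetails", ""))
        if m:
            out.append((ev.get("UserID"), m.group(1).upper()))
    return out


def _line(ts, user, addr, sev, etype, resource, status, component, details):
    # Constructed line in the same layout as the slide's examples.
    return (f"{ts} |LogMessage UserID : {user} ClientAddress : {addr} Severity : {sev} "
            f"EventType : {etype} ResourceAccessed: {resource} EventStatus : {status} "
            f"CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : {component} "
            f"AuditDetails : {details} App ID: Cisco Tomcat Cluster ID: Node ID: cucm-pub")


AUDIT_LINES = [
    # from the deck (authentication failure)
    "16:10:32.908 |LogMessage UserID : administrator ClientAddress : 10.10.10.100 Severity : 4 "
    "EventType : UserLogging ResourceAccessed: Cisco CallManager Administration EventStatus : Failure "
    "CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : Cisco CCM Application "
    "AuditDetails : Failed to Log into Cisco CCM Webpages App ID: Cisco Tomcat Cluster ID: Node ID: cucm-pub",
    # constructed: two more failures from the same address, one from another, one success
    _line("16:10:41.120", "administrator", "10.10.10.100", 4, "UserLogging",
          "Cisco CallManager Administration", "Failure", "Cisco CCM Application",
          "Failed to Log into Cisco CCM Webpages"),
    _line("16:10:49.501", "administrator", "10.10.10.100", 4, "UserLogging",
          "Cisco CallManager Administration", "Failure", "Cisco CCM Application",
          "Failed to Log into Cisco CCM Webpages"),
    _line("16:11:05.004", "ucadmin", "10.10.10.50", 4, "UserLogging",
          "Cisco CallManager Administration", "Failure", "Cisco CCM Application",
          "Failed to Log into Cisco CCM Webpages"),
    _line("16:12:10.330", "administrator", "10.10.10.100", 6, "UserLogging",
          "Cisco CallManager Administration", "Success", "Cisco CCM Application",
          "Successfully Logged into Cisco CCM Webpages"),
    # from the deck (phone added)
    "16:13:48.823 |LogMessage UserID : administrator ClientAddress : 10.10.10.100 Severity : 5 "
    "EventType : DeviceUpdate ResourceAccessed: CUCMAdmin EventStatus : Success CompulsoryEvent : No "
    "AuditCategory : AdministrativeEvent ComponentID : Cisco CUCM Administration AuditDetails : New Phone "
    "added with MAC address=AAAABBBBCCCC , CAL mode=< None > and CAL value=< None > App ID: Cisco Tomcat "
    "Cluster ID: Node ID: cucm-pub",
    "this is not an audit line and is ignored",
]

if __name__ == "__main__":
    print("failed logins:", failed_logins_by_address(AUDIT_LINES))
    print("suspicious:", suspicious_addresses(AUDIT_LINES))
    print("phones added:", phones_added(AUDIT_LINES))
```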
Monitor CDR and logs
• Expressway: Monitor CDR, Search History, and logs
Enable Encryption
• Protect against eavesdropping, data modification, session replay, impersonation
• Provides privacy, integrity, and authentication
• Authentication provided through certificates
• Can be one-way authentication or Mutual authentication (MTLS)
Links to Encrypt
• Administrative and user interfaces
• SIP trunks
• Endpoint Encryption (requires Unified CM in mixed-mode)
• Within Data Center
• Multiple clusters (ILS and LBM)
Links to Encrypt – Administrative and user interfaces
• Most of them should be encrypted by default
• Ensure passwords are not sent in clear
• If integrated with LDAP, configure LDAP over SSL (import LDAP certificate into Tomcat-trust store)
Links to Encrypt – SIP trunks
• Typically:
• Authentication: Certificates
• Authorization: X.509 Subject Name in SIP Trunk Security Profile
• Does not require Unified CM in mixed-mode
• SIP trunk encryption is recommended
(Diagram: SIP trunks from Unified CM to Conductor / TelePresence Server, Unity Connection, Expressway, and CUBE / VG.)
Links to Encrypt – Endpoint Encryption
• Encryption for the phone media (SRTP) and signaling requires Unified CM to be in “Mixed-Mode”
• Requires Export Restricted version of Unified CM
• IM messages are encrypted by default and do not require mixed-mode
• Secure call has a lock icon shown on the endpoint display
Unified CM: Non-Secure vs. Mixed-Mode
Feature comparison (columns: Non Secure Cluster, Mixed Mode Cluster):
• Auto-registration (* new in 11.5)
• Signed & Encrypted Phone Configs
• Signed Phone Firmware
• Secure Phone Services (HTTPS)
• CAPF + LSC
• IP VPN Phone
• SIP Trunk encryption
• Secure Endpoints (TLS & SRTP)
Mixed-Mode for Unified CM
• Enable Mixed-Mode using a Hardware Security Token (USB Security Tokens) or Tokenless CTL (10.0+)
• Migration between the two methods: see Unified CM Security Guide and TAC note
http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/118893-technote-cucm-00.html
USB Security Tokens vs. Tokenless
Hardware Security Token (USB Security Tokens)
Pros:
• Fewer situations where endpoints lose the trust relationship with Unified CM, and easier to recover from this scenario
• Can be used across multiple Unified CM clusters and facilitates migration between clusters
Cons:
• Have to purchase 2+ USB Security tokens
• Not manufactured in the US
• Require CTL Client installation on a desktop
Tokenless (10.0+)
Pros:
• Easier to manage: no need to purchase USB security tokens, no need to install CTL client, easier to update CTL file
Cons:
• More situations where endpoints lose the trust relationship with Unified CM, and more complex to recover from this scenario
• Requires more steps when migrating clusters
Encrypted Endpoint – Basic Configuration
• With Unified CM in mixed-mode, not all endpoints need to be configured with encryption, but all the endpoints get a CTL (Certificate Trust List) file
• Notes:
There is also a Phone security profile which is independent from the phone type: Universal Device Template. Useful when deploying MRA
Encryption using the Locally Significant Certificate (LSC) instead of Manufacturing Installed Certificate (MIC) requires additional step
MRA – Voice/Video Encryption
• Voice/Video streams always SRTP encrypted between Exp-C and MRA client
• SIP TLS always enforced between MRA clients & Exp-E, and between Exp-C & Exp-E
• * Unified CM mixed mode required to achieve SRTP on the internal network and SIP TLS between Exp-C and Unified CM
(Diagram: MRA client – External Firewall – Expressway-E (DMZ) – Firewall – Expressway-C – Unified CM. SIP TLS and SRTP on the MRA client to Expressway-E and Expressway-E to Expressway-C legs: media and signaling always encrypted. Expressway-C to Unified CM: SIP TLS* or SIP TCP.)
Links to Encrypt – Within Data Center
• Some communications carry sensitive information or are easy to encrypt. Recommendation: encrypt. Example: LDAP over SSL and SIP trunks
• Some communications are more difficult to encrypt, requiring for example IPsec. Lower priority to encrypt, especially if the servers are locked down in a trusted Data Center. Example: communication between Unified CM nodes in the same cluster
• If IPsec must be used, the recommendation is to configure it on the infrastructure
Links to Encrypt – Multiple clusters
• ILS (Intercluster Lookup Service): certificates for authentication, passwords for authorization (new in 11.5)
• LBM (Location Bandwidth Manager): encrypt intercluster LBM links
• ILS and LBM use Tomcat certificates
• In addition to SIP Trunk Encryption, encrypt ILS and LBM
Cipher Suites – Unified CM SIP TLS
Example cipher suite: ECDHE_RSA with AES256_GCM_SHA384
• Key Exchange – Authenticated/Signed with: ECDHE – RSA (Elliptic Curve Diffie-Hellman Ephemeral – RSA)
  Unified CM options: RSA (only option prior to 10.5.2), ECDHE – RSA (10.5.2+), ECDHE – ECDSA (11+)
• Encryption Algorithm – Authenticated with: AES256_GCM – SHA384 (Advanced Encryption Standard at 256 bits with Galois Counter Mode – Secure Hash Algorithm at 384 bits)
  Unified CM options: AES128_SHA1 (only option prior to 10.5.2), AES128_GCM_SHA256 (10.5.2+), AES256_GCM_SHA384 (10.5.2+)
Cipher Suites – Unified CM SIP TLS (cipher options, listed in preference order)
All Ciphers ECDSA preferred:
ECDHE_ECDSA with AES256_GCM_SHA384
ECDHE_RSA with AES256_GCM_SHA384
ECDHE_ECDSA with AES128_GCM_SHA256
ECDHE_RSA with AES128_GCM_SHA256
RSA with AES_128_CBC-SHA1
All Ciphers RSA preferred (default):
ECDHE_RSA with AES256_GCM_SHA384
ECDHE_ECDSA with AES256_GCM_SHA384
ECDHE_RSA with AES128_GCM_SHA256
ECDHE_ECDSA with AES128_GCM_SHA256
RSA with AES_128_CBC-SHA1
Strongest – AES-256 SHA-384 only: ECDSA preferred:
ECDHE_ECDSA with AES256_GCM_SHA384
ECDHE_RSA with AES256_GCM_SHA384
Strongest – AES-256 SHA-384 only: RSA preferred:
ECDHE_RSA with AES256_GCM_SHA384
ECDHE_ECDSA with AES256_GCM_SHA384
Medium – AES-256 AES-128 only: ECDSA preferred:
ECDHE_ECDSA with AES256_GCM_SHA384
ECDHE_RSA with AES256_GCM_SHA384
ECDHE_ECDSA with AES128_GCM_SHA256
ECDHE_RSA with AES128_GCM_SHA256
Medium – AES-256 AES-128 only: RSA preferred:
ECDHE_RSA with AES256_GCM_SHA384
ECDHE_ECDSA with AES256_GCM_SHA384
ECDHE_RSA with AES128_GCM_SHA256
ECDHE_ECDSA with AES128_GCM_SHA256
General Recommendation: Use default setting
Cipher Suites – Unified CM SRTP
• Prior to Unified CM 10.5.2, SIP trunks and SIP Lines only supported SHA1 based media encryption ciphers
AES_CM_128-SHA1
• Version 10.5.2 introduces support for new GCM (Galois/Counter Mode) ciphers providing AEAD (Authenticated Encryption with Associated Data)
AEAD_AES_256_GCM
AEAD_AES_128_GCM
• New ciphers are available by default on upgrade to Unified CM 10.5.2
• Highest strength cipher will be offered or negotiated by default
• SHA1 based SRTP cipher compatibility remains for non-SIP devices
Cipher Suites – Unified CM SRTP (cipher options)
All supported Ciphers (default): AEAD AES-256 GCM, AEAD AES-128 GCM, AES_CM_128-SHA1 ciphers
Strongest – AEAD AES-256 GCM cipher only: AEAD AES-256 GCM-based cipher
Medium – AEAD AES-256 GCM AES-128 GCM ciphers only: AEAD AES-256 GCM, AEAD AES-128 GCM
General Recommendation: Use default setting
Verify Supported Cipher Suites on Endpoints
Why Do We Need Certificates?
• What is a Digital Certificate?
• Includes public key and name of the certificate holder, and a signature
• Goal
• Authentication and encryption
• Two types of authentication
• One-way authentication: with Web browsers or with Jabber login (UDS, XMPP, Unity Connection visual voice mail)
• Two-way authentication: endpoints in encrypted mode, MTLS trunks (e.g. Unified CM SIP trunk to Expressway)
Endpoint Certificates
• Required for Media/Signaling encryption and TFTP config file encryption
• Also can be used for phone VPN and 802.1x
• When both LSC and MIC are installed on a device, LSC takes preference
Certificate types: MIC (Manufacturer Installed Certificate) and LSC (Locally Significant Certificate)
Endpoint Certificates - MIC
Manufacturer Installed Certificate (MIC)
» Cisco IP Phones ship from the factory with a unique MIC pre-installed (signed by the Cisco CA)
» MIC is valid for 10 years
» No certificate revocation support
Notes:
• New Manufacturing SHA2 CA signs Cisco’s newest IP Phones (88xx). Unified CM 10.5(1)+ includes and trusts the new SHA2 certificates. For older Unified CM releases, download the SHA2 CA certificates at http://www.cisco.com/security/pki/certs/cmca2.cer
• No MIC on Jabber
Endpoint Certificates - LSC
Locally Significant Certificates (LSC)
» LSC signed by the Certificate Authority Proxy Function (CAPF) Service running on the Unified CM Publisher (or signed by an external CA)
» Preferred certificate for endpoint identity
» Endpoint support includes IP Phones, TelePresence, Jabber clients
» LSC can be installed, re-issued, deleted in bulk with the Unified CM Bulk Admin Tool
Enhancements in Unified CM 11.5
» LSC signed by CAPF valid for up to 5 years (validity configurable in 11.5, used to be fixed at 5 years)
» Can track certificate expiration (new in 11.5, used to require a paper process)
» SHA2 support
» RSA key length up to 4096 (used to be up to 2048). Use Cisco Unified Reporting to verify phone support
Only LSCs are available with Jabber. LSCs are required for configuration file signature and signaling/media encryption (except for Jabber over MRA)
Endpoint Certificates - MIC vs. LSC
• MIC: Out of box certificate. Goal is to prove the phone is a genuine Cisco phone
• But…
• MIC is not specific to your own Unified CM cluster
It doesn’t prove the phone is part of your Unified CM cluster
• MIC cannot be customized/updated/deleted
Recommendation:
Use MIC certificates to authenticate with CAPF for LSC certificate installation
Use LSC for everything else (SIP TLS, VPN, 802.1x)
MRA with End-to-End Encryption
• For MRA end-to-end encryption, encryption inside the enterprise requires Unified CM in mixed mode and an encrypted phone security profile, as usual
• But the Expressway-C certificate is used (not the endpoint certificate)
• With Jabber 11.0+ using MRA, CAPF enrollment is not required (LSC not required)
• Notes:
• Also works for DX and TC series endpoints
• TFTP encrypted config still not supported for any MRA clients
(Diagram: MRA client – External Firewall – Expressway-E (DMZ) – Firewall – Expressway-C – Unified CM, with SIP TLS and SRTP on every leg: media and signaling always encrypted.)
MRA with End-to-End Encryption
• The Expressway-C certificate is used (not the endpoint certificate)
• Phone security profiles of the MRA endpoints (in FQDN format) must be added as Subject Alternative Names (SAN) in the Expressway-C certificate
• With several phone types, each phone security profile must be added as a SAN in the Expressway-C certificate
• To reduce the number of SANs in the Expressway-C certificate, a special type of Phone Security Profile can be used independently of the phone type: “Universal Device Template”.
Unified CM Certificates
• Unified CM includes the certificate types:
» Tomcat RSA and ECDSA (new in 11.5): web services
» CallManager RSA and ECDSA (new in 11.0): SIP/SCCP TLS, TFTP config signing, etc.
» CAPF (CA cert used to sign LSC, only employed on the publisher)
» IPSEC (ipsec tunnels to non-SIP gateways or other Unified CM)
» TVS (Trust Verification Service, security by default)
» ITLRecovery (used as trust anchor to recover trust with endpoints)
• Notes:
• Default to self-signed certificates, valid for 5 years (except ITLRecovery, valid for 20 years)
• Option to have them signed by a 3rd party CA
• Key length:
• RSA certificates: key length up to 4096 (up to 2048 prior to 11.5), SHA1 or SHA256
• ECDSA certificates: key length up to 521 and hash up to SHA512
CA-signed Certificates
• In order to establish trust: need to import the remote certificate in the local trust store. Otherwise, warning message or communications not established
• With certificates signed by an external Certification Authority (CA), only the CA certificate needs to be imported into the trust store. This simplifies management
• Note: Not all certificates need to be signed by a CA. Example: Unified CM TVS, CAPF, ITLRecovery
Recommendation:
Use CA-signed certificates for:
Tomcat (Unified CM, IM&P, Unity Connection)
CallManager, XMPP, XMPP-S2S certificates, Expressway, Conductor, and TelePresence Server
Multi-Server Certificate Support
• To simplify certificate management in clustered environments
• One single CA-signed certificate and private key across all nodes in a cluster
• Each cluster node’s FQDN included as Subject Alternative Name (SAN) in a single certificate; custom SANs can also be included
Recommendation:
Use Multi-Server certificates wherever available:
Tomcat/Tomcat-ECDSA for Unified CM/IM&P and CUC, CallManager, CUP-XMPP, CUP-XMPP-S2S
(Diagram: Unified CM cluster with Unified CM nodes and IM&P nodes; one CA-signed Multi-Server certificate for the entire Unified CM cluster.)
Public vs. Private CA
SSL Certificates for Cisco Collaboration Infrastructure can be signed by public CAs (GeoTrust, Verisign/Symantec, GoDaddy, etc.) or by an organization’s private CA* (Microsoft CA, DogTag, openssl, etc.)
The tradeoff between the two options typically comes down to cost
Public CAs have a higher cost per certificate, but are broadly trusted in browsers and beyond
Your organization’s private CA typically has a minimal cost per cert (if not $0) but is not broadly trusted, so the cost involves maintaining the private CA and distributing the trusted CA certificate to end users and devices via MDM, MS Group Policy, etc.
Recommendation:
- Public CA for Expressway-E certificates (public CA signed certificate: the public CA root is contained in firmware and most mobile devices)
- Your choice for the other certificates
How Do Endpoints Trust Servers?
• CTL and ITL are signed files that contain a list of Unified CM certificates that the endpoint can trust
• Which file is present in the Unified CM cluster?
• With Unified CM in non-secure mode: ITL file only
• With Unified CM in mixed-mode: CTL + ITL files
• When an endpoint boots/resets, it requests:
• the Certificate Trust List (CTL) file first (if Unified CM is in mixed-mode), then
• the Initial Trust List (ITL) file
• Endpoints verify the signature of the CTL/ITL
• With MRA: endpoints verify the Expressway-E certificate using the root CA certificates embedded in their firmware
CMR Certificates – Recommended Best Practice
Video CMR – public CA root certificates in the supported list:
entrust_ev_ca
digicert_global_root_ca
verisign_style_2_public_primary_ca_-_g3
godaddy_style_2_ca_root_certificate
Go Daddy Root Certification Authority - G2
verisign_style_3_public_primary_ca_-_g5
verisign_style_3_public_primary_ca_-_g3
dst_root_ca_x3
verisign_style_3_public_primary_ca_-_g2
equifax_secure_ca
entrust_2048_ca*
verisign_style_1_public_primary_ca_-_g3
ca_cert_signing_authority
geotrust_global_ca
globalsign_root_ca
thawte_primary_root_ca
geotrust_primary_ca
addtrust_external_ca_root
QuoVadis Root CA 2
WebEx Supported CAs (public CA root for the signed Expressway-E certificate):
• Verisign Class 3 Public Primary Certification Authority – http://www.symantec.com/page.jsp?id=roots
• ‘VeriSign Class 3 Primary CA - G5’ – http://www.symantec.com/page.jsp?id=roots
• ‘VeriSign Class 3 Public Primary CA - G3’ – http://www.symantec.com/page.jsp?id=roots
• ‘QuoVadis Root CA 2’ – https://www.quovadisglobal.com/QVRepository/DownloadRootsAndCRL.aspx
Current WebEx Certificate: Verisign Class 3 Public Primary Certification Authority
Reference: https://kb.webex.com/WBX83490 and https://kb.webex.com/WBX87312
Monitor Certificate Expiration
• Monitor the server certificate expiration (OS Administration page)
• Monitor LSC certificate expiration (new in 11.5)
Receive Certificate Expiration Notifications (new in 11.5)
• Receive email notifications when certificates are about to expire
• For server certificates and for LSC certificates (since 11.5)
Conclusion
• Security in Layers
• Physical security, network security, host access security, encryption
• Protection against toll fraud
• Monitor CDR, logs, search history
• Encryption
• Encrypt admin interfaces, SIP trunks, LDAP
• Enable Unified CM mixed-mode and encrypt media and signaling for the endpoints
• For multi-cluster deployments, encrypt ILS and LBM-LBM communications
• Certificates
• Endpoints: use LSCs for SIP TLS, 802.1x, VPN. Only use the MIC to get an LSC
• Get some certificates signed by a CA: Tomcat, CallManager, XMPP, Expressway, TelePresence
• Expressway-E certificates to be signed by a public CA
• Use multi-server certificates wherever possible
Conclusion
• Your journey to secure your deployment does not stop here
• Establish a good security policy
• Stay up-to-date on the latest security news and upgrade / install security updates when applicable
• Cisco Security Center https://tools.cisco.com/security/center/home.x
• Latest threat information
• Product Security Incident Response Team (PSIRT)
• Security advisories and responses
• Get Notifications
Preferred Architectures Links
• Contact us via email: [email protected]
• Mid-Market and Enterprise PA Documents: http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-collaboration/index.html
• Cisco Preferred Architecture for Enterprise Collaboration 11.x, Design Overview - June 2016: http://www.cisco.com/c/dam/en/us/td/docs/solutions/PA/enterprise/11x/clbpa11x.pdf
• Cisco Preferred Architecture for Enterprise Collaboration 11.x, CVD – Nov 2015: http://www.cisco.com/c/en/us/td/docs/solutions/CVD/Collaboration/enterprise/11x/collbcvd.html
• dCloud: Cisco Preferred Architecture for Enterprise Collaboration 10.6 v1: http://dcloud.cisco.com/
Cisco Preferred Architecture for Enterprise Collaboration Design Overview 11.0
Related Sessions
• BRKUCC-1612: A Solution Architect’s Guide to Collaboration Security, Monday, 8am
• BRKCOL-2614: Technical Overview of Preferred Architecture for Enterprise Collaboration, Tuesday, 1:30pm
• BRKUCC-2224: Deploying and Troubleshooting Secure UC Solution, Tuesday, 8am
• BRKUCC-2501: Cisco UC Manager Security, Wednesday, 8am
• BRKUCC-2801: Cisco Expressway at the Collaboration Edge design session, Tuesday, 1:30pm
Complete Your Online Session Evaluation
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.
• Complete your session surveys through the Cisco Live mobile app or from the Session Catalog on CiscoLive.com/us.
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions
Please join us for the Service Provider Innovation Talk featuring:
Yvette Kanouff | Senior Vice President and General Manager, SP Business
Joe Cozzolino | Senior Vice President, Cisco Services
Thursday, July 14th, 2016
11:30 am - 12:30pm, In the Oceanside A room
What to expect from this innovation talk
• Insights on market trends and forecasts
• Preview of key technologies and capabilities
• Innovative demonstrations of the latest and greatest products
• Better understanding of how Cisco can help you succeed
Register to attend the session live now or
watch the broadcast on cisco.com
Join the Customer Connection Program (19,000+ Members Strong)
• Influence product direction
• Access to early adopter & beta trials
• Monthly technical & roadmap briefings
• Connect in private online community
• Exclusive perks at Cisco Live
• Collaboration NDA Roadmap Sessions Mon & Tues
• Q&A Open Forum with Collaboration Product Management Tues 4:00 – 5:30
• Reserved seats at Collaboration Innovation Talk Thurs 8:00am – 9:00am
• 2 new CCP tracks launching at Cisco Live: Security & Enterprise Networks
Join in World of Solutions, Collaboration zone: join at the Customer Connection stand; new member thank-you gift*; CCP ribbon for access to NDA sessions
Join Online: www.cisco.com/go/ccp
Come to the Collaboration zone to get your ribbon and new member gift
* While supplies last