Security for the Enterprise Collaboration Preferred Architecture
Laurent Pham, Technical Marketing Engineer
BRKCOL-2425
Gartner estimates that IT security spending will soar from $75 billion-plus in 2015 to $101 billion in 2018. Research firm Markets and Markets sees the cybersecurity market hitting $170 billion by 2020. Investors.com BRKCOL-2425 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
- Security in Layers
- Encryption
- Certificate Management
What is a Preferred Architecture?
Collaboration Preferred Architecture (CPA)
- What products to use to enable users for Collaboration and Unified Communications, for simple deployments
- Prescriptive recommendations, concise documents, tested best practices
- The Preferred Architecture provides prescriptive design guidance that simplifies and drives design consistency for Cisco Collaboration deployments
- The Preferred Architecture can be used as a design base for any customer, using a modular and scalable approach
- The Preferred Architecture team provides feedback on solution-level gaps to product teams
- The Preferred Architecture will help you scale!
Collaboration Preferred Architectures & CVDs (www.cisco.com/go/cvd/collaboration)
- PA (Preferred Architecture): Design Overview document, targeted to presales. Pre-sales process. The What (with some Why).
- CVD (Cisco Validated Design): detailed design and deployment guidance. Post-sales process. The What, Why, and How. Process-driven guide.
- CVD Applications: detailed deployment guidance that plugs into the PA CVD. Post-sales process. The What, Why, and How. Process-driven guide.
Collaboration Preferred Architecture for the Enterprise (architecture diagram)
Components shown: Headquarters with Call Control (Unified Communications Manager, IM and Presence), Voice Messaging (Unity Connection), Conferencing (TelePresence Server, Conductor), Collaboration Management Services (Prime Collaboration Provisioning and Assurance/Analytics, License Manager, TelePresence Management Suite), Collaboration Edge (Expressway-C, Expressway-E in the DMZ), Integrated/Aggregated Services Router towards the PSTN / ISDN, an MPLS WAN to a Remote Site (Integrated Services Router and endpoints), and Internet connectivity to Cisco WebEx, mobile/teleworker endpoints and a third-party solution.
Preferred Architecture for Collaboration Enterprise Cisco Validated Design (CVD)
- Call Control: UCM, IM&P, ISR, CUBE. Functions: Dial Plan (Dialing Habits, Endpoints/ILS/GDPR), Trunking, SRST, CTI, DNS, EM
- Conferencing: UCM, Conductor, TS, TMS. Functions: Instant, Permanent, Scheduled, CMR, CMR Hybrid, Personal Multiparty
- Edge: UCM, Expressway, CUBE, ISR. Functions: Mobile Remote Access (MRA), B2B, IM&P Federation, PSTN Access, ISDN Video
- Applications: Ucx, PCD*, PLM*. Functions: Applications and Tools: VM Deployment, Licensing, Voice Messaging
- Bandwidth Management. Functions: QoS and Admission Control
- Sizing. Functions: sizing numbers for products, built on a set of calculated assumptions
Each chapter covers Architecture (Component Role, HA, Security, Scalability) and Deployment (Process and Configuration).
Upcoming Chapters in CVD (work in progress; CVD to be available later this year)
- Collaboration Management Services: PCD, PLM, PCP, PCA
- Security: Security in Layers (including Toll Fraud), Encryption, Certificate Management
Examples of IP Communications Threats
- Denial of Service (DoS): affecting call quality or the ability to place calls
- SPAM: SPIM, SPIT, and more
- Toll fraud: unauthorized or unbillable resource utilization
- Learning private information: Caller ID, DTMF, passwords/accounts, calling patterns, Presence information
- Eavesdropping: listening to another's call, or theft of intellectual property
- Media tampering: data modification
- Impersonating others: identity theft
- Session replay: replaying a session, such as a bank transaction
Security In Layers
Secure Physical Access
- First line of defense: once a user or attacker has physical access to one of the devices in a network, all kinds of problems could occur
- Action:
  - Secure access to the building
  - Secure access to the Data Center / servers (DoS, easier access to management, password recovery)
  - Secure endpoints
Secure the Infrastructure and the Network
- Segregation
  - Virtual LANs (VLANs) separate voice and data traffic
  - VLAN Access Control Lists (VACLs) limit traffic between devices on the voice VLAN
  - QoS packet marking ensures UC traffic receives appropriate priority over other traffic
- Layer 2
  - DHCP Snooping creates a binding table
  - Dynamic ARP Inspection (DAI) examines ARP & GARP for violations
  - Port Security limits the number of MAC addresses allowed per port
  - 802.1X limits network access to authenticated devices on their assigned VLANs
  - Multi-Domain Authentication (MDA) binds two devices to assigned VLANs
  - MAC Authentication Bypass (MAB) provides a measure of control over devices which don't support 802.1X
- Layer 3
  - IP Source Guard examines physical port, VLAN, IP, & MAC for inconsistencies
- Firewalls/IPS/AMP
  - ASA with FirePOWER Services
Prevent Unauthorized Access - Platforms
- Hardened platform
  - Host-based intrusion protection (SELinux)
  - Host-based firewall (iptables)
  - 3rd-party software installation not allowed
  - OS and applications are installed with a single package
  - Root account disabled
  - Software signed
  - Secure management (HTTPS, SSH, SFTP)
  - Audit logging
- Also configure
  - If applicable, change default passwords (e.g. Expressway, TelePresence)
  - Complex password policy
  - Disable unnecessary protocols
Prevent Unauthorized Access - Edge
- Expressway
  - Host-based firewall, firewall rules
  - Host-based intrusion protection (not enabled by default)
- CUBE and Voice Gateways
  - IP TRUST LIST: don't respond to any SIP INVITE unless it originated from an IP address specified in this trust list
  - CALL THRESHOLD: protect against CPU, memory & total call spikes
  - CALL SPIKE PROTECTION: protect against a spike of INVITE messages within a sliding window
  - BANDWIDTH-BASED CAC: protect against excessive media
  - MEDIA POLICING: protect against negotiated bandwidth overruns and RTP floods
  - USE NBAR POLICIES: protect against overall SIP and RTP flood attacks from otherwise trusted sources
  - DEFINE VOICE POLICIES: identify patterns of valid phone calls that might suggest potential abuse
Prevent Unauthorized Access - Endpoints
- Security features by default
  - Signed firmware (.sbn extension)
  - Signed configuration files (<devicename>.cnf.xml.sgn)
  - Note: with Jabber, Unified CM needs to be in Mixed-Mode for these features (CTL file)
  - This authenticates the firmware/configuration and protects against tampering
- Also add
  - Physically secure the phones
  - Disable Gratuitous ARP
  - Configure 802.1X
  - Disable web access / SSH access, or configure an ACL
  - Disable the PC port if not needed
  - Optionally, TFTP configuration file encryption
Prevent Toll Fraud
- Toll fraud can come from external and also from internal attacks
- Areas to cover: Unified CM, Unity Connection, Edge (CUBE, Voice GW, Expressway)
Unified CM Security - Eliminate Toll Fraud (1)
- Deny unauthorized calls: partitions and Calling Search Spaces (CSS) provide dial plan segmentation and access control
- Example: avoid Unified CM sending a call that came in from the PSTN back out to the PSTN
  - Don't include the partition holding the PSTN route patterns in the trunk's inbound CSS
- (Diagram: PSTN, Voice or Video GW and Unified CM, with signaling and media paths, steps 1-4. Partitions shown: PSTN access partition, DN partition, Multiparty meeting partition. The gateway trunk's Inbound CSS covers only the DN and Multiparty meeting partitions.)
Unified CM Security - Eliminate Toll Fraud (2)
- Block offnet-to-offnet transfers (CallManager service parameter)
- (Diagram: call flow between the PSTN, a Voice or Video GW and Unified CM, steps 1-6)
Unified CM Security - Eliminate Toll Fraud (3)
- Use the Device Pool Calling Search Space for auto-registration to limit access to the dial plan
- Employ time-of-day routing to deactivate segments of the dial plan after hours
- Require Forced Authorization Codes (FAC) on route patterns to restrict access to long distance or international calls
- Drop ad hoc conferences when the originator leaves (CallManager service parameter)
- Monitor Call Detail Records
- Employ multilevel administration
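The partition/CSS recommendation above can be checked mechanically. The following is an added example, not code from the Cisco deck: a small model of Unified CM partitions, route patterns and calling search spaces, with a resolver that shows which pattern a dialed string reaches through a given CSS, and an audit that flags any inbound-trunk CSS able to reach an offnet (PSTN) pattern. All partition, CSS and pattern names are constructed, and closest-match routing is approximated by counting wildcards.

```python
# Added example (not from the Cisco deck): a model of Unified CM partitions
# and calling search spaces used to check the toll-fraud recommendations.
# Every pattern, partition and CSS name below is constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RoutePattern:
    pattern: str    # Unified CM style pattern, e.g. "9.011!" or "2XXX"
    partition: str  # partition the pattern is placed in
    offnet: bool    # True when the pattern routes to a PSTN gateway


def pattern_matches(pattern: str, digits: str) -> bool:
    """Match a dialed string against a simplified Unified CM route pattern.

    Supported: literal digits, X (any single digit), ! (one or more digits)
    and '.' (access-code delimiter, consumes nothing). Bracket ranges and
    the '#' terminator are not modelled.
    """
    pattern = pattern.replace(".", "")

    def match(p: str, d: str) -> bool:
        if not p:
            return not d
        head, rest = p[0], p[1:]
        if head == "!":
            # '!' must consume at least one digit; try every possible length
            return any(match(rest, d[i:]) for i in range(1, len(d) + 1))
        if not d:
            return False
        if head == "X" or head == d[0]:
            return match(rest, d[1:])
        return False

    return match(pattern, digits)


def resolve(css: List[str], digits: str,
            patterns: List[RoutePattern]) -> Optional[RoutePattern]:
    """Return the pattern reachable through *css* for *digits*, or None.

    Only patterns whose partition is listed in the CSS are visible. Among
    the matches the most specific pattern (fewest wildcards) wins; ties go
    to the partition listed first in the CSS (an approximation of
    Unified CM closest-match routing).
    """
    order = {name: i for i, name in enumerate(css)}
    hits = [p for p in patterns
            if p.partition in order and pattern_matches(p.pattern, digits)]
    if not hits:
        return None
    return min(hits, key=lambda p: (sum(c in "X!" for c in p.pattern),
                                    order[p.partition]))


def hairpin_risks(trunk_inbound_css: Dict[str, List[str]],
                  patterns: List[RoutePattern]) -> List[str]:
    """Name every inbound-trunk CSS that can reach an offnet pattern.

    A PSTN trunk whose inbound CSS includes the PSTN access partition lets
    a call arriving from the PSTN be routed straight back out to the PSTN.
    """
    offnet_partitions = {p.partition for p in patterns if p.offnet}
    return sorted(name for name, css in trunk_inbound_css.items()
                  if offnet_partitions.intersection(css))


# Constructed dial plan: internal DNs, meeting numbers and two PSTN patterns.
PATTERNS = [
    RoutePattern("2XXX", "DN", offnet=False),           # internal extensions
    RoutePattern("8XXX", "Multiparty", offnet=False),   # meeting numbers
    RoutePattern("9.XXXXXXXXXX", "PSTN", offnet=True),  # national PSTN calls
    RoutePattern("9.011!", "PSTN", offnet=True),        # international calls
]
PHONE_CSS = ["DN", "Multiparty", "PSTN"]
TRUNK_INBOUND_CSS = {
    "PSTN_GW_Inbound_CSS": ["DN", "Multiparty"],  # as recommended: no PSTN partition
    "Legacy_GW_Inbound_CSS": ["DN", "PSTN"],      # misconfigured: allows hairpinning
}

if __name__ == "__main__":
    print(resolve(PHONE_CSS, "94085551234", PATTERNS))
    print(resolve(TRUNK_INBOUND_CSS["PSTN_GW_Inbound_CSS"], "94085551234", PATTERNS))
    print(hairpin_risks(TRUNK_INBOUND_CSS, PATTERNS))
```

Running the audit against an export of the real trunk and partition configuration turns the slide's rule into a repeatable check rather than a one-time design review.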
Toll Fraud Prevention - Unity Connection
- Unity Connection could be used to transfer a call
- Recommendations
  - Use restriction tables to allow or block call patterns
  - Change the Rerouting CSS on the trunk on the Unified CM side
- References
  - CUC Security Guide: http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/11x/security/b_11xcucsecx.html
  - Troubleshoot Toll Fraud via Unity Connection, TAC tech note: http://www.cisco.com/c/en/us/support/docs/unified-communications/unity-connection/119337-technote-cuc-00.html
  - System Administration Guide: http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/11x/administration/guide/b_cucsag/b_cucsag_chapter_0101.html
Toll Fraud Prevention - Edge
- CUBE
  - Call Source Authentication (IOS 15.1(2)T feature) is enabled by default. Do not disable it via "no ip address trusted authenticate"
  - Only calls from trusted source IP addresses will be accepted:
    voice service voip
     ip address trusted list
      ipv4 10.10.1.10
      ipv4 66.66.66.66
- Expressway
  - Call Policy Rules (CPL)
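Because the slide's warning is about a single line that must never appear, the setting is a good candidate for automated configuration review. The following is an added example, not from the Cisco deck: a parser for the `voice service voip` block of an IOS running-config that reports whether call source authentication is still enabled and which `ipv4` entries the trusted list contains. The two configuration samples are constructed (the IP addresses are the ones on the slide), and the block is the only part of the configuration the audit reads.

```python
# Added example (not from the Cisco deck): audit a CUBE / voice gateway IOS
# configuration for the call source authentication settings on the slide.
# Both configuration texts are constructed samples.
import re
from typing import Dict, List

COMPLIANT_CONFIG = """\
!
voice service voip
 ip address trusted list
  ipv4 10.10.1.10
  ipv4 66.66.66.66
 allow-connections sip to sip
!
"""

NONCOMPLIANT_CONFIG = """\
!
voice service voip
 no ip address trusted authenticate
 allow-connections sip to sip
!
"""

# One 'ipv4 A.B.C.D [mask]' entry inside the trusted list sub-mode.
IPV4_ENTRY = re.compile(
    r"^\s+ipv4\s+(\d{1,3}(?:\.\d{1,3}){3})(?:\s+(\d{1,3}(?:\.\d{1,3}){3}))?\s*$")


def audit_call_source_auth(config: str) -> Dict[str, object]:
    """Summarise the trusted-list state of the 'voice service voip' block.

    Keys: 'authenticate' (True unless explicitly disabled, matching the IOS
    default), 'trusted' (ipv4 entries in order) and 'findings' (issues).
    """
    in_voip = False
    in_list = False
    authenticate = True
    trusted: List[str] = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            # Top-level statement: enter or leave the voice service voip block
            in_voip = line.strip() == "voice service voip"
            in_list = False
            continue
        if not in_voip:
            continue
        stripped = line.strip()
        if stripped == "no ip address trusted authenticate":
            authenticate = False
            in_list = False
            continue
        if stripped == "ip address trusted authenticate":
            authenticate = True
            in_list = False
            continue
        if stripped == "ip address trusted list":
            in_list = True
            continue
        m = IPV4_ENTRY.match(line)
        if in_list and m:
            trusted.append(" ".join(g for g in m.groups() if g))
        else:
            in_list = False  # any other statement ends the ipv4 list sub-mode
    findings: List[str] = []
    if not authenticate:
        findings.append("call source authentication disabled "
                        "(no ip address trusted authenticate)")
    elif not trusted:
        findings.append("no explicit ipv4 entries in the trusted list")
    return {"authenticate": authenticate, "trusted": trusted, "findings": findings}


if __name__ == "__main__":
    print(audit_call_source_auth(COMPLIANT_CONFIG))
    print(audit_call_source_auth(NONCOMPLIANT_CONFIG))
```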
Monitor CDR and logs - Unified CM
Monitor CDR, audit logs, and other logs.

Authentication failure:
16:10:32.908 LogMessage UserID : administrator ClientAddress : 10.10.10.100 Severity : 4 EventType : UserLogging ResourceAccessed: Cisco CallManager Administration EventStatus : Failure CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : Cisco CCM Application AuditDetails : Failed to Log into Cisco CCM Webpages App ID: Cisco Tomcat Cluster ID: Node ID: cucm-pub

Phone added:
16:13:48.823 LogMessage UserID : administrator ClientAddress : 10.10.10.100 Severity : 5 EventType : DeviceUpdate ResourceAccessed: CUCMAdmin EventStatus : Success CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : Cisco CUCM Administration AuditDetails : New Phone added with MAC address=aaaabbbbcccc, CAL mode=< None > and CAL value=< None > App ID: Cisco Tomcat Cluster ID: Node ID: cucm-pub
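The two records above are the raw material for detection. The following is an added example, not from the Cisco deck: a parser for audit records in the slide's field layout, a check that alerts when the same user and source address accumulate repeated administrative login failures inside a sliding window, and a listing of successful device changes for reconciliation against change tickets. The sample records are constructed in the slide's format; the 10.10.10.100 address and the MAC address are the ones shown above, the other values are made up.

```python
# Added example (not from the Cisco deck): parse Unified CM audit-log records
# and flag repeated administrative login failures. Records are constructed.
import re
from collections import defaultdict
from typing import Dict, List, Tuple

FIELDS = ["UserID", "ClientAddress", "Severity", "EventType", "ResourceAccessed",
          "EventStatus", "CompulsoryEvent", "AuditCategory", "ComponentID",
          "AuditDetails", "App ID", "Cluster ID", "Node ID"]
FIELD_RE = re.compile(r"\b(" + "|".join(re.escape(f) for f in FIELDS) + r")\s*:")

_FAIL = ("LogMessage UserID : {user} ClientAddress : {ip} Severity : 4 EventType : UserLogging "
         "ResourceAccessed: Cisco CallManager Administration EventStatus : Failure CompulsoryEvent : No "
         "AuditCategory : AdministrativeEvent ComponentID : Cisco CCM Application AuditDetails : "
         "Failed to Log into Cisco CCM Webpages App ID: Cisco Tomcat Cluster ID: Node ID: cucm-pub")

SAMPLE_LOG = [
    "16:10:32.908 " + _FAIL.format(user="administrator", ip="10.10.10.100"),
    "16:10:41.115 " + _FAIL.format(user="administrator", ip="10.10.10.100"),
    "16:10:55.402 " + _FAIL.format(user="administrator", ip="10.10.10.100"),
    "16:11:03.010 " + _FAIL.format(user="helpdesk", ip="10.10.10.50"),
    "16:13:48.823 LogMessage UserID : administrator ClientAddress : 10.10.10.100 Severity : 5 "
    "EventType : DeviceUpdate ResourceAccessed: CUCMAdmin EventStatus : Success CompulsoryEvent : No "
    "AuditCategory : AdministrativeEvent ComponentID : Cisco CUCM Administration AuditDetails : "
    "New Phone added with MAC address=aaaabbbbcccc, CAL mode=< None > and CAL value=< None > "
    "App ID: Cisco Tomcat Cluster ID: Node ID: cucm-pub",
]


def parse_record(line: str) -> Dict[str, str]:
    """Split one record into fields; the leading timestamp is stored as 'Time'."""
    rec = {"Time": line.split(" ", 1)[0]}
    marks = list(FIELD_RE.finditer(line))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(line)
        rec[m.group(1)] = line[m.end():end].strip()
    return rec


def to_seconds(hms: str) -> float:
    """'16:10:32.908' -> seconds since midnight."""
    h, m, s = hms.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def failed_login_alerts(lines: List[str], threshold: int = 3,
                        window_s: float = 60.0) -> List[Tuple[str, str, int]]:
    """(user, client address, count) for sources with >= threshold admin
    login failures inside any sliding window of window_s seconds."""
    failures: Dict[Tuple[str, str], List[float]] = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec.get("EventType") == "UserLogging" and rec.get("EventStatus") == "Failure":
            failures[(rec["UserID"], rec["ClientAddress"])].append(to_seconds(rec["Time"]))
    alerts = []
    for (user, ip), times in failures.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((user, ip, best))
    return sorted(alerts)


def device_changes(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(time, user, details) for successful DeviceUpdate events, for
    reconciliation against change records and CDR review."""
    out = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("EventType") == "DeviceUpdate" and rec.get("EventStatus") == "Success":
            out.append((rec["Time"], rec["UserID"], rec["AuditDetails"]))
    return out


if __name__ == "__main__":
    print(failed_login_alerts(SAMPLE_LOG))
    print(device_changes(SAMPLE_LOG))
```

The window-based count rather than a plain total keeps a slow trickle of mistyped passwords from paging anyone, while a burst from one address stands out immediately.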
Monitor CDR and logs - Expressway
Monitor CDR, Search History, and logs.
Enable Encryption
- Protects against eavesdropping, data modification, session replay, and impersonation
- Provides privacy, integrity, and authentication
- Authentication is provided through certificates
- Can be one-way authentication or mutual authentication (MTLS)
Encryption
Links to Encrypt
- Administrative and user interfaces
- SIP trunks
- Endpoint encryption
- Within the Data Center
- Multiple clusters
Links to Encrypt - Administrative and user interfaces
- Most of them should be encrypted by default
- Ensure passwords are not sent in the clear
- If integrated with LDAP, configure LDAP over SSL (import the LDAP certificate into the Tomcat-trust store)
Links to Encrypt - SIP trunks
- Typically: authentication via certificates; authorization via the X.509 Subject Name in the SIP Trunk Security Profile
- Does not require Unified CM in mixed-mode
- SIP trunk encryption is recommended
- (Diagram: Unified CM SIP trunks to Conductor, TelePresence Server, Unity Connection, Expressway, and CUBE / VG)
Links to Encrypt - Endpoint encryption
- SRTP encryption for phone media and signaling requires Unified CM to be in Mixed-Mode
- Requires the export-restricted version of Unified CM
- IM messages are encrypted by default and do not require mixed-mode
- A secure call shows a lock icon on the endpoint display
Unified CM: Non-Secure vs. Mixed-Mode
(Table: feature availability in a Non-Secure Cluster versus a Mixed-Mode Cluster.) Features compared:
- Auto-registration *
- Signed & Encrypted Phone Configs
- Signed Phone Firmware
- Secure Phone Services (HTTPS)
- CAPF + LSC
- IP VPN Phone
- SIP Trunk encryption
- Secure Endpoints (TLS & SRTP)
* New in 11.5
Mixed-Mode for Unified CM
- Enable Mixed-Mode with either Hardware Security Tokens (USB Security Tokens) or Tokenless CTL (10.0+)
- Migration: see the Unified CM Security Guide and the TAC note http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/118893-technote-cucm-00.html
USB Security Tokens vs. Tokenless
- Hardware Security Token (USB Security Tokens)
  - Pros: fewer situations where endpoints lose the trust relationship with Unified CM, and easier to recover from this scenario; can be used across multiple Unified CM clusters and facilitates migration between clusters
  - Cons: have to purchase 2+ USB Security Tokens; not manufactured in the US; require CTL Client installation on a desktop
- Tokenless (10.0+)
  - Pros: easier to manage: no need to purchase USB security tokens, no need to install the CTL Client, easier to update the CTL file
  - Cons: more situations where endpoints lose the trust relationship with Unified CM, and more complex to recover from this scenario; requires more steps when migrating clusters
Encrypted Endpoint Basic Configuration
- With Unified CM in mixed-mode, not all endpoints need to be configured with encryption, but all endpoints get a CTL (Certificate Trust List) file
- Notes:
  - There is also a Phone Security Profile which is independent of the phone type: Universal Device Template. Useful when deploying MRA
  - Encryption using the Locally Significant Certificate (LSC) instead of the Manufacturing Installed Certificate (MIC) requires an additional step
MRA Voice/Video Encryption
- Voice/video streams are always SRTP-encrypted between Expressway-C and the MRA client
- SIP TLS is always enforced between MRA clients & Expressway-E, and between Expressway-C & Expressway-E
- * Unified CM mixed mode is required to achieve SRTP on the internal network and SIP TLS between Expressway-C and Unified CM
- (Diagram: MRA client, external firewall, Expressway-E in the DMZ, firewall, Expressway-C, Unified CM. Media and signaling are always encrypted on the outside (SIP TLS, SRTP); between Expressway-C and Unified CM the signaling is SIP TLS* or SIP TCP)
Links to Encrypt - Within the Data Center
- Some communications carry sensitive information or are easy to encrypt. Recommendation: encrypt. Examples: LDAP over SSL and SIP trunks
- Some communications are more difficult to encrypt, requiring for example IPsec. These are a lower priority to encrypt, especially if the servers are locked down in a trusted Data Center. Example: communication between Unified CM nodes in the same cluster
- If IPsec must be used, the recommendation is to configure it on the infrastructure
Links to Encrypt - Multiple clusters
- In addition to SIP trunk encryption, encrypt ILS and LBM
  - ILS (Intercluster Lookup Service): certificates for authentication, passwords for authorization (new in 11.5)
  - LBM (Location Bandwidth Manager): encrypt intercluster LBM links
- ILS and LBM use the Tomcat certificates
Cipher Suites - Unified CM SIP TLS
Example suite: ECDHE_RSA with AES256_GCM_SHA384
- Key exchange, authenticated/signed with: ECDHE RSA (Elliptic Curve Diffie-Hellman Ephemeral, RSA)
  - Unified CM options: RSA (only option prior to 10.5.2); ECDHE RSA (10.5.2+); ECDHE ECDSA (11+)
- Encryption algorithm, authenticated with: AES256_GCM SHA384 (Advanced Encryption Standard at 256 bits with Galois/Counter Mode; Secure Hash Algorithm at 384 bits)
  - Unified CM options: AES128_SHA1 (only option prior to 10.5.2); AES128_GCM_SHA256 (10.5.2+); AES256_GCM_SHA384 (10.5.2+)
Cipher Suites - Unified CM SIP TLS
Cipher suite options, each listed in preference order:
- Strongest - AES-256 SHA-384 only: RSA preferred
  ECDHE_RSA with AES256_GCM_SHA384
  ECDHE_ECDSA with AES256_GCM_SHA384
- Strongest - AES-256 SHA-384 only: ECDSA preferred
  ECDHE_ECDSA with AES256_GCM_SHA384
  ECDHE_RSA with AES256_GCM_SHA384
- Medium - AES-256 AES-128 only: RSA preferred
  ECDHE_RSA with AES256_GCM_SHA384
  ECDHE_ECDSA with AES256_GCM_SHA384
  ECDHE_RSA with AES128_GCM_SHA256
  ECDHE_ECDSA with AES128_GCM_SHA256
- Medium - AES-256 AES-128 only: ECDSA preferred
  ECDHE_ECDSA with AES256_GCM_SHA384
  ECDHE_RSA with AES256_GCM_SHA384
  ECDHE_ECDSA with AES128_GCM_SHA256
  ECDHE_RSA with AES128_GCM_SHA256
- All Ciphers: RSA preferred (default)
  ECDHE_RSA with AES256_GCM_SHA384
  ECDHE_ECDSA with AES256_GCM_SHA384
  ECDHE_RSA with AES128_GCM_SHA256
  ECDHE_ECDSA with AES128_GCM_SHA256
  RSA with AES_128_CBC-SHA1
- All Ciphers: ECDSA preferred
  ECDHE_ECDSA with AES256_GCM_SHA384
  ECDHE_RSA with AES256_GCM_SHA384
  ECDHE_ECDSA with AES128_GCM_SHA256
  ECDHE_RSA with AES128_GCM_SHA256
  RSA with AES_128_CBC-SHA1
General recommendation: use the default setting
Cipher Suites - Unified CM SRTP
- Prior to Unified CM 10.5.2, SIP trunks and SIP lines only supported SHA1-based media encryption ciphers: AES_CM_128-SHA1
- Version 10.5.2 introduces support for new GCM (Galois/Counter Mode) ciphers providing AEAD (Authenticated Encryption with Associated Data): AEAD_AES_256_GCM, AEAD_AES_128_GCM
- The new ciphers are available by default on upgrade to Unified CM 10.5.2
- The highest-strength cipher is offered or negotiated by default
- SHA1-based SRTP cipher compatibility remains for non-SIP devices
Cipher Suites - Unified CM SRTP
SRTP cipher options:
- Strongest - AEAD AES-256 GCM cipher only: AEAD AES-256 GCM
- Medium - AEAD AES-256 GCM and AES-128 GCM ciphers only: AEAD AES-256 GCM, AEAD AES-128 GCM
- All supported ciphers (default): AEAD AES-256 GCM, AEAD AES-128 GCM, AES_CM_128-SHA1 ciphers
General recommendation: use the default setting
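Why the deck recommends the default setting for both the SIP TLS and the SRTP options becomes concrete once the preference lists are run against what peers actually offer. The following is an added example, not from the Cisco deck: the option names and cipher strings are transcribed from the two cipher suite tables above, and a small negotiation function picks the first cipher in the server's preference list that the peer also offers. The peers, and the assumption that the Unified CM side's preference order decides the outcome, are constructed for the demonstration.

```python
# Added example (not from the Cisco deck): how the Unified CM cipher suite
# options interact with what a peer offers. Option and cipher names follow
# the slides; the peers are constructed and server preference is assumed to win.
from typing import Dict, List, Optional

STRONGEST_RSA = "Strongest - AES-256 SHA-384 only: RSA preferred"
STRONGEST_ECDSA = "Strongest - AES-256 SHA-384 only: ECDSA preferred"
MEDIUM_RSA = "Medium - AES-256 AES-128 only: RSA preferred"
MEDIUM_ECDSA = "Medium - AES-256 AES-128 only: ECDSA preferred"
DEFAULT = "All Ciphers: RSA preferred (default)"
ALL_ECDSA = "All Ciphers: ECDSA preferred"

AES256_RSA = "ECDHE_RSA with AES256_GCM_SHA384"
AES256_ECDSA = "ECDHE_ECDSA with AES256_GCM_SHA384"
AES128_RSA = "ECDHE_RSA with AES128_GCM_SHA256"
AES128_ECDSA = "ECDHE_ECDSA with AES128_GCM_SHA256"
LEGACY_CBC = "RSA with AES_128_CBC-SHA1"

SIP_TLS_OPTIONS: Dict[str, List[str]] = {
    STRONGEST_RSA: [AES256_RSA, AES256_ECDSA],
    STRONGEST_ECDSA: [AES256_ECDSA, AES256_RSA],
    MEDIUM_RSA: [AES256_RSA, AES256_ECDSA, AES128_RSA, AES128_ECDSA],
    MEDIUM_ECDSA: [AES256_ECDSA, AES256_RSA, AES128_ECDSA, AES128_RSA],
    DEFAULT: [AES256_RSA, AES256_ECDSA, AES128_RSA, AES128_ECDSA, LEGACY_CBC],
    ALL_ECDSA: [AES256_ECDSA, AES256_RSA, AES128_ECDSA, AES128_RSA, LEGACY_CBC],
}

SRTP_DEFAULT = "All supported ciphers (default)"
SRTP_OPTIONS: Dict[str, List[str]] = {
    "Strongest - AEAD AES-256 GCM cipher only": ["AEAD_AES_256_GCM"],
    "Medium - AEAD AES-256 GCM, AES-128 GCM ciphers only": ["AEAD_AES_256_GCM", "AEAD_AES_128_GCM"],
    SRTP_DEFAULT: ["AEAD_AES_256_GCM", "AEAD_AES_128_GCM", "AES_CM_128-SHA1"],
}

# Constructed peers: what each side is able to offer.
SIP_TLS_PEERS: Dict[str, List[str]] = {
    "peer-legacy": [LEGACY_CBC],                          # pre-GCM, RSA-only device
    "peer-rsa-gcm": [AES256_RSA, AES128_RSA, LEGACY_CBC],  # RSA certificate, GCM capable
    "peer-ecdsa": [AES256_ECDSA, AES256_RSA, AES128_ECDSA, AES128_RSA],
}


def negotiate(server_preference: List[str], peer_offer: List[str]) -> Optional[str]:
    """First cipher in the server's preference list that the peer also offers."""
    offered = set(peer_offer)
    for cipher in server_preference:
        if cipher in offered:
            return cipher
    return None


def incompatible_peers(options: Dict[str, List[str]],
                       peers: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """For each option, the peers that would fail to connect (no common cipher)."""
    return {name: sorted(peer for peer, offer in peers.items()
                         if negotiate(pref, offer) is None)
            for name, pref in options.items()}


if __name__ == "__main__":
    for option, failing in incompatible_peers(SIP_TLS_OPTIONS, SIP_TLS_PEERS).items():
        print(f"{option}: cannot connect {failing or 'nobody'}")
    print(negotiate(SRTP_OPTIONS[SRTP_DEFAULT], ["AES_CM_128-SHA1"]))
```

The preferred-order lists also show that "RSA preferred" and "ECDSA preferred" only differ for peers that can do both; a peer with a single certificate type gets the same cipher either way.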
Verify Supported Cipher Suites on Endpoints
Certificate Management
Why Do We Need Certificates?
- What is a digital certificate? It includes the public key and the name of the certificate holder, plus a signature
- Goal: authentication and encryption
- Two types of authentication
  - One-way authentication: with web browsers, or with Jabber login (UDS, XMPP, Unity Connection visual voicemail)
  - Two-way authentication: endpoints in encrypted mode, MTLS trunks (e.g. Unified CM SIP trunk to Expressway)
Endpoint Certificates
- Certificate types: MIC (Manufacturer Installed Certificate) and LSC (Locally Significant Certificate)
- An endpoint certificate is required for media/signaling encryption and TFTP config file encryption, and can also be used for phone VPN and 802.1X
- When both an LSC and a MIC are installed on a device, the LSC takes preference
Endpoint Certificates - MIC (Manufacturer Installed Certificate, signed by the Cisco CA)
- Cisco IP Phones ship from the factory with a unique MIC pre-installed
- The MIC is valid for 10 years
- No certificate revocation support
- Notes:
  - A new Manufacturing SHA2 CA signs Cisco's newest IP Phones (88xx)
  - Unified CM 10.5(1)+ includes and trusts the new SHA2 certificates
  - For older Unified CM releases, download the SHA2 CA certificates at http://www.cisco.com/security/pki/certs/cmca2.cer
  - No MIC on Jabber
Endpoint Certificates - LSC (Locally Significant Certificate, signed by the CAPF service)
- The LSC is signed by the Certificate Authority Proxy Function (CAPF) service running on the Unified CM Publisher (or by an external CA)
- Preferred certificate for endpoint identity
- Endpoint support includes IP Phones, TelePresence, and Jabber clients
- LSCs can be installed, re-issued, and deleted in bulk with the Unified CM Bulk Administration Tool
- Only LSCs are available with Jabber. LSCs are required for configuration file signature and signaling/media encryption (except for Jabber over MRA)
- Enhancements in Unified CM 11.5:
  - LSC signed by CAPF valid for up to 5 years (validity configurable in 11.5; used to be fixed at 5 years)
  - Certificate expiration can be tracked (new in 11.5; used to require a paper process)
  - SHA2 support
  - RSA key length up to 4096 (used to be up to 2048). Use Cisco Unified Reporting to verify phone support
Endpoint Certificates - MIC vs. LSC
- MIC: out-of-the-box certificate. Its goal is to prove the phone is a genuine Cisco phone
  - But the MIC is not specific to your own Unified CM cluster: it doesn't prove the phone is part of your Unified CM cluster
  - The MIC cannot be customized, updated, or deleted
- Recommendation:
  - Use the MIC to authenticate with CAPF for LSC installation
  - Use the LSC for everything else (SIP TLS, VPN, 802.1X)
MRA with End-to-End Encryption
- Media and signaling are always encrypted (SIP TLS, SRTP) between the MRA client, Expressway-E (DMZ) and Expressway-C
- For MRA end-to-end encryption, encryption inside the enterprise requires Unified CM in mixed mode and an encrypted phone security profile, as usual
- But the Expressway-C certificate is used (not the endpoint certificate)
- With Jabber 11.0+ using MRA, CAPF enrollment is not required (LSC not required)
- Notes:
  - Also works for DX and TC series endpoints
  - TFTP encrypted config is still not supported for any MRA clients
MRA with End-to-End Encryption
- The Expressway-C certificate is used (not the endpoint certificate)
- The phone security profile names of the MRA endpoints (in FQDN format) must be added as Subject Alternative Names (SAN) in the Expressway-C certificate
- With several phone types, each phone security profile must be added as a SAN in the Expressway-C certificate
- To reduce the number of SANs in the Expressway-C certificate, a special type of Phone Security Profile can be used independently of the phone type: Universal Device Template
Unified CM Certificates
Unified CM includes the following certificate types:
- Tomcat, RSA and ECDSA (ECDSA new in 11.5): web services
- CallManager, RSA and ECDSA (ECDSA new in 11.0): SIP/SCCP TLS, TFTP config signing, etc.
- CAPF: CA certificate used to sign LSCs, only employed on the publisher
- IPSEC: IPsec tunnels to non-SIP gateways or other Unified CM clusters
- TVS: Trust Verification Service, security by default
- ITLRecovery: used as a trust anchor to recover trust with endpoints
Notes:
- Default to self-signed certificates, valid for 5 years (except ITLRecovery, valid for 20 years)
- Option to have them signed by a 3rd-party CA
- Key length: RSA certificates up to 4096 bits (up to 2048 prior to 11.5), SHA1 or SHA256; ECDSA certificates with key length up to 521 bits and hash up to SHA512
CA-signed Certificates
- In order to establish trust, the remote certificate needs to be imported into the local trust store; otherwise a warning message appears or the communication is not established
- With certificates signed by an external Certification Authority (CA), only the CA certificate needs to be imported into the trust store. This simplifies management
- Note: not all certificates need to be signed by a CA. Examples: Unified CM TVS, CAPF, ITLRecovery
- Recommendation: use CA-signed certificates for Tomcat (Unified CM, IM&P, Unity Connection), CallManager, XMPP and XMPP-S2S certificates, Expressway, Conductor, and TelePresence Server
Multi-Server Certificate Support
- One CA-signed multi-server certificate for the entire Unified CM cluster (Unified CM nodes and IM&P nodes)
- Simplifies certificate management in clustered environments: one single CA-signed certificate and private key across all nodes in a cluster
- Each cluster node's FQDN is included as a Subject Alternative Name (SAN) in the single certificate; custom SANs can also be included
- Recommendation: use multi-server certificates wherever available: Tomcat/Tomcat-ECDSA for Unified CM/IM&P and CUC, CallManager, CUP-XMPP, CUP-XMPP-S2S
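Both the Expressway-C requirement (every MRA phone security profile name, in FQDN format, present as a SAN) and the multi-server certificate (every node FQDN present as a SAN) reduce to the same check: does the SAN list cover every required name? The following is an added example, not from the Cisco deck: a name-coverage check with the usual DNS-ID wildcard rule (one `*` may stand for the entire left-most label only), plus a helper that pulls DNS names out of the `subjectAltName` tuples Python's `ssl.getpeercert()` returns, so the check can run against a live server. Certificate SAN lists, profile names and node FQDNs are constructed.

```python
# Added example (not from the Cisco deck): verify that a certificate's Subject
# Alternative Names cover every name a deployment requires. All SAN lists,
# profile names and node FQDNs below are constructed.
from typing import Iterable, List, Sequence, Tuple


def san_matches(san: str, name: str) -> bool:
    """DNS-ID match: case-insensitive; '*' may only replace the whole left-most label."""
    san, name = san.lower().rstrip("."), name.lower().rstrip(".")
    if san.startswith("*."):
        s_labels, n_labels = san.split("."), name.split(".")
        return len(s_labels) == len(n_labels) and s_labels[1:] == n_labels[1:]
    return san == name


def missing_sans(cert_sans: Iterable[str], required: Iterable[str]) -> List[str]:
    """Required names that no SAN entry covers, in the order given."""
    sans = list(cert_sans)
    return [n for n in required if not any(san_matches(s, n) for s in sans)]


def dns_names(subject_alt_name: Sequence[Tuple[str, str]]) -> List[str]:
    """Extract DNS entries from the ('DNS', name) tuples found in
    ssl.getpeercert()['subjectAltName'] for a live TLS peer."""
    return [value for kind, value in subject_alt_name if kind == "DNS"]


# Constructed Expressway-C certificate and the phone security profile names
# (FQDN format) of the MRA endpoints that must appear in it.
EXPC_SANS = ["expc1.example.com", "expc-cluster.example.com",
             "secure-jabber-profile.example.com", "secure-8845-profile.example.com"]
REQUIRED_PROFILES = ["secure-jabber-profile.example.com",
                     "secure-8845-profile.example.com",
                     "secure-dx80-profile.example.com"]

# Constructed multi-server Tomcat certificate for a Unified CM / IM&P cluster.
CLUSTER_SANS = ["cucm-pub.example.com", "cucm-sub1.example.com",
                "imp1.example.com", "*.voice.example.com"]
CLUSTER_NODES = ["cucm-pub.example.com", "cucm-sub1.example.com",
                 "cucm-sub2.example.com", "imp1.example.com",
                 "cucm-sub3.voice.example.com", "cucm-sub4.eu.voice.example.com"]

if __name__ == "__main__":
    print("Expressway-C missing:", missing_sans(EXPC_SANS, REQUIRED_PROFILES))
    print("Cluster cert missing:", missing_sans(CLUSTER_SANS, CLUSTER_NODES))
```

A Universal Device Template profile shortens the Expressway-C requirement list, which is exactly why the slide suggests it: fewer required names means fewer SANs to keep in step with the certificate.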
Public vs. Private CA
- SSL certificates for the Cisco Collaboration infrastructure can be signed by public CAs (GeoTrust, Verisign/Symantec, GoDaddy, etc.) or by an organization's private CA (Microsoft CA, DogTag, openssl, etc.)
- The tradeoff between the two options typically comes down to cost
  - Public CAs have a higher cost per certificate, but are broadly trusted in browsers and beyond
  - Your organization's private CA typically has a minimal cost per cert (if not $0) but is not broadly trusted, so the cost lies in maintaining the private CA and distributing the trusted CA certificate to end users and devices via MDM, MS Group Policy, etc.
- Recommendation:
  - Public CA for Expressway-E certificates: the public CA's certificate is contained in endpoint firmware and in most mobile devices
  - Your choice for the other certificates
How Do Endpoints Trust Servers? CTL/ITL
- CTL and ITL are signed files that contain a list of Unified CM certificates that the endpoint can trust
- Which file is present in the Unified CM cluster?
  - Unified CM in non-secure mode: ITL file only
  - Unified CM in mixed-mode: CTL + ITL files
- When an endpoint boots/resets, it requests the Certificate Trust List (CTL) file first (if Unified CM is in mixed-mode), then the Initial Trust List (ITL) file
- Signature: endpoints verify the signature of the CTL/ITL
- With MRA: endpoints verify the Expressway-E certificate using the root CA certificates embedded in their firmware
WebEx Supported CAs (Video CMR)
Root public CAs trusted by WebEx (reference: https://kb.webex.com/wbx83490): Verisign Class 3 Public Primary Certification Authority, entrust_ev_ca, digicert_global_root_ca, verisign_style_2_public_primary_ca_-_g3, godaddy_style_2_ca_root_certificate, Go Daddy Root Certification Authority - G2, verisign_style_3_public_primary_ca_-_g5, verisign_style_3_public_primary_ca_-_g3, dst_root_ca_x3, verisign_style_3_public_primary_ca_-_g2, equifax_secure_ca, entrust_2048_ca*, verisign_style_1_public_primary_ca_-_g3, ca_cert_signing_authority, geotrust_global_ca, globalsign_root_ca, thawte_primary_root_ca, geotrust_primary_ca, addtrust_external_ca_root, QuoVadis Root CA 2
CMR certificates, recommended best practice (reference: https://kb.webex.com/wbx87312):
- Current WebEx certificate: Verisign Class 3 Public Primary Certification Authority
- Public CAs for the signed Expressway-E certificate (root CA download):
  - Verisign Class 3 Public Primary Certification Authority: http://www.symantec.com/page.jsp?id=roots
  - VeriSign Class 3 Primary CA - G5: http://www.symantec.com/page.jsp?id=roots
  - VeriSign Class 3 Public Primary CA - G3: http://www.symantec.com/page.jsp?id=roots
  - QuoVadis Root CA 2: https://www.quovadisglobal.com/qvrepository/downloadrootsandcrl.aspx
Monitor Certificate Expiration
- Monitor server certificate expiration (OS Administration page)
- Monitor LSC certificate expiration (new in 11.5)

Receive Certificate Expiration Notifications (new in 11.5)
- Receive email notifications when certificates are about to expire
- For server certificates and for LSC certificates (since 11.5)
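For platforms or releases without built-in notifications, the same tiered warning can be produced from an inventory of notAfter dates. The following is an added example, not from the Cisco deck: a report that turns certificate expiry dates into "notice / warning / critical / expired" findings, soonest first. The inventory and the reference time are constructed; certificate names reuse the Unified CM certificate types named above and a phone's LSC, and notAfter values use the `"%b %d %H:%M:%S %Y GMT"` layout that Python's `ssl.getpeercert()` returns for a live TLS peer.

```python
# Added example (not from the Cisco deck): tiered certificate-expiry report
# over a constructed inventory of server and LSC certificates.
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Upper bound in days for each severity tier; anything above 60 days is "ok".
TIERS = [(0, "expired"), (7, "critical"), (30, "warning"), (60, "notice")]


def parse_not_after(not_after: str) -> datetime:
    """Parse 'Jul 15 00:00:00 2016 GMT' into an aware UTC datetime."""
    return datetime.strptime(not_after, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def days_left(not_after: str, now: datetime) -> int:
    """Whole days until expiry (rounded down); negative once expired."""
    return (parse_not_after(not_after) - now).days


def severity(days: int) -> str:
    """Map remaining days onto a tier label."""
    for limit, label in TIERS:
        if days <= limit:
            return label
    return "ok"


def expiry_report(inventory: Dict[str, str], now: datetime) -> List[Tuple[str, int, str]]:
    """(name, days_left, severity) for every certificate needing attention,
    soonest expiry first; certificates in the 'ok' tier are omitted."""
    rows = []
    for name, not_after in inventory.items():
        days = days_left(not_after, now)
        rows.append((name, days, severity(days)))
    return sorted((r for r in rows if r[2] != "ok"), key=lambda r: r[1])


# Constructed inventory: certificate name -> notAfter as ssl.getpeercert() formats it.
INVENTORY = {
    "cucm-pub Tomcat": "Mar 01 00:00:00 2021 GMT",
    "cucm-pub CallManager": "Jul 15 00:00:00 2016 GMT",
    "cucm-pub CAPF": "Jul 05 12:00:00 2016 GMT",
    "expe1 server certificate": "Jun 30 00:00:00 2016 GMT",
    "LSC SEPaaaabbbbcccc": "Aug 20 00:00:00 2016 GMT",
}
NOW = datetime(2016, 7, 1, tzinfo=timezone.utc)  # constructed reference time

if __name__ == "__main__":
    for name, days, level in expiry_report(INVENTORY, NOW):
        print(f"{level:8s} {days:5d} days  {name}")
```

Feeding the report from an export of the OS Administration certificate list (and, on 11.5, the LSC expiry data) gives an early warning that does not depend on someone remembering to open the page.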
Conclusion
Conclusion
- Security in layers
  - Physical security, network security, host access security, encryption
  - Protection against toll fraud
  - Monitor CDR, logs, search history
- Encryption
  - Encrypt admin interfaces, SIP trunks, LDAP
  - Enable Unified CM mixed-mode and encrypt media and signaling for the endpoints
  - For multi-cluster deployments, encrypt ILS and LBM-to-LBM communications
- Certificates
  - Endpoints: use LSCs for SIP TLS, 802.1X, VPN. Only use the MIC to get an LSC
  - Get some certificates signed by a CA: Tomcat, CallManager, XMPP, Expressway, TelePresence
  - Expressway-E certificates are to be signed by a public CA
  - Use multi-server certificates wherever possible
Conclusion
- Your journey to secure your deployment does not stop here
- Establish a good security policy
- Stay up to date on the latest security news and upgrade / install security updates when applicable
- Cisco Security Center (https://tools.cisco.com/security/center/home.x): latest threat information; Product Security Incident Response Team (PSIRT) security advisories and responses; get notifications
Preferred Architectures Links
- Contact us via email: pa-feedback@cisco.com
- Mid-Market and Enterprise PA documents: http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-collaboration/index.html
- Cisco Preferred Architecture for Enterprise Collaboration 11.x, Design Overview - June 2016: http://www.cisco.com/c/dam/en/us/td/docs/solutions/pa/enterprise/11x/clbpa11x.pdf
- Cisco Preferred Architecture for Enterprise Collaboration 11.x, CVD - Nov 2015: http://www.cisco.com/c/en/us/td/docs/solutions/cvd/collaboration/enterprise/11x/collbcvd.html
- dCloud: Cisco Preferred Architecture for Enterprise Collaboration 10.6 v1: http://dcloud.cisco.com/
Related Sessions
- BRKUCC-1612: A Solution Architect's Guide to Collaboration Security, Monday 8am
- BRKCOL-2614: Technical Overview of Preferred Architecture for Enterprise Collaboration, Tuesday 1:30pm
- BRKUCC-2224: Deploying and Troubleshooting Secure UC Solution, Tuesday 8am
- BRKUCC-2501: Cisco UC Manager Security, Wednesday 8am
- BRKUCC-2801: Cisco Expressway at the Collaboration Edge Design Session, Tuesday 1:30pm
Thank you