Security for the Enterprise Collaboration Preferred Architecture


Security for the Enterprise Collaboration Preferred Architecture Laurent Pham, Technical Marketing Engineer BRKCOL-2425

Gartner estimates that IT security spending will soar from $75 billion-plus in 2015 to $101 billion in 2018. Research firm Markets and Markets sees the cybersecurity market hitting $170 billion by 2020. (Source: Investors.com)

BRKCOL-2425 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 3

Agenda
- Security in Layers
- Encryption
- Certificate Management

What is a Preferred Architecture?

Collaboration Preferred Architecture (CPA)
- What products to use to enable users for Collaboration and Unified Communications for simple deployments
- Prescriptive recommendations, concise documents, tested best practices
- Preferred Architecture provides prescriptive design guidance that simplifies and drives design consistency for Cisco Collaboration deployments
- Preferred Architecture can be used as a design base for any customer using a modular and scalable approach
- The Preferred Architecture team provides feedback on solution-level gaps to product teams
- Preferred Architecture will help you scale!

Collaboration Preferred Architectures & CVDs (www.cisco.com/go/cvd/collaboration)
- PA Overview: pre-sales process; design overview document targeted to presales; the "what" (with some "why")
- PA CVD (Cisco Validated Design): post-sales process; detailed design and deployment guidance; the "what, why, and how"; process-driven guide
- Applications CVD (Cisco Validated Design): post-sales process; detailed deployment guidance; the "what, why, and how"; process-driven guide; plugs into the PA CVD

[Diagram: Collaboration Preferred Architecture for the Enterprise. Headquarters: Call Control (Unified Communications Manager, IM and Presence), Voice Messaging (Unity Connection), Conferencing (TelePresence Server, Conductor), Collaboration Management Services (Prime Collaboration Provisioning, Assurance/Analytics, License Manager, TelePresence Management Suite), Collaboration Edge (Expressway-C, Expressway-E in the DMZ, Integrated/Aggregated Services Router). Internet: Cisco WebEx, Mobile/Teleworker endpoints, Third-Party Solution. MPLS WAN to Remote Site (Integrated Services Router, endpoints). PSTN / ISDN.]

Preferred Architecture for Collaboration Enterprise Cisco Validated Design (CVD)
- Call Control (UCM, IM&P, ISR, CUBE). Functions: Dial Plan (Dialing Habits, Endpoints/ILS/GDPR), Trunking, SRST, CTI, DNS, EM
- Conferencing (UCM, Conductor, TS, TMS). Functions: Instant, Permanent, Scheduled, CMR, CMR Hybrid, Personal Multiparty
- Edge (UCM, Expressway, CUBE, ISR). Functions: Mobile Remote Access (MRA), B2B, IM&P Federation, PSTN Access, ISDN Video
- Applications (UCx, PCD*, PLM*). Functions: Applications and Tools: VM Deployment, Licensing, Voice Messaging
- Bandwidth Management. Functions: QoS and Admission Control
- Sizing. Functions: Sizing numbers for products built on a set of calculated assumptions
- Each chapter covers Architecture (Component Role, HA, Security, Scalability) and Deployment (Process and Configuration)

Upcoming Chapters in CVD
- Collaboration Management Services: PCD, PLM, PCP, PCA
- Security: Security in Layers (including Toll Fraud), Encryption, Certificate Management
- Work in progress: CVD to be available later this year

Examples of IP Communications Threats
- Denial of Service (DoS): affecting call quality or the ability to place calls
- SPAM: SPIM, SPIT, and more
- Toll fraud: unauthorized or unbillable resource utilization
- Learning private information: Caller ID, DTMF, passwords/accounts, calling patterns, presence information
- Eavesdropping: listening to another's call, or theft of intellectual property
- Media tampering: data modification
- Impersonating others: identity theft
- Session replay: replaying a session, such as a bank transaction

Security In Layers

Secure Physical Access
- First line of defense: once a user or attacker has physical access to one of the devices in a network, all kinds of problems could occur
- Action:
  - Secure access to the building
  - Secure access to the Data Center / servers (DoS, easier access to management, password recovery)
  - Secure endpoints

Secure the Infrastructure and the Network
- Segregation
  - Virtual LANs (VLANs) separate voice and data traffic
  - VLAN Access Control Lists (VACLs) limit traffic between devices on the voice VLAN
  - QoS packet marking ensures UC traffic receives appropriate priority over other traffic
- Layer 2
  - DHCP Snooping creates the binding table
  - Dynamic ARP Inspection (DAI) examines ARP and GARP for violations
  - Port Security limits the number of MAC addresses allowed per port
  - 802.1x limits network access to authenticated devices on assigned VLANs
  - Multi-Domain Authentication (MDA) binds two devices to assigned VLANs
  - MAC Authentication Bypass (MAB) provides a measure of control over devices which don't support 802.1x
- Layer 3
  - IP Source Guard examines physical port, VLAN, IP, and MAC for inconsistencies
  - Firewalls/IPS/AMP: ASA with FirePOWER Services

Prevent Unauthorized Access - Platforms
- Hardened Platform
  - Host-based Intrusion Protection (SELinux)
  - Host-based firewall (iptables)
  - 3rd-party software installation not allowed
  - OS and applications are installed with a single package
  - Root account disabled
  - Software signed
  - Secure management (HTTPS, SSH, SFTP)
  - Audit logging
- Also configure
  - If applicable, change default passwords (e.g. Expressway, TelePresence)
  - Complex password policy
  - Disable unnecessary protocols

Prevent Unauthorized Access - Edge
- Expressway
  - Host-based firewall, firewall rules
  - Host-based Intrusion Protection (not enabled by default)
- CUBE and Voice Gateways
  - IP TRUST LIST: don't respond to any SIP INVITE that did not originate from an IP address specified in this trust list
  - CALL THRESHOLD: protect against CPU, memory and total call spikes
  - CALL SPIKE PROTECTION: protect against a spike of INVITE messages within a sliding window
  - BANDWIDTH-BASED CAC: protect against excessive media
  - MEDIA POLICING: protect against negotiated bandwidth overruns and RTP floods
  - USE NBAR POLICIES: protect against overall SIP and RTP flood attacks from otherwise trusted sources
  - DEFINE VOICE POLICIES: identify patterns of valid phone calls that might suggest potential abuse

Prevent Unauthorized Access - Endpoints
- Security features by default
  - Signed firmware (.sbn extension)
  - Signed configuration files (<devicename>.cnf.xml.sgn)
  - Note: with Jabber, Unified CM needs to be in Mixed-Mode for those features (CTL file)
  - This authenticates the firmware/configuration and protects against tampering
- Also add
  - Physically secure the phones
  - Disable Gratuitous ARP
  - Configure 802.1X
  - Disable web access / SSH access, or configure an ACL
  - Disable the PC port if not needed
  - Optionally, TFTP configuration file encryption

Prevent Toll Fraud
- Toll fraud can be external and also internal attacks
- Areas to address: Unified CM, Unity Connection, Edge (CUBE, Voice GW, Expressway)

Unified CM Security - Eliminate Toll Fraud (1)
- Deny unauthorized calls: Partitions and Calling Search Spaces provide dial plan segmentation and access control
- Example: avoid Unified CM sending a call that came in from the PSTN back out to the PSTN. Don't include the partition of the PSTN route patterns in the trunk's inbound CSS
[Diagram: PSTN -> Voice or Video GW -> Unified CM, with signaling and media legs numbered 1-4. The trunk's Inbound CSS contains the DN partition and the Multiparty meeting partition, but not the PSTN access partition.]

Unified CM Security - Eliminate Toll Fraud (2)
- Block offnet-to-offnet transfer (CallManager service parameter)
[Diagram: Unified CM, Voice or Video GW and PSTN, with call legs numbered 1-6 showing an offnet-to-offnet transfer.]

Unified CM Security - Eliminate Toll Fraud (3)
- Device Pool Calling Search Space for auto-registration, to limit access to the dial plan
- Employ time-of-day routing to deactivate segments of the dial plan after hours
- Require Forced Authorization Codes on route patterns to restrict access to long distance or international calls
- Drop ad hoc conferences (CallManager service parameter)
- Monitor Call Detail Records
- Employ multilevel administration
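The partition/CSS access control from the previous three slides, as an added model that is not part of the deck and not Cisco code: a dial plan (partition -> route patterns), two calling search spaces (the PSTN trunk's inbound CSS deliberately lacks the PSTN partition), and the offnet-to-offnet transfer block. The dial plan, partition names, CSS names and numbers are constructed for illustration; route patterns use Unified CM notation (X = one digit, ! = one or more digits, [2-9] ranges), and lookup is simplified to "first matching partition in CSS order" rather than Unified CM's closest-match rule.

```python
import re

def pattern_to_regex(pattern):
    """Translate a Unified CM-style route pattern into a regex.
    The '.' is only a delimiter marker and is discarded; 'X' matches one
    digit, '!' matches one or more digits; [..] ranges pass through."""
    body = []
    for ch in pattern.replace(".", ""):
        if ch == "X":
            body.append("[0-9]")
        elif ch == "!":
            body.append("[0-9]+")
        else:
            body.append(ch)
    return re.compile("^" + "".join(body) + "$")

# Constructed dial plan: partition name -> route patterns it contains.
DIAL_PLAN = {
    "DN":         ["2XXX"],                              # internal directory numbers
    "Multiparty": ["3XXX"],                              # meeting / conference numbers
    "PSTN":       ["9.1[2-9]XX[2-9]XXXXXX", "9.011!"],  # national and international
}

# Constructed calling search spaces: ordered lists of partitions.
CSS = {
    "Phone_CSS":        ["DN", "Multiparty", "PSTN"],  # internal phones may reach the PSTN
    "PSTN_Inbound_CSS": ["DN", "Multiparty"],          # the trunk's inbound CSS: no PSTN partition
}

def resolve(dialed, css_name):
    """Return the partition whose pattern matches the dialed digits, searching
    the CSS in order, or None when the CSS gives no access (call denied)."""
    for partition in CSS[css_name]:
        for pattern in DIAL_PLAN[partition]:
            if pattern_to_regex(pattern).match(dialed):
                return partition
    return None

def call_allowed(dialed, css_name):
    return resolve(dialed, css_name) is not None

# Models the CallManager service parameter "Block OffNet to OffNet Transfer".
def transfer_allowed(origin_offnet, target_offnet, block_offnet_to_offnet=True):
    return not (block_offnet_to_offnet and origin_offnet and target_offnet)

if __name__ == "__main__":
    for dialed, css in [("912125551234", "Phone_CSS"), ("912125551234", "PSTN_Inbound_CSS"),
                        ("2001", "PSTN_Inbound_CSS")]:
        print(f"{dialed:>14} via {css:<17} -> {resolve(dialed, css) or 'DENIED'}")
    print("offnet->offnet transfer allowed:", transfer_allowed(True, True))
```

Running the script shows the PSTN number routing for an internal phone but being denied when the same digits arrive on the trunk's inbound CSS, which is exactly the "PSTN call sent back to the PSTN" case the slide warns about.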

Toll Fraud Prevention - Unity Connection
- Unity Connection could be used to transfer a call
- Recommendations
  - Use restriction tables to allow or block call patterns
  - Change the Rerouting CSS on the trunk on the Unified CM side
- References
  - CUC Security Guide: http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/11x/security/b_11xcucsecx.html
  - Troubleshoot Toll Fraud via Unity Connection, TAC tech note: http://www.cisco.com/c/en/us/support/docs/unified-communications/unity-connection/119337-technote-cuc-00.html
  - System Administration Guide: http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/11x/administration/guide/b_cucsag/b_cucsag_chapter_0101.html

Toll Fraud Prevention - Edge
- CUBE: Call Source Authentication (IOS 15.1(2)T feature), enabled by default. Do not disable it via "no ip address trusted authenticate". Only calls from trusted source IP addresses will be accepted:

    voice service voip
     ip address trusted list
      ipv4 10.10.1.10
      ipv4 66.66.66.66

- Expressway: Call Policy Rules (CPL)
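To make the edge controls concrete, here is an added model (not part of the deck, not CUBE code) of the two CUBE behaviours described on this slide and on the "Prevent Unauthorized Access - Edge" slide: the IP trust list, where an INVITE from an address outside the list is silently dropped, and call spike protection, where INVITEs from trusted sources beyond a limit within a sliding time window are rejected. The trusted addresses are the two from the configuration above; the INVITE timeline, the limit and the window length are constructed, and the class name is hypothetical.

```python
import ipaddress
from collections import deque

class SipEdgeGuard:
    """Simplified model of a SIP edge: trust list + INVITE spike protection."""

    def __init__(self, trusted_sources, spike_limit, window_seconds):
        # Entries may be hosts ("10.10.1.10") or prefixes ("10.10.0.0/16").
        self.trusted = [ipaddress.ip_network(s, strict=False) for s in trusted_sources]
        self.spike_limit = spike_limit          # max accepted INVITEs per window
        self.window = window_seconds            # sliding window length
        self.recent_invites = deque()           # timestamps of accepted INVITEs

    def is_trusted(self, src_ip):
        addr = ipaddress.ip_address(src_ip)
        return any(addr in net for net in self.trusted)

    def handle_invite(self, src_ip, ts):
        """Return the verdict for one INVITE received from src_ip at time ts."""
        if not self.is_trusted(src_ip):
            return "dropped: untrusted source"      # no response at all, as on CUBE
        # Slide the window: forget accepted INVITEs older than the window.
        while self.recent_invites and ts - self.recent_invites[0] >= self.window:
            self.recent_invites.popleft()
        if len(self.recent_invites) >= self.spike_limit:
            return "rejected: call spike"
        self.recent_invites.append(ts)
        return "accepted"

# Constructed INVITE timeline: (source IP, seconds since start).
SAMPLE_INVITES = [
    ("10.10.1.10", 0.0), ("192.0.2.7", 0.5), ("66.66.66.66", 1.0), ("10.10.1.10", 1.5),
    ("66.66.66.66", 2.0), ("10.10.1.10", 2.5), ("66.66.66.66", 12.0),
]

def run_sample(spike_limit=3, window_seconds=10):
    guard = SipEdgeGuard(["10.10.1.10", "66.66.66.66"], spike_limit, window_seconds)
    return [guard.handle_invite(ip, t) for ip, t in SAMPLE_INVITES]

if __name__ == "__main__":
    for (ip, t), verdict in zip(SAMPLE_INVITES, run_sample()):
        print(f"t={t:5.1f}s  {ip:<13} {verdict}")
```

The untrusted 192.0.2.7 INVITE is dropped without any response, the fourth trusted INVITE inside the 10-second window is rejected as a spike, and the INVITE at 12 seconds is accepted again once the window has slid past the earlier calls.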

Monitor CDR and Logs - Unified CM
Monitor CDR, audit logs, and other logs.

Authentication Failure:

    16:10:32.908 LogMessage UserID : administrator ClientAddress : 10.10.10.100 Severity : 4 EventType : UserLogging ResourceAccessed: Cisco CallManager Administration EventStatus : Failure CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : Cisco CCM Application AuditDetails : Failed to Log into Cisco CCM Webpages App ID: Cisco Tomcat Cluster ID: Node ID: cucm-pub

Phone Added:

    16:13:48.823 LogMessage UserID : administrator ClientAddress : 10.10.10.100 Severity : 5 EventType : DeviceUpdate ResourceAccessed: CUCMAdmin EventStatus : Success CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : Cisco CUCM Administration AuditDetails : New Phone added with MAC address=aaaabbbbcccc, CAL mode=< None > and CAL value=< None > App ID: Cisco Tomcat Cluster ID: Node ID: cucm-pub
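As an added example (not part of the deck, not a Cisco tool), the following parser turns audit log entries in the format shown above into fields and runs two simple detections over them: repeated administrator login failures from one client address, and device changes such as a phone being added. The sample input is the two entries from the slide plus two constructed repeat failures with made-up timestamps; the field list is taken from the entries on the slide and the alert threshold is an assumption.

```python
import re
from collections import Counter

# Field names as they appear in the two audit entries on the slide.
KEYS = ["UserID", "ClientAddress", "Severity", "EventType", "ResourceAccessed",
        "EventStatus", "CompulsoryEvent", "AuditCategory", "ComponentID",
        "AuditDetails", "App ID", "Cluster ID", "Node ID"]
_KEY_ALT = "|".join(re.escape(k) for k in KEYS)
# A field is "Key : value" where the value runs until the next known key or end of line.
FIELD_RE = re.compile(rf"({_KEY_ALT})\s*:\s*(.*?)(?=\s*(?:{_KEY_ALT})\s*:|$)")
TS_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3})\s+LogMessage\s+(.*)$")

def parse_audit_line(line):
    """Return a dict of fields (plus 'Timestamp') or None if not an audit entry."""
    m = TS_RE.match(line.strip())
    if not m:
        return None
    fields = {key: value.strip() for key, value in FIELD_RE.findall(m.group(2))}
    fields["Timestamp"] = m.group(1)
    return fields

def login_failure_counts(lines):
    """Count failed logins per (user, client address)."""
    counts = Counter()
    for entry in map(parse_audit_line, lines):
        if entry and entry.get("EventType") == "UserLogging" and entry.get("EventStatus") == "Failure":
            counts[(entry["UserID"], entry["ClientAddress"])] += 1
    return counts

def alerts(lines, threshold=3):
    """Alert strings for every (user, address) at or above the failure threshold."""
    return [f"{n} failed logins for {user} from {addr}"
            for (user, addr), n in login_failure_counts(lines).items() if n >= threshold]

def device_changes(lines):
    """AuditDetails of every device change, e.g. phones added (review these against change tickets)."""
    return [e["AuditDetails"] for e in map(parse_audit_line, lines)
            if e and e.get("EventType") == "DeviceUpdate"]

SAMPLE_LINES = [
    # From the slide:
    "16:10:32.908 LogMessage UserID : administrator ClientAddress : 10.10.10.100 Severity : 4 "
    "EventType : UserLogging ResourceAccessed: Cisco CallManager Administration EventStatus : Failure "
    "CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : Cisco CCM Application "
    "AuditDetails : Failed to Log into Cisco CCM Webpages App ID: Cisco Tomcat Cluster ID: Node ID: cucm-pub",
    # Constructed repeats of the same failure (timestamps made up):
    "16:10:40.101 LogMessage UserID : administrator ClientAddress : 10.10.10.100 Severity : 4 "
    "EventType : UserLogging ResourceAccessed: Cisco CallManager Administration EventStatus : Failure "
    "CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : Cisco CCM Application "
    "AuditDetails : Failed to Log into Cisco CCM Webpages App ID: Cisco Tomcat Cluster ID: Node ID: cucm-pub",
    "16:10:47.555 LogMessage UserID : administrator ClientAddress : 10.10.10.100 Severity : 4 "
    "EventType : UserLogging ResourceAccessed: Cisco CallManager Administration EventStatus : Failure "
    "CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : Cisco CCM Application "
    "AuditDetails : Failed to Log into Cisco CCM Webpages App ID: Cisco Tomcat Cluster ID: Node ID: cucm-pub",
    # From the slide:
    "16:13:48.823 LogMessage UserID : administrator ClientAddress : 10.10.10.100 Severity : 5 "
    "EventType : DeviceUpdate ResourceAccessed: CUCMAdmin EventStatus : Success CompulsoryEvent : No "
    "AuditCategory : AdministrativeEvent ComponentID : Cisco CUCM Administration AuditDetails : New Phone "
    "added with MAC address=aaaabbbbcccc, CAL mode=< None > and CAL value=< None > App ID: Cisco Tomcat "
    "Cluster ID: Node ID: cucm-pub",
]

if __name__ == "__main__":
    for a in alerts(SAMPLE_LINES):
        print("ALERT:", a)
    for d in device_changes(SAMPLE_LINES):
        print("DEVICE CHANGE:", d)
```

The lookahead in FIELD_RE is what keeps values such as "Cisco CallManager Administration" intact while still terminating correctly at an empty field like "Cluster ID:".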

Monitor CDR and Logs - Expressway
Monitor CDR, Search History, and logs.

Enable Encryption
- Protects against eavesdropping, data modification, session replay, impersonation
- Provides privacy, integrity, and authentication
- Authentication provided through certificates
- Can be one-way authentication or mutual authentication (MTLS)

Encryption

Links to Encrypt
- Administrative and user interfaces
- SIP trunks
- Endpoint encryption
- Within the Data Center
- Multiple clusters

Links to Encrypt - Administrative and User Interfaces
- Most of them should be encrypted by default
- Ensure passwords are not sent in the clear
- If integrated with LDAP, configure LDAP over SSL (import the LDAP certificate into the Tomcat-trust store)

Links to Encrypt - SIP Trunks
- Trunks to: Conductor, TelePresence Server, Unity Connection, Expressway, CUBE / VG
- Typically: Authentication via certificates; Authorization via the X.509 Subject Name in the SIP Trunk Security Profile
- Does not require Unified CM in mixed-mode (phone encryption does; multiple clusters: ILS and LBM)
- SIP trunk encryption is recommended

Links to Encrypt - Endpoint Encryption
- Mixed-Mode: SRTP encryption for phone media and signaling requires Unified CM to be in Mixed-Mode
- Requires the Export Restricted version of Unified CM
- IM messages are encrypted by default and do not require mixed-mode
- A secure call shows a lock icon on the endpoint display

Unified CM: Non-Secure vs. Mixed-Mode
Feature comparison (Non-Secure Cluster vs. Mixed-Mode Cluster):
- Auto-registration *
- Signed & Encrypted Phone Configs
- Signed Phone Firmware
- Secure Phone Services (HTTPS)
- CAPF + LSC
- IP VPN Phone
- SIP Trunk encryption
- Secure Endpoints (TLS & SRTP)
* New in 11.5

Mixed-Mode for Unified CM
- Enable Mixed-Mode with a Hardware Security Token (USB Security Tokens) or Tokenless CTL (10.0+)
- Migration: see the Unified CM Security Guide and the TAC note http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/118893-technote-cucm-00.html

USB Security Tokens vs. Tokenless
- Hardware Security Token (USB Security Tokens)
  - Pros: fewer situations where endpoints lose the trust relationship with Unified CM, and easier to recover from this scenario; can be used across multiple Unified CM clusters and facilitates migration between clusters
  - Cons: have to purchase 2+ USB security tokens; not manufactured in the US; require CTL Client installation on a desktop
- Tokenless (10.0+)
  - Pros: easier to manage: no need to purchase USB security tokens, no need to install the CTL client, easier to update the CTL file
  - Cons: more situations where endpoints lose the trust relationship with Unified CM, and more complex to recover from this scenario; requires more steps when migrating clusters

Encrypted Endpoint Basic Configuration
- With Unified CM in mixed-mode, not all endpoints need to be configured with encryption, but all the endpoints get a CTL (Certificate Trust List) file
- Notes:
  - There is also a Phone Security Profile which is independent of the phone type: Universal Device Template. Useful when deploying MRA
  - Encryption using the Locally Significant Certificate (LSC) instead of the Manufacturing Installed Certificate (MIC) requires an additional step

MRA Voice/Video Encryption
- Voice/video streams are always SRTP encrypted between Expressway-C and the MRA client
- SIP TLS is always enforced between MRA clients and Expressway-E, and between Expressway-C and Expressway-E
- * Unified CM mixed-mode is required to achieve SRTP on the internal network and SIP TLS between Expressway-C and Unified CM
[Diagram: MRA client -- SIP TLS / SRTP (media and signaling always encrypted) -- External Firewall -- Expressway-E (DMZ) -- SIP TLS / SRTP -- Firewall -- Expressway-C -- SIP TLS* or SIP TCP -- Unified CM]

Links to Encrypt - Within the Data Center
- Some communications carry sensitive information or are easy to encrypt. Recommendation: encrypt. Example: LDAP over SSL and SIP trunks
- Some communications are more difficult to encrypt, requiring for example IPsec. These are a lower priority to encrypt, especially if the servers are locked down in a trusted Data Center. Example: communication between Unified CM nodes in the same cluster. If IPsec must be used, the recommendation is to configure it on the infrastructure

Links to Encrypt - Multiple Clusters
- In addition to SIP trunk encryption, encrypt ILS and LBM
  - ILS (Intercluster Lookup Service): certificates for authentication, passwords for authorization (new in 11.5)
  - LBM (Location Bandwidth Manager): encrypt intercluster LBM links
- ILS and LBM use the Tomcat certificates

Cipher Suites - Unified CM SIP TLS
Example: ECDHE_RSA with AES256_GCM_SHA384
- Key exchange, authenticated/signed with: ECDHE RSA (Elliptic Curve Diffie-Hellman Ephemeral, RSA). Unified CM options: RSA (only option prior to 10.5.2), ECDHE RSA (10.5.2+), ECDHE ECDSA (11+)
- Encryption algorithm, authenticated with: AES256_GCM SHA384 (Advanced Encryption Standard at 256 bits with Galois/Counter Mode, Secure Hash Algorithm at 384 bits). Unified CM options: AES128_SHA1 (only option prior to 10.5.2), AES128_GCM_SHA256 (10.5.2+), AES256_GCM_SHA384 (10.5.2+)

Cipher Suites - Unified CM SIP TLS (cipher preference settings)
- Strongest, AES-256 SHA-384 only, RSA preferred:
  1. ECDHE_RSA with AES256_GCM_SHA384
  2. ECDHE_ECDSA with AES256_GCM_SHA384
- Strongest, AES-256 SHA-384 only, ECDSA preferred:
  1. ECDHE_ECDSA with AES256_GCM_SHA384
  2. ECDHE_RSA with AES256_GCM_SHA384
- Medium, AES-256 and AES-128 only, RSA preferred:
  1. ECDHE_RSA with AES256_GCM_SHA384
  2. ECDHE_ECDSA with AES256_GCM_SHA384
  3. ECDHE_RSA with AES128_GCM_SHA256
  4. ECDHE_ECDSA with AES128_GCM_SHA256
- Medium, AES-256 and AES-128 only, ECDSA preferred:
  1. ECDHE_ECDSA with AES256_GCM_SHA384
  2. ECDHE_RSA with AES256_GCM_SHA384
  3. ECDHE_ECDSA with AES128_GCM_SHA256
  4. ECDHE_RSA with AES128_GCM_SHA256
- All ciphers, RSA preferred (default):
  1. ECDHE_RSA with AES256_GCM_SHA384
  2. ECDHE_ECDSA with AES256_GCM_SHA384
  3. ECDHE_RSA with AES128_GCM_SHA256
  4. ECDHE_ECDSA with AES128_GCM_SHA256
  5. RSA with AES_128_CBC-SHA1
- All ciphers, ECDSA preferred:
  1. ECDHE_ECDSA with AES256_GCM_SHA384
  2. ECDHE_RSA with AES256_GCM_SHA384
  3. ECDHE_ECDSA with AES128_GCM_SHA256
  4. ECDHE_RSA with AES128_GCM_SHA256
  5. RSA with AES_128_CBC-SHA1
General recommendation: use the default setting

Cipher Suites - Unified CM SRTP
- Prior to Unified CM 10.5.2, SIP trunks and SIP lines only supported the SHA1-based media encryption cipher AES_CM_128-SHA1
- Version 10.5.2 introduces support for new GCM (Galois/Counter Mode) ciphers providing AEAD (Authenticated Encryption with Associated Data): AEAD_AES_256_GCM, AEAD_AES_128_GCM
- The new ciphers are available by default on upgrade to Unified CM 10.5.2
- The highest-strength cipher is offered or negotiated by default
- SHA1-based SRTP cipher compatibility remains for non-SIP devices

Cipher Suites - Unified CM SRTP (cipher preference settings)
- Strongest, AEAD AES-256 GCM cipher only: AEAD AES-256 GCM
- Medium, AEAD AES-256 GCM and AES-128 GCM ciphers only: AEAD AES-256 GCM, AEAD AES-128 GCM
- All supported ciphers (default): AEAD AES-256 GCM, AEAD AES-128 GCM, AES_CM_128-SHA1
General recommendation: use the default setting
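The following added example (not from the deck, not Unified CM code) reproduces the SIP TLS and SRTP preference lists of the last few slides from two rules, strength first and then the preferred signature algorithm, and runs a first-match negotiation against a peer's supported set. It shows why the default "all ciphers" setting is the recommendation: a "strongest only" setting cannot negotiate with a peer that only supports the older RSA with AES_128_CBC-SHA1 or AES_CM_128-SHA1 ciphers. Suite names follow the slides; the strength ranks and the peer capability lists are constructed.

```python
# SIP TLS suites from the slides: (key exchange, cipher, strength rank; higher is stronger).
TLS_SUITES = [
    ("ECDHE_RSA",   "AES256_GCM_SHA384", 3),
    ("ECDHE_ECDSA", "AES256_GCM_SHA384", 3),
    ("ECDHE_RSA",   "AES128_GCM_SHA256", 2),
    ("ECDHE_ECDSA", "AES128_GCM_SHA256", 2),
    ("RSA",         "AES_128_CBC-SHA1",  1),
]
# Minimum strength rank admitted by each Unified CM setting.
TLS_SETTINGS = {"strongest": 3, "medium": 2, "all": 1}

# SRTP ciphers from the slides, strongest first, and how many each setting admits.
SRTP_CIPHERS = ["AEAD_AES_256_GCM", "AEAD_AES_128_GCM", "AES_CM_128-SHA1"]
SRTP_SETTINGS = {"strongest": 1, "medium": 2, "all": 3}

def tls_preferences(setting, preferred="RSA"):
    """Ordered SIP TLS preference list: strongest first, then the preferred
    signature algorithm (RSA or ECDSA) ahead of the other at equal strength."""
    minimum = TLS_SETTINGS[setting]
    admitted = [s for s in TLS_SUITES if s[2] >= minimum]

    def rank(suite):
        kx, _, strength = suite
        # ECDHE_RSA and RSA both end in "RSA"; ECDHE_ECDSA ends in "ECDSA".
        return (-strength, 0 if kx.endswith(preferred) else 1)

    return [f"{kx} with {cipher}" for kx, cipher, _ in sorted(admitted, key=rank)]

def srtp_preferences(setting):
    return SRTP_CIPHERS[:SRTP_SETTINGS[setting]]

def negotiate(local_preferences, remote_supported):
    """First entry of our preference list the peer also supports, or None (handshake fails)."""
    remote = set(remote_supported)
    for suite in local_preferences:
        if suite in remote:
            return suite
    return None

if __name__ == "__main__":
    legacy_peer = ["RSA with AES_128_CBC-SHA1"]          # constructed: pre-10.5.2-style peer
    for setting in ("strongest", "medium", "all"):
        print(f"TLS  {setting:<9} vs legacy peer ->", negotiate(tls_preferences(setting), legacy_peer))
    modern_peer = ["AES_CM_128-SHA1", "AEAD_AES_128_GCM"]  # constructed
    print("SRTP all       vs modern peer ->", negotiate(srtp_preferences("all"), modern_peer))
```

Because the preference list is ordered by strength, the default setting still lands on the strongest common cipher (AEAD_AES_128_GCM in the SRTP run) and only falls back to the SHA1-based cipher when the peer offers nothing better.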

Verify Supported Cipher Suites on Endpoints

Certificate Management

Why Do We Need Certificates?
- What is a digital certificate? It includes the public key and name of the certificate holder, plus a signature
- Goal: authentication and encryption
- Two types of authentication
  - One-way authentication: with web browsers or with Jabber login (UDS, XMPP, Unity Connection visual voicemail)
  - Two-way authentication: endpoints in encrypted mode, MTLS trunks (e.g. Unified CM SIP trunk to Expressway)

Endpoint Certificates
- Certificate types: MIC (Manufacturer Installed Certificate) and LSC (Locally Significant Certificate)
- Required for media/signaling encryption and TFTP config file encryption
- Can also be used for phone VPN and 802.1x
- When both an LSC and a MIC are installed on a device, the LSC takes preference

Endpoint Certificates - MIC
[Diagram labels: Cisco CA, MIC, 88xx]
- Manufacturer Installed Certificate (MIC)
  » Cisco IP Phones ship from the factory with a unique MIC pre-installed
  » The MIC is valid for 10 years
  » No certificate revocation support
- Notes:
  - New Manufacturing SHA2 CA: signs Cisco's newest IP Phones (88xx)
  - Unified CM 10.5(1)+ includes and trusts the new SHA2 certificates
  - For older Unified CM releases, download the SHA2 CA certificates at http://www.cisco.com/security/pki/certs/cmca2.cer
  - No MIC on Jabber

Endpoint Certificates - LSC
- Locally Significant Certificates (LSC)
  » LSC signed by the Certificate Authority Proxy Function (CAPF) service running on the Unified CM Publisher (or signed by an external CA)
  » Preferred certificate for endpoint identity
  » Endpoint support includes IP Phones, TelePresence, Jabber clients
  » LSCs can be installed, re-issued, and deleted in bulk with the Unified CM Bulk Admin Tool
- Enhancements in Unified CM 11.5 (new in 11.5)
  » LSC signed by CAPF valid for up to 5 years (validity configurable in 11.5; used to be fixed at 5 years)
  » Can track certificate expiration (new in 11.5; used to require a paper process)
  » SHA2 support
  » RSA key length up to 4096 (used to be up to 2048). Use Cisco Unified Reporting to verify phone support
- Only LSCs are available with Jabber. LSCs are required for configuration file signature and signaling/media encryption (except for Jabber over MRA)

Endpoint Certificates - MIC vs. LSC
- MIC: out-of-box certificate. Its goal is to prove the phone is a genuine Cisco phone
  - But the MIC is not specific to your own Unified CM cluster: it doesn't prove the phone is part of your Unified CM cluster
  - The MIC cannot be customized, updated, or deleted
- Recommendation:
  - Use MIC certificates to authenticate with CAPF for LSC certificate installation
  - Use the LSC for everything else (SIP TLS, VPN, 802.1x)

MRA with End-to-End Encryption
[Diagram: MRA client -- SIP TLS / SRTP (media and signaling always encrypted) -- External Firewall -- Expressway-E (DMZ) -- SIP TLS -- Firewall -- Expressway-C -- SIP TLS -- Unified CM]
- For MRA end-to-end encryption, encryption inside the enterprise requires Unified CM in mixed-mode and an encrypted phone security profile, as usual
- But the Expressway-C certificate is used (not the endpoint certificate)
- With Jabber 11.0+ using MRA, CAPF enrollment is not required (LSC not required)
- Notes:
  - Also works for DX and TC series endpoints
  - TFTP encrypted config is still not supported for any MRA clients

MRA with End-to-End Encryption
- The Expressway-C certificate is used (not the endpoint certificate)
- The phone security profiles of the MRA endpoints (in FQDN format) must be added as Subject Alternative Names (SANs) in the Expressway-C certificate
- With several phone types, each phone security profile must be added as a SAN in the Expressway-C certificate
- To reduce the number of SANs in the Expressway-C certificate, a special type of Phone Security Profile can be used independently of the phone type: Universal Device Template

Unified CM Certificates
- Unified CM includes these certificate types:
  » Tomcat, RSA and ECDSA (new in 11.5): web services
  » CallManager, RSA and ECDSA (new in 11.0): SIP/SCCP TLS, TFTP config signing, etc.
  » CAPF (CA cert used to sign LSCs, only employed on the publisher)
  » IPSEC (IPsec tunnels to non-SIP gateways or other Unified CMs)
  » TVS (Trust Verification Service, security by default)
  » ITLRecovery (used as trust anchor to recover trust with endpoints)
- Notes:
  - Default to self-signed certificates, valid for 5 years (except ITLRecovery, valid for 20 years)
  - Option to have them signed by a 3rd-party CA
  - Key length: RSA certificates up to 4096 (up to 2048 prior to 11.5), SHA1 or SHA256; ECDSA certificates up to 521 and hash up to SHA512

CA-signed Certificates

In order to establish trust:
- The remote certificate must be imported into the local trust store
- Otherwise, a warning message is shown or the communication is not established

With certificates signed by an external Certification Authority (CA), only the CA certificate needs to be imported into the trust store. This simplifies management.

Note: Not all certificates need to be signed by a CA. Example: Unified CM TVS, CAPF, ITLRecovery

Recommendation: Use CA-signed certificates for:
- Tomcat (Unified CM, IM&P, Unity Connection)
- CallManager, XMPP, XMPP-S2S certificates
- Expressway, Conductor, and TelePresence Server

Multi-Server Certificate Support

(Figure: one CA-signed Multi-Server certificate covering the entire Unified CM cluster, Unified CM nodes and IM&P nodes)

To simplify certificate management in clustered environments:
- One single CA-signed certificate and private key across all nodes in a cluster
- Each cluster node's FQDN is included as a Subject Alternative Name (SAN) in a single certificate; custom SANs can also be included

Caveat: because every node shares the same private key, a compromise of any one node exposes the certificate for the whole cluster, so the key must be protected on every node.

Recommendation: Use Multi-Server certificates wherever available: Tomcat/Tomcat-ECDSA for Unified CM/IM&P and CUC, CallManager, CUP-XMPP, CUP-XMPP-S2S
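The two SAN requirements above, phone security profile names (FQDN format) in the Expressway-C certificate for MRA and every cluster node FQDN in a multi-server certificate, share one failure mode: a name that is missing or not a valid dNSName is only discovered when a TLS handshake fails. The following script is an added example, not code from the BRKCOL-2425 deck or from Cisco; it validates the names, merges them into one SAN list, renders an OpenSSL `req` configuration for the CSR, and reports which required names an issued certificate lacks. All host names and profile names are constructed for illustration.

```python
"""Plan and check the SAN list of a collaboration certificate (added example)."""
import re

# RFC 1123 host name label: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name: str) -> bool:
    """True if name is a syntactically valid FQDN (at least two labels, <= 253 chars).

    A default profile name such as "Cisco 8845 - Standard SIP Secure Profile"
    is rejected: Unified CM accepts it, but it cannot be a SAN dNSName, so the
    profile must be renamed in FQDN format before the CSR is built.
    """
    if not name or len(name) > 253:
        return False
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def required_sans(common_name: str, *name_groups) -> list:
    """Merge the CN and every group of names into one de-duplicated SAN list.

    Raises ValueError on any name that is not in FQDN format, so a bad name
    fails at CSR-planning time rather than at TLS-handshake time.
    """
    seen = {}
    for name in (common_name, *[n for group in name_groups for n in group]):
        if not is_fqdn(name):
            raise ValueError(f"not in FQDN format: {name!r}")
        seen.setdefault(name.lower().rstrip("."), None)
    return list(seen)


def missing_sans(cert_sans, required) -> list:
    """Names in `required` that the issued certificate does not carry."""
    have = {s.lower().rstrip(".") for s in cert_sans}
    return [r for r in required if r.lower().rstrip(".") not in have]


def openssl_req_config(common_name: str, sans) -> str:
    """Render an OpenSSL req config carrying the SANs as dNSName entries."""
    alt = "\n".join(f"DNS.{i} = {n}" for i, n in enumerate(sans, start=1))
    return (
        "[req]\ndistinguished_name = dn\nreq_extensions = v3_req\nprompt = no\n\n"
        f"[dn]\nCN = {common_name}\n\n"
        "[v3_req]\nsubjectAltName = @alt_names\n\n"
        f"[alt_names]\n{alt}\n"
    )


# Constructed inputs (hypothetical names, not from the deck).
EXPC_FQDN = "expc1.example.com"
PHONE_PROFILES = ["secure-8845.example.com", "secure-dx80.example.com",
                  "secure-8845.example.com"]          # duplicate on purpose
CLUSTER_NODES = ["cucm-pub.example.com", "cucm-sub1.example.com",
                 "imp-pub.example.com"]


def plan_expressway_c() -> list:
    """SAN list for the Expressway-C certificate used for MRA e2e encryption."""
    return required_sans(EXPC_FQDN, PHONE_PROFILES)


def plan_multi_server() -> list:
    """SAN list for a Unified CM/IM&P multi-server certificate."""
    return required_sans(CLUSTER_NODES[0], CLUSTER_NODES[1:])


if __name__ == "__main__":
    sans = plan_expressway_c()
    print(openssl_req_config(EXPC_FQDN, sans))
    # A certificate that was issued without the DX profile name:
    issued = ["expc1.example.com", "secure-8845.example.com"]
    print("missing SANs:", missing_sans(issued, sans))
```

The rendered configuration is used as `openssl req -new -config <file> -key <key> -out <csr>`; `missing_sans` takes the dNSName list read back from the issued certificate and tells you before deployment which profile or node name a later handshake would reject.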

Public vs. Private CA

SSL/TLS certificates for Cisco Collaboration infrastructure can be signed by public CAs (GeoTrust, Verisign/Symantec, GoDaddy, etc.) or by an organization's private CA (Microsoft CA, Dogtag, OpenSSL, etc.)

The tradeoff between the two options typically comes down to cost:
- Public CAs have a higher cost per certificate, but are broadly trusted in browsers and beyond
- Your organization's private CA typically has a minimal cost per certificate (if not $0) but is not broadly trusted, so the cost lies in maintaining the private CA and distributing the trusted CA certificate to end users and devices via MDM, Microsoft Group Policy, etc.

Recommendation:
- Public CA for Expressway-E certificates: the public CA root certificate is contained in endpoint firmware and most mobile devices
- Your choice for the other certificates

How Do Endpoints Trust Servers? CTL/ITL

- CTL and ITL are signed files that contain a list of Unified CM certificates that the endpoint can trust

Which file is present in the Unified CM cluster?
- Unified CM in non-secure mode: ITL file only
- Unified CM in mixed mode: CTL + ITL files

When an endpoint boots/resets, it requests:
- the Certificate Trust List (CTL) file first (if Unified CM is in mixed mode), then
- the Initial Trust List (ITL) file

Signature: endpoints verify the signature of the CTL/ITL before trusting its contents

With MRA: endpoints verify the Expressway-E certificate using the root CA certificates embedded in their firmware

WebEx Supported CAs

Video CMR certificates: root public CAs trusted for CMR (reference https://kb.webex.com/wbx83490):
- Verisign Class 3 Public Primary Certification Authority
- entrust_ev_ca
- digicert_global_root_ca
- verisign_class_2_public_primary_ca_-_g3
- godaddy_class_2_ca_root_certificate
- Go Daddy Root Certification Authority - G2
- verisign_class_3_public_primary_ca_-_g5
- verisign_class_3_public_primary_ca_-_g3
- dst_root_ca_x3
- verisign_class_3_public_primary_ca_-_g2
- equifax_secure_ca
- entrust_2048_ca*
- verisign_class_1_public_primary_ca_-_g3
- ca_cert_signing_authority
- geotrust_global_ca
- globalsign_root_ca
- thawte_primary_root_ca
- geotrust_primary_ca
- addtrust_external_ca_root
- QuoVadis Root CA 2

Recommended best practice, current WebEx certificate: Expressway-E certificate signed by one of these public CAs (reference https://kb.webex.com/wbx87312):
- Verisign Class 3 Public Primary Certification Authority: http://www.symantec.com/page.jsp?id=roots
- VeriSign Class 3 Primary CA - G5: http://www.symantec.com/page.jsp?id=roots
- VeriSign Class 3 Public Primary CA - G3: http://www.symantec.com/page.jsp?id=roots
- QuoVadis Root CA 2: https://www.quovadisglobal.com/qvrepository/downloadrootsandcrl.aspx

Editorial note: this list reflects 2016. Several of these roots have since been distrusted or have expired (the Symantec/VeriSign hierarchy, Equifax Secure CA, DST Root CA X3), so check the current reference before choosing a CA.

Monitor Certificate Expiration

- Monitor the server certificate expiration (Cisco Unified OS Administration page)
- Monitor LSC certificate expiration (new in 11.5)

Receive Certificate Expiration Notifications (new in 11.5)

- Receive email notifications when certificates are about to expire
- Applies to server certificates and, since 11.5, to LSC certificates
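The two slides above rely on the 11.5 built-in monitor; for older releases, or for Expressway, Conductor and TelePresence Server certificates that live outside Unified CM, the same check can be scripted. The script below is an added example, not part of the deck and not Cisco's own monitoring code: it reads an inventory in the form produced by `openssl x509 -noout -subject -enddate` (the sample lines are constructed, including an LSC and the 20-year ITLRecovery certificate), parses the `notAfter` timestamps, and classifies each certificate as expired, inside a warning window, or fine. The reference date `DECK_DATE` is fixed to the deck's 2016 date so the run is repeatable; in production use `datetime.now(timezone.utc)`.

```python
"""Flag server and LSC certificates that are expired or about to expire (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed sample in the style of `openssl x509 -noout -subject -enddate`
# output, one "subject=" / "notAfter=" pair per certificate. notAfter is
# always printed in GMT, and single-digit days are padded ("Jul  1").
SAMPLE_INVENTORY = """\
subject=CN=cucm-pub.example.com, OU=Tomcat
notAfter=Jun 14 12:00:00 2021 GMT
subject=CN=cucm-pub.example.com, OU=CallManager
notAfter=Aug 10 09:30:00 2016 GMT
subject=CN=SEP001122334455, OU=LSC
notAfter=Jul  1 00:00:00 2016 GMT
subject=CN=ITLRECOVERY_cucm-pub, OU=ITLRecovery
notAfter=Jul 14 00:00:00 2036 GMT
"""

OPENSSL_DATE = "%b %d %H:%M:%S %Y"
DECK_DATE = datetime(2016, 7, 14, tzinfo=timezone.utc)  # fixed "now" for a repeatable run


def parse_inventory(text: str) -> list:
    """Return (subject, not_after) tuples; not_after is a tz-aware UTC datetime."""
    certs, subject = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("subject="):
            subject = line[len("subject="):]
        elif line.startswith("notAfter=") and subject is not None:
            stamp = " ".join(line[len("notAfter="):].split())   # collapse "Jul  1"
            if stamp.endswith(" GMT"):
                stamp = stamp[:-4]
            not_after = datetime.strptime(stamp, OPENSSL_DATE).replace(tzinfo=timezone.utc)
            certs.append((subject, not_after))
            subject = None
    return certs


def classify(certs, now: datetime, warn_days: int = 30) -> dict:
    """Map each subject to 'EXPIRED', 'WARN' or 'OK' relative to `now`."""
    status = {}
    for subject, not_after in certs:
        remaining = not_after - now
        if remaining <= timedelta(0):
            status[subject] = "EXPIRED"
        elif remaining <= timedelta(days=warn_days):
            status[subject] = "WARN"
        else:
            status[subject] = "OK"
    return status


def expiring(certs, now: datetime, warn_days: int = 30) -> list:
    """Subjects needing action (expired or inside the window), soonest first."""
    flagged = [(na, s) for s, na in certs if na - now <= timedelta(days=warn_days)]
    return [s for _, s in sorted(flagged)]


if __name__ == "__main__":
    certs = parse_inventory(SAMPLE_INVENTORY)
    for subject, state in classify(certs, DECK_DATE).items():
        print(f"{state:8} {subject}")
    print("action needed:", expiring(certs, DECK_DATE))
```

An expired LSC matters more than the status line suggests: the phone keeps registering with it until its next TLS handshake is rejected, so the WARN window is the only point at which a CAPF re-enrollment can be scheduled without an outage.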

Conclusion

Conclusion

Security in layers: physical security, network security, host access security, encryption

Protection against toll fraud: monitor CDRs, logs, search history

Encryption:
- Encrypt admin interfaces, SIP trunks, LDAP
- Enable Unified CM mixed mode and encrypt media and signaling for the endpoints
- For multi-cluster deployments, encrypt ILS and LBM-LBM communications

Certificates:
- Endpoints: use LSCs for SIP TLS, 802.1X, VPN. Only use the MIC to obtain an LSC
- Get some certificates signed by a CA: Tomcat, CallManager, XMPP, Expressway, TelePresence
- Expressway-E certificates to be signed by a public CA
- Use multi-server certificates wherever possible

Conclusion (continued)

Your journey to secure your deployment does not stop here:
- Establish a good security policy
- Stay up to date on the latest security news and upgrade / install security updates when applicable

Cisco Security Center https://tools.cisco.com/security/center/home.x
- Latest threat information
- Product Security Incident Response Team (PSIRT): security advisories and responses
- Get notifications

Preferred Architectures Links

Contact us via email: pa-feedback@cisco.com

Mid-Market and Enterprise PA documents: http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-collaboration/index.html
- Cisco Preferred Architecture for Enterprise Collaboration 11.x, Design Overview, June 2016: http://www.cisco.com/c/dam/en/us/td/docs/solutions/pa/enterprise/11x/clbpa11x.pdf
- Cisco Preferred Architecture for Enterprise Collaboration 11.x, CVD, November 2015: http://www.cisco.com/c/en/us/td/docs/solutions/cvd/collaboration/enterprise/11x/collbcvd.html
- dCloud: Cisco Preferred Architecture for Enterprise Collaboration 10.6 v1: http://dcloud.cisco.com/

(Image: cover of the Cisco Preferred Architecture for Enterprise Collaboration Design Overview 11.0)

Related Sessions

- BRKUCC-1612: A Solution Architect's Guide to Collaboration Security, Monday, 8am
- BRKCOL-2614: Technical Overview of Preferred Architecture for Enterprise Collaboration, Tuesday, 1:30pm
- BRKUCC-2224: Deploying and Troubleshooting Secure UC Solution, Tuesday, 8am
- BRKUCC-2501: Cisco UC Manager Security, Wednesday, 8am
- BRKUCC-2801: Cisco Expressway at the Collaboration Edge Design Session, Tuesday, 1:30pm


Thank you