Other Cisco Call Center Applications
The following sections discuss security considerations for other Cisco Call Center applications.
Cisco Unified ICM Router
The file dbagent.acl is an internal, background file. Do not edit this file. However, the file must have the READ permission set so that users can connect to the Router's real-time feed.
Peripheral Gateways (PGs) and Agent Login
Unified CCE rate-limits agent login attempts that use an incorrect password. By default, the agent account is disabled for 15 minutes after three incorrect password attempts, counted over a period of 15 minutes.
You can change these defaults by using registry keys. The registry keys are under: HKLM\SOFTWARE\Cisco Systems, Inc.\ICM\<inst>\PG(n)[A/B]\PG\CurrentVersion\PIMS\pim(n)\EAGENTData\Dynamic
The registry keys include the following:
- AccountLockoutDuration: The default is 15. After the account is locked out because of unsuccessful login attempts, this value is the number of minutes the account remains locked out.
- AccountLockoutResetCountDuration: The default is 15. This is the number of minutes before the AccountLockoutThreshold count goes back to zero. It applies when the account has not been locked out but has accumulated fewer unsuccessful login attempts than the value of AccountLockoutThreshold.
- AccountLockoutThreshold: The default is 3. This is the number of unsuccessful login attempts after which the account is locked out.
Note
These settings are applicable only on Desktop solutions other than Cisco Finesse, such as CTI OS with a System Peripheral Gateway.
Finesse blocks access to a user account if an agent or supervisor tries to sign in to the desktop five times consecutively with a wrong password. The lockout period is five minutes. For more information about these settings, see the Cisco Finesse Administration Guide at https://www.cisco.com/c/en/us/support/customer-collaboration/finesse/products-maintenance-guides-list.html.
When Single Sign-On (SSO) is enabled for an agent, the account lockout mechanism is managed by the associated identity provider.
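The following is an added example, not code from the Cisco guide, that models how the three lockout values above (AccountLockoutThreshold, AccountLockoutResetCountDuration, AccountLockoutDuration) interact, and also replays the Finesse behaviour described in the note (five consecutive failures, five-minute lockout) as a second policy. The guide does not say whether the reset window is measured from the first or the most recent failed attempt, whether a successful sign-in clears the counter, or whether a correct password is refused during the lockout; this model assumes the most recent failure, that success clears the counter, and that a locked account refuses even the correct password. The sample attempt sequences and the agent IDs are constructed.

```python
# Added example (not from the Cisco guide): a small model of the agent-login
# lockout policy so that the registry values can be reasoned about together.
# Assumptions (not stated by the guide): the reset window runs from the most
# recent failed attempt, a successful sign-in clears the failure count, and a
# correct password is still refused while the account is locked out.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class LockoutPolicy:
    threshold: int                 # AccountLockoutThreshold: failures before lockout
    lockout_minutes: int           # AccountLockoutDuration: minutes the account stays locked
    reset_minutes: Optional[int]   # AccountLockoutResetCountDuration; None = only success resets


# Defaults quoted in the guide: 3 failures within 15 minutes -> locked for 15 minutes.
CTIOS_DEFAULT = LockoutPolicy(threshold=3, lockout_minutes=15, reset_minutes=15)
# Finesse as described in the guide: five consecutive failures -> locked for 5 minutes.
FINESSE_POLICY = LockoutPolicy(threshold=5, lockout_minutes=5, reset_minutes=None)


@dataclass
class AccountState:
    failures: int = 0
    last_failure_at: Optional[float] = None
    locked_until: Optional[float] = None


class LockoutTracker:
    """Tracks per-account failure counts; times are minutes since an arbitrary epoch."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Record one sign-in attempt and return 'ok', 'denied' or 'locked'."""
        st = self.accounts.setdefault(user, AccountState())

        if st.locked_until is not None:
            if now < st.locked_until:
                return "locked"            # still inside AccountLockoutDuration
            st.locked_until = None         # lockout expired: start counting afresh
            st.failures, st.last_failure_at = 0, None

        # AccountLockoutResetCountDuration: idle long enough -> counter back to zero
        if (self.policy.reset_minutes is not None and st.last_failure_at is not None
                and now - st.last_failure_at >= self.policy.reset_minutes):
            st.failures, st.last_failure_at = 0, None

        if password_ok:
            st.failures, st.last_failure_at = 0, None
            return "ok"

        st.failures += 1
        st.last_failure_at = now
        if st.failures >= self.policy.threshold:
            st.locked_until = now + self.policy.lockout_minutes
            return "locked"
        return "denied"


def run_attempts(policy: LockoutPolicy, attempts: List[Tuple[float, str, bool]]) -> List[str]:
    """Replay (minute, user, password_ok) tuples and return the outcome of each."""
    tracker = LockoutTracker(policy)
    return [tracker.attempt(user, ok, minute) for minute, user, ok in attempts]


# Constructed sample for the default PG policy: two early mistakes, a 19-minute
# pause (which resets the counter), then three failures in a row -> locked until
# minute 37. The correct password is refused at minute 30 and accepted at 38.
PG_SAMPLE = [
    (0.0, "agent1001", False),
    (1.0, "agent1001", False),
    (20.0, "agent1001", False),   # counter was reset; this is failure #1 again
    (21.0, "agent1001", False),
    (22.0, "agent1001", False),   # failure #3 -> locked
    (30.0, "agent1001", True),    # correct password, but still locked
    (38.0, "agent1001", True),    # lockout elapsed -> sign-in succeeds
]

# Constructed sample for Finesse: no time-based reset, so widely spaced failures
# still count as consecutive and the fifth one locks the account for 5 minutes.
FINESSE_SAMPLE = [
    (0.0, "agent2002", False),
    (30.0, "agent2002", False),
    (60.0, "agent2002", False),
    (90.0, "agent2002", False),
    (120.0, "agent2002", False),  # fifth consecutive failure -> locked until 125
    (124.0, "agent2002", True),
    (126.0, "agent2002", True),
]

if __name__ == "__main__":
    print("PG default policy :", run_attempts(CTIOS_DEFAULT, PG_SAMPLE))
    print("Finesse policy    :", run_attempts(FINESSE_POLICY, FINESSE_SAMPLE))
```

Replaying the same sequence against a policy with a longer AccountLockoutResetCountDuration (or a lower AccountLockoutThreshold) shows how quickly a burst of wrong passwords, whether an agent's own typos or someone else's, takes an agent off the floor; that trade-off is the reason to review these values rather than leave them at the defaults without thought.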
Endpoint Security
Agent Desktops
Cisco Finesse supports HTTPS (TLS 1.2 only) for the Administration Console and agent and supervisor clients.
Unified IP Phone Device Authentication
When designing a contact center enterprise solution, you can implement device authentication for the Cisco Unified IP Phones. Contact center enterprise solutions support Unified Communications Manager’s Authenticated Device Security Mode, which ensures the following:
- Device Identity—Mutual authentication using X.509 certificates
- Signaling Integrity—SIP messages authenticated using HMAC-SHA-1
- Signaling Privacy—SIP message content encrypted using AES-128-CBC
Media Encryption (SRTP) Considerations
Before enabling SRTP in your deployment, consider the following points:
- To use secure media on the agent leg, ensure that the installed IP phones are compatible with SRTP.
- The Virtualized Voice Browser supports SRTP for the VRU leg.
- The IOS VXML Gateway does not support SRTP.
- Mobile Agents cannot use SRTP.
- The Cisco Outbound Option Dialers do not support SRTP. While a call is connected to the Dialer, it cannot use SRTP; the call can negotiate SRTP once it is no longer connected to the Dialer.
IP Phone Hardening
With the IP phone device configuration in Unified CM, you can disable certain phone features to harden the phones. For example, you can disable the phone's PC port or restrict a PC from accessing the voice VLAN. Changing some of these settings can disable the monitoring and recording features of the contact center enterprise solution. The settings are defined as follows:
- PC Voice VLAN Access—Indicates whether the phone allows a device attached to the PC port to access the Voice VLAN. Disabling Voice VLAN Access prevents the attached PC from sending and receiving data on the Voice VLAN. It also prevents the PC from receiving data sent and received by the phone. Disabling this feature disables desktop-based monitoring and recording. This setting is Enabled (the default).
- Span to PC Port—Indicates whether the phone forwards packets transmitted and received on the Phone Port to the PC Port. To use this feature, enable PC Voice VLAN access. Disabling this feature disables desktop-based monitoring and recording. This setting is Enabled.
Disable the following setting to prevent man-in-the-middle (MITM) attacks. Some third-party monitoring and recording applications use this mechanism for capturing voice streams.
- Gratuitous ARP—Indicates whether the phone learns MAC addresses from Gratuitous ARP responses. This setting is Disabled.