Securing the Connection Between Cisco Unity, Cisco CallManager, and IP Phones
In this chapter, you will find descriptions of potential security issues related to connections between Cisco Unity, Cisco CallManager, and IP phones; information on any actions you need to take; recommendations that will help you make decisions; discussion of the ramifications of the decisions you make; and best practices.
See the following sections:
• Security Issues for Connections Between Cisco Unity, Cisco CallManager, and IP Phones
• Cisco CallManager Security Features for Cisco Unity Voice Messaging Ports
• Security Mode Settings for Cisco CallManager and Cisco Unity
• Best Practices
Security Issues for Connections Between Cisco Unity, Cisco CallManager, and IP Phones
A potential point of vulnerability for a Cisco Unity system is the connection between Cisco Unity, Cisco CallManager, and the IP phones. Possible threats include:
• Man-in-the-middle attacks (when the information flow between Cisco CallManager and the Cisco Unity voice messaging ports is observed and modified)
• Network traffic sniffing (when software is used to capture phone conversations and signaling information that flow between Cisco CallManager, the Cisco Unity voice messaging ports, and IP phones that are managed by Cisco CallManager)
• Modification of call signaling between the Cisco Unity voice messaging ports and Cisco CallManager
• Modification of the media stream between the Cisco Unity voice messaging ports and the endpoint (for example, an IP phone or a gateway)
• Identity theft of the Cisco Unity voice messaging port (when a non-Cisco Unity device presents itself to Cisco CallManager as a Cisco Unity voice messaging port)
• Identity theft of the Cisco CallManager server (when a non-Cisco CallManager server presents itself to Cisco Unity voice messaging ports as a Cisco CallManager server)
Cisco CallManager Security Features for Cisco Unity Voice Messaging Ports
Cisco CallManager 4.1(3) or later can secure the connection with Cisco Unity 4.0(5) or later against the threats listed in the "Security Issues for Connections Between Cisco Unity, Cisco CallManager, and IP Phones" section. The Cisco CallManager security features that Cisco Unity can take advantage of are described in Table 5-1.
Table 5-1 Cisco CallManager Security Features That Are Used by Cisco Unity

Security Feature: Signaling authentication
Description: The process that uses the Transport Layer Security (TLS) protocol to validate that no tampering has occurred to signaling packets during transmission. Signaling authentication relies on the creation of the Cisco Certificate Trust List (CTL) file.
This feature protects against:
• Man-in-the-middle attacks that modify the information flow between Cisco CallManager and the Cisco Unity voice messaging ports.
• Modification of the call signaling.
• Identity theft of the Cisco Unity voice messaging port.
• Identity theft of the Cisco CallManager server.

Security Feature: Device authentication
Description: The process that validates the identity of the device and ensures that the entity is what it claims to be. This process occurs between Cisco CallManager and Cisco Unity voice messaging ports when each device accepts the certificate of the other device. When the certificates are accepted, a secure connection between the devices is established. Device authentication relies on the creation of the Cisco Certificate Trust List (CTL) file.
This feature protects against:
• Man-in-the-middle attacks that modify the information flow between Cisco CallManager and the Cisco Unity voice messaging ports.
• Modification of the media stream.
• Identity theft of the Cisco Unity voice messaging port.
• Identity theft of the Cisco CallManager server.

Security Feature: Signaling encryption
Description: The process that uses cryptographic methods to protect (through encryption) the confidentiality of all SCCP signaling messages that are sent between the Cisco Unity voice messaging ports and Cisco CallManager. Signaling encryption ensures that the information that pertains to the parties, DTMF digits that are entered by the parties, call status, media encryption keys, and so on are protected against unintended or unauthorized access.
This feature protects against:
• Man-in-the-middle attacks that observe the information flow between Cisco CallManager and the Cisco Unity voice messaging ports.
• Network traffic sniffing that observes the signaling information flow between Cisco CallManager and the Cisco Unity voice messaging ports.

Security Feature: Media encryption
Description: The process whereby the confidentiality of the media is ensured through the use of cryptographic procedures. This process uses Secure Real-time Transport Protocol (SRTP) as defined in IETF RFC 3711, and ensures that only the intended recipient can interpret the media streams between Cisco Unity voice messaging ports and the endpoint (for example, a phone or gateway). Support includes audio streams only. Media encryption includes creating a media master key pair for the devices, delivering the keys to Cisco Unity and the endpoint, and securing the delivery of the keys while the keys are in transport. Cisco Unity and the endpoint use the keys to encrypt and decrypt the media stream.
This feature protects against:
• Man-in-the-middle attacks that listen to the media stream between Cisco CallManager and the Cisco Unity voice messaging ports.
• Network traffic sniffing that eavesdrops on phone conversations that flow between Cisco CallManager, the Cisco Unity voice messaging ports, and IP phones that are managed by Cisco CallManager.
Authentication and signaling encryption serve as the minimum requirements for media encryption; that is, if the devices do not support signaling encryption and authentication, media encryption cannot occur.
Security Mode Settings for Cisco CallManager and Cisco Unity
Cisco CallManager and Cisco Unity have the security mode options shown in Table 5-2 for voice messaging ports.
Caution: The Cluster Security Mode setting for Cisco Unity voice messaging ports must match the security mode setting for the Cisco CallManager ports. Otherwise, Cisco CallManager authentication and encryption will fail.
Table 5-2 Security Mode Options for Voice Messaging Ports

Setting: Non-secure
Effect: The integrity and privacy of call-signaling messages will not be ensured because call-signaling messages will be sent as clear (unencrypted) text and will be connected to Cisco CallManager through a non-authenticated port rather than an authenticated TLS port.
In addition, the media stream cannot be encrypted.

Setting: Authenticated
Effect: The integrity of call-signaling messages will be ensured because they will be connected to Cisco CallManager through an authenticated TLS port. However, the privacy of call-signaling messages will not be ensured because they will be sent as clear (unencrypted) text.
In addition, the media stream will not be encrypted.

Setting: Encrypted
Effect: The integrity and privacy of call-signaling messages will be ensured because they will be connected to Cisco CallManager through an authenticated TLS port, and the call-signaling messages will be encrypted.
In addition, the media stream can be encrypted.
Caution: Both endpoints must be registered in encrypted mode for the media stream to be encrypted. If one endpoint is set for non-secure or authenticated mode and the other endpoint is set for encrypted mode, the media stream will not be encrypted. Also, if an intervening device (such as a transcoder or gateway) is not enabled for encryption, the media stream will not be encrypted.
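The rules in Table 5-2 and the two cautions around it (port modes must match, both endpoints and every intervening device must be encrypted for SRTP, and signaling authentication plus signaling encryption are prerequisites for media encryption) can be checked mechanically before a change window. The following Python is an added example, not Cisco code or part of this guide: the mode names are taken from Table 5-2, while the data model (PortConfig, the list of intervening devices, the port names in the sample inventory) is an assumption constructed for illustration.

```python
"""Evaluate the protection a Cisco Unity voice messaging port call actually gets.

Added example (not Cisco code). Encodes the rules stated in Table 5-2:
  * the Cisco Unity port mode must match the Cisco CallManager port mode,
    otherwise authentication and encryption fail;
  * Authenticated mode gives signaling integrity (TLS) but no privacy
    and no media encryption;
  * Encrypted mode gives signaling integrity and privacy, and the media
    stream (SRTP) is encrypted only when both endpoints are in encrypted
    mode and every intervening transcoder or gateway is enabled for it.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Tuple


class Mode(Enum):
    """Security mode names as used in Table 5-2."""
    NON_SECURE = "non-secure"
    AUTHENTICATED = "authenticated"
    ENCRYPTED = "encrypted"


@dataclass(frozen=True)
class Outcome:
    registered: bool            # False when a mode mismatch makes auth/encryption fail
    signaling_integrity: bool   # SCCP signaling over an authenticated TLS port
    signaling_privacy: bool     # SCCP signaling encrypted
    media_encrypted: bool       # SRTP on the audio stream
    reasons: Tuple[str, ...]    # why protection fell short; empty when fully protected


def evaluate(unity_mode: Mode, callmanager_mode: Mode, endpoint_mode: Mode,
             intervening: Iterable[Tuple[str, bool]] = ()) -> Outcome:
    """Apply the Table 5-2 rules to one call leg.

    intervening: (device name, encryption enabled) pairs for transcoders or
    gateways in the media path. This data model is an assumption of the example.
    """
    # Caution under Table 5-2: Unity and CallManager port modes must match.
    if unity_mode != callmanager_mode:
        return Outcome(False, False, False, False, (
            "Cisco Unity port mode %s does not match Cisco CallManager port mode %s; "
            "authentication and encryption fail" % (unity_mode.value, callmanager_mode.value),))

    if unity_mode is Mode.NON_SECURE:
        return Outcome(True, False, False, False,
                       ("non-secure mode: clear-text signaling on a non-authenticated port",))

    if unity_mode is Mode.AUTHENTICATED:
        return Outcome(True, True, False, False,
                       ("authenticated mode: signaling integrity only; signaling and media not encrypted",))

    # Encrypted mode: signaling is authenticated and encrypted; media may be.
    reasons: List[str] = []
    media = True
    if endpoint_mode is not Mode.ENCRYPTED:
        media = False
        reasons.append("endpoint registered in %s mode; both endpoints must be encrypted for SRTP"
                       % endpoint_mode.value)
    for name, enabled in intervening:
        if not enabled:
            media = False
            reasons.append("intervening device %s is not enabled for encryption" % name)
    return Outcome(True, True, True, media, tuple(reasons))


@dataclass(frozen=True)
class PortConfig:
    port: str
    unity_mode: Mode
    callmanager_mode: Mode
    endpoint_mode: Mode
    intervening: Tuple[Tuple[str, bool], ...] = ()


def audit(configs: Iterable[PortConfig]) -> List[Tuple[str, Outcome]]:
    """Return (port, outcome) for every port that falls short of the best practice
    (authenticated and encrypted signaling with an encrypted media stream)."""
    findings = []
    for c in configs:
        o = evaluate(c.unity_mode, c.callmanager_mode, c.endpoint_mode, c.intervening)
        if not (o.registered and o.signaling_integrity and o.signaling_privacy and o.media_encrypted):
            findings.append((c.port, o))
    return findings


# Constructed sample inventory; the port names are placeholders, not real devices.
SAMPLE_PORTS = (
    PortConfig("vm-port-1", Mode.ENCRYPTED, Mode.ENCRYPTED, Mode.ENCRYPTED),
    PortConfig("vm-port-2", Mode.ENCRYPTED, Mode.ENCRYPTED, Mode.AUTHENTICATED),
    PortConfig("vm-port-3", Mode.ENCRYPTED, Mode.ENCRYPTED, Mode.ENCRYPTED, (("transcoder-1", False),)),
    PortConfig("vm-port-4", Mode.AUTHENTICATED, Mode.ENCRYPTED, Mode.ENCRYPTED),
)

if __name__ == "__main__":
    for port, outcome in audit(SAMPLE_PORTS):
        print(port, "->", "; ".join(outcome.reasons))
```

Running the script lists vm-port-2 (far endpoint only authenticated), vm-port-3 (transcoder not enabled for encryption) and vm-port-4 (Unity and CallManager modes differ, so the port does not even authenticate); vm-port-1 is the only leg that meets the best practice. The point of modelling it this way is that "Encrypted" on the Cisco Unity side alone says nothing about whether a given conversation is protected: the answer depends on the far endpoint and on every device in the media path.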
Best Practices
If you have Cisco Unity 4.0(5) or later integrated with Cisco CallManager 4.1(3) or later, we recommend that you enable authentication and encryption for the voice messaging ports on both Cisco Unity and Cisco CallManager.
For information on enabling authentication and encryption, see the applicable Cisco CallManager integration guide, available at http://www.cisco.com/en/US/products/sw/voicesw/ps2237/products_installation_and_configuration_guides_list.html.