Cisco Unity Security Guide (With Microsoft Exchange), Release 4.x
Securing the Connection Between Cisco Unity, Cisco CallManager, and IP Phones

Securing the Connection Between Cisco Unity, Cisco CallManager, and IP Phones


In this chapter, you will find descriptions of potential security issues related to connections between Cisco Unity, Cisco CallManager, and IP phones; information on any actions you need to take; recommendations that will help you make decisions; discussion of the ramifications of the decisions you make; and best practices.

See the following sections:

Security Issues for Connections Between Cisco Unity, Cisco CallManager, and IP Phones

Cisco CallManager Security Features for Cisco Unity Voice Messaging Ports

Security Mode Settings for Cisco CallManager and Cisco Unity

Best Practices

Security Issues for Connections Between Cisco Unity, Cisco CallManager, and IP Phones

A potential point of vulnerability for a Cisco Unity system is the connection between Cisco Unity, Cisco CallManager, and the IP phones. Possible threats include:

Man-in-the-middle attacks (when the information flow between Cisco CallManager and the Cisco Unity voice messaging ports is observed and modified)

Network traffic sniffing (when software is used to capture phone conversations and signaling information that flow between Cisco CallManager, the Cisco Unity voice messaging ports, and IP phones that are managed by Cisco CallManager)

Modification of call signaling between the Cisco Unity voice messaging ports and Cisco CallManager

Modification of the media stream between the Cisco Unity voice messaging ports and the endpoint (for example, an IP phone or a gateway)

Identity theft of the Cisco Unity voice messaging port (when a non-Cisco Unity device presents itself to Cisco CallManager as a Cisco Unity voice messaging port)

Identity theft of the Cisco CallManager server (when a non-Cisco CallManager server presents itself to Cisco Unity voice messaging ports as a Cisco CallManager server)

Cisco CallManager Security Features for Cisco Unity Voice Messaging Ports

Cisco CallManager 4.1(3) or later can secure the connection with Cisco Unity 4.0(5) or later against the threats listed in the "Security Issues for Connections Between Cisco Unity, Cisco CallManager, and IP Phones" section. The Cisco CallManager security features that Cisco Unity can take advantage of are described in Table 5-1.

Table 5-1 Cisco CallManager Security Features That Are Used by Cisco Unity 

Security Feature
Description

Signaling authentication

The process that uses the Transport Layer Security (TLS) protocol to validate that no tampering has occurred to signaling packets during transmission. Signaling authentication relies on the creation of the Cisco Certificate Trust List (CTL) file.

This feature protects against:

Man-in-the-middle attacks that modify the information flow between Cisco CallManager and the Cisco Unity voice messaging ports.

Modification of the call signaling.

Identity theft of the Cisco Unity voice messaging port.

Identity theft of the Cisco CallManager server.

Device authentication

The process that validates the identity of the device and ensures that the entity is what it claims to be. This process occurs between Cisco CallManager and Cisco Unity voice messaging ports when each device accepts the certificate of the other device. When the certificates are accepted, a secure connection between the devices is established. Device authentication relies on the creation of the Cisco Certificate Trust List (CTL) file.

This feature protects against:

Man-in-the-middle attacks that modify the information flow between Cisco CallManager and the Cisco Unity voice messaging ports.

Modification of the media stream.

Identity theft of the Cisco Unity voice messaging port.

Identity theft of the Cisco CallManager server.

Signaling encryption

The process that uses cryptographic methods to protect (through encryption) the confidentiality of all SCCP signaling messages that are sent between the Cisco Unity voice messaging ports and Cisco CallManager. Signaling encryption ensures that the information that pertains to the parties, DTMF digits that are entered by the parties, call status, media encryption keys, and so on are protected against unintended or unauthorized access.

This feature protects against:

Man-in-the-middle attacks that observe the information flow between Cisco CallManager and the Cisco Unity voice messaging ports.

Network traffic sniffing that observes the signaling information flow between Cisco CallManager and the Cisco Unity voice messaging ports.

Media encryption

The process that uses cryptographic procedures to protect the confidentiality of the media. This process uses the Secure Real-time Transport Protocol (SRTP) as defined in IETF RFC 3711, and ensures that only the intended recipient can interpret the media streams between Cisco Unity voice messaging ports and the endpoint (for example, a phone or gateway). Support includes audio streams only. Media encryption includes creating a media master key pair for the devices, delivering the keys to Cisco Unity and the endpoint, and securing the delivery of the keys while the keys are in transport. Cisco Unity and the endpoint use the keys to encrypt and decrypt the media stream.

This feature protects against:

Man-in-the-middle attacks that listen to the media stream between Cisco CallManager and the Cisco Unity voice messaging ports.

Network traffic sniffing that eavesdrops on phone conversations that flow between Cisco CallManager, the Cisco Unity voice messaging ports, and IP phones that are managed by Cisco CallManager.


Authentication and signaling encryption serve as the minimum requirements for media encryption; that is, if the devices do not support signaling encryption and authentication, media encryption cannot occur.


Note: Cisco CallManager security (authentication and encryption) only protects calls to Cisco Unity. Messages recorded on the message store are not protected by the Cisco CallManager authentication and encryption features but can be protected by the Cisco Unity private secure messaging feature. For details on the Cisco Unity private secure messaging feature, see the "Private Secure Messaging (Cisco Unity Version 4.0(5) and Later)" section on page 10-2.


Security Mode Settings for Cisco CallManager and Cisco Unity

Cisco CallManager and Cisco Unity have the security mode options shown in Table 5-2 for voice messaging ports.


Caution: The Cluster Security Mode setting for Cisco Unity voice messaging ports must match the security mode setting for the Cisco CallManager ports. Otherwise, Cisco CallManager authentication and encryption will fail.

Table 5-2 Security Mode Options for Voice Messaging Ports 

Setting
Effect

Non-secure

The integrity and privacy of call-signaling messages will not be ensured because call-signaling messages will be sent as clear (unencrypted) text and will be connected to Cisco CallManager through a non-authenticated port rather than an authenticated TLS port.

In addition, the media stream cannot be encrypted.

Authenticated

The integrity of call-signaling messages will be ensured because they will be connected to Cisco CallManager through an authenticated TLS port. However, the privacy of call-signaling messages will not be ensured because they will be sent as clear (unencrypted) text.

In addition, the media stream will not be encrypted.

Encrypted

The integrity and privacy of call-signaling messages will be ensured because they will be connected to Cisco CallManager through an authenticated TLS port, and the call-signaling messages will be encrypted.

In addition, the media stream can be encrypted.


Caution: Both end points must be registered in encrypted mode for the media stream to be encrypted. If one end point is set for non-secure or authenticated mode and the other end point is set for encrypted mode, the media stream will not be encrypted. Also, if an intervening device (such as a transcoder or gateway) is not enabled for encryption, the media stream will not be encrypted.
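The following Python script is an added example and is not part of the Cisco guide. It encodes the rules of Table 5-2 and the two cautions as a configuration check, and then uses the coverage in Table 5-1 to report which of the threats listed under "Security Issues" would remain for a proposed port configuration. The mode names, the threat and feature labels, the PortConfig/Assessment classes and the sample configurations are constructed for this example; it also assumes that the authenticated mode provides both the signaling authentication and the device authentication features of Table 5-1, which the guide implies but does not state as a table row.

```python
"""Configuration check for Cisco Unity / Cisco CallManager voice messaging port
security modes (added example; labels and class names are this script's own)."""
from dataclasses import dataclass, field

MODES = ("non-secure", "authenticated", "encrypted")  # Table 5-2 settings

# Threats from the "Security Issues" list; keys are constructed labels.
THREATS = {
    "mitm-observe-signaling": "Man-in-the-middle observes CallManager<->port signaling",
    "mitm-modify-signaling": "Man-in-the-middle modifies CallManager<->port signaling",
    "mitm-listen-media": "Man-in-the-middle listens to the media stream",
    "sniff-signaling": "Network traffic sniffing of signaling information",
    "sniff-media": "Network traffic sniffing of phone conversations",
    "modify-signaling": "Modification of call signaling",
    "modify-media": "Modification of the media stream",
    "spoof-port": "Identity theft of the Cisco Unity voice messaging port",
    "spoof-ccm": "Identity theft of the Cisco CallManager server",
}

# Table 5-1: which threats each Cisco CallManager security feature protects against.
FEATURE_COVERS = {
    "signaling-authentication": {"mitm-modify-signaling", "modify-signaling",
                                 "spoof-port", "spoof-ccm"},
    "device-authentication": {"mitm-modify-signaling", "modify-media",
                              "spoof-port", "spoof-ccm"},
    "signaling-encryption": {"mitm-observe-signaling", "sniff-signaling"},
    "media-encryption": {"mitm-listen-media", "sniff-media"},
}


@dataclass
class PortConfig:
    unity_port_mode: str                 # Cisco Unity voice messaging port setting
    ccm_port_mode: str                   # Cisco CallManager port setting (must match)
    endpoint_mode: str = "non-secure"    # phone or gateway at the far end of the media
    # Intervening devices (transcoder, gateway) mapped to "enabled for encryption?"
    intervening_devices: dict = field(default_factory=dict)


@dataclass
class Assessment:
    connection_ok: bool
    features: set
    residual_threats: set
    notes: list


def evaluate(cfg: PortConfig) -> Assessment:
    """Apply the Table 5-2 rules and the cautions; return resulting protections."""
    for name, mode in (("unity_port_mode", cfg.unity_port_mode),
                       ("ccm_port_mode", cfg.ccm_port_mode),
                       ("endpoint_mode", cfg.endpoint_mode)):
        if mode not in MODES:
            raise ValueError(f"{name}={mode!r}; expected one of {MODES}")

    notes, features = [], set()

    # Caution after Table 5-2 intro: mismatched modes make authentication and
    # encryption fail, so no protection can be claimed for the connection.
    if cfg.unity_port_mode != cfg.ccm_port_mode:
        notes.append("Cluster Security Mode mismatch: authentication and encryption fail")
        return Assessment(False, set(), set(THREATS), notes)

    mode = cfg.unity_port_mode
    if mode in ("authenticated", "encrypted"):
        # Authenticated TLS port: integrity of signaling, identities verified.
        features |= {"signaling-authentication", "device-authentication"}
    if mode == "encrypted":
        features.add("signaling-encryption")
        # Second caution: media encryption needs both endpoints in encrypted mode
        # and every intervening device enabled for encryption.
        blockers = []
        if cfg.endpoint_mode != "encrypted":
            blockers.append(f"endpoint registered in {cfg.endpoint_mode} mode")
        blockers += [f"{dev} not enabled for encryption"
                     for dev, enabled in cfg.intervening_devices.items() if not enabled]
        if blockers:
            notes.append("media stream not encrypted: " + "; ".join(blockers))
        else:
            features.add("media-encryption")
    else:
        notes.append(f"media stream cannot be encrypted in {mode} mode")

    covered = set().union(*(FEATURE_COVERS[f] for f in features))
    return Assessment(True, features, set(THREATS) - covered, notes)


if __name__ == "__main__":
    samples = {  # constructed sample configurations
        "recommended": PortConfig("encrypted", "encrypted", "encrypted", {"gateway1": True}),
        "mismatch": PortConfig("encrypted", "authenticated"),
        "auth-only": PortConfig("authenticated", "authenticated", "authenticated"),
        "transcoder-gap": PortConfig("encrypted", "encrypted", "encrypted", {"xcoder1": False}),
    }
    for label, cfg in samples.items():
        a = evaluate(cfg)
        print(f"[{label}] ok={a.connection_ok} features={sorted(a.features)}")
        for key in sorted(a.residual_threats):
            print(f"    residual: {THREATS[key]}")
        for n in a.notes:
            print(f"    note: {n}")
```

Run the script as-is to see the four sample assessments; to check a real deployment, replace the sample PortConfig values with the modes configured on the Cisco Unity ports, the Cisco CallManager ports, the phones or gateways, and any transcoders in the media path.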

Best Practices

If you have Cisco Unity 4.0(5) or later integrated with Cisco CallManager 4.1(3) or later, we recommend that you enable authentication and encryption for the voice messaging ports on both Cisco Unity and Cisco CallManager.

For information on enabling authentication and encryption, see the applicable Cisco CallManager integration guide, available at http://www.cisco.com/en/US/products/sw/voicesw/ps2237/products_installation_and_configuration_guides_list.html.