Professional Documents
Culture Documents
Brkcol 2014
Brkcol 2014
Introduction to
Cisco UC Security
#CLUS
Cybercriminals:
IP Telephony is a Wonderful Thing
Toll Fraud
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Secure Your Deployment
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Speakers
• Rado Drabik
Technical Consulting Engineer
• Laurent Pham
Technical Marketing Engineer
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
Agenda
• UC Security Overview
• PKI and Certificate Fundamentals
• TLS and Cryptography
• Securing CUCM, Phones, CUBE, and Jabber
• Expressway Mobile and Remote Access
• Conclusion
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 6
Cisco Webex Teams
Questions?
Use Cisco Webex Teams to chat
with the speaker after the session
How
1 Find this session in the Cisco Live Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
#CLUS © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 7
UC Security Overview
Attack Examples
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 9
Multi-Layered Security
Secure Servers
Secure Endpoints
Secure Network
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 10
Secure Physical Access
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 11
Secure Network
• Layer 2/3 Security
• Separate VLAN for voice and data
• Port Security limits the number of MAC addresses allowed per
Secure Servers port, against CAM table flooding
Secure Endpoints • DHCP Snooping against rogue DHCP, DHCP starvation, also
creates binding table
Secure Network • IP Source Guard against spoofed IP addresses
• Perimeter Security
• Firewalls/IPS, ASA with FirePOWER Services
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 12
Secure Endpoints
Default Security Features
• Signed firmware
• Secure boot (select models)
Secure Servers
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 13
Secure Endpoints
Additional Security Features
• Disable settings if not used:
PC port, PC Voice VLAN Access, Gratuitous ARP,
Secure Servers
•
Secure Endpoints
Web Access, Settings button, SSH, console…
• Encrypt IP Phone Services (HTTPS), e.g. EM
Secure Network
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 15
Secure Servers – Unified CM - Features
Security Features
• Encryption for network links available (LDAP, SIP…)
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 16
Unified CM Security Modes
Feature Non Secure Cluster Mixed Mode Cluster
New in
Auto-registration 11.5
CAPF + LSC
IP VPN Phone
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 17
CUBE / IOS Security voice service voip
ip address trusted list
ipv4 10.1.1.10
Security Features ipv4 66.66.66.66
• IP Trust List: Don’t respond to any SIP INVITEs if not originated from an IP address
specified in this trust list
• Call Threshold: Protect against CPU, Memory & Total Call spike
• Call Spike Protection: Protect against spike of INVITE messages within a sliding
window
• Bandwidth Based CAC: Protect against excessive media
• Media Policing: Protect against negotiated Bandwidth overruns and RTP Floods
• NBAR policies: Protect against overall SIP, RTP flood attacks from otherwise
“trusted” sources
• Voice Policies: Identify patterns of valid phone calls that might suggest potential
abuse
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 18
Secure Servers – Toll Fraud
CUCM Toll Fraud Prevention
• Partitions and Calling search spaces provide dial plan
segmentation and access control
Secure Servers • “Block offnet to offnet transfer” (CallManager service
parameter)
Secure Endpoints
• “Drop Ad hoc Conferences” (CallManager service parameter)
Secure Network
• Device Pool “Calling Search Space for Auto-registration” to
Secure Physical Access limit access to dial plan
• Employ Time of day routing to deactivate segments of the dial
plan after hours
• Require Forced Authentication Codes on route patterns to
restrict access on long distance or international calls.
• Monitor Call Detail Records
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 19
Secure Servers – Toll Fraud
Unity Connection could be used to transfer a call
• Use restriction tables to allow or block call patterns
• Change the Rerouting CSS on the trunk in the
Secure Servers CUCM side
Secure Endpoints
CUBE
Secure Network
• Use IP Trust List
Secure Physical Access
Expressway
• Call Policy Rules (CPL)
• Search History
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 20
Balancing Risk
Cost - Complexity - Resources - Performance - Manpower - Overhead
Low Medium High
Easy or Default Moderate and Reasonable Advanced or Not Integrated
Hardened Platform Secure Directory Integration (SLDAP) UC-Aware Firewall (Inspection)
SELinux – Host Based Intrusion
Encrypted Configuration 802.1x & NAC
Protection
iptables - Integrated Host Firewall OAuth with Refresh Token IPsec
Signed Firmware & Configuration TLS & SRTP for Phones & Gateways Rate Limiting
HTTPS TLS & SRTP for Jabber w/ SIP OAuth Managed VPN (Remote Worker)
Separate Voice & Data VLANs QoS Packet Marking Network Anomaly Detection
Basic Layer 3 ACL’s (Stateless) Dynamic ARP Inspection TLS & SRTP for Jabber w/o SIP OAuth
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 21
Cisco Secure Development Lifecycle
www.cisco.com/go/csdl
- CSDL
Repeatable and measurable
process designed to increase
Cisco product resiliency and
trustworthiness.
- Product Security Baseline
Internal Requirements on important
security components (credential
and key management,
cryptography standards, sensitive
data disposal…)
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 22
Cisco PSIRT has your back
Product Security Incident Response Team (PSIRT) - www.cisco.com/go/psirt
• Dedicated, global team
managing security vulnerability
information related to Cisco
products and networks
• Responsible for Cisco Security
Advisories, Responses and
Notices
• Interface with security
researchers and hackers
• Assist Cisco product teams in
securing products
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 23
PKI and Certificate
Fundamentals
Symmetric Encryption
Same Key
Key characteristics:
• Shared key / shared secret: single key to encrypt and decrypt
• Extremely fast
• Easy to implement in hardware (DES, 3DES, AES and RC4)
Limitation:
• Secret Key can be compromised & the data decrypted.
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 25
Asymmetric Encryption
Version
Issued By: Cisco Systems Serial Number
Signature Algorithm
Serial Number: 63542
Signature Hash
Algorithm
Certificate Validity: May 4th, 2020 Issuer
Lorem ipsum dolor sit
amet, consectetur
adipiscing elit. Valid From
John Doe
5/4/20 CCIE# 63542 Valid To
Subject Name
Public Key
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 27
Public Key Infrastructure
Private Key
Public Key
Certificate
Authority
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 28
Certificate Authority and PKI
Private Key
Public Key
Certificate
Alice Authority
Bob
Private Key
Public Key
Public Key
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 29
Digital Certificates
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 6 (0x6)
Signature Algorithm: sha1WithRSAEncryption
Certificate properties Issuer: CN=root, OU=ca, O=cisco
Validity
Not Before: Mar 25 10:46:17 2013 GMT
Not After : Mar 25 10:46:17 2014 GMT
Subject: CN=router, OU=TAC, O=Cisco, C=BE
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:c2:e5:4d:45:50:8b:18:86:45:ca:b6:b2:f0:f1:
Issuer identity
[...]
& signature 36:c2:16:ca:a2:df:ac:8e:3d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Signature Algorithm: sha1WithRSAEncryption
Subject identity, key 03:65:af:30:c5:8d:e4:45:b1:00:1b:4f:e0:22:8b:ef:3b:d3:
& attributes [...]
c3:5d:37:ac
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 30
Types of Certificates
Signs Signs
Certificate
Authority
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 33
CA-signed Certificate Trust Chain
Trust
Chain
Certificate
Authority
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 34
Why to use CA-Signed certificates?
Pros:
• Simplified certificate management Certificate
• Identity of the certificate holder is Authority
verified by a trusted third party
Cons:
• Initially more administrative effort
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 35
Multi-Server Certificate Support
Unified CM Cluster
Recommendation:
Use Multi-Server certificates wherever available:
Tomcat/Tomcat-ECDSA for Unified CM/IM&P and CUC, CallManager, CUP-XMPP, CUP-XMPP-
S2S
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 36
Transport Layer
Security and
Ciphers
TLS Session Establishment
Client Server
ClientHello
(version, cipher list)
ServerHello
Certificate
ServerKeyExchange (DH)
ServerHelloDone
ClientKeyExchange
ChangeCipherSpec
Finished
ChangeCipherSpec
Finished
TLS Established
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 38
TLS Session Establishment - Mutual TLS
Client Server
ClientHello
(version, cipher list)
ServerHello
Certificate
ServerKeyExchange
Certificate (MTLS) CertificateRequest (MTLS)
ClientKeyExchange ServerHelloDone
CertificateVerify (MTLS)
[ChangeCipherSpec] Private Key
Finished
[ChangeCipherSpec]
Finished
Private Key TLS Established
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 39
TLS v1.2
• More secure version
• Supports stronger ciphers
• May be required for security or compliance reasons
• Requirements:
Ability to disable TLS 1.1, 1.0, SSL 3.0
and lower protocols
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 40
TLS v1.2 Support
Product Support
Supports Disable Disable Notes
TLS 1.2 TLS 1.0 TLS 1.1
CUCM/IM&P, UCxn, CER, PLM*, PCD, TMS, secure System Release 12 and earlier (e.g.
CUBE (G2/G3)
backport to 11.5)
Other infrastructure (CMS, Conductor, TP Server, System Release 12
Expressway, Contact Center, PCP, secure SIP PSTN
GW/CUBE/MTP/CFB G2/G3, secure SRST G3, secure
analog VG)
CE Endpoints (DX70/80, MX 200/300 G2, MX 700/800, 9.1.3
SX, IX 5000
78xx/88xx 12.1(1)
Newer TC endpoints (could run CE) Can SW upgrade to CE
(MX 200/300 G2, MX 700/800, SX)
Legacy TC endpoints End of Sale
(C-series, EX, MX 200/300 G1, Profile)
Legacy Immersive End of Sale
(TX 9000 series, CTS)
Older IP phones (e.g., 79xx series, 69xx, 99xx, 89xx, No support or partial support
DX on Android, IP Communicator)
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 41
TLS 1.2 Compatibility Matrix
TLS 1.2 Support Disabling TLS 1.0/1/1
(Interop) (PCI Compliance)
https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/uc_system/unified/communications/system/Compatibility/TLS/TLS1-2-Compatibility-Matrix.html
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 42
Deconstructing the Cipher Suite
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Key Exchange
• { }: RSA Message Authentication Code
• ECDHE/DHE: (Elliptic Curve) • SHA1
10.5(2)
Diffie-Hellman Ephemeral • SHA2 with key size 10.5(2)
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 44
Cipher Management Control
ALL TLS
HTTPS TLS
SIP TLS
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 45
Cipher Management Control
SSH Ciphers
SSH MAC
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 46
CUCM Certificates
and Trust Stores
CUCM Certificate Trust Stores
Type Type-trust
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 48
CUCM Certificate Types
CallManager
Tomcat CAPF
IPSec TVS
ITLRECOVERY
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 49
CUCM Certificate Truststores
CallManager-Trust
Tomcat-Trust CAPF-Trust
Truststores for
Services and Functions
IPSec-Trust TVS-Trust
Phone-VPN-Trust
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 50
CUCM Certificate Truststores
Identity Trust
CallManager CallManager-Trust
CallManager-ECDSA Tomcat-Trust
Tomcat CAPF-Trust
CAPF TVS-Trust
TVS IPSec-Trust
IPSec Phone-Trust
ITLRecovery Phone-CTL-Trust
Phone-CTL-ASA-Trust (12.0+)
Phone-SAST-Trust
Userlicensing-Trust
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 51
Phone Certificates
and Trust Lists
Phone Certificate Types
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 53
Phone Certificate Trust Chains
Manufacture-Installed Certificate (MIC)
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 54
LSC signing options
LSC
Locally Significant Certificate
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 55
Online CAPF - concept
• IP Phone generates CSR and sends it to CAPF service that is running on CUCM PUB
• CAPF later on ‘talks’ to new service called Cisco Certificate Enrolment Service and this service
is responsible for sending CSR to CA in order to get is signed
• Signed LSC is being sent back to CUCM and finally CAPF is pushing that LSC to IP Phone
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 56
How Do Endpoints Trust Servers?
CTL / ITL
• CTL (Certificate Trust List) and ITL (Initial Trust List) are
signed files that contains a list of certificates that the
endpoint can trust
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 57
CUCM Non-Secure Mode
Security by Default
Feature Non Secure Cluster
Auto-registration
CAPF + LSC
IP VPN Phone
ITLFile.tlv
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 60
CUCM non-secure
Endpoint supporting ITL
CTLFile.tlv
CTL not
found 1
Trust ITL if
none on the ITLFile.tlv TFTP Server
phone.
Otherwise
2
validate ITL
signature
Validate
with ITL Signed
config
3 (.xml.sgn)
(optional)
Encrypted
ITLFile.tlv Validate config
with 4 Signed
Signed existing
Firmware
config firmware
(.sbn)
Signed
Firmware
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 61
Contents of the ITL and Trust Anchor
Certificate ITLFile.tlv
CallManager from TFTP only, all nodes 12.0+
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 62
Loss of Trust
Before CUCM version 12.0 Signed by
CallManager TFTP
cert
ITLFile
Check ITL
signature
1
Unable to
verify config
Signed
file config
signature
3
TVS
2
ITLFile
Unable to
establish
TLS
connection
with TVS
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 63
CUCM Mixed
Mode
Mixed mode
Feature Non Secure Cluster Mixed mode Cluster
Auto-registration
CAPF + LSC
IP VPN Phone
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 66
CUCM Mixed Mode and Generating CTL
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 67
Phone Trust List and Verification
CTLFile.tlv
ITLFile.tlv
Trust Verification Service
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 68
CUCM in mixed mode
Trust CTL if CTLFile.tlv
no ITL/CTL
present.
Otherwise
check CTL 1
signature
Validate
with
CTL/ITL
Signed
3 config
CTLFile.tlv
ITLFile.tlv
Validate with 4 Signed
Signed CTL/ITL
Firmware
config
Signed
Firmware
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 69
Contents of CTL
Certificate CTLFile.tlv
CallManager from all nodes
Signing Certificate
USB Token Certificates
(USB eTokens)
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 70
Contents of the CTL if using USB eTokens
Certificate CTLFile.tlv
CallManager from all nodes
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 71
Contents of the CTL if using Tokenless
Certificate CTLFile.tlv
CallManager (from all nodes)
Signing Certificate or
ITLRECOVERY As of 12.0
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 72
Phone Security Modes
• Authenticated mode – provides integrity and authentication for TLS connection. Be aware
that, neither the signaling nor the media is encrypted.
• Encrypted mode – on the endpoint provides integrity, authentication, and encryption of
signaling. Media is also encrypted using SRTP if other communicating party support it as well.
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 73
High Level View of a Secure Phone Registration
Phone with security profile set to Encrypted mode
Client Hello
CallManager-Trust store
Trust
Yes
it?
MIC or LSC
ITLFile.tlv
CTLFile.tlv
TLS
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 74
What’s Secure RTP?
• As per RFC 3711: SRTP is a profile of the Real-time Transport Protocol (RTP), which can
provide confidentiality, message authentication, and replay protection to the RTP traffic“
• It uses AES (Advanced Encryption Standard) as the default cipher for stream encryption
• HMAC (Hash-based Message Authentication Code) is used to authenticate the message and
protect its integrity
ITLFile ITLFile
SRTP
CTLFile CTLFile
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 76
Secure to Non-Secure Interworking
ITLFile ITLFile
RTP
CTLFile CTLFile
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 77
Phone Security Status Icons
Authenticated None
Secure
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 78
Monitoring Certificate Expiration
Handled by
the Cisco Certificate Expiry Monitor
service
New in 11.5.1
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 79
CUBE Certificates
and Trustpoints
Trustpoint and Generating CSR
• Define The trustpoint
crypto pki trustpoint <trustpoint_name>
• Generate CSR
crypto pki enroll <trustpoint_name>
<trustpoint_name>
CUBE Certificate
Authority
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 81
Importing Trustchain and Identity Certificate
• Import CA root certificate
crypto pki authenticate <trustpoint_name>
<trustpoint_names>
CUBE Certificate
Authority
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 82
Associating Trustpoint to SIP Trunk
• Associate the trust point to SIP trunk
sip-ua
crypto signaling remote-addr 10.1.1.100 255.255.255.255 trustpoint <trustpoint_name>
crypto signaling remote-addr 10.1.2.0 255.255.255.0 trustpoint <trustpoint_name>
crypto signaling default trustpoint default trustpoint <trustpoint_name>
<trustpoint_name>
SIP Trunk
CUBE
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 83
High Level View of a Secure Connection
Do I trust this
Yes
device?
Trust
Yes
it?
Trustpoint (s)
TLS
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 84
Securing Cisco
Jabber
Authentication options for Jabber clients
3 2
SAML SSO: SAML LDAP
Directory LDAP Authentication:
• CUCM/IM&P, Unity Connection IdP
IdP
• CUCM/IM&P and Unity
and Expressway set up SAML
Connection use LDAP bind to
agreements with IdP
CUCM + IM&P authenticate end-users against
• All end-user authentication is
external directory
delegated to the IdP
• Equivalent to local authN for
• Jabber relies on platform
Expressway/MRA
browser to interact with IdP
1
Unity Local Authentication :
Connection • Built-in user databases in CUCM/
IM&P and Unity Connection
• Expressway forwards authN
Jabber requests to CUCM/Unity for MRA
clients Expressway E/C
Jabber clients
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 86
OAuth - Implicit Grant flow – Old Flow
OAuth
Expressway E/C
OAuth
OAuth
Expressway E/C
Jabber on-premises
(SAML SSO) OAuth token OAuth token (12.5) OAuth token OAuth token
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 89
Securing Jabber softphone on premises
Device Security Modes
• Non-Secure
• Encrypted (LSC)
Encrypted
Encrypted Non-secure
LSC installation & mixed mode required (OAuth)
CM CM CM
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 90
Expressway and
Mobile and
Remote Access
(MRA)
MRA Media and Signaling Encryption
• On the Internet and in the traversal zone: Media and Signaling are
always encrypted
• In the internal network, Media and Signaling encryption depends on
the Unified CM configuration for the MRA endpoint
SIP TCP
SRTP
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 92
MRA Authentication
MRA Endpoint Authenticating Expressway-E
• MRA endpoints verify the Expressway-E Server Certificate
• ITL/CTL not used
• Jabber Clients rely on the underlying platform trusted CA list
• Hardware endpoints rely on a trusted CA list included in firmware
=> Expressway-E certificate needs to be CA-signed
SIP TCP
CTLFile
SRTP
ITLFile
Expressway-C DMZ Expressway-E External
Firewall CTLFile
Firewall ITLFile
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 93
MRA Authentication
Authenticating the MRA Endpoint (without activation code onboarding)
• Expressway-E does not verify the MRA endpoint certificate (MIC/LSC).
Instead:
• Username/password for initial HTTPS connection
• For SIP: Digest Authentication (local/LDAP authentication) or OAuth (SSO and/or
OAuth)
Username/pwd
SIP TCP
SRTP
MIC/LSC
Expressway-C DMZ Expressway-E External
Firewall Firewall
MIC/LSC
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 94
Activation code Device onboarding over MRA - 12.5(1) SU1
1. Admin configures Cloud/Hybrid communication.
0 CUCM onboards with cloud/GDS, creates MRA
mra.foo.com target which includes Expressway address
0 3.
2 Admin requests activation code for this device.
Admin Device Activation Service gets code from GDS.
2.
1 Admin creates full device config without specifying
MAC address (BAT, AXL, GUI)
Admin 3.
2 Admin requests activation code for this device
DHCP
4 0 4.
3 Activation code is sent to the user by the admin, or
Intranet 2 the enduser gets it via the Self Care Portal.
5 CUCM 5.
4 Phone gets CUCM target from DHCP/Static config,
6
downloads the XMLDefault file, detects that
1 activation code onboarding is in use, and the user
enters the activation code.
User
3 6.
5 Phone authenticates to CUCM using MIC +
activation code in an SRP handshake.
MAC ? 6
MAC1234 7.
6 Device activation service updates device config in
Activation Code the database with phone MAC and sends success
2 to the phone.
SRTP
SRTP
SIP TLS
Expressway-C DMZ Expressway-E External
Firewall Firewall
With ICE
• Media Path Optimization
• Single SRTP encryption key
SIP TLS
TURN SRTP
SIP TLS
TURN: Traversal Using Relay NAT Expressway-C DMZ Expressway-E External
ICE: Interactive Connectivity Establishment Firewall with TURN server Firewall
STUN: Session Traversal Utilities for NAT
Jabber must be configured with SIP OAuth
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 97
For Your
ICE Minimum Release Requirements Reference
• Expressway X12.5
• Unified CM 12.5(1) (Unified CM 11.5 if Jabber is not deployed)
• CE release 9.6
7800/8800 release 12.5(1)SR1
Unified CM mixed-mode required
• Jabber 12.5
SIP OAuth required
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 98
Conclusion
Secure Your Deployment
• Deploy Multi-Layered Security
• Simplify certificate management
• Embrace security by default (especially with Unified CM 12.0+)
• Enable CUCM mixed-mode and configure endpoints in encrypted
mode
• Enable OAuth (with refresh token) / SIP OAuth / Encryption for
Jabber (12.5+) (enabling encryption difficult if no SIP OAuth)
• Enable encryption on the links (IP Phone Services, SIP Trunk, LDAP)
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 100
Security is a Journey, Not a Destination
• Stay up-to-date on the latest security news and upgrade / install
security updates when applicable
• Monitor PSIRT (Product Security Incident Response Team)
publications
• Security advisories, responses, and notices
• www.cisco.com/go/psirt
• Subscribe to Cisco
notification service
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 102
Additional UC Security Sessions
• BRKCOL-3224: Implementing and Troubleshooting Secure Voice on Network Edge
Devices
• Tuesday, June 11th at 4pm
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 103
Complete your
online session • Please complete your session survey
evaluation after each session. Your feedback
is very important.
• Complete a minimum of 4 session
surveys and the Overall Conference
survey (starting on Thursday) to
receive your Cisco Live water bottle.
• All surveys can be taken in the Cisco Live
Mobile App or by logging in to the Session
Catalog on ciscolive.cisco.com/us.
Cisco Live sessions will be available for viewing
on demand after the event at ciscolive.cisco.com.
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 104
Continue your education
Demos in the
Walk-in labs
Cisco campus
#CLUS Session ID © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 105
Thank you
#CLUS
#CLUS
Appendix
References
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 109
For Your
Cipher Suites Support Reference
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 110
Identity Certificates used by Communications
Manager For your reference
Tomcat • Used for HTTPS connections to Web services (TCP port 8443)
• Used to sign SSO SAML Requests (if required by IdP)
Tomcat-EC
TVS • For TLS connections to the TVS service (TCP port 2445)
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 111
Identity Certificates used by Communications
Manager For your reference
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 112
Certificate Trust Stores used with Client
Connections For your reference
• Used for Intermediate and Root certificates that are issuers to CA-
TVS-trust signed TVS certificates
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 113
Certificate Trust Stores used with Client
Connections For your reference
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 114
Architecture Evolution
Jabber SIP and Media Security – CSR 12.5
Internet DMZ Enterprise
CUCM
SIP/TLS
SIP/TLS SIP/TLS
Jabber Jabber
clients TURN clients
SIP/TLS SIP/TLS
CUCM SIP/TLS
Expressway E Expressway C
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 115