Brkcol 2014

#CLUS
Introduction to
Cisco UC Security
Rado Drabik– Technical Consulting Engineer

Laurent Pham – Technical Marketing Engineer
BRKCOL-2014
#CLUS
Cybercriminals:
IP Telephony is a Wonderful Thing
Toll Fraud
#CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Secure Your Deployment
• Do not just rely on the default

configuration and built-in security
• Do not just hope
Speakers
• Rado Drabik
Technical Consulting Engineer
• Laurent Pham
Technical Marketing Engineer
Agenda
• UC Security Overview
• PKI and Certificate Fundamentals
• TLS and Cryptography
• Securing CUCM, Phones, CUBE, and Jabber
• Expressway Mobile and Remote Access
• Conclusion
Cisco Webex Teams
Questions?
Use Cisco Webex Teams to chat
with the speaker after the session
How
1 Find this session in the Cisco Live Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
Webex Teams will be moderated cs.co/ciscolivebot#BRKCOL-2014

by the speaker until June 16, 2019.
#CLUS © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 7
UC Security Overview
Attack Examples
Multi-Layered Security
Secure Servers
Secure Endpoints
Secure Network
Secure Physical Access
• Secure physical access to the

Secure Servers Buildings, Data Centers, servers,
Secure Endpoints network devices
Secure Network

• Secure VMware
• Through VMware, can mount DVD and
recover password
• Access to VMDK and disk content
Secure Network
• Layer 2/3 Security
• Separate VLAN for voice and data
• Port Security limits the number of MAC addresses allowed per
Secure Servers port, against CAM table flooding
Secure Endpoints • DHCP Snooping against rogue DHCP, DHCP starvation, also
creates binding table
Secure Network • IP Source Guard against spoofed IP addresses

• Dynamic ARP Inspection (DAI) examines ARP & GARP for
violations (against ARP spoofing)
• 802.1x limits network access to authenticate devices on
assigned VLANs (phones do support 802.1x)
• QoS helps during Denial of Service attacks
• Perimeter Security
• Firewalls/IPS, ASA with FirePOWER Services
Secure Endpoints
Default Security Features
• Signed firmware
• Secure boot (select models)
Secure Servers
Secure Endpoints • Manufacturer Installed Certificate (MIC)

Secure Network • Signed configuration files
Secure Endpoints
Additional Security Features
• Disable settings if not used:
PC port, PC Voice VLAN Access, Gratuitous ARP,
Secure Servers
•
Secure Endpoints
Web Access, Settings button, SSH, console…
• Encrypt IP Phone Services (HTTPS), e.g. EM
Secure Network
• Issue LSC (Locally Significant Certificates) from

CAPF or Microsoft CA (new online mode in 12.5)
• Encrypt config files
• Encrypt Media and Signaling
Reference: Cisco IP Phone 7800 and 8800 Series Security Overview

Secure Servers - Platform
Platform Security
• Host Based Intrusion Protection (SELinux)
• Host based firewall (IPTables)
Secure Servers
• No 3rd party software allowed
Secure Endpoints
• Root account disabled
Secure Network
• Signed upgrade software

• Secure management protocols

-------------------------------------------
• Available security mode: FIPS, Enhanced Security,
Common Criteria
• Available option to use Self-Encrypting Drives
Secure Servers – Unified CM - Features
Security Features
• Encryption for network links available (LDAP, SIP…)
Secure Servers • TLS version control, granular cipher control

Secure Endpoints • Certificate Management Features (notification of
Secure Network
certificate expiration, multi-SAN certificates)
Secure Physical Access • Built-in CA (CAPF)
• Encrypted Backups (always enabled)
• Multi-Level Administration
• Audit Logging
Unified CM Security Modes
Feature Non Secure Cluster Mixed Mode Cluster
New in
Auto-registration 11.5
Signed & Encrypted Phone Configs
Signed Phone Firmware
Secure Phone Services (HTTPS)
CAPF + LSC
IP VPN Phone
Encrypted SIP Trunk
Secure Phones (TLS & SRTP)
New in 12.5 with

Secure Jabber (TLS & SRTP) SIP OAuth
CUBE / IOS Security voice service voip
ip address trusted list
ipv4 10.1.1.10
Security Features ipv4 66.66.66.66
• IP Trust List: Don’t respond to any SIP INVITEs if not originated from an IP address
specified in this trust list
• Call Threshold: Protect against CPU, Memory & Total Call spike
• Call Spike Protection: Protect against spike of INVITE messages within a sliding
window
• Bandwidth Based CAC: Protect against excessive media
• Media Policing: Protect against negotiated Bandwidth overruns and RTP Floods
• NBAR policies: Protect against overall SIP, RTP flood attacks from otherwise
“trusted” sources
• Voice Policies: Identify patterns of valid phone calls that might suggest potential
abuse
Secure Servers – Toll Fraud
CUCM Toll Fraud Prevention
• Partitions and Calling search spaces provide dial plan
segmentation and access control
Secure Servers • “Block offnet to offnet transfer” (CallManager service
parameter)
Secure Endpoints
• “Drop Ad hoc Conferences” (CallManager service parameter)
Secure Network
• Device Pool “Calling Search Space for Auto-registration” to
Secure Physical Access limit access to dial plan
• Employ Time of day routing to deactivate segments of the dial
plan after hours
• Require Forced Authentication Codes on route patterns to
restrict access on long distance or international calls.
• Monitor Call Detail Records
Secure Servers – Toll Fraud
Unity Connection could be used to transfer a call
• Use restriction tables to allow or block call patterns
• Change the Rerouting CSS on the trunk in the
Secure Servers CUCM side
Secure Endpoints
CUBE
Secure Network
• Use IP Trust List
Expressway
• Call Policy Rules (CPL)
• Search History
Balancing Risk
Cost - Complexity - Resources - Performance - Manpower - Overhead
Low Medium High
Easy or Default Moderate and Reasonable Advanced or Not Integrated
Hardened Platform Secure Directory Integration (SLDAP) UC-Aware Firewall (Inspection)
SELinux – Host Based Intrusion
Encrypted Configuration 802.1x & NAC
Protection
iptables - Integrated Host Firewall OAuth with Refresh Token IPsec
Signed Firmware & Configuration TLS & SRTP for Phones & Gateways Rate Limiting
HTTPS TLS & SRTP for Jabber w/ SIP OAuth Managed VPN (Remote Worker)
Separate Voice & Data VLANs QoS Packet Marking Network Anomaly Detection
STP, BPDU Guard, SmartPorts DHCP Snooping Scavenger Class QoS
Basic Layer 3 ACL’s (Stateless) Dynamic ARP Inspection TLS & SRTP for Jabber w/o SIP OAuth
Phone Security Settings IP Source Guard, Port Security
Cisco Secure Development Lifecycle
www.cisco.com/go/csdl
- CSDL
Repeatable and measurable
process designed to increase
Cisco product resiliency and
trustworthiness.
- Product Security Baseline
Internal Requirements on important
security components (credential
and key management,
cryptography standards, sensitive
data disposal…)
Cisco PSIRT has your back
Product Security Incident Response Team (PSIRT) - www.cisco.com/go/psirt
• Dedicated, global team
managing security vulnerability
information related to Cisco
products and networks
• Responsible for Cisco Security
Advisories, Responses and
Notices
• Interface with security
researchers and hackers
• Assist Cisco product teams in
securing products
PKI and Certificate
Fundamentals
Symmetric Encryption
Same Key
Shared key Shared key

Alice Bob
Hello! fj#23+r Hello!

Encrypt Decrypt
Key characteristics:
• Shared key / shared secret: single key to encrypt and decrypt
• Extremely fast
• Easy to implement in hardware (DES, 3DES, AES and RC4)
Limitation:
• Secret Key can be compromised & the data decrypted.
Asymmetric Encryption
Public Key Private Key

Alice Bob
Hello! fj#23+r Hello!

Encrypt Decrypt
Uses two keys

• Public key – to encrypt the data (distributed freely)
• Private key – to decrypt the data (kept hidden)
Generated together
Private key never shared!
Private key also used to generate digital signatures.
What’s a Digital Certificate?
Issued To: John Doe X.509 Certificate
Version
Issued By: Cisco Systems Serial Number
Signature Algorithm
Serial Number: 63542
Signature Hash
Algorithm
Certificate Validity: May 4th, 2020 Issuer
Lorem ipsum dolor sit
amet, consectetur
adipiscing elit. Valid From
John Doe
5/4/20 CCIE# 63542 Valid To
Subject Name
Public Key
Public Key Infrastructure
• Provides a uniform way for different organizations to identify people or other

entities through X.509 identity certificates containing public keys.
• These certificates and keys can be used through secured connections

(TLS/SSL) to positively establish the identity of the entities on the
connection.
Private Key
Public Key
Certificate
Authority
Certificate Authority and PKI
Private Key
Public Key
Certificate
Alice Authority
Bob
abcde 01011 abcde

fghijk 11001 fghijk
lmnop 10100 lmnop
qrstuv 00010 qrstuv
Private Key
Public Key
Public Key
Digital Certificates
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 6 (0x6)
Signature Algorithm: sha1WithRSAEncryption
Certificate properties Issuer: CN=root, OU=ca, O=cisco
Validity
Not Before: Mar 25 10:46:17 2013 GMT
Not After : Mar 25 10:46:17 2014 GMT
Subject: CN=router, OU=TAC, O=Cisco, C=BE
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:c2:e5:4d:45:50:8b:18:86:45:ca:b6:b2:f0:f1:
Issuer identity
[...]
& signature 36:c2:16:ca:a2:df:ac:8e:3d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Signature Algorithm: sha1WithRSAEncryption
Subject identity, key 03:65:af:30:c5:8d:e4:45:b1:00:1b:4f:e0:22:8b:ef:3b:d3:
& attributes [...]
c3:5d:37:ac
Types of Certificates
Root CA Intermediate CA Identity

Certificates Certificates Certificates
Self-Signed certificates used Certificates signed by a Root Certificates issued to a specific
by Certificate Authorities to sign CA and in turn can sign other entity (a device) and signed or
other certificates. identity certificates. issued by a root CA and
sometimes also by intermediate
CAs.
Certificate Trust Chain
Root CA Public Certificates

Must be stored in Clients’
Trust Store(s)
Root Intermediate Identity

Certificate Certificates Certificate
Signs Signs
Trust Chain Identity

Generating Certificate Signing Request (CSR)
Certificate
Authority
CA-signed Certificate Trust Chain
Trust
Chain
Certificate
Authority
Why to use CA-Signed certificates?
Pros:
• Simplified certificate management Certificate
• Identity of the certificate holder is Authority
verified by a trusted third party
Cons:
• Initially more administrative effort
Multi-Server Certificate Support
Unified CM Cluster
One CA-signed Multi-Server certificate for

the entire Unified CM cluster
• To simplify certificate management in clustered environments

• One single CA-signed certificate and private key pushed automatically across all nodes in a cluster
• Each cluster node’s FQDN included as Subject Alternative Name (SAN) in a single certificate,
custom SANs can also be included
Recommendation:
Use Multi-Server certificates wherever available:
Tomcat/Tomcat-ECDSA for Unified CM/IM&P and CUC, CallManager, CUP-XMPP, CUP-XMPP-
S2S
Transport Layer
Security and
Ciphers
TLS Session Establishment
Client Server
ClientHello
(version, cipher list)
ServerHello
Certificate
ServerKeyExchange (DH)
ServerHelloDone
ClientKeyExchange
ChangeCipherSpec
Finished
ChangeCipherSpec
Finished
TLS Established
TLS Session Establishment - Mutual TLS
Client Server
ClientHello
(version, cipher list)
ServerHello
Certificate
ServerKeyExchange
Certificate (MTLS) CertificateRequest (MTLS)
ClientKeyExchange ServerHelloDone
CertificateVerify (MTLS)
[ChangeCipherSpec] Private Key
Finished
[ChangeCipherSpec]
Finished
Private Key TLS Established
TLS v1.2
• More secure version
• Supports stronger ciphers
• May be required for security or compliance reasons
• Requirements:
Ability to disable TLS 1.1, 1.0, SSL 3.0
and lower protocols
TLS 1.2 support
TLS v1.2 Support
Product Support
Supports Disable Disable Notes
TLS 1.2 TLS 1.0 TLS 1.1
CUCM/IM&P, UCxn, CER, PLM*, PCD, TMS, secure    System Release 12 and earlier (e.g.
CUBE (G2/G3)

backport to 11.5)
Other infrastructure (CMS, Conductor, TP Server,    System Release 12
Expressway, Contact Center, PCP, secure SIP PSTN
GW/CUBE/MTP/CFB G2/G3, secure SRST G3, secure
analog VG)
CE Endpoints (DX70/80, MX 200/300 G2, MX 700/800,    9.1.3
SX, IX 5000
78xx/88xx    12.1(1)
Newer TC endpoints (could run CE)    Can SW upgrade to CE
(MX 200/300 G2, MX 700/800, SX)
Legacy TC endpoints    End of Sale
(C-series, EX, MX 200/300 G1, Profile)
Legacy Immersive    End of Sale
(TX 9000 series, CTS)
Older IP phones (e.g., 79xx series, 69xx, 99xx, 89xx,    No support or partial support
DX on Android, IP Communicator)
TLS 1.2 Compatibility Matrix
TLS 1.2 Support Disabling TLS 1.0/1/1
(Interop) (PCI Compliance)
https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/uc_system/unified/communications/system/Compatibility/TLS/TLS1-2-Compatibility-Matrix.html
Deconstructing the Cipher Suite
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Key Exchange
• { }: RSA Message Authentication Code
• ECDHE/DHE: (Elliptic Curve) • SHA1
10.5(2)
Diffie-Hellman Ephemeral • SHA2 with key size 10.5(2)
Signature Algorithm Bulk Encryption

• RSA • AES: Advanced Encryption
SIP HTTPS Phones
Standard
• ECDSA 11.0 11.5 12.5
• AES GCM: AES Galois Counter
Mode 10.5(2)
3DES: Removed in 11.5(1)SU4 and 12.0(1)SU2

Cipher Management Control in Unified CM and
phones
Interface Prior to 12.5 12.5+
HTTPS ECDSA disable/enable Can configure a list of allowed

ciphers
SIP Strongest, Medium, All - Can configure a list of allowed
ECDSA or RSA preferred ciphers
Other TLS Interfaces None Can configure a list of allowed
ciphers
SSH None Can configure a list of allowed
ciphers, MAC, KEX
7800/8800 None Can selectively disable ciphers
Cipher Management Control
ALL TLS
HTTPS TLS
SIP TLS
Cipher Management Control
SSH Ciphers
SSH Key Exchange
SSH MAC
CUCM Certificates
and Trust Stores
CUCM Certificate Trust Stores
Identity Certificate Trusted Certificates
Type Type-trust
CUCM Certificate Types
CallManager
Tomcat CAPF
Identity Certificates for

different Services and
Functions
IPSec TVS
ITLRECOVERY
CUCM Certificate Truststores
CallManager-Trust
Tomcat-Trust CAPF-Trust
Truststores for
Services and Functions
IPSec-Trust TVS-Trust
Phone-VPN-Trust
CUCM Certificate Truststores
Identity Trust
CallManager CallManager-Trust
CallManager-ECDSA Tomcat-Trust
Tomcat CAPF-Trust
CAPF TVS-Trust
TVS IPSec-Trust
IPSec Phone-Trust
authz (12.0+) Phone-VPN-Trust
ITLRecovery Phone-CTL-Trust
Phone-CTL-ASA-Trust (12.0+)
Phone-SAST-Trust
Userlicensing-Trust
Phone Certificates
and Trust Lists
Phone Certificate Types
Manufacture-Installed Certificate (MIC)
• Signed by Cisco Manufacturing CA

• Automatically installed in supported phone models
• Used to authenticate with CAPF for LSC installation or
downloading an encrypted configuration file
• Cannot be overwritten or deleted or revoked
Locally Significant Certificate (LSC)
• Used for authentication and encryption

• Signed by CAPF certificate
• Takes precedence over MIC
Phone Certificate Trust Chains
Manufacture-Installed Certificate (MIC)
Locally Significant Certificate (LSC)
LSC signing options
LSC
Locally Significant Certificate
Signed by CAPF Signed by external CA
Offline Online (CUCM 12.5+)
 Manual Process  Easy Enrollment

 Microsoft CA only
Online CAPF - concept
• IP Phone generates CSR and sends it to CAPF service that is running on CUCM PUB
• CAPF later on ‘talks’ to new service called Cisco Certificate Enrolment Service and this service
is responsible for sending CSR to CA in order to get is signed
• Signed LSC is being sent back to CUCM and finally CAPF is pushing that LSC to IP Phone
How Do Endpoints Trust Servers?
CTL / ITL
• CTL (Certificate Trust List) and ITL (Initial Trust List) are
signed files that contains a list of certificates that the
endpoint can trust
• When an endpoint boots/resets, it requests:

1. CTL file Signature
2. ITL file (no support on Jabber)
• Endpoints verify the signature of the CTL/ITL
CUCM Non-Secure Mode
Security by Default
Feature Non Secure Cluster
Auto-registration
CAPF + LSC
IP VPN Phone
Encrypted SIP Trunk
Secure Endpoints (TLS & SRTP)
New in 12.5 with

Secure Jabber (TLS & SRTP) SIP OAuth
Security by Default
ITLFile.tlv
Trust Verification Service
CUCM non-secure
Endpoint supporting ITL
CTLFile.tlv
CTL not
found 1
Trust ITL if
none on the ITLFile.tlv TFTP Server
phone.
Otherwise
2
validate ITL
signature
Validate
with ITL Signed
config
3 (.xml.sgn)
(optional)
Encrypted
ITLFile.tlv Validate config
with 4 Signed
Signed existing
Firmware
config firmware
(.sbn)
Signed
Firmware
Contents of the ITL and Trust Anchor
Certificate ITLFile.tlv
CallManager from TFTP only, all nodes 12.0+
CallManager EC from TFTP only, all nodes 12.0+
TVS all nodes
CAPF pub only, if activated
ITLRECOVERY CUCM 10.0+
CallManager Certificate (TFTP) Before 12.0

Signing Certificate
ITLRECOVERY As of 12.0
Loss of Trust
Before CUCM version 12.0 Signed by
CallManager TFTP
cert
ITLFile
Check ITL
signature
1
Unable to
verify config
Signed
file config
signature
3
TVS
2
ITLFile
Unable to
establish
TLS
connection
with TVS
CUCM Mixed
Mode
Mixed mode
Feature Non Secure Cluster Mixed mode Cluster
Auto-registration
CAPF + LSC
IP VPN Phone
Encrypted SIP Trunk
Secure Endpoints (TLS & SRTP)
New in 12.5 with

Secure Jabber (TLS & SRTP)
SIP OAuth
CUCM Cluster Security Mode
Non-Secure or Mixed
• NOT On/Off
Mixed
Mixed Mode Requirements:
• Export Restricted version of UCM
• 11.5(1)SU3+: Encryption License
12.0: Export-controlled Functionality
allowed
Non-Secure
CUCM Mixed Mode and Generating CTL
OR utils ctl set-cluster mixed-mode
Phone Trust List and Verification
CTLFile.tlv
ITLFile.tlv
Trust Verification Service
CUCM in mixed mode
Trust CTL if CTLFile.tlv
no ITL/CTL
present.
Otherwise
check CTL 1
signature
ITLFile.tlv TFTP Server

Validate 2
with
CTL/ITL
Validate
with
CTL/ITL
Signed
3 config
CTLFile.tlv
ITLFile.tlv
Validate with 4 Signed
Signed CTL/ITL
Firmware
config
Signed
Firmware
Contents of CTL
Certificate CTLFile.tlv
CallManager from all nodes
ITLRECOVERY CUCM 10.5Su2+
Signing Certificate
USB Token Certificates
(USB eTokens)
Pub. CallManager certificate Before 12.0

Signing Certificate
or
(Tokenless method)
Contents of the CTL if using USB eTokens
CallManager from all nodes
ITLRECOVERY CUCM 10.5Su2+
Signing Certificate USB Token Certificates
Contents of the CTL if using Tokenless
CallManager (from all nodes)
CAPF (pub only)
ITLRECOVERY (CUCM 10.5Su2+)
Publisher CallManager certificate Before 12.0
Signing Certificate or
Phone Security Modes
• Authenticated mode – provides integrity and authentication for TLS connection. Be aware
that, neither the signaling nor the media is encrypted.
• Encrypted mode – on the endpoint provides integrity, authentication, and encryption of
signaling. Media is also encrypted using SRTP if other communicating party support it as well.
High Level View of a Secure Phone Registration
Phone with security profile set to Encrypted mode
Client Hello
CallManager-Trust store
Do I trust this CallManager cert

Yes
device?
Trust
Yes
it?
MIC or LSC
ITLFile.tlv
CTLFile.tlv
TLS
What’s Secure RTP?
• As per RFC 3711: SRTP is a profile of the Real-time Transport Protocol (RTP), which can
provide confidentiality, message authentication, and replay protection to the RTP traffic“
• It uses AES (Advanced Encryption Standard) as the default cipher for stream encryption
• HMAC (Hash-based Message Authentication Code) is used to authenticate the message and
protect its integrity
a=crypto:<tag> <crypto-suite> <key-params> [<session-params>]
SDP for RTP SDP for SRTP

m=audio 8256 RTP/AVP 0 m=audio 8264 RTP/SAVP 0
c=IN IP4 14.50.248.31 c=IN IP4 14.50.248.31
a=rtpmap:0 PCMU/8000 a=rtpmap:0 PCMU/8000
a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:
Detailed information
L5+zq2AXJxLk+058lu/XRQWJZiK0c0D0
End-to-End Phone Encryption
Phones with security profile set to Encrypted mode
INVITE sip:2000@10.1.1.1;user=phone SIP/2.0 SIP/2.0 200 OK

<output omitted> <output omitted>
m=audio 8264 RTP/SAVP 0 m=audio 3820 RTP/SAVP 0

c=IN IP4 10.1.1.2 c=IN IP4 10.1.1.3
a=rtpmap:0 PCMU/8000 a=rtpmap:0 PCMU/8000
a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline: a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:
L5+zq2AXJxLk+058lu/XRQWJZiK0c0D0 YUJDZGVmZ2hpSktMbW9QUXJzVHVWd3l6MTIzND
U2|1066:4
ITLFile ITLFile
SRTP
CTLFile CTLFile
Secure to Non-Secure Interworking
ITLFile ITLFile
RTP
CTLFile CTLFile
Phone Security Status Icons
Phones That Display Both Phones That Display

Media and Device Types In the Call
Shield and Lock Icons Only the Lock Icon
Non Secure None None

Authenticated None
Secure
Monitoring Certificate Expiration
Handled by
the Cisco Certificate Expiry Monitor
service
New in 11.5.1
CUBE Certificates
and Trustpoints
Trustpoint and Generating CSR
• Define The trustpoint
crypto pki trustpoint <trustpoint_name>
• Generate CSR
crypto pki enroll <trustpoint_name>
<trustpoint_name>
CUBE Certificate
Authority
Importing Trustchain and Identity Certificate
• Import CA root certificate
crypto pki authenticate <trustpoint_name>
• Import Identity certificate

crypto pki import <trustpoint_name> certificate
<trustpoint_names>
CUBE Certificate
Authority
Associating Trustpoint to SIP Trunk
• Associate the trust point to SIP trunk
sip-ua
crypto signaling remote-addr 10.1.1.100 255.255.255.255 trustpoint <trustpoint_name>
crypto signaling remote-addr 10.1.2.0 255.255.255.0 trustpoint <trustpoint_name>
crypto signaling default trustpoint default trustpoint <trustpoint_name>
<trustpoint_name>
SIP Trunk
CUBE
High Level View of a Secure Connection
CUCM Client Hello CUBE

CallManager-trust
Do I trust this
Yes
device?
Trust
Yes
it?
Trustpoint (s)
TLS
Securing Cisco
Jabber
Authentication options for Jabber clients
3 2
SAML SSO: SAML LDAP
Directory LDAP Authentication:
• CUCM/IM&P, Unity Connection IdP
IdP
• CUCM/IM&P and Unity
and Expressway set up SAML
Connection use LDAP bind to
agreements with IdP
CUCM + IM&P authenticate end-users against
• All end-user authentication is
external directory
delegated to the IdP
• Equivalent to local authN for
• Jabber relies on platform
Expressway/MRA
browser to interact with IdP
1
Unity Local Authentication :
Connection • Built-in user databases in CUCM/
IM&P and Unity Connection
• Expressway forwards authN
Jabber requests to CUCM/Unity for MRA
clients Expressway E/C
Jabber clients
OAuth - Implicit Grant flow – Old Flow
IDP authentication using

SAML
SAML SSO is the only IdP
IdP
Oauth Token (Access token):
authentication option available • used by Jabber to gain
with Implicit Grant flow. CUCM/IM&P
access to CUCM resources
• Issued by AuthZ service
Unity Cxn which is active only if SAML
SSO is enabled
• validity time of 60 min by
default
OAuth
OAuth
Expressway E/C
• Introduced in CUCM 10.0.1

OAuth - Authorization code grant – New Flow
(optional)
Authorization code grant benefits: Refresh tokens
SAML LDAP
• Authentication options expanded IdP IdP Directory • allow new access tokens
(IdP/SSO, LDAP or local auth.) to be obtained without
CUCM/IM&P repeated authentication
• Access and Refresh tokens for the validity period of
• Access policy support (token scopes) Unity Cxn the refresh token
OAuth
OAuth
Expressway E/C
• Introduced in CUCM 11.5(1)SU3

OAuth - Authorization code grant with CUCM
12.x
HTTP (CUCM) SIP XMPP HTTP (Unity Cxn)

Jabber on-premises
OAuth token OAuth token (12.5) OAuth token OAuth token
(Local/Ldap AuthN)
Jabber via MRA

OAuth token OAuth token OAuth token OAuth token
(Local/Ldap AuthN)
Jabber on-premises
(SAML SSO) OAuth token OAuth token (12.5) OAuth token OAuth token
Jabber via MRA

OAuth token OAuth token OAuth token OAuth token
(SAML SSO)
Securing Jabber softphone on premises
Device Security Modes
• Non-Secure
No media & signaling encryption
• Encrypted (LSC)
Encrypted
Encrypted Non-secure
LSC installation & mixed mode required (OAuth)
CM CM CM
Inconvenient – multiple device installation,

credential roaming
• Encrypted (SIP OAuth) - New in 12.5!

TLS mTLS TCP
SIP signaling authenticated and encrypted (+ OAuth in SIP) (+ LSC)
(TLS + OAuth token)
No need for CUCM mixed mode and CAPF enrollment
Expressway and
Mobile and
Remote Access
(MRA)
MRA Media and Signaling Encryption
• On the Internet and in the traversal zone: Media and Signaling are
always encrypted
• In the internal network, Media and Signaling encryption depends on
the Unified CM configuration for the MRA endpoint
Media and Signaling

can be encrypted Media and Signaling always encrypted
SIP TLS* SIP TLS SIP TLS
SIP TCP
SRTP
Expressway-C DMZ Expressway-E External

Firewall Firewall
MRA Authentication
MRA Endpoint Authenticating Expressway-E
• MRA endpoints verify the Expressway-E Server Certificate
• ITL/CTL not used
• Jabber Clients rely on the underlying platform trusted CA list
• Hardware endpoints rely on a trusted CA list included in firmware
=> Expressway-E certificate needs to be CA-signed
HTTPS HTTPS HTTPS
SIP TCP
CTLFile
SRTP
ITLFile
Firewall CTLFile
Firewall ITLFile
MRA Authentication
Authenticating the MRA Endpoint (without activation code onboarding)
• Expressway-E does not verify the MRA endpoint certificate (MIC/LSC).
Instead:
• Username/password for initial HTTPS connection
• For SIP: Digest Authentication (local/LDAP authentication) or OAuth (SSO and/or
OAuth)
Username/pwd
HTTPS HTTPS HTTPS
SIP TCP
SRTP
MIC/LSC
Firewall Firewall
MIC/LSC
Activation code Device onboarding over MRA - 12.5(1) SU1
1. Admin configures Cloud/Hybrid communication.
0 CUCM onboards with cloud/GDS, creates MRA
mra.foo.com target which includes Expressway address
2. Admin creates full device configuration without

GDS 1 specifying MAC address (BAT, AXL, GUI)
0 3.
2 Admin requests activation code for this device.
Admin Device Activation Service gets code from GDS.
4 7 Activation code sent to a user/admin

2 4.
3
Internet CUCM 5. User enters activation code. GDS uses ATLS to
4 trust the phone. Phone gets MRA target from GDS
5 6. Phone learns location of Expressway and
6 5 authenticates to MRA/CUCM using MIC + activation
code in an SRP handshake
mra.foo.com
1 7. Device activation service updates device
6 configuration in the database with phone MAC and
User sends success to the phone.
3 The phone can now register and get its phone
MAC ?
6 specific configuration file from TFTP like normal
MAC1234 MRA, and register with CCM.
Activation Code
8. Device Activation Service releases code from GDS
7
2 #CLUS BRKCOL-2014 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 95
Activation code Device onboarding also for on-premises
12.5(1)
1.
0 Admin allows activation codes
2.
1 Admin creates full device config without specifying
MAC address (BAT, AXL, GUI)
Admin 3.
2 Admin requests activation code for this device
DHCP
4 0 4.
3 Activation code is sent to the user by the admin, or
Intranet 2 the enduser gets it via the Self Care Portal.
5 CUCM 5.
4 Phone gets CUCM target from DHCP/Static config,
6
downloads the XMLDefault file, detects that
1 activation code onboarding is in use, and the user
enters the activation code.
User
3 6.
5 Phone authenticates to CUCM using MIC +
activation code in an SRP handshake.
MAC ? 6
MAC1234 7.
6 Device activation service updates device config in
Activation Code the database with phone MAC and sends success
2 to the phone.
The phone can now register and get its phone

specific configuration file from TFTP like normal, and
register with CCM.
MRA and ICE
Without ICE
SIP TLS
SRTP
SRTP
SIP TLS
Firewall Firewall
With ICE
• Media Path Optimization
• Single SRTP encryption key
SIP TLS
TURN SRTP
SIP TLS
TURN: Traversal Using Relay NAT Expressway-C DMZ Expressway-E External
ICE: Interactive Connectivity Establishment Firewall with TURN server Firewall
STUN: Session Traversal Utilities for NAT
Jabber must be configured with SIP OAuth
For Your
ICE Minimum Release Requirements Reference
• Expressway X12.5
• Unified CM 12.5(1) (Unified CM 11.5 if Jabber is not deployed)
• CE release 9.6
7800/8800 release 12.5(1)SR1
Unified CM mixed-mode required
• Jabber 12.5
SIP OAuth required
Conclusion
Secure Your Deployment
• Deploy Multi-Layered Security
• Simplify certificate management
• Embrace security by default (especially with Unified CM 12.0+)
• Enable CUCM mixed-mode and configure endpoints in encrypted
mode
• Enable OAuth (with refresh token) / SIP OAuth / Encryption for
Jabber (12.5+) (enabling encryption difficult if no SIP OAuth)
• Enable encryption on the links (IP Phone Services, SIP Trunk, LDAP)
Security is a Journey, Not a Destination
• Stay up-to-date on the latest security news and upgrade / install
security updates when applicable
• Monitor PSIRT (Product Security Incident Response Team)
publications
• Security advisories, responses, and notices
• www.cisco.com/go/psirt
• Subscribe to Cisco
notification service
Additional UC Security Sessions
• BRKCOL-3224: Implementing and Troubleshooting Secure Voice on Network Edge
Devices
• Tuesday, June 11th at 4pm
• BRKCOL-3501: Implementing and Troubleshooting Secure IP Phones and Endpoints

• Wednesday, June 12th at 8:00am
• BRKUCC-2801: Enabling External Collaboration with Expressway (Monday 1 pm)

• BRKCOL-2000: Media path optimization with ICE for MRA devices (Monday 8 am)
Complete your
online session • Please complete your session survey
evaluation after each session. Your feedback
is very important.
• Complete a minimum of 4 session
surveys and the Overall Conference
survey (starting on Thursday) to
receive your Cisco Live water bottle.
• All surveys can be taken in the Cisco Live
Mobile App or by logging in to the Session
Catalog on ciscolive.cisco.com/us.
Cisco Live sessions will be available for viewing
on demand after the event at ciscolive.cisco.com.
Continue your education
Demos in the
Walk-in labs
Cisco campus
Meet the engineer

Related sessions
1:1 meetings
#CLUS Session ID © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 105
Thank you
#CLUS
#CLUS
Appendix
References
• TLS 1.2 Compatibility Matrix

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/uc_system/unified/commun
ications/system/Compatibility/TLS/TLS1-2-Compatibility-Matrix.html
• TLS 1.2 White Paper

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/uc_system/TLS/TLS-1-2-
for-On-Premises-Cisco-Collaboration-Deployments.html
• TLS 1.2 Configuration Overview

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/uc_system/TLS/TLS-1-2-
Configuration-Overview-Guide.html
For Your
Cipher Suites Support Reference
• CUCM 10.5(2): Added SIP support of

• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
And SRTP support of AEAD_AES_256_GCM and AEAD_AES_128_GCM
• CUCM 11.0: Added SIP support on CUCM for
• TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 and
• TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
• CUCM 11.5: Added HTTPS support for ECDSA based cipher suites
• 3DES being removed in CUCM 11.5(1)SU4+ and CUCM 12.0(1)SU2+ (for
TLS and SSH)
Identity Certificates used by Communications
Manager For your reference
• Used for TLS connections to CallManager service (TCP port 5061

CallManager for SIP or 2443 for SCCP)
CallManager-EC • Signs TFTP files: configuration files, localization files, etc
• Use for TLS connections to CAPF service (TCP port 3804)

CAPF • Signer of the phones Locally Significant Certificates (LSC)
Tomcat • Used for HTTPS connections to Web services (TCP port 8443)
• Used to sign SSO SAML Requests (if required by IdP)
Tomcat-EC
TVS • For TLS connections to the TVS service (TCP port 2445)
Identity Certificates used by Communications
Manager For your reference
IPSec • Used for IPSec connections and inter-cluster

communication by DRS during backup operations
• Included in ITL file beginning with 10.0, CTL in 11.0

ITLRecovery
• Used by TFTP to sign TL files in certain scenarios
Certificate Trust Stores used with Client
Connections For your reference
• Used to Validate Certificates when CallManager is the Client side

CallManager-trust • IE: Outbound SIP TLS Connections
• Used for CAPF Service to Validate Client side Certificate (mutual-

CAPF-trust authentication) when Authenticating Phones using MIC while
installing their Locally Significant Certificates (LSC)
• Used to Validate Certificates for all Web Applications’ Client requests

Tomcat-trust as well as LDAPS (DirSync + Ldap Authentication)
• IE: EMCC, CTI Manager LDAPS Authentication
• Used for Intermediate and Root certificates that are issuers to CA-
TVS-trust signed TVS certificates
Certificate Trust Stores used with Client
Connections For your reference
Userlicensing-trust • Used by ELM and PLM
• Allows TVS to authenticate certificates used by IP Phone

Phone-trust
Services
Phone-vpn-trust • Holds server certificates for the Phone VPN feature
• Allows TVS to authenticate certificates used by TFTP to

Phone-sast-trust
sign files
• Used to include a certificate in a CTL file.

Phone-ctl-trust
• Only works for tokenless-CTL after version 11.5
Architecture Evolution
Jabber SIP and Media Security – CSR 12.5
Internet DMZ Enterprise
CUCM
SIP/TLS
SIP/TLS SIP/TLS
Jabber Jabber
clients TURN clients
SIP/TLS SIP/TLS
CUCM SIP/TLS
Expressway E Expressway C
Jabber over MRA: Jabber on-premises:

• SIP signaling is authenticated (TLS + • SIP signaling is authenticated (TLS +
OAuth token) and encrypted OAuth token) and encrypted
• Expwy-C uses mTLS with CUCM • Media is encrypted (no need for CAPF
• Media is encrypted end-to-end enrollment or mixed-mode)
• ICE media path optimization is possible

Brkcol 2014

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Brkcol 2014

Uploaded by

Copyright:

Available Formats

#CLUS

Rado Drabik– Technical Consulting Engineer

• Do not just rely on the default

Webex Teams will be moderated cs.co/ciscolivebot#BRKCOL-2014

Secure Physical Access

• Secure physical access to the

Secure Physical Access

Secure Physical Access

Secure Endpoints • Manufacturer Installed Certificate (MIC)

• Issue LSC (Locally Significant Certificates) from

Reference: Cisco IP Phone 7800 and 8800 Series Security Overview

• Signed upgrade software

• Secure management protocols

Secure Servers • TLS version control, granular cipher control

Signed & Encrypted Phone Configs

Signed Phone Firmware

Secure Phone Services (HTTPS)

Encrypted SIP Trunk

Secure Phones (TLS & SRTP)

New in 12.5 with

STP, BPDU Guard, SmartPorts DHCP Snooping Scavenger Class QoS

Phone Security Settings IP Source Guard, Port Security

Shared key Shared key

Hello! fj#23+r Hello!

Public Key Private Key

Hello! fj#23+r Hello!

Uses two keys

Issued To: John Doe X.509 Certificate

• Provides a uniform way for different organizations to identify people or other

• These certificates and keys can be used through secured connections

abcde 01011 abcde

Root CA Intermediate CA Identity

Root CA Public Certificates

Root Intermediate Identity

Trust Chain Identity

One CA-signed Multi-Server certificate for

• To simplify certificate management in clustered environments

TLS 1.2 support

Signature Algorithm Bulk Encryption

3DES: Removed in 11.5(1)SU4 and 12.0(1)SU2

HTTPS ECDSA disable/enable Can configure a list of allowed

SSH Key Exchange

Identity Certificate Trusted Certificates

Identity Certificates for

authz (12.0+) Phone-VPN-Trust

Manufacture-Installed Certificate (MIC)

• Signed by Cisco Manufacturing CA

Locally Significant Certificate (LSC)

• Used for authentication and encryption

Locally Significant Certificate (LSC)

Signed by CAPF Signed by external CA

Offline Online (CUCM 12.5+)

 Manual Process  Easy Enrollment

• When an endpoint boots/resets, it requests:

• Endpoints verify the signature of the CTL/ITL

Signed Phone Firmware

Signed & Encrypted Phone Configs

Secure Phone Services (HTTPS)

Encrypted SIP Trunk

Secure Endpoints (TLS & SRTP)

New in 12.5 with

Trust Verification Service

CallManager EC from TFTP only, all nodes 12.0+