Securing an IP Telephony Installation
by Jason Wydra
In today's IP telephony environments, it is crucial to have a sound security solution in place for your network. The Cisco SAFE Blueprint outlines common practices for securing an IP telephony environment. The following sections explain the different options for securing an IP telephony network, including the IP phones and the CallManager server.
Cisco allows for end-to-end encryption between IP phones. This is accomplished using the Secure Real-Time Protocol (SRTP). SRTP supports the Advanced Encryption Standard (AES) and is an Internet Engineering Task Force (IETF) standard (RFC 3711). Media encryption using SRTP is more bandwidth-efficient than IPSec.
The first step in securing a CallManager server is to keep it in a restricted area where unauthorized personnel cannot gain physical access. Make sure that the Administrator password used to log into Microsoft Windows and into CallManager itself is not something that can be easily guessed or cracked with a hacker's tool. Your password should be at least 6 characters long and should use special characters, numbers, and both upper- and lower-case letters.
Implementing authentication and encryption in the CallManager system prevents identity theft of the phones and CallManager. It also thwarts data tampering and call signaling or media-stream tampering. To prevent these threats, the network should be configured to maintain authenticated communication streams, digitally sign files before transfer to the phone, and encrypt media streams and call signaling between Cisco IP Phones.
Cisco SAFE network design provides a blueprint for considering the functional requirements of today's enterprise networks. In order of priority, the following should be considered.
Security and attack mitigation based on policy
Security implementation throughout the infrastructure
Secure management and reporting
Authentication and Authorization of users and administrators to critical network resources
Intrusion detection for critical resources and subnets
Support for emerging networked applications
The principal goal of SAFE is to provide best practice information on designing and implementing secure networks. The idea is to focus on expected threats and their common methods of intrusion. The end goal is to have a layered approach where, if one layer of security is breached, the entire network is not compromised.
CallManager and SSL refers to using Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS). This provides secure communication between the IIS (Internet Information Server) and the web browser. IIS hosts most of the web pages that you access for configuration purposes, so this adds an extra layer of security by encrypting any information sent between the web browser and the IIS server. A digital certificate and a public key are used to encrypt the data and passwords sent over the Web. The following applications are supported by HTTPS: Cisco CallManager Administration, Cisco CallManager Serviceability, the Cisco IP Phone User Option Pages, the Bulk Administration Tool (BAT), TAPS, Cisco CDR Analysis and Reporting (CAR), the Trace Collection Tool, and the Real-Time Monitoring Tool.
CallManager and IPSec refers to the use of VPNs between the main CallManager sites and remote branch gateways. Cisco recommends that you provision IPSec in the network infrastructure rather than on the Cisco CallManager server itself. Before you configure IPSec, consider existing IPSec or VPN connections, the platform CPU impact, bandwidth implications, jitter or latency, and other performance metrics.
A Certificate Trust List (CTL) file is created when you install and configure the Cisco Certificate Trust List (CTL) client on a Windows 2000 server. It can even be installed on a CallManager server. Device, file, and signaling authentication rely on the CTL. The CTL file contains entries for the following servers or security tokens:
Site Administrator Security Token (SAST)
Cisco CallManager and Cisco TFTP running on the same server
Certificate Authority Proxy Function (CAPF)
Alternate Cisco TFTP
The CTL file contains a server certificate, public key, serial number, signature, issuer name, subject name, server function, DNS name, and IP address for servers. After the CTL file is created and the phone boots, it downloads the CTL file from the TFTP server. If the CTL file contains a TFTP server entry that has a self-signed certificate, the phone requests a signed configuration file in .sgn format. If none of the TFTP servers contains a certificate, the phone requests an unsigned file.
After you install and configure the Cisco CTL client, you must configure the device for authentication or encryption. The phone then establishes a TLS (Transport Layer Security) connection through a TLS SCCP port, which is a configured number added to 443. By default, the phone connects to port 2443 by using TLS. The handshake authenticates the certificates and establishes a secure connection.
Note: The CAPF (Certificate Authority Proxy Function) service must be activated before installing the CTL client.
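The phone-side decisions described above (which configuration file to request after reading the CTL, and which TLS SCCP port to connect to) can be written out as a small piece of logic. This is an added example, not Cisco code: the CtlEntry structure mirrors the items the text lists, but the function labels, the field layout and the sample entries are constructed for illustration and are not the real CTL file format.

```python
"""Added example (not Cisco code): the phone-side decisions the text describes,
driven by a simplified, constructed representation of the CTL.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class CtlEntry:
    function: str        # assumed labels: "SAST", "CCM+TFTP", "CAPF", "ALT_TFTP"
    subject_name: str
    issuer_name: str
    ip_address: str
    has_certificate: bool = True   # False models a TFTP entry carrying no server certificate

    @property
    def self_signed(self) -> bool:
        # Standard X.509 rule: the issuer equals the subject on a self-signed certificate
        return self.has_certificate and self.issuer_name == self.subject_name


TFTP_FUNCTIONS = {"CCM+TFTP", "ALT_TFTP"}   # assumed labels for the two TFTP entry types


def tftp_entries(ctl: List[CtlEntry]) -> List[CtlEntry]:
    return [e for e in ctl if e.function in TFTP_FUNCTIONS]


def config_file_to_request(ctl: List[CtlEntry], mac: str) -> str:
    """Which configuration file the phone asks the TFTP server for.

    Rule from the text: a TFTP entry with a self-signed certificate -> the signed
    (.sgn) file; no TFTP entry with a certificate at all -> the unsigned file.
    A CA-signed TFTP certificate is not covered by the text; it is treated here
    like the self-signed case (assumption). Names follow the usual
    SEP<MAC>.cnf.xml convention.
    """
    tftp = tftp_entries(ctl)
    if any(e.self_signed for e in tftp):
        return f"SEP{mac}.cnf.xml.sgn"
    if not any(e.has_certificate for e in tftp):
        return f"SEP{mac}.cnf.xml"
    return f"SEP{mac}.cnf.xml.sgn"   # certificate present but not self-signed (assumption)


def tls_sccp_port(configured_offset: int = 2000) -> int:
    """TLS SCCP port = the configured number added to 443; the default gives 2443."""
    return 443 + configured_offset


# Constructed sample CTLs (not real CTL content)
CTL_SELF_SIGNED_TFTP = [
    CtlEntry("SAST", "SAST-token-1", "SAST-token-1", "10.0.0.5"),
    CtlEntry("CCM+TFTP", "ccm1.example.local", "ccm1.example.local", "10.0.0.10"),
    CtlEntry("CAPF", "capf.example.local", "capf.example.local", "10.0.0.10"),
]
CTL_NO_TFTP_CERT = [
    CtlEntry("SAST", "SAST-token-1", "SAST-token-1", "10.0.0.5"),
    CtlEntry("CCM+TFTP", "ccm1.example.local", "", "10.0.0.10", has_certificate=False),
    CtlEntry("ALT_TFTP", "tftp2.example.local", "", "10.0.0.11", has_certificate=False),
]

if __name__ == "__main__":
    for name, ctl in (("self-signed TFTP cert", CTL_SELF_SIGNED_TFTP),
                      ("no TFTP cert", CTL_NO_TFTP_CERT)):
        print(f"{name}: phone requests {config_file_to_request(ctl, '001122334455')}")
    print("TLS SCCP port:", tls_sccp_port())
```

The point to take from the unsigned branch is that a CTL whose TFTP entries carry no certificate leaves the phone requesting an unsigned configuration file, so the integrity protection the text describes depends on those entries being present.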
Multilevel administration provides multiple levels of security to Cisco CallManager Administration. This application allows you to grant only required privileges to a select group of users. It can also limit the configuration parameters that particular users have access to. Before MLA, there was only one login for CallManager Administration and that login had access to all configuration parameters.
CallManager Administration functions can be separated into groups. Each group can be given different access levels, such as no access, read-only access, and full access. MLA also provides audit logs of user logins. This allows you to see who is making modifications to CallManager databases.
CCMadministrator is the default username for MLA, and it is stored in LDAP together with the other accounts defined by the Administrator. Before MLA, the Administrator account was the local Windows NT account, and it was the only account used to log in to CallManager Administration.
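The access model described in the three paragraphs above (functional groups, the three access levels, deny by default, and an audit trail of logins and changes) is small enough to model directly. The following is an added example and not Cisco's MLA implementation; the user group names, functional group names and the helpdesk1 user are constructed sample data, and only CCMadministrator comes from the text.

```python
"""Added example (not Cisco's MLA code): a minimal model of the access-level
scheme the text describes, with an audit trail of logins and access decisions.
"""
from datetime import datetime, timezone
from enum import IntEnum
from typing import Dict, List, Set, Tuple


class Access(IntEnum):
    """The three levels the text names, ordered so max() picks the strongest."""
    NONE = 0
    READ_ONLY = 1
    FULL = 2


class MlaPolicy:
    def __init__(self) -> None:
        self.user_groups: Dict[str, Set[str]] = {}          # user -> user groups
        self.group_access: Dict[Tuple[str, str], Access] = {}  # (user group, functional group) -> level
        self.audit_log: List[dict] = []

    def _audit(self, event: str, user: str, **detail) -> None:
        self.audit_log.append({"time": datetime.now(timezone.utc).isoformat(),
                               "event": event, "user": user, **detail})

    def add_user(self, user: str, groups: Set[str]) -> None:
        self.user_groups[user] = set(groups)

    def grant(self, group: str, function_group: str, level: Access) -> None:
        # One access level per (user group, functional group) pair
        self.group_access[(group, function_group)] = level

    def login(self, user: str) -> bool:
        known = user in self.user_groups
        self._audit("login", user, success=known)
        return known

    def effective_access(self, user: str, function_group: str) -> Access:
        """Strongest level any of the user's groups holds on this functional group;
        a user with no matching grant gets NONE (deny by default)."""
        levels = [self.group_access.get((g, function_group), Access.NONE)
                  for g in self.user_groups.get(user, set())]
        return max(levels, default=Access.NONE)

    def authorize(self, user: str, function_group: str, action: str) -> bool:
        """'read' needs READ_ONLY or better; anything else needs FULL. Every decision is logged."""
        needed = Access.READ_ONLY if action == "read" else Access.FULL
        allowed = self.effective_access(user, function_group) >= needed
        self._audit("access", user, function_group=function_group,
                    action=action, allowed=allowed)
        return allowed


def build_sample_policy() -> MlaPolicy:
    """Constructed sample: a help desk that may only view phones, plus the default administrator."""
    p = MlaPolicy()
    p.add_user("CCMadministrator", {"Admins"})   # default MLA account named in the text
    p.add_user("helpdesk1", {"HelpDesk"})        # constructed user
    for fg in ("Phone", "RoutePlan", "Service"):  # constructed functional group names
        p.grant("Admins", fg, Access.FULL)
    p.grant("HelpDesk", "Phone", Access.READ_ONLY)
    return p


if __name__ == "__main__":
    policy = build_sample_policy()
    policy.login("helpdesk1")
    print("helpdesk1 read Phone:", policy.authorize("helpdesk1", "Phone", "read"))
    print("helpdesk1 write RoutePlan:", policy.authorize("helpdesk1", "RoutePlan", "write"))
    for entry in policy.audit_log:
        print(entry)
```

The audit log is appended on every decision, allowed or denied, which is what lets you answer the "who modified the database" question the text raises.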
Toll Fraud is the malicious act of a PSTN user or employee gaining access to an IP phone or other device and setting the device to transfer all incoming calls to a particular number on the PSTN. That number could be a long distance number. This saves the malicious caller money on long distance bills: they place a local call into the CallManager network and have the device they called transfer the call back out to a long distance number on the PSTN. CallManager route patterns have a parameter called Call Classification. Call Classification determines whether a call routed through a route pattern is OffNet or OnNet. The default is OffNet. When adding a route plan, you can set the Call Classification to OnNet. This route pattern can then be used to prevent toll fraud by prohibiting OffNet-to-OffNet call transfers. Since the Call Classification is set to OnNet, this route pattern can only route to devices that do not leave the network for the PSTN (OffNet).
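The transfer decision the paragraph above describes, as an added example rather than Cisco code: a dialed string is matched against route patterns that each carry a Call Classification, and a transfer whose original leg is OffNet is refused when it would also leave OffNet. The route patterns, the simplified pattern syntax and the sample dial strings are constructed for illustration, and the blocking switch is modelled as a plain function parameter, not as any actual CallManager setting.

```python
"""Added example (not Cisco code): an OffNet-to-OffNet transfer check built on
the Call Classification idea the text describes.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ONNET = "OnNet"
OFFNET = "OffNet"


@dataclass
class RoutePattern:
    pattern: str
    call_classification: str = OFFNET   # OffNet is the default the text states


def pattern_matches(pattern: str, dialed: str) -> bool:
    """Simplified matcher (constructed for this example): digits match literally,
    'X' matches exactly one digit, '!' matches one or more digits, and '.' is
    only a visual separator."""
    regex = "".join(
        r"\d" if c == "X" else r"\d+" if c == "!" else "" if c == "." else re.escape(c)
        for c in pattern
    )
    return re.fullmatch(regex, dialed) is not None


def select_route(dialed: str, patterns: List[RoutePattern]) -> Optional[RoutePattern]:
    # First matching pattern wins, so list the most specific patterns first
    return next((rp for rp in patterns if pattern_matches(rp.pattern, dialed)), None)


def transfer_allowed(caller_classification: str, dialed: str,
                     patterns: List[RoutePattern],
                     block_offnet_to_offnet: bool = True) -> Tuple[bool, str]:
    """Decide whether a call that arrived as caller_classification may be
    transferred to the dialed number. Returns (allowed, reason)."""
    route = select_route(dialed, patterns)
    if route is None:
        return False, "no route pattern matches the dialed number"
    if (block_offnet_to_offnet and caller_classification == OFFNET
            and route.call_classification == OFFNET):
        return False, f"OffNet-to-OffNet transfer blocked (pattern {route.pattern})"
    return True, f"routed via {route.pattern} ({route.call_classification})"


# Constructed dial plan: internal extensions stay OnNet, everything via 9 leaves to the PSTN
ROUTE_PATTERNS = [
    RoutePattern("1XXX", ONNET),
    RoutePattern("9.911", OFFNET),
    RoutePattern("9.1!", OFFNET),
]

if __name__ == "__main__":
    # Inbound PSTN call (OffNet) tries to transfer back out to a long distance number
    print(transfer_allowed(OFFNET, "915551234567", ROUTE_PATTERNS))
    # Same inbound call transferred to an internal extension
    print(transfer_allowed(OFFNET, "1001", ROUTE_PATTERNS))
    # Internal caller (OnNet) dialing long distance is unaffected
    print(transfer_allowed(ONNET, "915551234567", ROUTE_PATTERNS))
```

The check only bites when both legs are OffNet; internal users keep their long distance access, and the inbound caller can still be transferred to any OnNet destination.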