The Empowered Branch Webinar: Deploying Secure Unified Communications in Branch Networks


Transcript of The Empowered Branch Webinar Deploying Secure Unified Communications in Branch Networks

Page 1: Title

© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential

The Empowered Branch Webinar: Deploying Secure Unified Communications in Branch Networks

Christina Hattingh, Technical Marketing Engineer
Shashi Kiran, Manager, Network Systems Marketing

Page 2: Agenda

Changing Traffic Patterns and Models

The Secure UC Framework

Securing UC in the Branch or Small Office

Security Capabilities on the Cisco Integrated Services Router

Cisco Unified Communications Voice Gateways

Cisco Survivable Remote Site Telephony (SRST)

Cisco Unified Communications Manager Express (CME)

Summary

Page 3: Dynamics of Converged Networks

1. Changing Traffic Types
IP convergence: voice, video and data all travel as "data" on one IP network.

2. Changing Traffic Patterns
[Figure: adoption over time, with VoIP calls growing while traditional phone calls decline. Callouts: (a) 40–60% savings, (b) peer-to-peer traffic, (c) Voice over Wi-Fi; VoIP growth.]

Is Traditional Data Security Good Enough for Voice?

Page 4: Threat Perceptions

Threat                        Traditional Voice           Converged "Data"
Toll fraud                    Yes                         Yes
Eavesdropping (loss of        Yes (wiretapping)           Yes (complex, $$)
  privacy)
Denial of service             Low threat                  Yes (worms, viruses)
Caller ID spoofing            Yes                         Yes (easier to spoof caller ID)
SPAM                          Yes                         SPIT (SPAM over Internet Telephony)
Multimedia threats            No                          IM, video, voice, presence
Service theft                 Yes                         Yes
Security enforcement          Not end-user controlled     End user / branch IT

Threats are similar; attack types vary.

Page 5: Secure Voice Deployment Challenges

Data-only network + voice network = converged voice network

Disparate security infrastructure (not voice ready)

Inadequate knowledge and training: data personnel handling voice threats; unfamiliar protocols and solutions, perceived complexity

Multiple voice-capable endpoint types

IM + voice + video: media streams and presence information

Page 6: Secure Unified Communications

Secure Telephony + Secure Network = Secure Unified Communications

Page 7: Network as the Platform: Building a Secure UC System

Infrastructure: secure connectivity and transport

Endpoints: authenticated IP phones, soft clients and other devices

Applications: auto-attendant, messaging and customer care

Call Control: secure protocols for call management features

Page 8: Determining Security Policy

Don't make security an end in itself; determine the security level the business actually needs.

Rank voice alongside all other data on the network according to your business requirements.

Evaluate whether your existing data security policy is sufficient for voice.

[Figure: applications ranked from Low to High business criticality, including web traffic, directory, e-mail, Oracle, POS, trading, billing, banking, and voice/video.]

Page 9: Security Levels and Dimensions

Dimensions: Infrastructure, Call Processing, Endpoints, Applications. Cost ($$$), complexity, manpower and voice/data integration all increase from Base to Advanced.

Advanced
  Firewall with advanced application inspection and encrypted VoIP
  Encrypted phone configuration files
  TLS/SRTP

Intermediate
  Firewall with stateful inspection
  Intrusion Protection (IPS)
  DHCP snooping / rate limiting
  Phone web access restrictions

Base
  Basic L3 ACLs
  VPNs: GET VPN, DMVPN
  Separate voice/data VLANs
  Toll fraud prevention

Page 10: Cisco Integrated Services Router (ISR) Portfolio for Unified Communications

Secure validated designs; lowest TCO. Concurrent services and performance scale with the platform, from small office through small branch to medium and large branch:

  Cisco 2801: 24 phones
  Cisco 2811: 36 phones
  Cisco 2821: 48 phones
  Cisco 2851: 96 phones
  Cisco 3825: 336/168 phones
  Cisco 3845: 720/240 phones

Small branch platforms: multiple services; extended modular connectivity (EVM, NM, AIM, WIC/VIC)

Medium to large branch platforms: high-density services; modularity with performance optimized for an "all-in-one" solution (HSDM, NM, EVM, AIM, WIC/VIC)

Cisco Unity Express: local auto attendant and voice mail system with 12–100 mailboxes, 4–8 sessions and 100 hours of storage

Page 11: Securing UC in the Branch or Small Office

Page 12: Integrating Voice Security into a Network

Data only (branch office to corporate office):
  Access lists (ACLs)
  Network access protection
  Device authentication
  Firewall
  VPN
  URL filtering
  Intrusion protection

Unified Communications adds (branch office to corporate office):
  Expanded access lists (ACLs)
  Network access for voice devices
  Firewall VoIP ALG
  Toll fraud protection
  Secure phone downloads
  Controlled phone web access
  Digest authentication
  Secure SRST, CME and voice gateways

Page 13: Securing the Infrastructure

[Figure: campus connected to the branch office over the WAN, the Internet and the PSTN.]

Network access: expand ACLs for voice; VoIP firewall ALG

Transport: secure LAN transport (VLANs); secure WAN transport (VPN, V3PN, DMVPN, GET VPN)

Devices: authenticate voice devices; secure phone downloads
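As an added example (not part of the original slides), the following Cisco IOS configuration shows what "expand ACLs for voice" and "VoIP firewall ALG" look like on a branch ISR: a WAN-facing ACL that admits only call-control and media traffic from the campus, plus classic IOS firewall (CBAC) SIP, Skinny and H.323 inspection so that return traffic and media pinholes are opened per call. The addresses, subnet sizes, interface and ACL names are assumptions; the port numbers are the Cisco defaults (H.323 TCP 1720, SIP 5060/5061, phone RTP UDP 16384–32767).

```ios
! Added example, not from the original deck. Assumptions: campus CUCM cluster on
! 10.1.1.0/24, campus voice range 10.1.0.0/16, branch gateway/SRST router 10.2.1.1,
! branch phone VLAN 10.2.10.0/24, WAN uplink Serial0/0/0.
ip access-list extended VOICE-FROM-WAN
 remark H.323 and SIP call control from the campus call agents to the branch router
 permit tcp 10.1.1.0 0.0.0.255 host 10.2.1.1 eq 1720
 permit udp 10.1.1.0 0.0.0.255 host 10.2.1.1 eq 5060
 permit tcp 10.1.1.0 0.0.0.255 host 10.2.1.1 eq 5060
 permit tcp 10.1.1.0 0.0.0.255 host 10.2.1.1 eq 5061
 remark RTP/SRTP media from campus endpoints to the branch phones (Cisco phone port range)
 permit udp 10.1.0.0 0.0.255.255 10.2.10.0 0.0.0.255 range 16384 32767
 remark anything else arriving from the WAN is dropped and logged
 deny ip any any log
!
! VoIP application-layer inspection. Branch phones register outbound to CUCM over
! SCCP (TCP 2000 / TCP 2443 with TLS); inspecting the signaling lets the firewall
! open the matching return and media pinholes instead of a permanently open range.
ip inspect name VOICE-ALG skinny
ip inspect name VOICE-ALG sip
ip inspect name VOICE-ALG h323
ip inspect name VOICE-ALG tcp
ip inspect name VOICE-ALG udp
!
interface Serial0/0/0
 description WAN to campus
 ip access-group VOICE-FROM-WAN in
 ip inspect VOICE-ALG out
```

Check the result with `show ip inspect sessions` during a call: each active phone should show a Skinny (or SIP) control session and the dynamically opened RTP pinholes, and `show access-lists VOICE-FROM-WAN` should show hits only on the expected lines.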

Page 14: Securing Call Processing

[Figure: campus connected to the branch office over the WAN, the Internet and the PSTN.]

PSTN: toll fraud prevention (auto attendant restrictions, COR, transfer-patterns, call-forward max-length, after-hours exempt, ...); restrict outbound notifications

Features: feature access restrictions; digest authentication of Register and Invite

Encryption: Secure SRST; Secure CME; secure voice gateways

Page 15: Securing the Endpoints

[Figure: campus connected to the branch office over the WAN, the Internet and the PSTN.]

Downloads: signed phone firmware images; signed configuration files

Encryption: encrypted phone configuration files; TLS/SRTP

Authentication: no CME auto-registration; digest authentication of Register

Phone applications: restrict phone web access; disable the Settings button

Page 16: Securing the Applications

[Figure: campus connected to the branch office over the WAN, the Internet and the PSTN.]

IP access: close ports not used by the application; ACLs permit access only from legitimate source IP addresses

Operational: SFTP for CUE install, upgrade and backup

Administration: secure CME CLI/GUI; secure CUE CLI/GUI

Application access: secure VXML (HTTPS); phone authentication with the application

Page 17: Secure UC Capabilities on the Cisco Integrated Services Router

Page 18: Toll Fraud Prevention

After-hours exempt: blocks all after-hours PSTN calls except where exempt (optional override with a PIN per IP phone)

Call-forward max-length: restricts the maximum number of digits allowed for call-forward destinations on IP phones

Transfer-pattern: restricts valid transfer destinations to internal extensions

Restricting PSTN access from the Auto Attendant (AA) and message notification features prevents an incoming PSTN call from being transferred back out to another PSTN destination

[Figure: an incoming DID call reaches the AA. Dialing numbers starting with 91 or 91900, forwarding to 19103335555, or transferring to 901191225551234 is stopped; transferring to a valid extension goes through.]
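The four controls on this slide map to a small set of Cisco IOS CME commands. The configuration below is an added example, not taken from the deck: it blocks long-distance and international dialing after hours and premium-rate (91900) numbers at all times, allows a per-phone PIN override and a per-phone exemption, limits call-forward destinations to four digits, allows transfers only to internal 5xxx extensions, and uses Class of Restriction (COR) so that the dial-peer carrying the Auto Attendant and voice mail can never reach a PSTN dial-peer. Extension numbers, dial patterns, business hours, MAC addresses, the PIN, the CUE address and the PRI port are all assumptions.

```ios
! Added example, not from the original deck. Numbering plan, hours, MACs, PIN,
! CUE address (10.2.1.2) and PRI port are assumptions; command syntax is Cisco IOS CME.
telephony-service
 ! 91 (long distance) and 9011 (international) are blocked outside the hours below;
 ! 91900 (premium rate) is blocked around the clock ("7-24").
 after-hours block pattern 1 91
 after-hours block pattern 2 9011
 after-hours block pattern 3 91900 7-24
 after-hours day mon 18:00 08:00
 after-hours day tue 18:00 08:00
 after-hours day wed 18:00 08:00
 after-hours day thu 18:00 08:00
 after-hours day fri 18:00 08:00
 after-hours day sat 00:00 23:59
 after-hours day sun 00:00 23:59
 ! A user who logs in with a PIN (Login softkey) may override the block for 60 minutes;
 ! all logins are cleared at 20:00.
 login timeout 60 clear 20:00
 ! Transfers are permitted only to internal 4-digit extensions 5xxx; a transfer to a
 ! PSTN number matches no transfer-pattern and is refused.
 transfer-pattern 5...
 transfer-system full-consult
!
! COR: a call is allowed through an outgoing dial-peer only if that dial-peer's COR list
! is a subset of the incoming dial-peer's list. INTERNAL-ONLY has no members, so a call
! that entered via the CUE dial-peer can never exit via the PSTN dial-peer.
dial-peer cor custom
 name pstn
dial-peer cor list PSTN-ALLOWED
 member pstn
dial-peer cor list INTERNAL-ONLY
!
dial-peer voice 9 pots
 description outbound PSTN calls (9 + number)
 destination-pattern 9T
 corlist outgoing PSTN-ALLOWED
 port 0/0/0:23
!
dial-peer voice 2100 voip
 description Cisco Unity Express: Auto Attendant and voice mail
 destination-pattern 21..
 session protocol sipv2
 session target ipv4:10.2.1.2
 corlist incoming INTERNAL-ONLY
 dtmf-relay sip-notify
 codec g711ulaw
 no vad
!
ephone-dn 1
 number 5001
 ! Call-forward destinations are limited to 4 digits, so forwarding to the PSTN
 ! (e.g. 19103335555 from the slide) is rejected.
 call-forward max-length 4
ephone-dn 2
 number 5002
 call-forward max-length 4
!
ephone 1
 mac-address 0011.2233.4455
 button 1:1
 ! PIN that lets this user override after-hours blocking.
 pin 2468
!
ephone 2
 mac-address 0011.2233.6677
 button 1:2
 ! This phone is never subject to after-hours blocking.
 after-hours exempt
```

`show telephony-service` lists the active after-hours patterns and schedule, and `debug voip dialpeer` shows a COR mismatch as the reason a transfer out of the AA dial-peer fails; both are the quick checks after deploying this.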

Page 19: Signaling and Media Encryption

Signaling authentication and encryption via TLS or IPsec protect voice gateways, endpoints and applications

Media encryption using Secure RTP (SRTP)

SCCP, MGCP, H.323 and SIP support

Supported on voice gateways, CUCM, SRST and Cisco Unity voice mail

[Figure: HQ with a gatekeeper (GK) and several branches connected over the WAN and the PSTN.]

Page 20: Secure SRST

IP phone calls in SRST mode remain secure: calls are authenticated and encrypted (TLS and SRTP)

The secure lock icon on the IP phone gives visual confirmation

SRST 3.3: Cisco IOS 12.4 with CUCM 4.1(2) or later

[Figure: HQ with a gatekeeper (GK) and branches connected over the WAN and the PSTN; one branch has fallen back to SRST, with TLS and SRTP still in use.]

Page 21: Secure CME

Call processing: toll fraud prevention; feature access restrictions; phone authentication and registration

Authentication and encryption: phone authentication; signaling and media encryption (TLS/SRTP); X.509 v3 certificates

Secure wireless devices: phone authentication; signaling and media encryption (TLS/SRTP)

Secure administration: SSH, HTTPS, SFTP; secure phone downloads

Secure Internet access: firewall; intrusion protection; secure teleworker access via VPN

[Figure: CME router with PSTN, Internet and wireless AP connections; the links are shown as encrypted.]

Page 22: SIP Digest Authentication

SIP line-side digest authentication between the user agent (UA) and the SIP server:

  Register (SIP)
  401 Unauthorized with challenge
  Register [username, password]

  Invite
  401 Unauthorized
  Invite [username, password]

CME 4.0 no auto-reg-ephone option rejects registration attempts by IP phones with unknown MAC addresses. [Figure: a configured phone AAAA.BBBB.CCCC registers (GO); an unknown phone BBBB.AAAA.DDDD is refused (STOP).]
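Both registration controls on this slide are CME configuration. The following is an added example, not from the deck: `no auto-reg-ephone` makes CME refuse any SCCP phone whose MAC address is not configured on an ephone, and `authenticate register` under `voice register global` makes CME answer every SIP REGISTER with a 401 challenge that the phone must satisfy with a digest computed from the username and password configured on its pool (the password itself never crosses the wire). The MAC addresses, IP address, realm, username, password and extension numbers are assumptions; AAAA.BBBB.CCCC is the known phone from the slide.

```ios
! Added example, not from the original deck. MACs, addresses, realm and credentials
! are assumptions.
telephony-service
 ! SCCP: only phones with a matching ephone below may register; anything else is rejected.
 no auto-reg-ephone
!
ephone-dn 1
 number 5001
ephone 1
 ! Known phone from the slide: registration succeeds.
 mac-address AAAA.BBBB.CCCC
 button 1:1
! A phone with MAC BBBB.AAAA.DDDD has no ephone entry and is refused.
!
voice register global
 mode cme
 source-address 10.2.1.1 port 5060
 ! SIP: every REGISTER is challenged (401) and must carry a valid digest response.
 authenticate register
 authenticate realm branch.example.com
!
voice register dn 1
 number 5101
voice register pool 1
 id mac 0022.3344.5566
 number 1 dn 1
 ! Credentials the phone uses to answer the digest challenge.
 username phone5101 password Ph0ne-5101-Secret
```

After changing `voice register` settings, run `create profile` under `voice register global` so the phone configuration files are regenerated, then confirm with `show voice register pool 1` that the pool reports the phone as registered; `debug ccsip messages` shows the 401 challenge and the retried REGISTER carrying the `Authorization: Digest` header.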

Page 23: Secure Web Access

Downloads: firmware and configurations are delivered to phones over TFTP; signed firmware images, signed configuration files and encrypted configuration files protect against a rogue TFTP server

"Services" button: disable general web access from phones, allowing only authenticated applications; the phone authenticates with the server, and the application authenticates with the server

[Figure: IP phone, CME TFTP server, rogue TFTP server and authentication server.]

Page 24: Securing Administrative Access (CME and CUE)

Leverage AAA (TACACS+/RADIUS) for router CLI login

Secure CLI transport access with SSH

Secure GUI transport access with HTTPS (CUE 3.0)

CUE user accounts: password/PIN history checking

CUE account lockout, limiting repeated login attempts

SFTP for CUE install/upgrade and backup/restore

[Figure: a TACACS+/RADIUS server authenticates the IOS username/password; administrators reach CME over Telnet/SSH and CUE over HTTPS; CUE backs up to an FTP server over Secure FTP.]
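On the CME router side, the slide's points translate to the Cisco IOS configuration below, an added example that is not from the deck: CLI logins authenticated through RADIUS with a local fallback, SSH version 2 only with a management-plane ACL on the VTYs, and the CME GUI served over HTTPS only and authenticated through the same AAA list. The hostname, domain, addresses, RADIUS key, usernames and passwords are assumptions, and the CUE-side commands (HTTPS GUI, lockout, SFTP backup) are not shown.

```ios
! Added example, not from the original deck. Names, addresses, keys and
! credentials are assumptions.
hostname BRANCH-CME
ip domain-name branch.example.com
service password-encryption
!
! AAA: authenticate and authorize CLI sessions against RADIUS; the local database is
! used only when no RADIUS server answers.
aaa new-model
aaa authentication login ADMIN-LOGIN group radius local
aaa authorization exec ADMIN-EXEC group radius local
radius-server host 10.1.1.20 auth-port 1812 acct-port 1813 key R4dius-Shared-Secret
! Local fallback account, stored as a hash (secret), not a reversible type-7 password.
username admin privilege 15 secret L0cal-Fallback-Only
!
! SSH v2 only. The RSA key must exist before the SSH server will start.
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Only the corporate management subnet may open a CLI session.
ip access-list standard MGMT
 permit 10.1.1.0 0.0.0.255
 deny any log
line vty 0 4
 access-class MGMT in
 transport input ssh
 login authentication ADMIN-LOGIN
 authorization exec ADMIN-EXEC
 exec-timeout 10 0
!
! CME GUI: HTTPS only, AAA-authenticated, reachable only from the management subnet.
access-list 10 permit 10.1.1.0 0.0.0.255
no ip http server
ip http secure-server
ip http authentication aaa login-authentication ADMIN-LOGIN
ip http access-class 10
ip http path flash:/gui
telephony-service
 ! GUI system administrator for CME, stored as a secret rather than a password.
 web admin system name cmeadmin secret 0 Gui-Adm1n-Secret
```

`show ip ssh` should report version 2.0 and `show ip http server status` should show HTTP disabled and HTTPS enabled; a Telnet attempt to the VTY from any host, and an SSH attempt from outside 10.1.1.0/24, should both be refused.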

Page 25: Cisco ISR Secure Voice Bundles

Base Router
  SEC Bundle: adds Advanced Security
  HSEC Bundle: adds Advanced IP Services and the VPN AIM
  Voice Bundle: adds voice DSPs and Cisco IOS SP Services
  VSEC Bundle: adds voice DSPs and Advanced IP Services
  V3PN Bundle: adds voice DSPs, the VPN AIM and Advanced IP Services

Page 26: Summary

Balance risk avoidance, cost and performance.

Build a layered, tolerant security model; Cisco Secure UC with the Cisco ISR offers multi-layered protection.

Align voice and data security policies; secure UC requires incremental voice-specific features.

Page 27: Resources

Cisco.com/go/ipc
Cisco.com/go/ipcsecurity
Cisco.com/go/cube
Cisco.com/go/isr
Cisco.com/go/netpro

Page 28: Q&A
