The Empowered Branch Webinar Deploying Secure Unified Communications in Branch Networks
Transcript of The Empowered Branch Webinar Deploying Secure Unified Communications in Branch Networks
© 2007 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 1
Christina Hattingh, Technical Marketing Engineer
Shashi Kiran, Manager, Network Systems Marketing
Agenda
Changing Traffic Patterns and models
The Secure UC Framework
Securing UC in the Branch or Small Office
Security Capabilities on the Cisco Integrated Services Router
Cisco Unified Communications Voice Gateways
Cisco Survivable Remote Site Telephony (SRST)
Cisco Unified Communications Manager Express (CME)
Summary
Dynamics of Converged Networks
Is Traditional Data Security Good Enough for Voice?
1. Changing Traffic Types
2. Changing Traffic Patterns
[Figure: IP convergence; VoIP calls overtake traditional phone calls over time (adoption axis), with callouts (a) 40–60% savings, (b) peer-to-peer traffic, (c) voice over Wi-Fi / VoIP growth; voice, video and data all converge into “data”]
Threat Perceptions
Threat | Traditional Voice | Converged “Data”
Toll fraud | Yes | Yes
Eavesdropping (loss of privacy) | Yes – wiretapping | Yes – complex, $$
Denial of service | Low threat | Yes – worms, viruses
Caller ID spoofing | Yes | Yes – easier to spoof Caller ID
SPAM | Yes | SPIT
Multi-media threats | No | IM, video, voice, presence
Service thefts | Yes | Yes
Security enforcement | Not end-user controlled | End-user / branch IT
Threats are similar – attack types vary
Secure Voice Deployment Challenges
[Figure: data-only network + voice network = converged voice network]
Disparate security infrastructure (not voice ready)
Inadequate knowledge and training: data personnel handling voice threats; protocols, solutions, perceived complexity
Multiple voice-capable endpoint types
IM + voice + video: media streams, presence information
Secure Unified Communications
[Figure: Secure Telephony + Secure Network = Secure Unified Communication]
Network as the Platform
Building A Secure UC System
Infrastructure: secure connectivity and transport
Endpoints: authenticated IP phones, soft clients and other devices
Applications: auto-attendant, messaging and customer care
Call Control: secure protocols for call management features
[Figure: the four layers together make up Unified Communications]
Determining Security Policy
Don’t make security an end to itself—determine the security level needed
Rank voice with all data on the network by your business requirements
Evaluate whether your existing data security policy is sufficient for voice
[Figure: traffic types ranked from Low to High by business requirement; items shown include Trading, Billing, Web Traffic, Directory, Oracle, POS, Voice/Video and Banking]
Security Levels and Dimensions
[Figure: matrix of security levels (Base, Intermediate, Advanced) against the four dimensions (Infrastructure, Call Processing, Endpoints, Applications); moving up the levels raises cost ($$$), complexity, manpower and voice/data integration]
Measures placed in the matrix:
Firewall with advanced application inspection and encrypted VoIP
Encrypted phone configuration files
TLS/SRTP
Firewall with stateful inspection
Intrusion Protection (IPS)
DHCP snooping/rate limiting
Phone web access
Basic L3 ACLs
VPNs: GET-VPN, DMVPN
Separate voice/data VLANs
Toll fraud prevention
Cisco Integrated Services Router (ISR) Portfolio for Unified Communications
Secure Validated Designs
Lowest TCO
[Figure: ISR models arranged by concurrent services and performance, from Small Office through Small Branch to Medium to Large Branch]
2801: 24 phones
2811: 36 phones
2821: 48 phones
2851: 96 phones
3825: 336/168 phones
3845: 720/240 phones
Multiple Services: extended modular connectivity (EVM, NM, AIM, WIC/VIC)
High-Density Services: modularity with performance, optimized for “all-in-one” solution (HSDM, NM, EVM, AIM, WIC/VIC)
Cisco Unity Express: local auto attendant and voice mail system with 12–100 mailboxes, 4–8 sessions, 100 hours of storage
Securing UC in the Branch or Small Office
Integrating Voice Security into a Network
Data Only:
Access Lists (ACLs)
Network access protection
Device authentication
Firewall
VPN
URL Filtering
Intrusion Protection
Unified Communications:
Expanded Access Lists (ACLs)
Network access for voice devices
Firewall VoIP ALG
Toll fraud protection
Secure phone downloads
Controlled phone web access
Digest Authentication
Secure SRST, CME, voice gateways
[Figure: branch office connected to corporate office, shown once for a data-only network and once for a unified communications network]
Securing the Infrastructure
Network Access: expand ACLs for voice; VoIP firewall ALG
Transport: secure LAN transport (VLAN); secure WAN transport: VPN, V3PN, DMVPN, GET VPN
Devices: authenticate voice devices; secure phone downloads
[Figure: campus and branch office connected over Internet, WAN and PSTN; the Infrastructure layer is highlighted]
Securing Call Processing
PSTN: toll fraud prevention (AA, COR, transfer-patterns, CFW max-length, after-hours exempt…); restrict outbound notifications
Features: feature access restrictions; digest authentication for Register and Invite
Encryption: Secure SRST; Secure CME; secure voice gateways
[Figure: campus and branch office connected over Internet, WAN and PSTN; the Call Processing layer is highlighted]
Securing the Endpoints
Downloads: signed phone firmware images; signed configuration files
Encryption: phone configuration files; TLS/SRTP
Authentication: no CME auto-registration; digest authentication for Register
Phone Applications: restrict phone web access; disable Settings button
[Figure: campus and branch office connected over Internet, WAN and PSTN; the Endpoints layer is highlighted]
Securing the Applications
IP Access: close ports not used by the application; ACLs—access only from legitimate source IP addresses
Operational: SFTP for CUE install/upgrade/backup
Administration: secure CME CLI/GUI; secure CUE CLI/GUI
Application Access: secure VXML (HTTPS); phone authentication with application
[Figure: campus and branch office connected over Internet, WAN and PSTN; the Applications layer is highlighted]
Secure UC Capabilities on the Cisco Integrated Services Router
Toll Fraud Prevention
After-hours exempt blocks all after-hours PSTN calls except where exempt (optional override with PIN per IP phone)
Call-forward max-length restricts the maximum number of digits allowed for call-forward destinations on IP phones
Transfer-pattern restricts valid transfer destinations to internal extensions
Restricting access to the PSTN from the Auto Attendant (AA) and message notification features prevents incoming PSTN calls from being transferred to other PSTN destinations
[Figure: an incoming DID call reaches the AA; dialing numbers starting with 91 or 91900, forwarding to 19103335555 and transferring to 901191225551234 are stopped; a transfer to a valid extension goes through, while a transfer back out to the PSTN is stopped]
Dimension: Call Processing
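The four restrictions on this slide, as an added example that is not Cisco's or the presenters' code: a small Python policy evaluator that returns the slide's STOP/GO decision for each of the dial attempts in the flowchart. The after-hours window, the 4-digit call-forward limit, the internal transfer pattern, the per-phone PINs and the choice to block the 91900 prefix at all hours are constructed assumptions, not values from the slide.

```python
import re
from dataclasses import dataclass, field


@dataclass
class TollFraudPolicy:
    """Branch dial-plan restrictions modelled on the slide's four mechanisms."""
    after_hours_block: tuple = ("91",)           # PSTN prefixes blocked after hours
    always_block: tuple = ("91900",)             # assumption: premium prefix blocked at all hours
    after_hours: tuple = (19, 7)                 # assumed blocked window, 19:00 to 07:00
    exempt: frozenset = frozenset()              # extensions exempt from the after-hours block
    pins: dict = field(default_factory=dict)     # constructed per-phone override PINs
    cfw_max_length: int = 4                      # digits allowed in a call-forward destination
    transfer_patterns: tuple = (r"[1-5]\d{3}",)  # transfer-pattern: internal 4-digit extensions
    extensions: frozenset = frozenset()          # valid internal extensions known to the AA

    def is_after_hours(self, hour):
        start, end = self.after_hours
        return hour >= start or hour < end

    def outbound(self, ext, dialed, hour, pin=None):
        """After-hours block unless the phone is exempt or supplies its PIN."""
        if any(dialed.startswith(p) for p in self.always_block):
            return "STOP"
        if self.is_after_hours(hour) and any(dialed.startswith(p) for p in self.after_hours_block):
            if ext in self.exempt or (pin is not None and self.pins.get(ext) == pin):
                return "GO"
            return "STOP"
        return "GO"

    def call_forward(self, dest):
        """CFW max-length: forwarding to 19103335555 exceeds the 4-digit limit."""
        return "GO" if dest.isdigit() and len(dest) <= self.cfw_max_length else "STOP"

    def transfer(self, dest):
        """transfer-pattern: 901191225551234 matches no internal extension pattern."""
        return "GO" if any(re.fullmatch(p, dest) for p in self.transfer_patterns) else "STOP"

    def aa_transfer(self, dest):
        """An incoming DID call handled by the AA may only reach a valid extension."""
        return "GO" if dest in self.extensions else "STOP"
```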
Signaling and Media Encryption
Signaling authentication and encryption via TLS or IPsec protect voice gateways, endpoints and applications
Media encryption using Secure RTP (SRTP)
SCCP, MGCP, H.323 and SIP support
Voice gateways, CUCM, SRST and Cisco Unity voice mail support
[Figure: HQ with a gatekeeper (GK) connected over WAN and PSTN to several branches]
Dimensions: Call Processing, Endpoints
Secure SRST
IP phone calls in SRST mode remain secure
Calls are authenticated and encrypted
Secure lock icon on the IP phone gives visual confirmation
SRST 3.3: Cisco IOS 12.4 with CUCM 4.1(2) or later
[Figure: HQ with a gatekeeper (GK) connected over WAN and PSTN to branches; one branch has fallen back to SRST and keeps TLS and SRTP]
Dimensions: Call Processing, Endpoints
Secure CME
Call Processing: toll fraud prevention; feature access restrictions; phone authentication and registration
Authentication and Encryption: phone authentication; signaling and media encryption (TLS/SRTP); X.509 v3 certificates
Secure Wireless Devices: phone authentication; signaling and media encryption (TLS/SRTP)
Secure Administration: SSH, HTTPS, SFTP; secure phone downloads
Secure Internet Access: firewall; intrusion protection; secure teleworker access via VPN
[Figure: branch with a wireless AP and encrypted links, connected to the PSTN and the Internet]
Dimensions: Call Processing, Endpoints
SIP Digest Authentication
[Figure: an Invite is answered with 401 Unauthorized and repeated with username and password; a Register (SIP) is answered with 401 with challenge and repeated with username and password]
SIP line-side digest authentication
SIP digest authentication between UA and SIP server
CME 4.0 no auto-reg-ephone option rejects registration attempts by IP phones with unknown MAC addresses
[Figure: two registering phones with MAC addresses AAAA.BBBB.CCCC and BBBB.AAAA.DDDD; the known one goes through, the unknown one is stopped]
Dimensions: Call Processing, Endpoints
Secure Web Access and Downloads
Downloads: firmware and configurations use TFTP to phones
Signed firmware images
Signed configuration files
Encrypted configuration files
“Services” button: disable general web access to phones, allowing only authenticated applications
Phone authenticates with server
Application authenticates with server
[Figure: a phone between a rogue TFTP server and the CME TFTP server, with an authentication server for phone applications]
Dimensions: Infrastructure, Endpoints
Securing Administrative Access (CME and CUE)
Leverage AAA/RADIUS for router CLI login
Secure CLI transport access with SSH
Secure GUI transport access with HTTPS (CUE 3.0)
CUE user accounts: password/PIN history checking
CUE account lockout prevents DoS attacks
SFTP for CUE install/upgrade and backup/restore
[Figure: administrator reaches CME and CUE over Telnet/SSH and HTTPS; the IOS username/password is authenticated against a TACACS/RADIUS server; CUE uses Secure FTP to an FTP server]
Dimension: Applications
Cisco ISR Secure Voice Bundles
[Figure: upgrade paths from the Base Router to the Voice Bundle, SEC Bundle, VSEC Bundle, HSEC Bundle and V3PN Bundle; the steps shown add Voice DSP, Advanced Security, Advanced IP Services, VPN AIM and Cisco IOS SP Services]
Summary
Balance Risk Avoidance, Cost and Performance
Build a Layered, Tolerant Security Model; Cisco Secure UC with the Cisco ISR Offers Multi-layered Protection
Align Voice and Data Security Policies; Secure UC Requires Incremental Voice-specific Features
Resources
Cisco.com/go/ipc
Cisco.com/go/ipcsecurity
Cisco.com/go/cube
Cisco.com/go/isr
Cisco.com/go/netpro
Q&A