300 likes | 316 Views
Join experts to learn best practices for deploying secure unified communications in branch networks using Cisco technology. Discover strategies for securing UC systems and endpoints while optimizing performance.
E N D
The Empowered Branch WebinarDeploying Secure Unified Communications in Branch Networks Christina Hattingh, Technical Marketing Engineer Shashi Kiran, Manager, Network Systems Marketing
Agenda Changing Traffic Patterns and models The Secure UC Framework Securing UC in the Branch or Small Office Security Capabilities on the Cisco Integrated Services Router • Cisco Unified Communications Voice Gateways • Cisco Survivable Remote Site Telephony (SRST) • Cisco Unified Communications Manager Express (CME) Summary
1011011 001011 110110 10100 01011 IP Convergence 2. Changing Traffic Patterns a a b b c c Peer-to-Peer Traffic Voice Over Wi-Fi 40–60%Savings VoIP Calls Adoption Traditional Phone Calls t Is Traditional Data Security Good Enough for Voice? Dynamics of Converged Networks 1. Changing Traffic Types “Data” Voice Data Video VoIP growth
Threats are similar – attack types vary Threat Perceptions
= + Data Only Voice Network Converged Voice Network Secure Voice deployment challenges • Disparate security infrastructure (not voice ready) • Inadequate knowledge and training • Data personnel handling voice threats • Protocols, solutions, perceived complexity • Multiple voice-capable endpoint types • IM + voice + video – media streams, presence info.
Secure Telephony Secure Unified Communication Secure Network Secure Unified Communications
Unified Communications Building A Secure UC System Infrastructure Secure connectivity and transport Endpoints Authenticated IP phones, soft clients and other devices Call Control Secure Protocols for Call Management Features Applications Auto-attendant, Messaging, and Customer Care Network as the Platform
Determining Security Policy High Banking • Don’t make security an end to itself—determine the security level needed • Rank voice with all data on the network by your business requirements • Evaluate whether your existing data security policy is sufficient for voice Oracle Trading Billing POS Voice, Video Web Traffic E-Mail Directory Low
Security Levels and Dimensions • $$$ • Complexity • Manpower • Voice/Data integration • Firewall with advanced application inspection and encrypted VoIP • Encrypted phone configuration files • TLS/SRTP Advanced • Firewall with stateful inspection • Intrusion Protection (IPS) • DHCP snooping/rate limiting • Phone web access Intermediate • Basic L3 ACLs • VPNs: GET-VPN, DMVPN • Separate voice/data VLANs • Toll fraud prevention Base Infrastructure Call Processing Endpoints Applications
High-Density Services Modularity with Performance Optimized for “All-in-one” Solution (HSDM, NM, EVM, AIM, WIC/VIC) Multiple Services Extended Modular Connectivity (EVM, NM, AIM, WIC/VIC) Cisco Unity Express Local Auto Attendant and Voice Mail System with 12-100 Mailboxes, 4–8 Sessions, 100 Hours of Storage Cisco Integrated Services Router (ISR) Portfolio for Unified Communications Secure Validated Designs Lowest TCO 720/240 Phones 336/168 Phones Concurrent Services and Performance 3845 3825 96 Phones 48 Phones 2851 36 Phones 2821 2811 24 Phones 2801 Small Office Small Branch Medium to Large Branch
Access Lists (ACLs) Network access protection Device authentication Firewall VPN URL Filtering Intrusion Protection Expanded Access Lists (ACLs) Network access for voice devices Firewall VoIP ALG Toll fraud protection Secure phone downloads Controlled phone web access Digest Authentication Secure SRST, CME, voice gateways Integrating Voice Security into a Network Branch Office Branch Office Corporate Office Corporate Office Data Only Unified Communications
Infrastructure A Securing the Infrastructure Campus Network Access • Expand ACLs for voice • VoIP firewall ALG Transport • Secure LAN transport (VLAN) • Secure WAN transport • VPN, V3PN, DMVPN, GET VPN PSTN Internet WAN Devices • Authenticate voice devices • Secure phone downloads Branch Office
Call Processing A Securing Call Processing Campus PSTN • Toll fraud prevention • AA, COR, transfer-patterns, CFW max-length, after-hours exempt… • Restrict outbound notifications Features • Feature access restrictions • Digest authentication • Register and Invite PSTN Internet WAN Encryption • Secure SRST • Secure CME • Secure voice gateways Branch Office
Endpoints A Securing the Endpoints Campus Downloads • Signed phone firmware images • Signed configuration files Authentication • No CME auto-registration • Digest authentication Register PSTN Internet WAN Phone Applications • Restrict phone web access • Disable Settings button Encryption • Phone configuration files • TLS/SRTP Branch Office
Applications A PSTN Securing the Applications Campus IP Access • Close ports not used by application • ACLs—access only from legitimate source IP addresses Administration • Secure CME CLI/GUI • Secure CUE CLI/GUI Internet WAN Application Access • Secure VXML (HTTPS) • Phone authentication with application Branch Office Operational • SFTP for CUE install/upgrade/backup
Secure UC capabilities on the Cisco IntegratedServices Router
Call Processing STOP STOP STOP GO STOP Toll Fraud Prevention • After-hour exempt blocks all after-hours PSTN calls except where exempt (optional override withPIN per IP phone) • Call-forward max-length restricts maximum number of digits allowed for call forward destinations onIP Phones • Transfer-pattern restricts valid transfer destinations to internal extensions • Restricting access to PSTN from Auto Attendant (AA) and message notification features prevents incoming PSTN calls to transferto other PSTN destinations Numbers Startingwith 91 or 91900 Forward to19103335555 Transfer to901191225551234 AA Valid Ext Incoming DID Call PSTN PSTN
Call Processing Endpoints HQ Branch GK A Branch Branch WAN PSTN PSTN PSTN PSTN Signaling and MediaEncryption • Signaling authentication and encryption via TLS or IPSecprotect voice gateways, endpoints and applications • Media encryption using Secure RTP (SRTP) • SCCP, MGCP, H.323 and SIP support • Voice gateways, CUCM, SRST and Cisco Unity voice mail support
Call Processing Endpoints GK A WAN PSTN PSTN PSTN PSTN Secure SRST HQ Branch Branch Branch: SRST TLS and SRTP • IP phone calls in SRST mode remain secure • Calls are authenticated and encrypted • Secure lock icon on IP phone gives visual confirmation • SRST 3.3: Cisco IOS 12.4 with CUCM 4.1(2) or later
Call Processing Endpoints Internet PSTN Secure CME Call Processing • Toll fraud prevention • Feature access restrictions • Phone authenticationand registration Secure Internet Access • Firewall • Intrusion Protection • Secure teleworker access via VPN Secure Administration • SSH, HTTPS • SFTP • Secure phone downloads Encrypted Wireless AP Authentication and Encryption • Phone authentication • Signaling and media encryption (TLS/SRTP) • X.509 V3 certificates Secure Wireless Devices • Phone authentication • Signaling and media encryption (TLS/SRTP)
Call Processing Endpoints GO STOP SIP Digest Authentication • SIP line side Digest Authentication • SIP Digest authentication between UA and SIP server • CME 4.0 no auto-reg-ephone option rejects registration attempts by IP phones with unknown MAC addresses Register (SIP) 401 w/Challenge Invite Register [Username, Password] 401 Unauthorized Invite [Username, Password] BBBB.AAAA.DDDD AAAA.BBBB.CCCC
Downloads Firmware and configurationsuse TFTP to phones Signed firmware images Signed configuration files Encrypted configuration files “Services” Button Disable general web access tophones allowing only authenticated applications Phone authenticates with server Application authenticates with server Infrastructure Endpoints Secure Web Access CME TFTP Server Authentication Server Rogue TFTP Server
Leverage AAA/RADIUS for router CLI login Secure CLI transport access with SSH Secure GUI transport access with HTTPS (CUE 3.0) CUE User accounts password/PIN history checking CUE Account Lockout—prevents DOS attacks SFTP for CUE install/upgradeand backup/restore Applications Securing Administrative AccessCME and CUE Authenticate IOS username/password TACACS/RADIUS Server Secure FTP FTP Server HTTPS Telnet/SSH CME CUE
Cisco ISR Secure Voice Bundles V3PN Bundle Adds VPN AIM Adds Voice DSP VSEC Bundle HSEC Bundle Adds Voice DSP, Advanced IP Services Adds Advanced IP Services, VPN AIM Adds Advanced IP Services Voice Bundle SEC Bundle Adds Advanced Security Adds Voice DSP, Cisco IOS SP Services Base Router
Summary Align Voice and Data Security Policies; Secure UC Requires Incremental Voice-specific Features Build a Layered, Tolerant Security Model; The Cisco Secure UC With the Cisco ISR Offers Multi-layered Protection Balance Risk Avoidance, Cost and Performance
Resources Cisco.com/go/ipc Cisco.com/go/isr Cisco.com/go/ipcsecurity Cisco.com/go/cube Cisco.com/go/netpro