Protecting Voice Media and Signaling Traffic

There are two types of security that you can enable with Call Manager:

  • Mixed mode : In this mode, depending on the security configured on each phone, a call is secure when both devices are security-enabled; when one of the phones is missing security, the call is nonsecure.
  • Nonsecure mode : As no phones are set up with security (default configuration), all calls are nonsecure.

When you decide to put security on phones, they can support the three following levels:

  • Nonsecure mode : secure calls are not supported
  • Authenticated mode : the phone will be able to authenticate calls
  • Encrypted mode : the phone will be able to support encrypted calls

If you enable authentication and encryption on your network, you are then able to secure the media traffic as well as the voice signaling.

If you want to have security on the media flow, it is mandatory to also secure the signaling, because the keys used to secure the media traffic are exchanged during the signaling phase.

SCCP messages sent by IP Phones and Call Manager can be secured using TLS; this is the signaling part. For the protection of the media traffic, i.e. the RTP packets, you use Secure RTP (SRTP), which provides a framework for encryption and authentication of your stream.

SRTP will also be used between your MGCP gateway and your IP Phone, but you need to know that the SRTP keys are exchanged in a cleartext session between the MGCP gateway and the Call Manager.
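To make the "authentication of your stream" part concrete, here is an added example (not from these notes, nor Cisco code) of the SRTP authentication tag of RFC 3711: HMAC-SHA1 over the RTP packet followed by the 32-bit roll-over counter (ROC), truncated to 80 bits. The session authentication key is assumed to have arrived through the signaling channel, which is exactly why the signaling must be protected; payload encryption (AES counter mode) is left out, and all keys and packet bytes are constructed for the illustration.

```python
import hmac, hashlib, struct

TAG_LEN = 10  # 80-bit authentication tag, the SRTP default

def rtp_packet(seq, timestamp, ssrc, payload, pt=0):
    """Build a minimal RTP packet: fixed 12-byte header (V=2, no CSRC) + payload."""
    return struct.pack("!BBHII", 0x80, pt, seq, timestamp, ssrc) + payload

def auth_tag(auth_key, packet, roc):
    """HMAC-SHA1 over the RTP packet followed by the 32-bit ROC, truncated to TAG_LEN."""
    return hmac.new(auth_key, packet + struct.pack("!I", roc), hashlib.sha1).digest()[:TAG_LEN]

def srtp_protect(auth_key, packet, roc):
    """Sender side: append the authentication tag to the RTP packet."""
    return packet + auth_tag(auth_key, packet, roc)

def srtp_unprotect(auth_key, srtp_pkt, roc):
    """Receiver side: return the RTP packet if the tag verifies, else None."""
    packet, tag = srtp_pkt[:-TAG_LEN], srtp_pkt[-TAG_LEN:]
    if not hmac.compare_digest(tag, auth_tag(auth_key, packet, roc)):
        return None                      # modified, forged, or wrong ROC epoch
    return packet

def demo():
    """Constructed scenario: one G.711 A-law frame, session auth key from signaling."""
    k_a = bytes(range(20))               # 160-bit session auth key (constructed)
    frame = b"\xd5" * 160                # 20 ms of A-law silence (constructed)
    pkt = rtp_packet(seq=0x0003, timestamp=4800, ssrc=0x1234ABCD, payload=frame)
    out = {}
    srtp = srtp_protect(k_a, pkt, roc=1)
    out["ok"] = srtp_unprotect(k_a, srtp, roc=1) == pkt
    # one payload bit changed in transit: the tag no longer verifies
    tampered = bytearray(srtp)
    tampered[20] ^= 0x01
    out["tampered"] = srtp_unprotect(k_a, bytes(tampered), roc=1)
    # the same packet replayed after a sequence-number wrap (ROC advanced) fails too
    out["old_epoch"] = srtp_unprotect(k_a, srtp, roc=2)
    # without the key carried in the signaling, no valid tag can be produced
    out["wrong_key"] = srtp_unprotect(b"\x00" * 20, srtp, roc=1)
    return out
```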

Managing Certificates in an IPT network

Typically, in a PKI, there is a single Certificate Authority (CA) or a hierarchy of CAs to issue certificates. However, several other elements can play this role too:

  • Self-signed certificates : These are certificates self-signed by the Call Manager, TFTP and the Certificate Authority Proxy Function (CAPF)
  • Certificates signed by the CAPF or an external CA : These are issued as Locally Significant Certificates (LSC) to IP phones
  • Certificates signed by the Cisco CA : Some IP phone models are shipped with manufacturing installed certificates (MIC)

All these certificate types are necessary to carry out functions such as authentication and encryption of voice signaling and media traffic, authentication of images and authentication of configuration files.

To facilitate the distribution of certificates to IP Phones, you can create a Cisco Trust List (CTL), which is generated by a plugin that you install on a Windows server or a desktop. This CTL client collects the information about all trusted certificate entities into a single file. This file is signed by the Cisco Site Administrator Security Token (SAST). Then, once the phones start their boot-up sequence, they can use this CTL file from the TFTP server to validate server certificates and security tokens. This also enables secure communications and file authentication. Here are the elements that you can find in your CTL file:

  • Call Manager or TFTP
  • Co-resident Call Manager and TFTP
  • CAPF
  • Alternate TFTP server
  • SAST

So the information that you will find for each of these entries is:

  • PKI
  • Server function
  • IP Address

As we have already mentioned, don’t forget that new IP Phone models come with an existing certificate installed at the factory; this is called the MIC. Even if these certificates are good, it is recommended to replace them with LSCs so that you ensure a uniform solution for all your phones and not a mixed one. LSCs can be issued by the CAPF or by an external CA with the CAPF in between, as it acts as a proxy when phones enroll.

IPT Authentication and Encryption

All IPT devices such as Call Manager, IP phones and voice gateways can be configured to authenticate and encrypt voice signaling and media traffic.

Phones can also be configured to authenticate phone images and configuration files. All these functions rely on a Public Key Infrastructure (PKI) and on obtaining a certificate.

MCS OS Hardening

Call Manager 4.X runs on a Windows 2000 platform, and it is important to ensure that the MCS OS is properly hardened so that it can’t be attacked and compromised. One of the first things to ensure is that Cisco patches and updates are installed to protect against security threats.

It is also important to ensure that Call Manager servers are not used for any services other than those provided by Call Manager (so no file and print server, no FTP, no application server and so on). It is also important to have a minimum number of accounts configured on the server, and their passwords must be strong.

If you can have an anti-virus solution combined with CSA, then it is perfect.

DHCP Snooping

IP Phones, like PCs, can use DHCP to retrieve an IP configuration (IP address, netmask, default gateway, DNS, TFTP, …). Therefore, if an attacker is able to interfere with DHCP, he might be able to conduct a Denial-of-Service (DoS) attack and prevent IP Phones from operating correctly.

DHCP snooping prevents an intruder from interfering with DHCP operations by filtering malicious DHCP messages and by building a DHCP snooping binding table. The table contains information such as MAC address, IP address, DHCP lease time and VLAN/port information for clients on untrusted ports.
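The filtering and binding-table logic just described, as an added example (not from these notes, and a simplified model rather than switch code): server messages are only accepted on trusted ports, client messages must carry a source MAC matching the DHCP client hardware address, a RELEASE or DECLINE must match the existing binding for that port, and a server ACK fills in the binding table. Port names, VLAN id, MAC and IP addresses and the message dictionaries are constructed for the illustration.

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}          # only legitimate from a DHCP server

@dataclass
class Binding:
    mac: str
    ip: str
    lease: int
    vlan: int
    port: str

@dataclass
class DhcpSnooping:
    trusted_ports: set
    bindings: dict = field(default_factory=dict)   # client MAC -> Binding
    pending: dict = field(default_factory=dict)    # client MAC -> (port, vlan) of its REQUEST

    def filter(self, msg: dict) -> bool:
        """Return True if the switch forwards the DHCP message, False if it drops it."""
        kind, port = msg["type"], msg["port"]
        if port in self.trusted_ports:
            # Real server side: an ACK completes the binding for the requesting client.
            if kind == "ACK" and msg["chaddr"] in self.pending:
                cport, vlan = self.pending.pop(msg["chaddr"])
                self.bindings[msg["chaddr"]] = Binding(
                    msg["chaddr"], msg["yiaddr"], msg["lease"], vlan, cport)
            return True
        # Untrusted port: where IP phones and PCs are connected.
        if kind in SERVER_MSGS:
            return False                        # rogue DHCP server answer
        if msg["src_mac"] != msg["chaddr"]:
            return False                        # spoofed client hardware address
        if kind in ("RELEASE", "DECLINE"):
            b = self.bindings.get(msg["chaddr"])
            if b is None or b.ip != msg["ciaddr"] or b.port != port:
                return False                    # releasing a lease this port does not own
        elif kind in ("DISCOVER", "REQUEST"):
            self.pending[msg["chaddr"]] = (port, msg["vlan"])
        return True

def demo():
    """Constructed scenario: phone on Fa0/1 obtains a lease; Fa0/2 misbehaves."""
    sw = DhcpSnooping(trusted_ports={"Gi0/24"})      # uplink to the real DHCP server
    phone = "00aa.bb00.0001"
    r = {}
    r["request"] = sw.filter({"type": "REQUEST", "port": "Fa0/1", "vlan": 10,
                              "src_mac": phone, "chaddr": phone})
    r["ack"] = sw.filter({"type": "ACK", "port": "Gi0/24", "chaddr": phone,
                          "yiaddr": "10.1.10.5", "lease": 86400})
    r["rogue_offer"] = sw.filter({"type": "OFFER", "port": "Fa0/2",
                                  "src_mac": "00cc.dd00.0009", "chaddr": phone})
    r["fake_release"] = sw.filter({"type": "RELEASE", "port": "Fa0/2", "vlan": 10,
                                   "src_mac": phone, "chaddr": phone, "ciaddr": "10.1.10.5"})
    return sw, r
```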

Voice Extensible Markup Language – VXML

VXML is a W3C standard that allows voice-based interaction between human users and computer applications. VXML can be used for applications and systems such as Auto-Attendant, voicemail or IVR, with VXML scripts performing functions such as playing prompts, collecting user input (DTMF and speech) and routing calls. VXML scripts can perform IVR functions similar to TCL scripts; the major difference is that TCL scripts are usually resident in device memory or downloadable from a TFTP server, whereas VXML scripts are usually interpreted by a voice browser after they are downloaded from a web server using HTTP requests (client/server model).

CRS supports VXML 2.0 applications.
