
Security for the Enterprise Collaboration Preferred Architecture

Laurent Pham, Technical Marketing Engineer

BRKCOL-2425

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public

Source: Investors.com

“Gartner estimates that IT security spending will soar from $75 billion-plus in 2015 to $101 billion in 2018. Research firm Markets and Markets sees the cybersecurity market hitting $170 billion by 2020.”


Cisco Spark: Ask Questions, Get Answers

Use Cisco Spark to communicate with the speaker after the event!

What if I have a question after visiting Cisco Live? Use Cisco Spark. How:

1. Go to the Cisco Live Mobile app

2. Find this session

3. Click the join link in the session description

4. Navigate to the room, room name = Session ID

5. Enter messages in the room

Spark rooms will be available until July 29, 2016

www.ciscospark.com


Agenda

• What is a “Preferred Architecture”?

• Security in Layers

• Encryption

• Certificate Management


Collaboration Preferred Architecture (CPA)

• Preferred Architecture provides prescriptive design guidance that simplifies and drives design consistency for Cisco Collaboration deployments

• Preferred Architecture can be used as a design base for any customer using a modular and scalable approach

• Preferred Architecture team provides feedback on solution level gaps to product teams

• Preferred Architecture will help you scale!

What products to use to enable users for Collaboration and Unified Communications for simple deployments: prescriptive recommendations, concise documents, tested best practices.


Collaboration Preferred Architectures & CVDs

PA Overview (Pre-Sales process)

• Design Overview Document

• Targeted to Presales

• What (w/ Some Why)!

PA CVD (Cisco Validated Design, Post-Sales process)

• Detailed Design and Deployment Guidance

• Post Sales Design and Deployment

• What, Why, and How!

• Process Driven Guide

Applications CVD (Cisco Validated Design, Post-Sales process)

• Detailed Deployment Guidance

• Post Sales Design and Deployment

• What, Why, and How!

• Process Driven Guide

• Plugs into the PA CVD

www.cisco.com/go/cvd/collaboration


Collaboration Preferred Architecture for the Enterprise

[Architecture diagram. Headquarters: Call Control (Unified Communications Manager, IM and Presence), Conferencing (TelePresence Server, Conductor), Voice Messaging (Unity Connection), Collaboration Management Services (TelePresence Management Suite; Prime Collaboration: Deployment, Provisioning, Assurance/Analytics; License Manager), Endpoints. Collaboration Edge in the DMZ: Expressway-C, Expressway-E, Integrated/Aggregated Services Router to the PSTN / ISDN. Reached over the Internet: WebEx, Cisco Conferencing, Mobile/Teleworker, Third-Party Solution. Reached over the MPLS WAN: Remote Site with an Integrated Services Router.]


Preferred Architecture for Collaboration Enterprise Cisco Validated Design (CVD)

• Call Control (UCM, IM&P, ISR, CUBE). Functions: Dial Plan (Dialing Habits, Endpoints/ILS/GDPR, where GDPR is Global Dial Plan Replication), Trunking, SRST, CTI, DNS, EM

• Conferencing (UCM, Conductor, TS, TMS). Functions: Instant, Permanent, Scheduled, CMR, CMR Hybrid, Personal Multiparty

• Edge (UCM, Expressway, CUBE, ISR). Functions: Mobile Remote Access (MRA), B2B, IM&P Federation, PSTN Access, ISDN Video

• Applications (Unity Connection, PCD*, PLM*). Functions: Applications and Tools: VM Deployment, Licensing, Voice Messaging

• Bandwidth Management. Functions: QoS and Admission Control

• Sizing. Functions: Sizing numbers for products built on a set of calculated assumptions

Each chapter covers Architecture (component role, HA, security, scalability), Deployment (process and configuration), and Sizing.


Upcoming Chapters in CVD

• Collaboration Management Services

• PCD, PLM, PCP, PCA

• Security

• Security in Layers (including Toll Fraud), Encryption, Certificate Management

Work in progress: CVD to be available later this year


Examples of IP Communications Threats

• Denial of Service (DoS): affecting call quality or the ability to place calls

• SPAM: SPIM, SPIT, and more SPAM

• Toll fraud: unauthorized or unbillable resource utilization

• Learning private information: Caller ID, DTMF, passwords/accounts, calling patterns, Presence information

• Eavesdropping: listening to another’s call, or theft of intellectual property

• Media tampering

• Data modification

• Impersonating others: identity theft

• Session replay: replay a session, such as a bank transaction


Security In Layers


Secure Physical Access

• First line of defense

• Once a user or attacker has physical access to one of the devices in a network, all kinds of problems could occur…

• Action:

• Secure access to the building

• Secure access to the Data Center / servers (DoS, easier access to management, password recovery)

• Secure endpoints


Secure the Infrastructure and the Network

Segregation

• Virtual LANs (VLANs) separate voice and data traffic

• VLAN Access Control Lists (VACLs) limit traffic between devices on the voice VLAN

• QoS Packet Marking ensures UC traffic receives appropriate priority over other traffic

Layer 2

• DHCP Snooping creates a binding table

• Dynamic ARP Inspection (DAI) examines ARP & GARP for violations against that binding table

• Port Security limits the number of MAC addresses allowed per port

• 802.1x limits network access to authenticated devices on assigned VLANs

• Multi-Domain Authentication (MDA) binds two devices (phone and the PC behind it) to their assigned VLANs

• MAC Authentication Bypass (MAB) provides a measure of control over devices which don’t support 802.1x

Layer 3

• IP Source Guard examines physical port, VLAN, IP, & MAC for inconsistencies

Firewalls/IPS/AMP

• ASA with FirePOWER Services


Prevent Unauthorized Access - Platforms

Hardened Platform

• Host Based Intrusion Protection (SELinux)

• Host-based firewall (iptables)

• 3rd party software installation not allowed

• OS and applications are installed with a single package

• Root account disabled

• Software signed

• Secure Management (HTTPS, SSH, SFTP)

• Audit logging

Also Configure

• If applicable, change default passwords (e.g. Expressway, TelePresence)

• Complex password policy

• Disable unnecessary protocols


Prevent Unauthorized Access - Edge

Expressway

• Host-based Firewall, Firewall Rules

• Host Based Intrusion Protection (not enabled by default)

CUBE and Voice Gateways

• IP TRUST LIST: Don’t respond to any SIP INVITEs if not originated from an IP address specified in this trust list

• CALL THRESHOLD: Protect against CPU, Memory & Total Call spike

• CALL SPIKE PROTECTION: Protect against spike of INVITE messages within a sliding window

• BANDWIDTH BASED CAC: Protect against excessive media

• MEDIA POLICING: Protect against negotiated Bandwidth overruns and RTP Floods

• USE NBAR POLICIES: Protect against overall SIP, RTP flood attacks from otherwise “trusted” sources

• DEFINE VOICE POLICIES: identify patterns of valid phone calls that might suggest potential abuse.


Prevent Unauthorized Access - Endpoints

• Security features by default

• Signed firmware (.sbn extension)

• Signed configuration files (<devicename>.cnf.xml.sgn)

Note: With Jabber, Unified CM needs to be in Mixed-Mode for those features (CTL File)

• This authenticates the firmware/configuration and protects against tampering

• Also add

• Physically secure the phones

• Disable Gratuitous ARP

• Configure 802.1X

• Disable web access and SSH access on the phone, or restrict them with an ACL

• Disable PC port if not needed

• Optionally TFTP configuration file encryption


Prevent Toll Fraud

Toll Fraud can be external and also internal attacks

• Unified CM

• Unity Connection

• Edge (CUBE, Voice GW, Expressway)


Unified CM Security – Eliminate Toll Fraud (1)

• Deny unauthorized calls

• Partitions and Calling search spaces provide dial plan segmentation and access control

• Example: Avoid Unified CM sending back to the PSTN a call coming from the PSTN

• Don’t include in Trunk CSS the partition for route patterns to PSTN

[Diagram: PSTN -> Voice or Video GW -> Unified CM, steps 1 to 4 for signaling and media. Partitions shown: DN partition, Multiparty meeting partition, PSTN access partition. The gateway’s Inbound CSS contains the DN and Multiparty meeting partitions but not the PSTN access partition.]


Unified CM Security – Eliminate Toll Fraud (2)

• “Block offnet to offnet transfer” (CallManager service parameter)

[Diagram: PSTN -> Voice or Video GW -> Unified CM, steps 1 to 6 showing an inbound PSTN call being transferred back out to the PSTN, which the service parameter blocks.]


Unified CM Security – Eliminate Toll Fraud (3)

• Device Pool “Calling Search Space for Auto-registration” to limit access to dial plan

• Employ Time of day routing to deactivate segments of the dial plan after hours

• Require Forced Authentication Codes on route patterns to restrict access on long distance or international calls.

• “Drop Ad hoc Conferences” (CallManager Service Parameter)

• Monitor Call Detail Records

• Employ Multilevel Administration
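The partition / calling search space rule and the “Block OffNet to OffNet Transfer” parameter from the three slides above, as a small dial-plan model. This is an added example, not code from the deck or from Unified CM: the patterns, partition names and CSS names are constructed, lookup is first-match in CSS order (Unified CM itself uses closest match across the partitions of the CSS), and the OFFNET_PARTITIONS set is a simplified stand-in for the Call Classification setting on route patterns and gateways.

```python
import re

# Constructed example dial plan. Partition -> Unified CM style patterns
# (X = one digit, ! = one or more digits, "." marks the access code).
PARTITIONS = {
    "DN": ["1XXX"],                  # internal directory numbers
    "MultipartyMeeting": ["2XXX"],   # conference bridge numbers
    "PSTNAccess": ["9.!"],           # route pattern to the PSTN gateway
}

# Calling search spaces: ordered lists of partitions a caller may reach.
CSS = {
    "Phones": ["DN", "MultipartyMeeting", "PSTNAccess"],  # users may dial out
    "Inbound": ["DN", "MultipartyMeeting"],               # trunk/gateway inbound CSS: no PSTN partition
}

# Partitions whose patterns lead off-net (stand-in for the route pattern
# "Call Classification" setting that the real service parameter relies on).
OFFNET_PARTITIONS = {"PSTNAccess"}


def pattern_to_regex(pattern):
    """Translate a Unified CM route/directory pattern into a regex."""
    out = []
    for ch in pattern:
        if ch == "X":
            out.append("[0-9]")
        elif ch == "!":
            out.append("[0-9]+")
        elif ch == ".":
            continue                  # access-code delimiter, not a digit
        elif ch in "[]-^":
            out.append(ch)            # digit ranges such as [2-9] pass through
        else:
            out.append(re.escape(ch))
    return "".join(out)


def resolve(css_name, digits):
    """Return (partition, pattern) of the first match in CSS order, or None."""
    for partition in CSS[css_name]:
        for pattern in PARTITIONS[partition]:
            if re.fullmatch(pattern_to_regex(pattern), digits):
                return partition, pattern
    return None


def call_allowed(css_name, digits):
    """A call succeeds only if some partition in the CSS matches the digits."""
    return resolve(css_name, digits) is not None


def transfer_allowed(party_is_offnet, css_name, digits, block_offnet_to_offnet=True):
    """Model of 'Block OffNet to OffNet Transfer': a party that arrived
    off-net may not be transferred to an off-net destination."""
    hit = resolve(css_name, digits)
    if hit is None:
        return False                  # unroutable target: the transfer fails anyway
    target_is_offnet = hit[0] in OFFNET_PARTITIONS
    if block_offnet_to_offnet and party_is_offnet and target_is_offnet:
        return False
    return True


if __name__ == "__main__":
    # An inbound PSTN call (Inbound CSS) cannot be routed straight back out.
    print(resolve("Phones", "91415551212"))   # phone user reaches the PSTN
    print(resolve("Inbound", "91415551212"))  # None: no PSTN partition in the inbound CSS
    # A PSTN caller being transferred by an internal phone to another PSTN number.
    print(transfer_allowed(True, "Phones", "91415551212"))         # blocked by the parameter
    print(transfer_allowed(True, "Phones", "91415551212", False))  # allowed when the parameter is off
```

The two checks are independent layers: the inbound CSS stops the gateway itself from reaching a PSTN route pattern, while the service parameter stops an internal phone from bridging two off-net legs on a transfer.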


Toll Fraud Prevention – Unity Connection

• Unity Connection could be used to transfer a call

• Recommendations

• Use restriction tables to allow or block call patterns

• Change the Rerouting CSS on the trunk on the Unified CM side

• Reference

• CUC Security Guide: http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/11x/security/b_11xcucsecx.html

• “Troubleshoot Toll Fraud via Unity Connection” TAC tech note: http://www.cisco.com/c/en/us/support/docs/unified-communications/unity-connection/119337-technote-cuc-00.html

• System Administration guide: http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/11x/administration/guide/b_cucsag/b_cucsag_chapter_0101.html


Toll Fraud Prevention - Edge

CUBE

• Call Source Authentication (IOS 15.1(2)T feature) is enabled by default. Do not disable it via “no ip address trusted authenticate”

• Only calls from “trusted” source IP addresses will be accepted:

voice service voip
 ip address trusted list
  ipv4 10.10.1.10
  ipv4 66.66.66.66

Expressway

• Call Policy Rules (CPL)


Monitor CDR and logs

• Unified CM Monitor CDR, audit logs, and other logs

Authentication failure:

16:10:32.908 |LogMessage UserID : administrator ClientAddress : 10.10.10.100 Severity : 4 EventType : UserLogging ResourceAccessed: Cisco CallManager Administration EventStatus : Failure CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : Cisco CCM Application AuditDetails : Failed to Log into Cisco CCM Webpages App ID: Cisco Tomcat Cluster ID: Node ID: cucm-pub

Phone added:

16:13:48.823 |LogMessage UserID : administrator ClientAddress : 10.10.10.100 Severity : 5 EventType : DeviceUpdate ResourceAccessed: CUCMAdmin EventStatus : Success CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : Cisco CUCM Administration AuditDetails : New Phone added with MAC address=AAAABBBBCCCC , CAL mode=< None > and CAL value=< None > App ID: Cisco Tomcat Cluster ID: Node ID: cucm-pub
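A small detector over audit-log records of the kind shown above, added here as an example and not Cisco code. It splits each LogMessage into its field/value pairs, raises an alert when one client address accumulates repeated web-login failures inside a sliding window, and reports every new phone registration with its MAC. The first and last sample lines are the two from the slide; the two middle lines are constructed copies with later timestamps to show a repeated failure; the threshold and window are arbitrary choices.

```python
import re
from collections import defaultdict, deque

# Field names that appear in Unified CM audit-log LogMessage records.
KEYS = ["UserID", "ClientAddress", "Severity", "EventType", "ResourceAccessed",
        "EventStatus", "CompulsoryEvent", "AuditCategory", "ComponentID",
        "AuditDetails", "App ID", "Cluster ID", "Node ID"]
KEY_RE = re.compile(r"\b(" + "|".join(re.escape(k) for k in KEYS) + r")\s*:")

# Sample records: lines 1 and 4 are the slide's, lines 2 and 3 are constructed.
SAMPLE_LINES = [
    "16:10:32.908 |LogMessage UserID : administrator ClientAddress : 10.10.10.100 Severity : 4 EventType : UserLogging ResourceAccessed: Cisco CallManager Administration EventStatus : Failure CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : Cisco CCM Application AuditDetails : Failed to Log into Cisco CCM Webpages App ID: Cisco Tomcat Cluster ID: Node ID: cucm-pub",
    "16:10:41.115 |LogMessage UserID : administrator ClientAddress : 10.10.10.100 Severity : 4 EventType : UserLogging ResourceAccessed: Cisco CallManager Administration EventStatus : Failure CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : Cisco CCM Application AuditDetails : Failed to Log into Cisco CCM Webpages App ID: Cisco Tomcat Cluster ID: Node ID: cucm-pub",
    "16:10:49.402 |LogMessage UserID : administrator ClientAddress : 10.10.10.100 Severity : 4 EventType : UserLogging ResourceAccessed: Cisco CallManager Administration EventStatus : Failure CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : Cisco CCM Application AuditDetails : Failed to Log into Cisco CCM Webpages App ID: Cisco Tomcat Cluster ID: Node ID: cucm-pub",
    "16:13:48.823 |LogMessage UserID : administrator ClientAddress : 10.10.10.100 Severity : 5 EventType : DeviceUpdate ResourceAccessed: CUCMAdmin EventStatus : Success CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : Cisco CUCM Administration AuditDetails : New Phone added with MAC address=AAAABBBBCCCC , CAL mode=< None > and CAL value=< None > App ID: Cisco Tomcat Cluster ID: Node ID: cucm-pub",
]


def parse_audit_line(line):
    """Split '<time> |LogMessage Key : value Key2 : value ...' into a dict.
    Values may contain spaces, so each value runs up to the next known key."""
    ts, _, body = line.partition("|LogMessage")
    fields = {"timestamp": ts.strip()}
    matches = list(KEY_RE.finditer(body))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(body)
        fields[m.group(1)] = body[m.end():end].strip()
    return fields


def to_seconds(timestamp):
    """'16:10:32.908' -> seconds since midnight (the log carries no date)."""
    h, m, s = timestamp.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def detect(lines, threshold=3, window=300):
    """Return alerts as tuples. A login-bruteforce alert fires once, at the
    failure that brings a client address to `threshold` failures within
    `window` seconds; every new-phone event is reported with its MAC."""
    alerts = []
    failures = defaultdict(deque)      # ClientAddress -> recent failure times
    for line in lines:
        ev = parse_audit_line(line)
        t = to_seconds(ev["timestamp"])
        if ev.get("EventType") == "UserLogging" and ev.get("EventStatus") == "Failure":
            q = failures[ev["ClientAddress"]]
            q.append(t)
            while q and t - q[0] > window:
                q.popleft()            # drop failures that fell out of the window
            if len(q) == threshold:
                alerts.append(("login-bruteforce", ev["ClientAddress"], ev["UserID"], ev["timestamp"]))
        elif ev.get("EventType") == "DeviceUpdate" and "New Phone added" in ev.get("AuditDetails", ""):
            mac = re.search(r"MAC address=([0-9A-Fa-f]{12})", ev["AuditDetails"])
            alerts.append(("phone-added", ev["ClientAddress"], ev["UserID"], mac.group(1) if mac else "?"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(alert)
```

Phone-added events are worth alerting on even though they are Success records: a phone created by an administrator account from an unexpected client address, or outside a change window, is one of the first artifacts of a toll-fraud registration.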


Monitor CDR and logs

• Expressway: Monitor CDR, Search History, and logs


Enable Encryption

• Protect against eavesdropping, data modification, session replay, impersonation

• Provides privacy, integrity, and authentication

• Authentication provided through certificates

• Can be one-way authentication or Mutual authentication (MTLS)


Encryption


Links to Encrypt

• Administrative and user interfaces

• SIP trunks

• Endpoint Encryption

• Within Data Center

• Multiple clusters


Links to Encrypt: Administrative and user interfaces

• Most of them should be encrypted by default

• Ensure passwords are not sent in the clear

• If integrated with LDAP, configure LDAP over SSL (import the LDAP server certificate into the Tomcat-trust store)


Links to Encrypt: SIP trunks (to Conductor, TelePresence Server, Unity Connection, Expressway, CUBE / VG)

• Typically:

• Authentication: Certificates

• Authorization: X.509 Subject Name in the SIP Trunk Security Profile

• Does not require Unified CM in mixed-mode

• SIP trunk encryption is recommended


Links to Encrypt: Endpoint Encryption (SRTP, Mixed-Mode)

• Encryption for the phone media and signaling requires Unified CM to be in “Mixed-Mode”

• Requires the Export Restricted version of Unified CM

• IM messages are encrypted by default and do not require mixed-mode

• A secure call shows a lock icon on the endpoint display


Unified CM: Non-Secure vs. Mixed-Mode

Feature | Non-Secure Cluster | Mixed-Mode Cluster

Auto-registration | Yes | Yes (new in 11.5)

Signed & Encrypted Phone Configs | Signed | Signed & Encrypted

Signed Phone Firmware | Yes | Yes

Secure Phone Services (HTTPS) | Yes | Yes

CAPF + LSC | Yes | Yes

IP VPN Phone | Yes | Yes

SIP Trunk encryption | Yes | Yes

Secure Endpoints (TLS & SRTP) | No | Yes


Mixed-Mode for Unified CM

• Enable Mixed-Mode with Hardware Security Tokens (USB Security Tokens) or with Tokenless CTL (10.0+)

• Migration between the two: see the Unified CM Security Guide and the TAC note http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/118893-technote-cucm-00.html


USB Security Tokens vs. Tokenless

Hardware Security Token (USB Security Tokens)

Pros:

• Fewer situations where endpoints lose the trust relationship with Unified CM, and easier to recover from this scenario

• Can be used across multiple Unified CM clusters and facilitates migration between clusters

Cons:

• Have to purchase 2+ USB Security tokens

• Not manufactured in the US

• Require CTL Client installation on a desktop

Tokenless (10.0+)

Pros:

• Easier to manage: no need to purchase USB security tokens, no need to install the CTL client, easier to update the CTL file

Cons:

• More situations where endpoints lose the trust relationship with Unified CM, and more complex to recover from this scenario

• Requires more steps when migrating clusters


Encrypted Endpoint – Basic Configuration

• With Unified CM in mixed-mode, not all endpoints need to be configured with encryption, but all the endpoints get a CTL (Certificate Trust List) file

• Notes:

There is also a phone security profile which is independent of the phone type: “Universal Device Template”. Useful when deploying MRA

Encryption using the Locally Significant Certificate (LSC) instead of Manufacturing Installed Certificate (MIC) requires additional step


MRA – Voice/Video Encryption

• Voice/Video streams are always SRTP encrypted between Expressway-C and the MRA client

• SIP TLS is always enforced between MRA clients & Expressway-E, and between Expressway-C & Expressway-E

• * Unified CM mixed mode is required to achieve SRTP on the internal network and SIP TLS between Expressway-C and Unified CM

[Diagram: MRA client -> (SIP TLS, SRTP) -> external firewall -> Expressway-E in the DMZ -> (SIP TLS, SRTP) -> firewall -> Expressway-C -> (SIP TLS* or SIP TCP) -> Unified CM. Media and signaling are always encrypted between the client and Expressway-C.]


Links to Encrypt: Within Data Center

• Some communications carry sensitive information or are easy to encrypt. Recommendation: encrypt. Examples: LDAP over SSL and SIP trunks

• Some communications are more difficult to encrypt, requiring for example IPsec. Lower priority to encrypt, especially if the servers are locked down in a trusted Data Center. Example: communication between Unified CM nodes in the same cluster. If IPsec must be used, the recommendation is to configure it on the infrastructure.


Links to Encrypt: Multiple clusters

• ILS (Intercluster Lookup Service): certificates for authentication, passwords for authorization (new in 11.5)

• LBM (Location Bandwidth Manager): encrypt intercluster LBM links

• ILS and LBM use the Tomcat certificates

• In addition to SIP trunk encryption, encrypt ILS and LBM


Cipher Suites – Unified CM SIP TLS

Example: ECDHE_RSA with AES256_GCM_SHA384

• Key exchange, authenticated/signed with: ECDHE – RSA (Elliptic Curve Diffie-Hellman Ephemeral, signed with RSA)

• Encryption algorithm and hash: AES256_GCM – SHA384 (Advanced Encryption Standard at 256 bits in Galois/Counter Mode; SHA-384 is the handshake PRF/HMAC hash, while GCM itself authenticates the records)

Unified CM key exchange options: RSA (only option prior to 10.5.2), ECDHE – RSA (10.5.2+), ECDHE – ECDSA (11+)

Unified CM encryption options: AES128_SHA1 (only option prior to 10.5.2), AES128_GCM_SHA256 (10.5.2+), AES256_GCM_SHA384 (10.5.2+)


Cipher Suites – Unified CM SIP TLS (each option lists its suites in preference order)

All Ciphers, RSA preferred (default):

ECDHE_RSA with AES256_GCM_SHA384

ECDHE_ECDSA with AES256_GCM_SHA384

ECDHE_RSA with AES128_GCM_SHA256

ECDHE_ECDSA with AES128_GCM_SHA256

RSA with AES_128_CBC-SHA1

All Ciphers, ECDSA preferred:

ECDHE_ECDSA with AES256_GCM_SHA384

ECDHE_RSA with AES256_GCM_SHA384

ECDHE_ECDSA with AES128_GCM_SHA256

ECDHE_RSA with AES128_GCM_SHA256

RSA with AES_128_CBC-SHA1

Medium – AES-256 and AES-128 only, RSA preferred:

ECDHE_RSA with AES256_GCM_SHA384

ECDHE_ECDSA with AES256_GCM_SHA384

ECDHE_RSA with AES128_GCM_SHA256

ECDHE_ECDSA with AES128_GCM_SHA256

Medium – AES-256 and AES-128 only, ECDSA preferred:

ECDHE_ECDSA with AES256_GCM_SHA384

ECDHE_RSA with AES256_GCM_SHA384

ECDHE_ECDSA with AES128_GCM_SHA256

ECDHE_RSA with AES128_GCM_SHA256

Strongest – AES-256 SHA-384 only, RSA preferred:

ECDHE_RSA with AES256_GCM_SHA384

ECDHE_ECDSA with AES256_GCM_SHA384

Strongest – AES-256 SHA-384 only, ECDSA preferred:

ECDHE_ECDSA with AES256_GCM_SHA384

ECDHE_RSA with AES256_GCM_SHA384

General Recommendation: Use the default setting. The Medium and Strongest options drop the CBC-SHA1 suite, so a peer that only supports the pre-10.5.2 suite can no longer connect.


Cipher Suites – Unified CM SRTP

• Prior to Unified CM 10.5.2, SIP trunks and SIP Lines only supported SHA1 based media encryption ciphers

AES_CM_128-SHA1

• Version 10.5.2 introduces support for new GCM (Galois/Counter Mode) ciphers providing AEAD (Authentication Encryption with Associated Data)

AEAD_AES_256_GCM

AEAD_AES_128_GCM

• New ciphers are available by default on upgrade to Unified CM 10.5.2

• Highest strength cipher will be offered or negotiated by default

• SHA1 based SRTP cipher compatibility remains for non-SIP devices


Cipher Suites – Unified CM SRTP

All supported ciphers (default): AEAD AES-256 GCM, AEAD AES-128 GCM, AES_CM_128-SHA1 ciphers

Medium – AEAD AES-256 GCM and AES-128 GCM ciphers only: AEAD AES-256 GCM, AEAD AES-128 GCM

Strongest – AEAD AES-256 GCM cipher only: AEAD AES-256 GCM

General Recommendation: Use default setting
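The ordering and negotiation rules behind the SIP TLS and SRTP options above, written out as an added example (not Unified CM code). Suite names use the IANA spelling (the slide's "ECDHE_RSA with AES256_GCM_SHA384" is TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384); the TLS side assumes the server picks by its own preference order, and the SRTP answerer picks the strongest locally allowed suite that the offer also contains, which is the "highest strength cipher negotiated by default" behaviour the previous slide describes. The two AES_CM_128 HMAC-SHA1 tag lengths are the RFC 4568 suites behind the slide's "AES_CM_128-SHA1 ciphers".

```python
# TLS cipher suites available to Unified CM SIP TLS from 10.5.2 on, IANA names.
# Tier: "strongest" = AES-256-GCM/SHA-384, "medium" = AES-128-GCM/SHA-256,
# "legacy" = the pre-10.5.2 AES-128-CBC/SHA1 suite.
TLS_SUITES = [
    ("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "ECDSA", "strongest"),
    ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",   "RSA",   "strongest"),
    ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "ECDSA", "medium"),
    ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",   "RSA",   "medium"),
    ("TLS_RSA_WITH_AES_128_CBC_SHA",            "RSA",   "legacy"),
]
TIER_RANK = {"strongest": 0, "medium": 1, "legacy": 2}
TLS_LEVELS = {                      # the slide's All / Medium / Strongest options
    "all": {"strongest", "medium", "legacy"},
    "medium": {"strongest", "medium"},
    "strongest": {"strongest"},
}

# SRTP crypto suites, strongest first: RFC 7714 AEAD suites, then RFC 4568 SHA1 suites.
SRTP_SUITES = ["AEAD_AES_256_GCM", "AEAD_AES_128_GCM",
               "AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32"]
SRTP_LEVELS = {
    "all": SRTP_SUITES,
    "medium": SRTP_SUITES[:2],      # GCM suites only
    "strongest": SRTP_SUITES[:1],   # AES-256-GCM only
}


def tls_cipher_list(level="all", prefer="RSA"):
    """Ordered preference list for a strength level and a preferred signature algorithm."""
    suites = [s for s in TLS_SUITES if s[2] in TLS_LEVELS[level]]
    # Stronger tier first; inside a tier the preferred signature algorithm first.
    suites.sort(key=lambda s: (TIER_RANK[s[2]], 0 if s[1] == prefer else 1))
    return [s[0] for s in suites]


def tls_negotiate(server_prefs, client_offer):
    """Server-preference negotiation: first server suite that the client also offers, or None."""
    offered = set(client_offer)
    return next((s for s in server_prefs if s in offered), None)


def srtp_answer(offered_suites, level="all"):
    """SDP answerer: strongest locally allowed suite present in the offer, or None."""
    offered = set(offered_suites)
    return next((s for s in SRTP_LEVELS[level] if s in offered), None)


def review(suite):
    """One-line verdict on a negotiated TLS suite."""
    if suite is None:
        return "no common cipher suite: handshake fails"
    if "CBC_SHA" in suite or not suite.startswith("TLS_ECDHE"):
        return "legacy suite negotiated: no forward secrecy, CBC/SHA1 MAC"
    return "ok"


if __name__ == "__main__":
    print(tls_cipher_list())                       # the default list on the slide
    print(tls_cipher_list("strongest", "ECDSA"))
    old_peer = ["TLS_RSA_WITH_AES_128_CBC_SHA"]    # a pre-10.5.2 style peer
    print(review(tls_negotiate(tls_cipher_list("all"), old_peer)))
    print(review(tls_negotiate(tls_cipher_list("medium"), old_peer)))
    print(srtp_answer(["AES_CM_128_HMAC_SHA1_80", "AEAD_AES_256_GCM"]))
```

The last two TLS calls are the practical reason for the "use the default" recommendation: the default still reaches the old peer (and review() tells you it did so over a legacy suite), while the Medium profile refuses it outright.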


Verify Supported Cipher Suites on Endpoints


Certificate Management


Why Do We Need Certificates?

• What is a Digital Certificate?

• Includes public key and name of the certificate holder, signature

• Goal

• Authentication and encryption

• Two types of authentication

• One-way authentication: with web browsers or with Jabber login (UDS, XMPP, Unity Connection visual voicemail)

• Two-way authentication: endpoints in encrypted mode, MTLS trunks (e.g. Unified CM SIP trunk to Expressway)


Endpoint Certificates

• Required for Media/Signaling encryption and TFTP config file encryption

• Also can be used for phone VPN and 802.1x

• When both LSC and MIC are installed on a device, LSC takes preference

MIC

Manufacturer Installed Certificate

LSC

Locally Significant Certificate

Certificate Type


Endpoint Certificates - MIC

Manufacturer Installed Certificate (MIC)

» Cisco IP Phones ship from the factory with a unique MIC pre-installed, signed by the Cisco manufacturing CA

» MIC is valid for 10 years

» No certificate revocation support

Notes:

• The new Manufacturing SHA2 CA signs Cisco’s newest IP Phones (88xx). Unified CM 10.5(1)+ includes and trusts the new SHA2 certificates. For older Unified CM releases, download the SHA2 CA certificates at http://www.cisco.com/security/pki/certs/cmca2.cer

• No MIC on Jabber


Endpoint Certificates - LSC

Locally Significant Certificate (LSC)

» LSC signed by the Certificate Authority Proxy Function (CAPF) service running on the Unified CM Publisher (or signed by an external CA)

» Preferred certificate for endpoint identity

» Endpoint support includes IP Phones, TelePresence, Jabber clients

» LSCs can be installed, re-issued, deleted in bulk with the Unified CM Bulk Administration Tool

Enhancements in Unified CM 11.5:

» LSC signed by CAPF valid for up to 5 years (validity configurable in 11.5; used to be fixed at 5 years)

» Can track certificate expiration (new in 11.5; used to require a paper process)

» SHA2 support

» RSA key length up to 4096 (used to be up to 2048). Use Cisco Unified Reporting to verify phone support

Only LSCs are available with Jabber. LSCs are required for configuration file signature and signaling/media encryption (except for Jabber over MRA)


Endpoint Certificates - MIC vs. LSC

• MIC: Out of box certificate. Goal is to prove the phone is a genuine Cisco phone

• But…

• MIC is not specific to your own Unified CM cluster

It doesn’t prove the phone is part of your Unified CM cluster

• MIC cannot be customized/updated/deleted

Recommendation:

Use MIC certificates to authenticate with CAPF for LSC certificate installation

Use LSC for everything else (SIP TLS, VPN, 802.1x)


MRA with End-to-End Encryption

• For MRA end-to-end encryption, encryption inside the enterprise requires Unified CM in mixed mode and encrypted phone security profile, as usual

• But Expressway-C certificate is used (not the endpoint certificate)

• With Jabber 11.0+ using MRA, CAPF enrollment not required (LSC not required)

• Notes:

• Also works for DX and TC series endpoints

• TFTP encrypted config still not supported for any MRA clients

[Diagram: MRA client -> (SIP TLS, SRTP) -> external firewall -> Expressway-E in the DMZ -> (SIP TLS, SRTP) -> firewall -> Expressway-C -> (SIP TLS, SRTP) -> Unified CM. Media and signaling are always encrypted end to end.]


MRA with End-to-End Encryption

• Expressway-C certificate is used (not the endpoint certificate)

• The phone security profile names of the MRA endpoints (in FQDN format) must be added as Subject Alternative Names (SANs) in the Expressway-C certificate

• With several phone types, each phone security profile must be added as SAN in the Expressway-C certificate

• To reduce the number of SANs in the Expressway-C certificate, a special type of Phone Security Profile can be used independently of the phone type: “Universal Device Template”.


Unified CM Certificates

• Unified CM includes the certificate types:

» Tomcat RSA and ECDSA (ECDSA new in 11.5): web services

» CallManager RSA and ECDSA (ECDSA new in 11.0): SIP/SCCP TLS, TFTP config signing, etc.

» CAPF (CA cert used to sign LSCs, only employed on the publisher)

» IPSEC (IPsec tunnels to non-SIP gateways or other Unified CM nodes)

» TVS (Trust Verification Service, security by default)

» ITLRecovery (used as trust anchor to recover trust with endpoints)

• Notes:

• Default to self-signed certificates, valid for 5 years (except ITLRecovery, valid for 20 years)

• Option to have them signed by a 3rd-party CA

• Key length:

• RSA certificates: key length up to 4096 (up to 2048 prior to 11.5), SHA1 or SHA256

• ECDSA certificates: key length up to 521 and hash up to SHA512


CA-signed Certificates

• In order to establish trust, the remote certificate needs to be imported into the local trust store; otherwise a warning message is shown or the communication is not established

• With certificates signed by an external Certification Authority (CA), only the CA certificate needs to be imported into the trust store. This simplifies management

• Note: Not all certificates need to be signed by a CA. Example: Unified CM TVS, CAPF, ITLRecovery

Recommendation:

Use CA-signed certificates for:

Tomcat (Unified CM, IM&P, Unity Connection)

CallManager, XMPP, XMPP-S2S certificates, Expressway, Conductor, and TelePresence Server


Multi-Server Certificate Support

• To simplify certificate management in clustered environments

• One single CA signed certificate and private key across all nodes in a cluster

• Each cluster node’s FQDN included as Subject Alternative Name (SAN) in a single certificate,

custom SANs can also be included

Recommendation:

Use Multi-Server certificates wherever available:

Tomcat/Tomcat-ECDSA for Unified CM/IM&P and CUC, CallManager, CUP-XMPP, CUP-XMPP-S2S

[Diagram: Unified CM cluster (Unified CM nodes and IM&P nodes) with one CA-signed Multi-Server certificate for the entire Unified CM cluster]
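A SAN coverage check for the two certificate shapes discussed on this slide and on the MRA slides above, added here as an illustration and not Cisco tooling: given the DNS names in a certificate's SAN extension and the names a deployment needs, it reports what is missing. For a multi-server certificate the required names are every node FQDN of the Unified CM and IM&P cluster; for Expressway-C with MRA they are the node name plus every phone security profile name in FQDN format. The cluster node names, profile names and SAN lists below are constructed; wildcard handling follows the usual one-label rule.

```python
def san_covers(san, name):
    """True if one DNS SAN entry covers a name (case-insensitive, one-label wildcard)."""
    san, name = san.lower().rstrip("."), name.lower().rstrip(".")
    if san.startswith("*."):
        suffix = san[1:]                        # "*.example.com" -> ".example.com"
        return name.endswith(suffix) and "." not in name[:-len(suffix)]
    return san == name


def missing_sans(cert_sans, required_names):
    """Names from required_names that no SAN in cert_sans covers, in input order."""
    return [n for n in required_names
            if not any(san_covers(s, n) for s in cert_sans)]


def check_certificate(subject_cn, cert_sans, required_names):
    """Report for one certificate: missing SANs, a CN absent from the SAN list
    (TLS clients match on SAN, not on CN), and SANs that no required name uses."""
    return {
        "missing": missing_sans(cert_sans, required_names),
        "cn_not_in_san": not any(san_covers(s, subject_cn) for s in cert_sans),
        "unused": [s for s in cert_sans
                   if not any(san_covers(s, n) for n in required_names)],
    }


# Constructed Unified CM / IM&P cluster and MRA deployment.
CLUSTER_NODES = ["cucm-pub.example.com", "cucm-sub1.example.com",
                 "cucm-sub2.example.com", "imp1.example.com"]
MRA_PROFILES = ["secure-8845.example.com", "secure-udt.example.com"]  # phone security profile names, FQDN format

# Constructed multi-server Tomcat certificate that forgot one subscriber.
TOMCAT_CERT = {"cn": "cucm-pub.example.com",
               "sans": ["cucm-pub.example.com", "cucm-sub1.example.com", "imp1.example.com"]}
# Constructed Expressway-C certificate: node name plus one of the two profile SANs.
EXPC_CERT = {"cn": "expc1.example.com",
             "sans": ["expc1.example.com", "secure-8845.example.com"]}


def audit_deployment():
    """Run both checks and return the two reports."""
    return {
        "tomcat-multiserver": check_certificate(TOMCAT_CERT["cn"], TOMCAT_CERT["sans"], CLUSTER_NODES),
        "expressway-c": check_certificate(EXPC_CERT["cn"], EXPC_CERT["sans"],
                                          ["expc1.example.com"] + MRA_PROFILES),
    }


if __name__ == "__main__":
    for name, report in audit_deployment().items():
        print(name, report)
```

To feed a real certificate, read the Subject Alternative Name block from `openssl x509 -noout -text -in cert.pem` and pass the DNS entries as the `cert_sans` list; a node missing from a multi-server certificate fails TLS only when a client happens to connect to that node, which is why it tends to go unnoticed until a failover.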


Public vs. Private CA

SSL certificates for Cisco Collaboration infrastructure can be signed by public CAs (GeoTrust, Verisign/Symantec, GoDaddy, etc.) or by an organization’s private CA (Microsoft CA, DogTag, openssl, etc.)

The tradeoff between the two options typically comes down to cost:

• Public CAs have a higher cost per certificate, but are broadly trusted in browsers and beyond

• Your organization’s private CA typically has a minimal cost per cert (if not $0) but is not broadly trusted, so the cost involves maintaining the private CA and distributing the trusted CA certificate to end users and devices via MDM, MS Group Policy, etc.

Recommendation:

- Public CA for Expressway-E certificates: public CA root certificates are contained in endpoint firmware and most mobile devices

- Your choice for the other certificates


How Do Endpoints Trust Servers?

• CTL and ITL are signed files that contain a list of Unified CM certificates that the endpoint can trust

• Which file is present in Unified CM cluster?

• With Unified CM non-secure mode: ITL file only

• With Unified CM in mixed-mode: CTL + ITL files

• When an endpoint boots/resets, it requests:

• Certificate Trust List (CTL) file first (if Unified CM is in mixed-mode), then

• Initial Trust List (ITL) file

• Endpoints verify the signature of the CTL/ITL

• With MRA: Endpoints verify Expressway-E certificate using the root CA certificates embedded in their firmware

Signature

CTL/ITL


CMR Certificates – Recommended Best Practice

[Figure: a video CMR (WebEx) call traverses the public-CA-signed Expressway-E certificate on one side and the WebEx certificate on the other, so each side must trust the other side’s public root CA.]

Public CA roots listed on the slide: entrust_ev_ca, digicert_global_root_ca, verisign_style_2_public_primary_ca_-_g3, godaddy_style_2_ca_root_certificate, Go Daddy Root Certification Authority - G2, verisign_style_3_public_primary_ca_-_g5, verisign_style_3_public_primary_ca_-_g3, dst_root_ca_x3, verisign_style_3_public_primary_ca_-_g2, equifax_secure_ca, entrust_2048_ca*, verisign_style_1_public_primary_ca_-_g3, ca_cert_signing_authority, geotrust_global_ca, globalsign_root_ca, thawte_primary_root_ca, geotrust_primary_ca, addtrust_external_ca_root, QuoVadis Root CA 2

WebEx supported CAs:

• Verisign Class 3 Public Primary Certification Authority, http://www.symantec.com/page.jsp?id=roots

• ‘VeriSign Class 3 Primary CA - G5’, http://www.symantec.com/page.jsp?id=roots

• ‘VeriSign Class 3 Public Primary CA - G3’, http://www.symantec.com/page.jsp?id=roots

• ‘QuoVadis Root CA 2’, https://www.quovadisglobal.com/QVRepository/DownloadRootsAndCRL.aspx

Current WebEx certificate: Verisign Class 3 Public Primary Certification Authority

References: https://kb.webex.com/WBX83490 and https://kb.webex.com/WBX87312


Monitor Certificate Expiration

• Monitor the server certificate expiration (OS Administration page)

• Monitor LSC certificate expiration (new in 11.5)


Receive Certificate Expiration Notifications (new in 11.5)

• Receive email notifications when certificates are about to expire

• For server certificates and for LSC certificates (since 11.5)
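An expiry sweep over an inventory of notAfter values in the format that `openssl x509 -noout -enddate` prints, added as an example and not the Unified CM notification feature itself. The inventory, the reference date and the 60-day threshold are constructed; real input would come from each node's certificate list and, for phones, from the LSC expiration report described above. It deliberately keeps already-expired entries (negative days) at the top of the report, since an expired LSC or Tomcat certificate is the case people discover last.

```python
from datetime import datetime, timezone


def parse_not_after(text):
    """Parse 'notAfter=Jun 30 12:00:00 2026 GMT' (or just the date part) into an aware UTC datetime."""
    value = text.split("=", 1)[1] if "=" in text else text
    value = " ".join(value.split())          # openssl pads single-digit days with a space
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def expiring(inventory, now, warn_days=60):
    """Return [(name, days_left)] for certificates already expired or expiring
    within warn_days, soonest first. days_left is negative once expired."""
    report = []
    for name, not_after in inventory:
        days_left = (parse_not_after(not_after) - now).days
        if days_left <= warn_days:
            report.append((name, days_left))
    return sorted(report, key=lambda r: r[1])


# Constructed inventory: (certificate, notAfter as printed by openssl).
INVENTORY = [
    ("cucm-pub tomcat (CA-signed)",        "notAfter=Aug 15 12:00:00 2016 GMT"),
    ("cucm-pub CallManager (self-signed)", "notAfter=Jul  1 00:00:00 2021 GMT"),
    ("cucm-pub ITLRecovery (self-signed)", "notAfter=Jul  1 00:00:00 2036 GMT"),
    ("SEPAAAABBBBCCCC LSC",                "notAfter=Jun 20 12:00:00 2016 GMT"),
    ("expe1 tomcat (public CA)",           "notAfter=Sep  5 09:30:00 2016 GMT"),
]
NOW = datetime(2016, 7, 1, tzinfo=timezone.utc)   # constructed reference date


if __name__ == "__main__":
    for name, days in expiring(INVENTORY, NOW):
        state = "EXPIRED" if days < 0 else "expires in"
        print(f"{name}: {state} {abs(days)} days")
```

Run it against a fresh `openssl x509 -noout -subject -enddate` dump of every trust-store and identity certificate, not only the ones the GUI highlights: the ITLRecovery and CAPF certificates are self-signed and long-lived, but they still expire, and an expired CAPF certificate blocks new LSC enrollment.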


Conclusion


Conclusion

• Security in layers

• Physical security, network security, host access security, encryption

• Protection against toll fraud

• Monitor CDR, logs, search history

• Encryption

• Encrypt admin interfaces, SIP trunks, LDAP

• Enable Unified CM mixed-mode and encrypt media and signaling for the endpoints

• For multi-cluster deployments, encrypt ILS and LBM-LBM communications

• Certificates

• Endpoints: use LSCs for SIP TLS, 802.1x, VPN. Only use the MIC to get an LSC

• Get some certificates signed by a CA: Tomcat, CallManager, XMPP, Expressway, TelePresence

• Expressway-E certificates to be signed by a public CA

• Use multi-server certificates wherever possible


Conclusion

• Your journey to secure your deployment does not stop here

• Establish a good security policy

• Stay up-to-date on the latest security news and upgrade / install security updates when applicable

• Cisco Security Center https://tools.cisco.com/security/center/home.x

  • Latest threat information

• Product Security Incident Response Team (PSIRT)

• Security advisories and responses

• Get Notifications


Preferred Architectures Links

• Contact us via email: [email protected]

• Mid-Market and Enterprise PA Documents:

http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-collaboration/index.html

• Cisco Preferred Architecture for Enterprise Collaboration 11.x, Design Overview - June 2016

http://www.cisco.com/c/dam/en/us/td/docs/solutions/PA/enterprise/11x/clbpa11x.pdf

• Cisco Preferred Architecture for Enterprise Collaboration 11.x, CVD – Nov 2015

http://www.cisco.com/c/en/us/td/docs/solutions/CVD/Collaboration/enterprise/11x/collbcvd.html

• DCloud: Cisco Preferred Architecture for Enterprise Collaboration 10.6 v1

http://dcloud.cisco.com/

Collaboration: Cisco Preferred Architecture for Enterprise Collaboration Design Overview 11.0


Related Sessions

• BRKUCC-1612: A Solution Architect's Guide to Collaboration Security, Monday, 8am

• BRKCOL-2614: Technical Overview of Preferred Architecture for Enterprise Collaboration, Tuesday, 1:30pm

• BRKUCC-2224: Deploying and Troubleshooting Secure UC Solution, Tuesday, 8am

• BRKUCC-2501: Cisco UC Manager Security, Wednesday, 8am

• BRKUCC-2801: Cisco Expressway at the Collaboration Edge Design Session, Tuesday, 1:30pm


Complete Your Online Session Evaluation

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.

• Complete your session surveys through the Cisco Live mobile app or from the Session Catalog on CiscoLive.com/us.


Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Lunch & Learn

• Meet the Engineer 1:1 meetings

• Related sessions


Please join us for the Service Provider Innovation Talk featuring:

Yvette Kanouff | Senior Vice President and General Manager, SP Business

Joe Cozzolino | Senior Vice President, Cisco Services

Thursday, July 14th, 2016

11:30 am - 12:30pm, In the Oceanside A room

What to expect from this innovation talk

• Insights on market trends and forecasts

• Preview of key technologies and capabilities

• Innovative demonstrations of the latest and greatest products

• Better understanding of how Cisco can help you succeed

Register to attend the session live now or

watch the broadcast on cisco.com


Join the Customer Connection Program

19,000+ Members Strong

• Influence product direction

• Access to early adopter & beta trials

• Monthly technical & roadmap briefings

• Connect in private online community

• Exclusive perks at Cisco Live

• Collaboration NDA Roadmap Sessions Mon & Tues

• Q&A Open Forum with Collaboration Product Management Tues 4:00 – 5:30

• Reserved seats at Collaboration Innovation Talk Thurs 8:00am – 9:00am

• 2 new CCP tracks launching at Cisco Live: Security & Enterprise Networks

Join in World of Solutions

Collaboration zone

Join at the Customer Connection stand

New member thank-you gift *

CCP ribbon for access to NDA sessions

Join Online

www.cisco.com/go/ccp

Come to Collaboration zone to get your

ribbon and new member gift

* While supplies last


Thank you