Secure Unified Communications - Cisco

Transcription

Secure Unified Communications
Daniel Tirado, datirado@cisco.com
Ramón Romero, rromeror@cisco.com
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential

True UC Security Requires a Secure Network AND Secure Telephony
(Diagram: Secure Network and Secure Telephony together make up Secure Unified Communications)
"Organizations must focus on creating efficiencies across all aspects of UCC ownership. Including: Hygiene, Compliance, Integration, Security & Identity and Management." - Key Issues for Unified Communications & Collaboration; Gartner, 3/07

All Your Constituencies Have a Role in Building a Secure UC System
"Participation of a cross-section of relevant IT personnel in the planning process is crucial to a comprehensive and actionable UCC strategic plan." - Gartner, March 2007

Secure UC: Today

Security Built as an Integrated System
Security as an option:
- Very complex environment
- Higher integration cost
- Slower service / feature roll-out
- Larger management overhead
- Lowest common feature support
- Security risks not mitigated
- Lower reliability
Security as integral to the system:
- Reduced complexity
- Tighter integration between network and applications
- Easier deployment and management
- Lower TCO

Secure UC Best Practices

Secure Unified Communications Risks
Best practice: threats-to-risk mapping
- There are no standard best practices for securing UC systems. A threats-to-risk mapping provides a contextual framework to evaluate your security needs: identify what needs to be protected, decide how far you need to go to achieve your organizational goals, and map the risks to the right solutions.
- Threats and risks provide the context for which countermeasures to employ.
- The security policy embodies the goals of the organization and the guidelines for achieving a secure system.
- Countermeasures should be based around a defense-in-depth architecture that leverages security functions in call control, endpoints, applications and the network.
(Diagram: Threats -> Business Risk -> Security Policy -> Countermeasures, applied across Call Control, Endpoints, Applications and Network)

Secure UC Threats and Risks Examples
- Eavesdropping (the greatest perceived risk): listening to or recording audio or video conversations. Risk: loss of privacy (regulatory issues, reputation).
- Denial of service (internal): loss of service. Risk: loss of productivity; safety and security impact (E911).
- Compromised system integrity: attacker control of applications or the call-control infrastructure. Risk: financial (toll fraud), data theft, regulatory issues (loss of privacy).
- Compromised UC clients (e.g. softphones): attacker control of the platforms that host UC clients. Risk: financial (toll fraud), data theft (customer information, e.g. the IPCC agent desktop).

Building a Secure UC System: Protecting All Elements of the UC System
- Infrastructure: secure connectivity and transport
- Endpoints: authenticated IP phones, soft clients and other devices
- Call control: secure protocols for call management features
- Applications: auto-attendant, messaging, and customer care
Network as the platform.

Balancing Risk
Cost - Complexity - Resources - Performance - Manpower - Overhead
Low (easy or default):
- Separate voice and data VLANs
- STP, BPDU Guard, Smart Ports
- Basic Layer 3 ACLs (stateless)
- Standard OS hardening
- Unmanaged CSA
- Anti-virus (Windows only)
- HTTPS
- Signed firmware and configuration
- Phone security settings
Medium (moderate and reasonable):
- UC-aware firewalls
- Encrypted configuration files
- Remote access VPN
- Security event management
- Optional OS hardening/patching
- Managed CSA (Windows only)
- DHCP snooping
- Dynamic ARP Inspection
- Dynamic port security / IP Source Guard
High (hard or not integrated):
- UC-aware firewall with TLS proxy
- Rate limiting
- TLS and SRTP for phones
- 802.1X and NAC
- Network anomaly detection
- IPsec and SRTP for gateways
- Directory integration (secure LDAP)
- Scavenger-class QoS
- Intrusion prevention solution

Secure UC Campus

Network Infrastructure Security: Baseline - Intermediate - Advanced
Basic:
- Spanning tree protection: BPDU Guard, Root Guard
- Basic Access Control Lists (ACLs)
- No static 802.1q trunks
- Separate voice and data VLANs
- Cisco Smart Ports (Auto QoS)
Intermediate:
- User-based rate limiting
- Dynamic port security
- DHCP snooping
- Dynamic ARP Inspection
- IP Source Guard
- ASA/FWSM firewalling and NAC
Advanced:
- Advanced QoS (Scavenger Class, etc.)
- 802.1X

Why Do We Need QoS for Security? Cisco Smart Ports
Why do we need QoS for security? Availability:
- Guarantee service under emergency situations (E911)
- Prevent unauthorized applications (P2P etc.) from gaining priority
What is Cisco Smart Ports?
- A set of pre-configured macros based on Cisco recommended baselines (desktop, switch, router, wireless, phone)
- Makes implementing basic QoS and security easier with Cisco infrastructure
- Available on all currently shipping access switches
- The default policy for the voice VLAN restricts bandwidth to 128 kbit/s with rate limiting
- The default policy for voice ports includes port security
What is the benefit? Smart Ports simplify the secure deployment of access ports.
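The baseline and intermediate controls on the two slides above, expressed as a Catalyst access-switch configuration. This is an added example, not configuration from the original deck: the VLAN numbers, interface names, port-security limits, rate-limit values and the use of the cisco-phone Auto-QoS macro (the QoS piece the Smart Ports phone macro applies underneath) are assumptions about a typical deployment and must be adapted to the switch model and IOS release in use.

```cisco
! Catalyst access switch: baseline + intermediate UC infrastructure controls.
! VLAN IDs, interface names and limits are assumptions, not values from the deck.
!
vlan 10
 name DATA
vlan 110
 name VOICE
!
! Baseline: BPDU Guard on every PortFast (edge) port; auto-recover after 5 minutes
spanning-tree portfast bpduguard default
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Intermediate: DHCP snooping builds the IP/MAC binding table that
! Dynamic ARP Inspection and IP Source Guard both consume
ip dhcp snooping
ip dhcp snooping vlan 10,110
no ip dhcp snooping information option
ip arp inspection vlan 10,110
ip arp inspection validate src-mac dst-mac ip
!
! Enable QoS globally; required before the Auto-QoS interface macro
mls qos
!
interface range GigabitEthernet1/0/1 - 47
 description Access port: PC daisy-chained behind a Cisco IP phone
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 switchport nonegotiate
 ! Port security: phone (data + voice VLAN) plus one PC = 3 MAC addresses
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 ! IP Source Guard checks both source IP and MAC against the snooping binding
 ip verify source port-security
 ! Untrusted for DHCP and ARP; rate limits so a flood err-disables only this port
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! Auto-QoS: trust CoS only from a CDP-detected Cisco phone, police the rest
 auto qos voip cisco-phone
!
interface GigabitEthernet1/0/48
 description Uplink to distribution
 switchport mode trunk
 switchport trunk allowed vlan 10,110
 switchport nonegotiate
 ! Uplink is the trusted side for DHCP/ARP; never enable BPDU Guard here
 ip dhcp snooping trust
 ip arp inspection trust
 auto qos voip trust
!
! Root Guard belongs on the distribution switch, on the ports facing the
! access layer, so a rogue switch below can never become the STP root
interface GigabitEthernet1/1
 description Downlink to access switch
 spanning-tree guard root
```

After applying the configuration, check that the controls are actually active rather than just present in the running config: show ip dhcp snooping binding should list one entry per phone and PC, show ip arp inspection statistics should show forwarded ARP on the access VLANs with drops only when a host spoofs, show port-security should show the per-port maximum and violation mode, and show errdisable recovery confirms that a port shut down by BPDU Guard will come back without manual intervention. The violation mode restrict (rather than the default shutdown) is chosen so that a PC with a second NIC does not take the phone on the same port offline.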

Secure UC - Cisco Security Appliances: Solving UC Security Challenges

Cisco ASA and Secure UC Deployment Topologies
(Diagram: Cisco ASA 5500 appliances deployed at four points, against threats such as worm/virus, spyware, exploit, unwanted application and illegal access)
- Data center or IP PBX/CUCM security
- Remote access security (remote access VPN user)
- SIP trunk security (SIP trunk to the SP SIP network)
- Trust boundary security (between the trusted and untrusted networks)

Cisco ASA Features to Protect Cisco Unified Communications Manager
(Diagram: Cisco ASA with FW, IPS and VPN in front of CUCM; Cisco ASA with SSL VPN and Cisco ASA with VPN at the WAN/Internet edge)
- Dynamic port opening for voice and applications
- Ensure SIP, SCCP, H.323 and MGCP requests conform to the standards
- Prevent inappropriate SIP methods from being sent to Communications Manager
- Rate-limit SIP requests
- Policy enforcement of calls (whitelist, blacklist, caller/called party, SIP URI)
- Allow only registered phones to make calls
- Enable inspection of encrypted phone calls
- Use IPS functionality with voice/video signatures to target the latest UC vulnerabilities
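An ASA SIP application-inspection policy that implements several of the bullets above: protocol conformance, dropping SIP methods that phones have no reason to send to CUCM, rate-limiting INVITE and REGISTER, and a called-party policy as a toll-fraud control. This is an added example, not configuration from the original deck; the policy name, the rate values, the choice of blocked methods and the premium-rate regex are assumptions. The TLS proxy needed to inspect encrypted calls is a separate configuration and is not shown.

```cisco
! ASA 8.0: SIP inspection policy for phone and trunk traffic toward CUCM.
! Names, limits, blocked methods and the regex are assumptions, not from the deck.
!
! Called-party pattern: a premium-rate prefix (assumed 1-900) in the To URI
regex PREMIUM_RATE "sip:1900"
!
policy-map type inspect sip UC-SIP-POLICY
 parameters
  ! Protocol conformance: drop malformed headers and bogus Max-Forwards,
  ! and track dialog state so out-of-sequence requests are rejected
  strict-header-validation action drop log
  max-forwards-validation action drop log
  state-checking action drop log
  ! Hide the UA/server software version and non-SIP URIs from the far end
  software-version action mask log
  uri-non-sip action mask log
  ! Media opened by the pinhole must carry the negotiated payload type
  rtp-conformance enforce-payloadtype
 ! Rate-limit call setup and registration storms (requests per second)
 match request-method invite
  rate-limit 100
 match request-method register
  rate-limit 100
 ! Methods CUCM does not need from endpoints: drop rather than forward
 match request-method message
  drop log
 match request-method unknown
  drop log
 ! Call policy: block calls whose called party matches the premium-rate regex
 match called-party regex PREMIUM_RATE
  drop-connection log
!
! Attach the SIP policy (and default SCCP inspection) to the global service policy
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect sip UC-SIP-POLICY
  inspect skinny
service-policy global_policy global
```

Verify with show service-policy inspect sip, which reports per-action counters for the policy, and show conn during a test call, which should show the signaling connection plus the dynamically opened RTP pinholes that disappear when the call ends. Start with the drop actions replaced by log while baselining, because strict header validation will also drop requests from legitimate third-party endpoints whose SIP stacks are sloppy.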

Large Enterprise Customer Challenge: Solving the Firewall and Encryption Integration Problem
Customer security policy mandates:
- All servers, including CUCM, must be firewalled for their protection.
- Key end users must have all phone calls encrypted.
Problem:
- Firewalls need to inspect the signaling traffic to open media pinholes, apply protocol conformance, and apply Application Inspection and Control (AIC).
- Encrypted calls must also encrypt the signaling (TLS), because CUCM sends the phones their media encryption keys inside the signaling.
- Two key security functions therefore cannot coexist or integrate: the customer's options are to choose encryption or firewalling, but not both.
Cisco solution: the ASA TLS Proxy (ASA 8.0).

Encrypted Voice Security Solution: Security, UC and Network Integration
(Diagram: encrypted endpoint - TLS signaling and SRTP media through the ASA - encrypted endpoint)
CUCM encrypted calls with SRTP/TLS can now be inspected by Cisco ASA 5500 Adaptive Security Appliances:
- Maintains the integrity and confidentiality of the call while enforcing security policy through advanced SIP/SCCP firewall services
- TLS signaling is terminated and inspected, then re-encrypted for the connection to the destination (hardware-based encryption)
- A dynamic port is opened for the SRTP-encrypted media stream and automatically closed when the call ends
Because the ASA terminates the TLS session, it becomes a trusted party in the signaling path: the phones and CUCM must trust its certificates, and it sees the media keys carried in the signaling, so the appliance itself has to be protected to the same standard as the call-control servers.

Secure UC Remote Access/Mobility: Cisco ASA 8.0.4 Release

Secure Remote Access: Technical Challenges - From Data to UC-Enabled Remote Access
Demands on secure connectivity today:
- Seamless user experience
- Access to a variety of applications, including UC and collaboration tools
- Consistent access from a number of diverse clients (IP phones, mobile devices, laptops)
User expectations:
- Increased mobility: digital nomads, full-time remote employees, teleworkers
- Device proliferation: iPhone, Windows Mobile, Android, thin client / embedded
- Platform diversification: Windows, Mac OS, Linux

Cisco ASA 5500 Series UC Proxy Features: Unification of Data and UC Remote Access Services
- Simplified and secure deployment of remote phones, mobile clients, and presence architectures
- Cisco ASA: strategic remote access platform
Services on the platform: IPsec VPN, clientless SSL VPN, SSL VPN, Phone Proxy (new), Mobility Proxy (new), Presence Federation Proxy (new)

Cisco ASA Phone Proxy: Remote Access and Voice/Data Segmentation
(Diagram: remote Cisco IP phone on the Internet, encrypted (TLS/SRTP) through the ASA to a Cisco IP phone on the trusted network)
Secure remote access:
- Leverage native Cisco IP phone encryption (TLS/SRTP) to enable secure calls from IP phones on untrusted, remote networks
- Seamless deployment and operation with minimal impact on the existing UC infrastructure
- Simplified user experience: plug and play
- A remote access UC solution for UC devices

Cisco ASA Mobility Proxy: Integration with Cisco Unified Mobility Solutions
(Diagram: mobile data network (GPRS) - ASA - Cisco Unified Mobility Advantage Enterprise Server, with call control, voicemail, presence, collaboration and the PSTN behind it)
Secure mobility: ASA protection for the Cisco Mobility Solution
- Core component of the mobility architecture
- Converges mobility onto a common remote access platform
- Protection for the Cisco Mobility Protocol (MMP)
- Protection for the CUMA Enterprise Server (TLS Proxy)

Cisco ASA and Presence: Integration with Cisco and 3rd-Party Presence Solutions
(Diagram: Cisco Unified Presence Servers and a Cisco Unified Mobility Advantage Server behind a TLS routing proxy and the ASA, federating over TLS across the Internet with a Microsoft Presence Server)
Secure presence:
- Enterprises with Cisco Presence Servers can now collaborate securely with enterprises with Microsoft Presence Servers
- Presence information can be shared between two organizations
- All Cisco ASA UC security capabilities apply to presence traffic
- Cisco ASA: strategic platform for converged remote access and mobility for UC applications and services

NAC & IPS

Cisco NAC Profiler
(Diagram: NAC Appliance Server running the NAC Profiler Collector application (fed from a SPAN port), NAC Profiler Server, NAC Appliance Manager reached over the NAC API, Windows AD / AAA server, and profiled endpoints)
1. The NAC Profiler Collector (a software agent running on the Cisco NAC Server) discovers and profiles devices and consolidates the information to send to the NAC Profiler Server.
2. The NAC Profiler Server aggregates all of the information from the Collectors and maintains a database of all network-attached endpoints (e.g. phones, printers, badge readers, medical modalities, etc.).
3. The NAC Profiler Server continuously maintains the Filters List via the NAC API and provisions the appropriate access decisions (allow, deny, check, "role", or ignore).
4. The NAC Profiler Collector continuously monitors the behavior of profiled devices (to detect spoofing of a profiled identity) and updates the Profiler Server.

Cisco IPS Business-Protection Solutions: Cisco Unified Communications Protection Solution
Includes call devices, Call Manager applications, operating systems, IP networks, and voice protocols.
Cisco IPS Unified Call Manager Protection Package:
- Local event correlation
- Call-anomaly detection
- Voice- and IP-traffic-aware detection
- Vulnerability protection for [...]
- [...] detection
- Traffic normalization
Intrusion Prevention Solution platform: comprehensive, collaborative network intrusion protection for business solutions.

