Call Manager

From Wikipedia, the free encyclopedia

Cisco Unified Communications Manager (CallManager)
Basic data

Developer: Cisco Systems, Inc.
Current version: 12.6(1) (19 June 2019)
Operating system: Linux
Category: VoIP (software)
License: proprietary
German-language version: Yes

The Cisco Unified Communications Manager (CallManager, short: CUCM) is software for controlling and switching telephone systems based on the Internet Protocol. Such a system is also known as an IP telephony solution or Voice-over-IP (VoIP) system. The CallManager server takes over the essential functions of a classic telephone system and increasingly integrates video, mobility, CTI and collaboration applications. Other manufacturers often use the term soft PBX.

History

In 1994 "Multimedia Manager 1.0" was released on HP-UX; it was used to switch video calls. After being ported to Windows NT 3.51 and renamed "Selsius CallManager", the softswitch was optimized for switching voice-only calls. The company Selsius was bought by Cisco Systems in 1998, and the product, renamed "CallManager", was sold from then on as Cisco CallManager. On March 6, 2006, Cisco CallManager was renamed Cisco Unified CallManager. Version 6 of the IP-PBX, released in March 2007, was renamed Cisco Unified Communications Manager. A derivative available since then is the Cisco Unified CallManager Business Edition, which, in addition to the well-known services, also combines Unified Messaging on a single server operated through one interface. A special server, the MCS7828, is required for this.

Functions

The CUCM controls all the necessary components and functions of an IP telephony system (VoIP). The components essentially include IP telephones, voice gateways, application servers and conference bridges. All settings, operating states and evaluations are stored by the CUCM in an Informix database. Several CUCMs can be interconnected to form a CUCM group (cluster) in order to increase operational reliability, to dedicate individual CUCMs to special tasks (e.g. TFTP server) and/or to increase performance. In a cluster, configuration changes are generally made on only one CUCM. The (changed) configuration information in its database is regularly replicated to the remaining CUCMs in the cluster. This CUCM is called the publisher; the other CUCMs are called subscribers.

Performance characteristics

  • Scalability:
    • Up to 10,000 users per server
    • Up to nine servers per cluster (one publisher + eight subscribers = 80,000 users / cluster)
    • Management of over 1,000,000 participants at over 100 locations with a network of several clusters
  • System requirements:
    • Virtual server (VMware vSphere ESXi 5.0 U1, 5.1, 5.5, 6.0) on Cisco UCS Blade Center as Tested Reference Configuration or "specs-based" hardware from other manufacturers

Administration and configuration

The CUCM is configured primarily via a graphical user interface. Microsoft Internet Explorer (version 5.x or higher) and Mozilla Firefox are supported as browsers. For extensive imports, exports and changes, the Bulk Administration Tool (BAT) is available, a Microsoft Excel template that can be used, for example, to import or change large numbers of user or phone number records. In addition to the administrative GUI, users have a personalized interface, for example to maintain personal phone books or call forwarding settings.

As of CUCM version 5.x, direct access to the operating system (Red Hat Linux) or the database (Informix) is no longer possible. A simplified Command Line Interface (CLI) with a restricted set of commands is provided for troubleshooting and for querying system and database information.

The Cisco Unified Communications Manager (CUCM) can also be operated by provisioning systems such as the Cisco Unified Provisioning Manager (CUPM) or products from third-party manufacturers such as the Telephone Interface Communications Manager (TiM). These programs simplify and automate repetitive tasks. Provisioning systems use the XML-based Application Programming Interface (API) of the CUCM.

Cisco Unified Call Manager security features

A historical overview

The (Windows-based) CallManager 4 offered a hardened system, HTTPS (web access), SLDAP (Secure LDAP, i.e. LDAP over SSL, also called "LDAPS"), certificate-based TLS and SRTP to telephones and MGCP gateways, and later also SRTP for H.323 gateways and SRTP support for fallback telephony.

These functions were carried over and expanded in Unified CallManager 5. Some security features were added with regard to SIP terminals and the appliance platform.

Unified Call Manager 5 / Unified Communications Manager 6 to 11: Platform and application

From version 5, Red Hat Enterprise Linux is used as the operating system. Along with this, OS hardening (guest accounts, switching off unused services, etc.), the concept of "least privilege" and the security passphrase (with complexity checking, etc.) have been addressed. Direct root access by the user or administrator to the operating system with Red Hat Linux tools (shell etc.) is not permitted. A proprietary command line (CLI) is available to the administrator for basic services. Most of the configuration is done via web pages in a browser.

Informix from IBM is used as the database management system (DBMS).

Since no network-accessible application can be started on the CUCM from a shell, file system or console, virus and worm attacks are made significantly more difficult. A dedicated mechanism allows the Cisco TAC to obtain a privileged remote access account for troubleshooting work: the user executes a CLI command that creates a server-specific, time-limited account, which the Cisco TAC can then use.

Previously accessible services such as DHCP, DNS, ping, log file access etc. are now only reachable via the GUI over HTTPS or the CLI over SSH. The images for the Unified CallManager are digitally signed, which ensures that only unmodified images from Cisco can be installed on the Unified CallManager during updates. The CCM5/6 uses a dynamic firewall that limits intra-cluster traffic to known devices only. Therefore, during an installation (in contrast to the CCM4), the publisher must be fully running before further servers can be added to the cluster. With a few exceptions, the interfaces of the CCM5/6 are secured by encryption (HTTPS, SLDAP, SSH, SFTP, SNMPv3). Web applications are additionally protected (30-minute automatic log-off on inactivity, etc.). The security-relevant log files (Security / Event / CSA Agent) can only be retrieved with the "Real-Time Monitoring Tool" (RTMT), which communicates with the CCM5/6 exclusively via SSH; SFTP is an alternative to this.

The Cisco Security Agent (CSA)

In the pre-CCM5/6 era it was possible to install the CSA as a managed CSA. Because the client for this variant is compiled by the management console, so that the policy and the public key of the management console can be embedded in the client image, the CCM5/6 no longer support it. The newer CallManagers only accept signed images, which means that only the COP files provided directly by Cisco are available for updates and policies of the CSA. At the same time, Cisco designs specially optimized policies whose application avoids misconfigurations by administrators and simplifies their work.

IPSec philosophy

The newer Cisco Unified CallManagers only support authenticated, or authenticated and simultaneously encrypted, IPsec connections to remote devices (pre-shared keys or certificates). This applies to gateways (MGCP and H.323) as well as to inter-cluster trunks. Corresponding commands are available both on the CLI and in the GUI. With their help, certificates can be managed, "own certificates" created, "third-party certificates" imported and external Certificate Authorities (CAs) registered. The "Simple Certificate Enrollment Protocol" (SCEP) still used in Unified CallManager 4 has been supplemented by the CSR (Certificate Signing Request) procedure, with which a request to the CA, e.g. to generate a certificate, can be signed.

Extensions to SRTP and TLS

Cisco uses a bidirectional exchange of X.509v3 certificates as the basis of the mutual trust relationship. A CTL file (Certificate Trust List) containing the certificates and a list of trusted devices is generated and transmitted to the telephones; it includes, for example, the TFTP service and the CAPF server. The telephones must also know the certificates of the eTokens that carry the certificates with which the administrator signs the CTL file. Conversely, the Unified CallManager, the TFTP server and various services must also be able to trust the telephones. The basis for this are LSCs (Locally Significant Certificates), which are generated by the CAPF (Certificate Authority Proxy Function) or forwarded to the CA, and MSCs (Manufacturer Signed Certificates). They are transmitted to the Unified CallManager over a secure TLS connection. IPsec is used to secure gateways. Once authenticated and authorized, a "preshared master secret" is generated, from which the various salt and HMAC values are derived. From then on, a trust relationship is established for all devices. Different modes for the certificate exchange can be selected, as well as different combinations for authentication, so that mixed operation (authenticated / encrypted, optional / mandatory) can be configured in the network and mixed constellations can be implemented depending on the technology used. The "Cisco CallManager Capacity Tool" can carry out capacity calculations for TLS-operated telephones. In general, TLS phones use 36 kB more memory and 3–5% more CPU on the CCM than phones without TLS. With Unified CallManager 5.1, however, a mechanism was introduced that offloaded the TLS memory allocation and thus made the entire process more scalable.
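The paragraph above states that the SRTP master secret is the source from which the salt and HMAC (authentication) keys are derived. The following Python is an added example, not Cisco's code and not part of the original article: it implements that derivation as RFC 3711 section 4.3 specifies it (AES-128 counter mode as the PRF) and checks it against the RFC's Appendix B.3 test vector. It assumes the third-party `cryptography` package is installed.

```python
"""SRTP session-key derivation (RFC 3711, section 4.3) from a master key
and master salt. Added example; assumes the `cryptography` package."""
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Key-derivation labels defined in RFC 3711, section 4.3.1
LABEL_RTP_ENCR, LABEL_RTP_AUTH, LABEL_RTP_SALT = 0x00, 0x01, 0x02


def aes_cm_prf(master_key: bytes, x: bytes, n_bytes: int) -> bytes:
    """AES-CM PRF (RFC 3711, 4.3.3): keystream for IV = x * 2^16."""
    iv = (int.from_bytes(x, "big") << 16).to_bytes(16, "big")
    enc = Cipher(algorithms.AES(master_key), modes.CTR(iv)).encryptor()
    return enc.update(bytes(n_bytes)) + enc.finalize()


def derive_session_key(master_key: bytes, master_salt: bytes, label: int,
                       index: int, kdr: int, n_bytes: int) -> bytes:
    """key_id = label || (index DIV kdr); x = key_id XOR master_salt."""
    r = 0 if kdr == 0 else index // kdr      # kdr == 0: derive exactly once
    key_id = bytes([label]) + r.to_bytes(6, "big")   # 56 bits
    padded = key_id.rjust(len(master_salt), b"\x00")  # right-align to 112 bits
    x = bytes(a ^ b for a, b in zip(padded, master_salt))
    return aes_cm_prf(master_key, x, n_bytes)


def derive_srtp_keys(master_key: bytes, master_salt: bytes,
                     index: int = 0, kdr: int = 0) -> dict:
    """Default SRTP session keys: 128-bit cipher key, 160-bit HMAC-SHA1
    auth key, 112-bit session salt."""
    args = (master_key, master_salt)
    return {
        "cipher_key": derive_session_key(*args, LABEL_RTP_ENCR, index, kdr, 16),
        "auth_key": derive_session_key(*args, LABEL_RTP_AUTH, index, kdr, 20),
        "cipher_salt": derive_session_key(*args, LABEL_RTP_SALT, index, kdr, 14),
    }


if __name__ == "__main__":
    # Test vector from RFC 3711, Appendix B.3 (index 0, kdr 0)
    mk = bytes.fromhex("E1F97A0D3E018BE0D64FA32C06DE4139")
    ms = bytes.fromhex("0EC675AD498AFEEBB6960B3AABE6")
    for name, key in derive_srtp_keys(mk, ms).items():
        print(f"{name:12s} {key.hex()}")
```

Because every session key is a deterministic function of the master secret, protecting that secret (and the TLS/IPsec channel that carries it) protects all derived keys.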

Firewall / NAT traversal

If voice traffic (more precisely, the signaling traffic for voice) is encrypted, a firewall can no longer inspect the signaling and dynamically open, close or translate ports. The same applies to session border controllers. With CCM 5.1 and Cisco's firewall family (PIX / ASA from version 8.0) there is a special function to "listen in" on the traffic by writing a certificate of the firewall into the CTL file. The firewall is thereby regarded as trustworthy and can terminate the TLS session between the telephones and the CCM 5.1+ as a "man in the middle". At the same time, this relieves the CCM in large networks, since it no longer has to terminate the sessions itself. The corresponding feature is called "TLS proxy".

Troubleshooting such techniques can be very complex. Cisco has built various aids into the CCM5+ specifically for this, as well as interfaces for accessing session keys via secure CTI interfaces in "Packet Capture Mode". This is also used in connection with lawful interception ("voice recording") to give authorized servers the ability to record encrypted conversations.

Unified CallManager 5 / 6 LDAP security

Unified CallManager versions prior to 4.0 had a built-in LDAP directory. With version 5.0 a method was added to query LDAP directories and to store the users in the internal database of the Unified CallManager (rather than in an internal LDAP directory). This made integration with external LDAP directories possible using two separate processes: 1. synchronization, 2. authentication. Unique search strings and multiple search instances allow only the user names actually required to be extracted from the external directory. An authentication process (called the "Identity Management System", IMS) determines whether authentication requests are answered by the internal database or forwarded to the external directory via SLDAP. The Unified CallManager 5+ knows two types of users: "end users" and "application users". The difference is that application users are always authenticated against the internal database, whereas end users can also be checked against external LDAP directories. Provisions were made for simplified integration with directories such as Microsoft AD, Netscape, iPlanet and Sun ONE, which greatly simplifies the configuration of synchronization and of moves, adds and changes for these directories, and improves data security during migration tasks and network problems. Many applications such as Unity, MeetingPlace and IPCC are also integrated here, which amounts to authentication against the same credentials and therefore simplifies administration.

Configuration tools

  • Web browser for administration and user websites (Internet Explorer / Firefox / Chrome / Safari)
  • Command line (VMWare console or SSH)
