Cisco Unified Communications Manager SCCP Integration Guide for Cisco Unity Connection Release 10.x
Cisco Unified Communications Manager Authentication and Encryption of Cisco Unity Connection Voice Messaging Ports
Downloads: This chapterpdf (PDF - 176.0KB) The complete bookPDF (PDF - 1.31MB) | Feedback

Table of Contents

Cisco Unified Communications Manager Authentication and Encryption of Cisco Unity Connection Voice Messaging Ports

Cisco Unified Unified CM Security Features

Cisco Unified Communications Manager Authentication and Encryption of Cisco Unity Connection Voice Messaging Ports

A potential point of vulnerability for a Cisco Unity Connection system is the Unity Connection between Cisco Unity Connection and Cisco Unified Communications Manager. Possible threats include:

  • Man-in-the-middle attacks (a process in which an attacker observes and modifies the information flow between Cisco Unified CM and the Cisco Unity Connection voice messaging ports)
  • Network traffic sniffing (a process in which an attacker uses software to capture phone conversations and signaling information that flow between Cisco Unified CM, the Cisco Unity Connection voice messaging ports, and IP phones that are managed by Cisco Unified CM)
  • Modification of call signaling between the Cisco Unity Connection voice messaging ports and Cisco Unified CM
  • Modification of the media stream between the Cisco Unity Connection voice messaging ports and the endpoint (for example, a phone or gateway)
  • Identity theft of the Cisco Unity Connection voice messaging port (a process in which a non-Cisco Unity Connection device presents itself to Cisco Unified CM as a Cisco Unity Connection voice messaging port)
  • Identity theft of the Cisco Unified CM server (a process in which a non-Cisco Unified CM server presents itself to Cisco Unity Connection voice messaging ports as a Cisco Unified CM server)

Cisco Unified CM Security Features

Cisco Unified CM can secure the Unity Connection with Cisco Unity Connection against these threats. The Cisco Unified CM security features that Cisco Unity Connection can take advantage of are described in Table 12-1 .

Table 12-1 Cisco Unified CM Security Features That Are Used by Cisco Unity Connection (continued)

Security Feature
Description

Signaling authentication

The process that uses the Transport Layer Security (TLS) protocol to validate that no tampering has occurred to signaling packets during transmission. Signaling authentication relies on the creation of the Cisco Certificate Trust List (CTL) file.

Impact on Threats: This feature protects against:

  • Man-in-the-middle attacks that modify the information flow between Cisco Unified CM and the Cisco Unity Connection voice messaging ports.
  • Modification of the call signalling.
  • Identity theft of the Cisco Unity Connection voice messaging port.
  • Identity theft of the Cisco Unified CM server.

Device authentication

The process that validates the identity of the device and ensures that the entity is what it claims to be. This process occurs between Cisco Unified CM and Cisco Unity Connection voice messaging ports when each device accepts the certificate of the other device. When the certificates are accepted, a secure Unity Connection between the devices is established. Device authentication relies on the creation of the Cisco Certificate Trust List (CTL) file.

Impact on Threats: This feature protects against:

  • Man-in-the-middle attacks that modify the information flow between Cisco Unified CM and the Cisco Unity Connection voice messaging ports.
  • Modification of the media stream.
  • Identity theft of the Cisco Unity Connection voice messaging port.
  • Identity theft of the Cisco Unified CM server.

Signaling encryption

The process that uses cryptographic methods to protect (through encryption) the confidentiality of all SCCP signaling messages that are sent between the Cisco Unity Connection voice messaging ports and Cisco Unified CM. Signaling encryption ensures that the information that pertains to the parties, DTMF digits that are entered by the parties, call status, media encryption keys, and so on are protected against unintended or unauthorized access.

Impact on Threats: This feature protects against:

  • Man-in-the-middle attacks that observe the information flow between Cisco Unified CM and the Cisco Unity Connection voice messaging ports.
  • Network traffic sniffing that observes the signaling information flow between Cisco Unified CM and the Cisco Unity Connection voice messaging ports.

Media encryption

The process whereby the confidentiality of the media occurs through the use of cryptographic procedures. This process uses Secure Real Time Protocol (SRTP) as defined in IETF RFC 3711, and ensures that only the intended recipient can interpret the media streams between Cisco Unity Connection voice messaging ports and the endpoint (for example, a phone or gateway). Support includes audio streams only. Media encryption includes creating a media master key pair for the devices, delivering the keys to Cisco Unity Connection and the endpoint, and securing the delivery of the keys while the keys are in transport. Cisco Unity Connection and the endpoint use the keys to encrypt and decrypt the media stream.

Impact on Threats: This feature protects against:

  • Man-in-the-middle attacks that listen to the media stream between Cisco Unified CM and the Cisco Unity Connection voice messaging ports.
  • Network traffic sniffing that eavesdrops on phone conversations that flow between Cisco Unified CM, the Cisco Unity Connection voice messaging ports, and IP phones that are managed by Cisco Unified CM.