Cisco CallManager Security Guide, Release 4.1(3)
Configuring a Secure MGCP Gateway

This chapter contains information on the following topics:

Overview for Securing the Cisco IOS MGCP Signaling

Secure MGCP Gateway Configuration Checklist

IPSec Considerations and Recommendations

Overview for Securing the Cisco IOS MGCP Signaling

Cisco CallManager supports gateways that use the MGCP SRTP package, which the gateway uses to encrypt and decrypt packets over a secure RTP connection. The information that gets exchanged during call setup determines whether the gateway uses SRTP for a call. If the devices support SRTP, the system uses an SRTP connection. If at least one device does not support SRTP, the system uses an RTP connection. SRTP-to-RTP fallback (and vice versa) may occur for transfers from a secure device to a non-secure device, conferencing, transcoding, music on hold, and so on.

When the system sets up an encrypted SRTP call between two devices, Cisco CallManager generates a master encryption key and salt for secure calls and sends them to the gateway for the SRTP stream only. Cisco CallManager does not send the key and salt for SRTCP streams, which the gateway also supports. These keys get sent to the gateway over the MGCP signaling path, which you should secure by using IPSec. Cisco CallManager does not know whether an IPSec connection exists; if IPSec is not configured, the system sends the session keys to the gateway in the clear. Confirm that the IPSec connection exists, so that the session keys get sent through a secure connection.
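
The following check is an added example, not part of the Cisco documentation: it scans packet records taken on the CallManager-to-gateway path and reports MGCP messages that travel outside ESP, noting whether each one carries an SRTP key line. The record format, the sample packets, and the a=X-crypto attribute spelling are assumptions; ports 2427 and 2727 are the MGCP defaults.

```python
import re

MGCP_PORTS = {2427, 2727}  # RFC 3435 defaults: gateway / call agent (UDP)
IP_PROTO_UDP, IP_PROTO_ESP = 17, 50
# MGCP commands begin with a verb; responses begin with a 3-digit code.
MGCP_START = re.compile(rb"(?:CRCX|MDCX|DLCX|RQNT|NTFY|AUEP|AUCX|RSIP|EPCF|\d{3}) ")
# SDP key line. "a=crypto" is RFC 4568; "a=X-crypto" is an assumed pre-standard
# spelling. Only the suite name is captured; the inline key is never copied out.
SDP_KEY = re.compile(rb"^a=(?:X-)?crypto:(?:\d+\s+)?(\S+)\s+inline:\S+", re.I | re.M)

def audit_signaling(packets):
    """Report MGCP messages seen outside ESP on the CallManager-gateway path.

    packets: iterable of (ip_proto, dst_port, payload) tuples, a hypothetical
    record format for packets exported from a capture taken at the gateway.
    """
    findings = []
    for idx, (proto, dport, payload) in enumerate(packets):
        if proto == IP_PROTO_ESP:
            continue  # protected by IPSec; payload is ciphertext
        if proto != IP_PROTO_UDP or dport not in MGCP_PORTS:
            continue  # not MGCP signaling
        if not MGCP_START.match(payload):
            continue
        key_line = SDP_KEY.search(payload)
        findings.append({
            "packet": idx,
            "verb": payload.split(b" ", 1)[0].decode("ascii"),
            "srtp_key_exposed": key_line is not None,
            "suite": key_line.group(1).decode("ascii") if key_line else None,
        })
    return findings

# Constructed sample records (not real traffic); the key value is a placeholder.
EP = b"S0/SU0/DS1-0/1@gw.example.invalid"
SAMPLE = [
    (17, 2427, b"CRCX 1001 " + EP + b" MGCP 0.1\r\nC: A1\r\nM: sendrecv\r\n\r\n"
               b"v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 16400 RTP/SAVP 0\r\n"
               b"a=X-crypto:AES_CM_128_HMAC_SHA1_32 inline:PLACEHOLDERKEYSALT\r\n"),
    (17, 2427, b"AUEP 1002 " + EP + b" MGCP 0.1\r\n"),  # cleartext, no key
    (50, 0, b"\x00\x00\x10\x01\x00\x00\x00\x07" + b"\xaa" * 32),  # ESP
    (17, 53, b"CRCX lookalike on a non-MGCP port"),
]

if __name__ == "__main__":
    for finding in audit_signaling(SAMPLE):
        print(finding)
```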

Depending on the location and placement of the gateway and the security policy of your organization, you may consider IPSec as optional; for example, if you trust the path or address space from the Cisco CallManager to the gateway, you may deem IPSec configuration as optional. If you choose to use IPSec, Cisco recommends that you provision it in the infrastructure rather than in the Cisco CallManager itself. For other IPSec considerations and recommendations, see the "IPSec Considerations and Recommendations" section.


Tip: To determine whether your Cisco IOS MGCP gateway supports the voice security features described in the Cisco CallManager Security Guide, refer to Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways.


Related Topics

Secure MGCP Gateway Configuration Checklist

IPSec Considerations and Recommendations

Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways

Secure MGCP Gateway Configuration Checklist

Use Table 8-1 in conjunction with the document, Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways, which provides information on how to configure your Cisco IOS MGCP gateways for security. You can obtain this document at the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_11/gtsecure.htm

Table 8-1 Configuration Checklist for Securing the MGCP Gateway

| Configuration Steps | Related Procedures and Topics |
|---|---|
| Step 1: Verify that you installed and configured the Cisco CTL Client for mixed mode. | Configuring the Cisco CTL Client |
| Step 2: Verify that you configured the phones for encryption. | Configuring the Phones for Security, page 5-1 |
| Step 3: Configure IPSec in your infrastructure. | IPSec Considerations and Recommendations |
| Step 4: Perform security-related configuration tasks on the gateway. | Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways |
| Step 5: Verify that you configured the gateways for security. | Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways |

IPSec Considerations and Recommendations

This document does not describe how to configure IPSec. Instead, it provides considerations and recommendations for configuring IPSec in your network infrastructure.

Review the following information before you configure IPSec:

Cisco recommends that you provision IPSec in the infrastructure rather than in the Cisco CallManager itself.

Before you configure IPSec, consider existing IPSec or VPN connections, platform CPU impact, bandwidth implications, jitter or latency, and other performance metrics.

Review the Voice and Video Enabled IPSec Virtual Private Networks Solution Reference Network Design Guide, which you can obtain at the following URL:

http://www.cisco.com/go/srnd

Review the Cisco IOS Security Configuration Guide, Release 12.2 (or later), which you can obtain at the following URL:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_book09186a0080087df1.html

Terminate the remote end of the IPSec connection in the secure Cisco IOS MGCP gateway.

Terminate the host end in a network device within the trusted sphere of the network where the telephony servers exist; for example, behind a firewall, access control list (ACL), or other layer three device.

The equipment that you use to terminate the host-end IPSec connections depends on the number of gateways and the anticipated call volume to those gateways; for example, you could use Cisco VPN 3000 Series Concentrators, Catalyst 6500 IPSec VPN Services Module, or Cisco Integrated Services Routers.

Perform the steps in the order that is specified in the "Secure MGCP Gateway Configuration Checklist" section.


Caution: Failure to configure the IPSec connections and verify that the connections are active may compromise privacy of the media streams.

Related Topics

Secure MGCP Gateway Configuration Checklist

Overview for Securing the Cisco IOS MGCP Signaling

Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways