This chapter describes the importance of securing the IPCC solution and points to the various security resources available. It includes the following sections:
•Introduction to Security
•Security Best Practices
•Cisco Security Agent
•Firewalls and IPSec
•Security Features in Cisco CallManager Release 4.0
Introduction to Security
Achieving IPCC system security requires an effective security policy that accurately defines access, connection requirements, and systems management within your contact center. Once you have a good security policy, you can use many state-of-the-art Cisco technologies and products to protect your data center resources from internal and external threats and to ensure data privacy, integrity, and system availability.
Cisco has developed a set of documents with detailed design and implementation guidance for various Cisco networking solutions in order to assist enterprise customers in building an efficient, secure, reliable, and scalable network. These Solution Reference Network Design (SRND) guides, which can be found at http://www.cisco.com/go/srnd, provide proven best practices to build out a network infrastructure based on the Cisco Architecture for Voice, Video, and Integrated Data (AVVID). Among them are the following relevant documents relating to Security and IP Telephony that should be used in order to successfully deploy an IPCC network. Updates and additions are posted periodically, so frequent site visits are recommended.
•IP Telephony SRND for Cisco CallManager 3.3
•IP Telephony SRND for Cisco CallManager 4.0
•Data Center Networking: Securing Server Farms SRND
•Data Center Networking: Integrating Security, Load Balancing, and SSL Services
An adequately secure IPCC configuration requires a multi-layered approach to protecting systems from targeted attacks and the propagation of viruses. A first approach is to ensure that the servers hosting the Cisco contact center applications are physically secure. They must be located in data centers to which only authorized personnel have access. The next level of protection is to ensure the servers are running antivirus applications with the latest virus definition files and are kept up-to-date with Microsoft and other third-party security patches. The servers may be hardened according to the guidelines provided in the security best-practices guides applicable to your release of the application.
Another level of security is the network segmentation of the servers. None of the IPCC servers are meant to be deployed as internet-facing systems or bastion hosts (with the only exception of the Web Collaboration option, if deployed). While desktop-based applications such as the CTI OS, Cisco Agent Desktop, or Cisco Supervisor Desktop tend to be deployed in open corporate VLANs, servers making up the IPCC solution should be placed in the data center behind a secure network. In cases where the servers are geographically distributed, proper care should be taken to ensure the network links are secure.
Security Best Practices
Default (Standard) Windows 2000 Server Operating System Installation
The IPCC solution consists of a number of server applications which are managed differently. The security best practices for the following servers vary slightly from the other applications in the IPCC solution:
•ICM Peripheral Gateways
•ICM Administrative Workstations (Historical Data Server and WebView)
•CTI-based servers (CTI, CTI OS, and Cisco Agent Desktop servers)
The security best practices for these servers are consolidated in a document that describes security hardening configuration guidelines for the Microsoft Windows 2000 Server environment. This document, the Security Best Practices for Cisco Intelligent Contact Management Software, is available at
The recommendations contained in the Security Best Practices guide are based in part on hardening guidelines published by Microsoft, such as those found in the Windows 2000 Security Hardening Guide, as well as other third-party vendors' hardening recommendations. The purpose of the Security Best Practices guide is to further interpret and customize those guidelines as they specifically apply to the contact center server products. Where exceptions or specific recommendations are made, the Security Best Practices guide strives to present the underlying rationale for the deviation.
The Security Best Practices guide assumes that the reader is an experienced network administrator familiar with securing Windows 2000 Server. It further assumes that the reader is fully familiar with the applications that compose the ICM and IPCC solutions, as well as with the installation and administration of those systems. It is the additional intent of these best practices to provide a consolidated view of securing the various third-party applications and operating system upon which the Cisco IP Contact Center applications depend.
Cisco-Provided Windows 2000 Server Installation (CIPT OS)
The IP IVR, Internet Service Node (ISN), and Cisco CallManager servers all support a hardened operating system called the Cisco IP Telephony Operating System. The hardening specifications for this operating system can be found in the Cisco IP Telephony Solution Reference Network Design (SRND) guide, available at
Default (Standard) Windows 2000 Server Operating System Installation
The security updates qualification process for Contact Center products is documented at
Upon the release of a Critical or Important security update from Microsoft, Cisco assesses the impact on the ICM-based applications and releases a field notice with this assessment, typically within 24 hours. For the security updates categorized as Impacting, Cisco continues to test its products to further determine if there are any potential conflicts after the initial field notice. A field notice update is released when those tests are completed.
Customers can set up a profile to be alerted of field notices announcing security updates by going to the following link:
Customers should follow Microsoft's guidelines regarding when and how they should apply these updates.
Cisco recommends that Contact Center customers separately assess all security patches released by Microsoft and install those deemed appropriate for their environments. Cisco will continue to provide a service of separately assessing and, where necessary, validating higher severity security patches that may be relevant to the Contact Center software products.
Automated Patch Management
ICM-based servers support integration with Microsoft's Software Update Services (SUS), whereby customers control which and when patches can be deployed to those servers. The servers can be configured for Automatic Windows Updates, but Cisco recommends that they point to local Software Update Services (SUS) or Windows Update Services (WUS) servers.
Cisco-Provided Windows 2000 Server Installation (CIPT OS)
The Cisco CallManager Security Patch Process is available at
A document providing information for tracking Cisco-supported operating system files, SQL Server, and security files is available at
This document also provides Cisco recommendations for applying software updates (Cisco CallManager, IP IVR, and ISN only).
The Security Patch and Hotfix Policy for Cisco CallManager specifies that any applicable patch deemed Severity 1 or Critical must be tested and posted to http://www.cisco.com within 24 hours as Hotfixes. All applicable patches are consolidated and posted once per month as incremental Service Releases
A notification tool (email service) for providing automatic notification of new fixes, OS updates, and patches for Cisco CallManager and associated products is available at
Automated Patch Management
The Cisco IP Telephony Operating System configuration and patch process does not currently allow for an automated patch management process.
A number of third-party antivirus applications are supported for the IPCC system. For a list of applications and versions supported on your particular release of the IPCC software, refer to the ICM platform hardware specifications and related software compatibility data listed in the Cisco Intelligent Contact Management (ICM) Bill of Materials and the Cisco CallManager product documentation (available at http://www.cisco.com).
Note Deploy only the supported applications for your environment, otherwise a software conflict might arise, especially when an application such as the Cisco Security Agent is installed on the IPCC systems. (See Cisco Security Agent.)
Antivirus applications have numerous configuration options that allow very granular control of what and how data should be scanned on a server.
With any antivirus product, configuration is a balance of scanning versus the performance of the server. The more you choose to scan, the greater the potential performance overhead. The role of the system administrator is to determine what the optimal configuration requirements will be for installing an antivirus application within a particular environment. Refer to the security best-practices guide and your particular antivirus product documentation for more detailed configuration information on an ICM environment.
The following list highlights some general best practices:
•Upgrade to the latest supported version of the third-party antivirus application. Newer versions improve scanning speed over previous versions, resulting in lower overhead on servers.
•Avoid scanning of any files accessed from remote drives (such as network mappings or UNC connections). Where possible, each of these remote machines should have its own antivirus software installed, thus keeping all scanning local. With a multi-tiered antivirus strategy, scanning across the network and adding to the network load should not be required.
•Due to the higher scanning overhead of heuristics scanning over traditional antivirus scanning, use this advanced scanning option only at key points of data entry from untrusted networks (such as email and Internet gateways).
•Real-time or on-access scanning can be enabled, but only on incoming files (when writing to disk). This is the default setting for most antivirus applications. Implementing on-access scanning on file reads will yield a higher impact on system resources than necessary in a high-performance application environment.
•While on-demand and real-time scanning of all files gives optimum protection, this configuration does have the overhead of scanning those files that cannot support malicious code (for example, ASCII text files). Cisco recommends excluding files or directories of files, in all scanning modes, that are known to present no risk to the system. Also, follow the recommendations for which specific ICM files to exclude in an ICM or IPCC implementation, as provided in the Security Best Practices for Cisco Intelligent Contact Management Software available at
•Schedule regular disk scans only during low usage times and at times when application activity is lowest. To determine when application purge activity is scheduled, refer to the Security Best Practices guides listed in the previous item.
Guidelines for configuring antivirus applications for Cisco CallManager are available at the following locations:
Cisco Security Agent
Cisco Security Agent provides threat protection for servers, also known as endpoints. It identifies and prevents malicious behavior, thereby eliminating known and unknown ("day zero") security risks and helping to reduce operational costs. The Cisco Security Agent aggregates and extends multiple endpoint security functions by providing host intrusion prevention, distributed firewall capabilities, malicious mobile code protection, operating system integrity assurance, and audit log consolidation, all within a single product.
Unlike antivirus applications, Cisco Security Agent analyzes behavior rather than relying on signature matching, but both remain critical components to a multi-layered approach to host security. Cisco Security Agent should not be considered a substitute for antivirus applications.
Deploying Cisco Security Agent agents on IPCC components involves obtaining a number of application-compatible agents and implementing them according to the desired mode.
Support for Standalone Agents and Managed Agents
The Cisco Security Agent can be deployed in two modes.
•Standalone mode — A standalone agent can be obtained directly from the Cisco Software Center for each voice application and can be implemented without communication capability to a central Cisco Security Agent Management Center (MC).
•Managed mode — An XML export file specific to the agent and compatible with each voice application in the deployed solution, can be downloaded from the same location and imported into an existing CiscoWorks Management Center for Cisco Security Agents, part of the CiscoWorks VPN/Security Management Solution (VMS) bundle.
The advanced CiscoWorks Management Center for Cisco Security Agents incorporates all management functions for agents in core management software that provides a centralized means of defining and distributing policies, providing software updates, and maintaining communications to the agents. Its role-based, web browser "manage from anywhere" access makes it easy for administrators to control thousands of agents per MC. Features include:
•Cisco ICM, IPCC Enterprise, and Internet Service Node (ISN) Agents, available at
•Other agents, available at
Third-Party Applications Dependencies
Cisco Security Agent can reside on the same server with only those supported applications listed in the Cisco Intelligent Contact Management (ICM) Bill of Materials or the installation guides for the Cisco Security Agent you are installing.
For more details on the installation of Cisco ICM agents, refer to Installing Cisco Security Agent for Cisco Intelligent Contact Management Software, available at
Firewalls and IPSec
Deploying the application in an environment where firewalls are in place requires the network administrator to be knowledgeable of which TCP/UDP IP ports are used. For an inventory of all the ports used across the contact center suite of applications for the most widely deployed versions of Cisco products, refer to the Cisco Contact Center Product Port Utilization Guides available at
Note Outbound Option Dialers and Cisco CallManager servers must not be segmented through a PIX firewall. For details, refer to the Release Notes for the Cisco Secure PIX Firewall, available at http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_release_notes_list.html.
IPSec and NAT
Support for IP Security (IPSec) in Tunnel Mode
Due to increased security concerns in the deployment of data and voice networks alike, ICM and IPCC Enterprise deployments now add support for IPSec between Central Controller sites and remote Peripheral Gateway (PG) sites as well as between call control servers and agent desktops. This secure network implementation implies a distributed model with the WAN connection secured via IPSec tunnels. The testing undertaken in this release was limited to configuration of Cisco IOS™ IPSec in Tunnel Mode, which means that only the Cisco IP Routers (IPSec peers) between the two sites were part of the secure channel establishment. All data traffic is encrypted across the WAN link but unencrypted on the local area networks. In tunnel mode, traffic flow confidentiality is ensured between IPSec peers which, in this case, are the IOS Routers connecting a central site to a remote site.
The qualified specifications for the IPSec configuration are as follow:
•HMAC-SHA1 Authentication (ESP-SHA-HMAC)
•3DES Encryption (ESP-3DES)
Cisco recommends that you use hardware encryption to avoid a significant increase in IP Router CPU overhead and throughput impact. There are also some latency implications, so it is important to size the network infrastructure (network hardware and physical links) accordingly. There are also considerations that must be taken into account for QoS networks. The common recommendation is to classify and apply QoS features based on packet header information before traffic is tunnel encapsulated and/or encrypted.
More detailed information on Cisco IOS IPSec functionality is available at
Support for Network Address Translation (NAT)
IPCC Release 6.0(0) officially adds support for deployment of Agent Desktops and IP Phones (IPCC) across NAT. Cisco has also tested locating remote Peripheral Gateway (PG) servers on a NAT network remote from the Central Controller servers (Routers and Loggers). The qualification of NAT support for Agent Desktops and PG servers was limited to a network infrastructure implementing Cisco IP Routers with NAT functionality.
Cisco IOS™ Network Address Translation (NAT) is a mechanism for conserving registered IP addresses in large networks and simplifying IP address management tasks. As its name implies, Cisco IOS NAT translates IP addresses within private "internal" networks to "legal" IP addresses for transport over public "external" networks (such as the Internet). Incoming traffic is translated back for delivery within the inside network.
More detailed resources on how to configure NAT are available at
More details on how to deploy IP Phones across NAT for IPCC deployments are available at
Note The IPSec NAT Transparency feature introduces support for IP Security (IPSec) traffic to travel through Network Address Translation (NAT) or Port Address Translation (PAT) points in the network by addressing many known incompatibilities between NAT and IPSec. NAT Traversal is a feature that is auto-detected by VPN devices. There are no configuration steps for a router running Cisco IOS Software Release 12.2(13)T and above. If both VPN devices are NAT-T capable, NAT Traversal is auto-detected and auto-negotiated.
Security Features in Cisco CallManager Release 4.0
When designing an IPCC solution based on Cisco CallManager Release 4.0, it is important to note that IPCC does not support device authentication for the Cisco 7940 and 7960 IP Phones. Due to the performance impact on Cisco CallManager, at this time Cisco recommends that you do not enable this feature unless you have conducted thorough performance testing based on the target environment.
Media encryption is currently supported only on the Cisco 7970 IP Phones, which are not supported in an IPCC environment. If Cisco 7970 IP Phones are deployed as part of your IPCC solution with Cisco's permission, features such as silent monitoring and recording will not be available for any agents who are equipped with this model of IP Phone.
The Cisco IP Phone device configuration in Cisco CallManager provides the ability to disable the phone's PC port as well as restricting access of a PC to the voice VLAN. Changing these default settings to disable PC access will also disable the monitoring feature of the IPCC solution. The settings are defined as follows:
–Indicates whether the PC port on the phone is enabled or disabled. The port labeled "10/100 PC" on the back of the phone connects a PC or workstation to the phone so that they can share a single network connection.
–This is a required field.
•PC Voice VLAN Access
–Indicates whether the phone will allow a device attached to the PC port to access the Voice VLAN. Disabling Voice VLAN Access will prevent the attached PC from sending and receiving data on the Voice VLAN. It will also prevent the PC from receiving data sent and received by the phone. Set this setting to Enabled if an application is being run on the PC that requires monitoring of the phone's traffic. This could include monitoring and recording applications and use of network monitoring software for analysis purposes.
–This is a required field.