Installation Planning Guide for Cisco Unified MeetingPlace Release 6.x
Establishing Safety and Security for the Cisco Unified MeetingPlace System
Downloads: This chapterpdf (PDF - 353.0KB) The complete bookPDF (PDF - 4.56MB) | Feedback

Establishing Safety and Security for the Cisco Unified MeetingPlace System

Table Of Contents

Establishing Safety and Security for the Cisco Unified MeetingPlace System

Safety Instructions and Requirements

Best Practices for Security

Worksheet 4-1: Security Parameters


Establishing Safety and Security for the Cisco Unified MeetingPlace System


As with your other enterprisewide resources (such as network, e-mail, and voice mail), security is an important issue when installing and configuring Cisco Unified MeetingPlace. Potential threats are posed by outside parties, former employees, and even current employees. As you plan for the security of your system, also consider its overall ease of use.

This chapter contains the following sections:

Safety Instructions and Requirements

Best Practices for Security

Worksheet 4-1: Security Parameters

Safety Instructions and Requirements

Areas of security to consider include:

Unauthorized entrance to legitimate meetings.

Scheduling and participation in unauthorized meetings.

Outdialing abuse and toll fraud.

Unauthorized access to system configuration and parameters through the system manager profile.

In addition to the security parameters in the Cisco Unified MeetingPlace system, your organization can adopt several best practices (described in the next section, "Best Practices for Security") to greatly enhance security. Your certified installation partner or Cisco Advanced Services representative will describe Cisco Unified MeetingPlace security to you and help you configure the system and develop best practices to ensure a secure conferencing environment.

Best Practices for Security

Use the following guidelines as you establish and maintain security for the system:

Write and implement a policy regarding user and group profiles, including the security parameter settings from the table in Worksheet 4-1: Security Parameters.

Keep the number of user profiles with system manager permissions to a minimum. Use longer IDs and passwords for these accounts and change them more frequently.

If possible, automate the process of adding and deleting user profiles by installing Cisco Unified MeetingPlace Directory Services or manually scripting these actions from your organization's human resources database. Either action ensures that terminated employees' profiles are deleted or deactivated. Your Cisco Unified MeetingPlace support organization can provide further information on both these options.

If you cannot automate the profile process, write and strictly follow a program of regular, frequent additions and deletions based on information from your organization's human resources group. It is particularly important that user profiles for terminated employees be quickly deactivated or deleted.

Determine a system of profile numbers that are not easy to guess, but also not difficult for your users to remember. For example, because phone extensions can often be easily guessed, add a prefix. Employee IDs can also be used as long as they are not vulnerable to a random attack. For security purposes, we recommend selecting profile numbers that include at least seven digits.

Make sure the default profile password cannot be easily guessed, and be sure that users change it quickly. Run regular periodic reports to determine which profile passwords have not been changed from the default and respond by either contacting the user, changing the password, or deactivating or deleting the profile.

Write and communicate a policy regarding profile passwords so that users do not select trivial passwords. For example, have users refrain from creating passwords that contain repeated or consecutive digits.

Provide tips to the end-user community regarding how to secure their meetings. Meeting security features include unique meeting IDs, non-trivial meeting IDs, announced entry, meeting passwords, attendance restrictions, locking meetings, deleting unwanted participants, and roll call.

Write and implement a policy of regular system monitoring for undesired access. Reports and alarms are the primary instruments for such monitoring.

Plan your responses to different types of unauthorized access. In particular, determine any changes you will make to Cisco Unified MeetingPlace Audio Server security parameters, other system access (such as changing phone numbers), and procedural changes you might make in your organization.

Keep Cisco Unified MeetingPlace Audio Server behind a firewall in a protected part of the network. There is no need to access the system directly from outside.

Make sure the TCP port used by MeetingTime (port 5001) is blocked at the firewall. Cisco does not recommend allowing Internet access using MeetingTime.

Consider installing SSH on the Cisco Unified MeetingPlace 8106 or 8112 and disabling the use of Telnet. Note that SSH is installed separately from the base software release to comply with export regulations.

Consider disabling SNMP queries on Cisco Unified MeetingPlace Audio Server. Note that SNMP traps, indicating alarm conditions, can still be generated even if queries are disabled.

Make sure the technician ("tech") command line password has been changed from the factory default (username = admin; password = cisco).

Consider upgrading the various integration application products to use GWSIM 5.0 or higher, particularly those that are placed outside the protected part of the network. GWSIM 5.0 uses an encrypted data stream to communicate with Cisco Unified MeetingPlace Audio Server. It can also communicate with the server using a data stream originating from the server, thus requiring fewer holes in the firewall.

Worksheet 4-1: Security Parameters

This worksheet shows the security parameters that are available to help you secure the system.

Unless "via phone" or a specific tab is mentioned, all parameters are located in the Configure tab in MeetingTime.

Parameter
Description
Location
Options
Default
System Access

Min profile pwd length

Minimum length for a profile password

Usage parameters

0-11

6

Change profile pwd (days)

Frequency at which a profile password must be changed

Usage parameters

0-3650

90

Min user pwd length

Minimum length for a user password

Usage parameters

0-11

5

Change user pwd

Frequency at which a user password must be changed

Usage parameters

0-3650

90

Max profile login attempts

Number of attempts to log into a profile before the profile is locked

Usage parameters

0-32767

3

Meeting Scheduling and Setup

Allow vanity mtg IDs?

Whether users are allowed to assign customer meeting IDs to the meetings they schedule

System parameters

Yes/No

Yes

Minimum mtg ID length

Minimum length for meeting IDs

Scheduling parameters

1-9

4

Min meeting pwd length

Minimum length for meeting passwords

Usage parameters

0-11

0

Password required?

Requires user to establish a password when scheduling

User Profiles and
User Groups

Yes/No

No

Display mtg to everyone?

Restricts who can see meetings scheduled by this user

(Yes lets anyone see meetings scheduled by this user from Browse Meetings link in Cisco Unified MeetingPlace Web Conferencing or on MeetingTime reception board. Value can be changed by meeting when users schedule meetings.)

User Profiles and
User Groups

Yes/No

No

Allow guest outdial?

Whether guests are given outdial privileges

(Yes allows the system to outdial guest users when they click Join Voice Conference button from the web. Meeting schedulers can change value by meeting only if Can Schedule Guest Outdial Mtgs parameter is Yes in their profile.)

User Profiles and
User Groups

Yes/No

No

Scheduling restrictions

Whether users can schedule meetings

("Near Term Mtg Limit" value determines how many meetings users can schedule in six hours.)

User Profiles and
User Groups

Unrestricted/Cannot Schedule/
Near Term Mtg Limit

Unrestricted

Meeting Access

Can schedule guest outdial mtgs?

Whether users can schedule meetings that allow guests to join the voice conference over the Web.

(Yes lets users change the Allow Guest Outdial in Mtgs parameter per meeting.)

User Profiles and
User Groups

Yes/No

Yes

Entry announcement

Announces meeting participants as they enter meeting

(Beep+Name requires all guests to record their name before entering meetings. Guests who enter without identifying themselves should be asked for identification by other participants.)

User Profiles and
User Groups

Beep only/
Beep+Name/None

Beep+
Name

Allow Internet access?

When the Cisco Unified MeetingPlace system is configured with a Web Conferencing server in the DMZ and another behind the DMZ. When Yes, the web portion of the meeting is held on the server in the DMZ and can be accessed by anyone. When No, the web portion of the meeting is held on the server behind the DMZ and can be accessed only by users on the company's intranet.

User Profiles and
User Groups

Yes/No

No