Security Best Practices Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted Release 9.0 - Encryption support [Cisco Unified Contact Center Enterprise]

Contents
Encryption support
User and agent passwords
Call variables and extended call variables
Internet Script Editor and Agent Re-skilling
CTI OS C++/COM toolkit
Cisco Contact Center SNMP management service
Additional encryption
Encryption support

This chapter describes the types of encryption used in the Unified ICM system. The concepts help you to understand how encryption is used in the Unified ICM/Unified CCE environment.

User and agent passwords
Call variables and extended call variables
Internet Script Editor and Agent Re-skilling
CTI OS C++/COM toolkit
Cisco Contact Center SNMP management service
Additional encryption

User and agent passwords

Unified ICM/Unified CCE systems are highly distributed applications composed of many node and server applications. Application user and contact center agent passwords are stored in the Logger databases as well as the Distributor databases as an RSA Data Security, Inc. MD5 Message-Digest Algorithm hash. When passed from one server node to another, such as from a Peripheral Gateway to a Router, or from a Distributor to a Router or a Logger, the passwords are passed as MD5 hashes as opposed to clear text.

Call variables and extended call variables

To protect data sent in call variables or expanded call context (ECC) variables, Unified ICM relies on IPsec and the deployment of IPsec policies between servers running Windows Server 2008 R2. In a Unified CCE environment, the establishment of an IPsec channel between the Cisco Unified Communications Manager (Unified CM) and the Peripheral Gateway is also supported. The recommended integrity algorithm is SHA-1 and the encryption algorithm is 3DES. The recommended Internet Key Exchange (IKE) security algorithm is a minimum of Diffie-Hellman Group 2 for a 1024-bit key or 2048-bit key if processing power allows it.

Related Information

IPsec and NAT support

Internet Script Editor and Agent Re-skilling

Unified ICM supports, as a default on Windows Server 2008 R2, the encryption of traffic for users accessing the Unified ICM Internet Script Editor, Web Setup, and Agent Re-skilling applications so that all user logins and optionally session traffic done from a remote machine are protected from snooping. The applications that implement the Transport Layer Security (TLS) v1.0 protocol using the Open SSL libraries are HTTP based.

The Agent Re-skilling and Internet Script Editor web applications will also be deployed and enabled for 128-bit SSL encryption in IIS 6.0 as a default so that all supervisor logins, user logins, and data exchanged is protected across the network.

For more information about enabling certain Cipher Suites in IIS, see the article KB 245030.

Related Information

Cisco SSL Encryption utility

CTI OS C++/COM toolkit

The CTI OS (C++/COM toolkit) and CAD agent desktops implement TLS v1.0 protocol using the OpenSSL libraries to protect data exchanged between the agent desktop to the CTI Object Server. A Cipher suite is used for authentication, key exchange, and stream encryption. The Cipher suite is as follows:

Key exchange: Diffie-Hellman

Authentication: RSA

Encryption: AES (128)

Message digest algorithm: SHA1

Refer to the CTI OS System Manager's Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted and Cisco CAD Installation Guide for more configuration details.

Cisco Contact Center SNMP management service

Unified ICM/Unified CCE includes a Simple Network Management Protocol (SNMP v3) agent to support authentication and encryption (privacy) provided by SNMP Research International. The Cisco implementation exposes the configuration of the communication with a management station to be authenticated using the SHA-1 digest algorithms and for all SNMP messages to be encrypted using one of the following three protocols:

3DES

AES-192

AES-256

For more information, see the SNMP Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted.

Related References

SNMP hardening

Additional encryption

In addition to the various areas of application-level encryption provided in the Unified ICM suite of applications, Cisco supports the deployment of the solution across sites running Cisco IOS IPsec in Tunnel Mode with HMAC-SHA1 Authentication (ESP-SHA-HMAC) and 3DES Encryption (ESP-3DES).

Related Information

IPsec and NAT support

	Security Best Practices Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted Release 9.0
	Encryption support
Security Best Practices Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted Release 9.0 Preface Encryption support IPsec and NAT support IPsec with Network Isolation Utility Windows Server 2008 R2 firewall configuration Cisco Unified Contact Center Security Wizard Microsoft Windows SQL Server Hardening Cisco SSL Encryption utility Network Access Protection Microsoft Baseline Security Analyzer Auditing General antivirus guidelines and recommendations Remote administration Additional security best practices Index	Download this chapter Encryption support Download the complete book Security Best Practices Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted Release 9.0 (PDF - 4 MB) Feedback Contents Encryption support User and agent passwords Call variables and extended call variables Internet Script Editor and Agent Re-skilling CTI OS C++/COM toolkit Cisco Contact Center SNMP management service Additional encryption Encryption support This chapter describes the types of encryption used in the Unified ICM system. The concepts help you to understand how encryption is used in the Unified ICM/Unified CCE environment. User and agent passwords Call variables and extended call variables Internet Script Editor and Agent Re-skilling CTI OS C++/COM toolkit Cisco Contact Center SNMP management service Additional encryption User and agent passwords Unified ICM/Unified CCE systems are highly distributed applications composed of many node and server applications. Application user and contact center agent passwords are stored in the Logger databases as well as the Distributor databases as an RSA Data Security, Inc. MD5 Message-Digest Algorithm hash. When passed from one server node to another, such as from a Peripheral Gateway to a Router, or from a Distributor to a Router or a Logger, the passwords are passed as MD5 hashes as opposed to clear text. Call variables and extended call variables To protect data sent in call variables or expanded call context (ECC) variables, Unified ICM relies on IPsec and the deployment of IPsec policies between servers running Windows Server 2008 R2. In a Unified CCE environment, the establishment of an IPsec channel between the Cisco Unified Communications Manager (Unified CM) and the Peripheral Gateway is also supported. The recommended integrity algorithm is SHA-1 and the encryption algorithm is 3DES. The recommended Internet Key Exchange (IKE) security algorithm is a minimum of Diffie-Hellman Group 2 for a 1024-bit key or 2048-bit key if processing power allows it. Related Information IPsec and NAT support Internet Script Editor and Agent Re-skilling Unified ICM supports, as a default on Windows Server 2008 R2, the encryption of traffic for users accessing the Unified ICM Internet Script Editor, Web Setup, and Agent Re-skilling applications so that all user logins and optionally session traffic done from a remote machine are protected from snooping. The applications that implement the Transport Layer Security (TLS) v1.0 protocol using the Open SSL libraries are HTTP based. The Agent Re-skilling and Internet Script Editor web applications will also be deployed and enabled for 128-bit SSL encryption in IIS 6.0 as a default so that all supervisor logins, user logins, and data exchanged is protected across the network. For more information about enabling certain Cipher Suites in IIS, see the article KB 245030. Related Information Cisco SSL Encryption utility CTI OS C++/COM toolkit The CTI OS (C++/COM toolkit) and CAD agent desktops implement TLS v1.0 protocol using the OpenSSL libraries to protect data exchanged between the agent desktop to the CTI Object Server. A Cipher suite is used for authentication, key exchange, and stream encryption. The Cipher suite is as follows: Key exchange: Diffie-Hellman Authentication: RSA Encryption: AES (128) Message digest algorithm: SHA1 Refer to the CTI OS System Manager's Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted and Cisco CAD Installation Guide for more configuration details. Cisco Contact Center SNMP management service Unified ICM/Unified CCE includes a Simple Network Management Protocol (SNMP v3) agent to support authentication and encryption (privacy) provided by SNMP Research International. The Cisco implementation exposes the configuration of the communication with a management station to be authenticated using the SHA-1 digest algorithms and for all SNMP messages to be encrypted using one of the following three protocols: 3DES AES-192 AES-256 For more information, see the SNMP Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted. Related References SNMP hardening Additional encryption In addition to the various areas of application-level encryption provided in the Unified ICM suite of applications, Cisco supports the deployment of the solution across sites running Cisco IOS IPsec in Tunnel Mode with HMAC-SHA1 Authentication (ESP-SHA-HMAC) and 3DES Encryption (ESP-3DES). Related Information IPsec and NAT support
	Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks