Installation Planning Guide for Cisco Unified MeetingPlace Release 5.3
Establishing Safety and Security for the Cisco Unified MeetingPlace System

Establishing Safety and Security for the Cisco Unified MeetingPlace System


As with your other enterprise-wide resources (such as network, e-mail, and voice mail), security is an important issue when installing and configuring Cisco Unified MeetingPlace. Potential threats are posed by outside parties, former employees, and even current employees. As you plan for the security of your system, also consider its overall ease of use.

This chapter describes the following topics:

Safety Instructions and Requirements

Best Practices for Security

Worksheet 4-1  Security Parameters

Safety Instructions and Requirements

Areas of security to consider include:

Unauthorized entrance to legitimate meetings

Scheduling and participation in unauthorized meetings

Outdialing abuse and toll fraud

Unauthorized access to system configuration and parameters through the system manager profile

In addition to the security parameters in the Cisco Unified MeetingPlace system, your organization can adopt several "best practices" (described in the "Best Practices for Security" section) to greatly enhance security. A Cisco NCE will discuss Cisco Unified MeetingPlace security with you and help you configure the system and develop best practices to ensure a secure conferencing environment.

Best Practices for Security

Use the following guidelines as you establish and maintain security for your system.

Write and implement a policy regarding user and group profiles, including the security parameter settings from the table in Worksheet 4-1  Security Parameters.

Keep the number of user profiles with system manager permissions to a minimum. Use longer IDs and passwords for these accounts and change them more frequently.

If possible, automate the process of adding and deleting user profiles by installing Cisco Unified MeetingPlace Directory Services or manually scripting these actions from your organization's human resources database. Either action ensures that terminated employees' profiles are deleted or deactivated. Your Cisco Unified MeetingPlace support organization can provide further information on both these options.

If you cannot automate the profile process, write and strictly follow a program of regular, frequent additions and deletions based on information from your organization's human resources group. It is particularly important that user profiles for terminated employees be quickly deactivated or deleted.

Determine a system of profile numbers that are not easy to guess, but also not difficult for your users to remember. For example, because telephone extensions can often be easily guessed, add a prefix. Employee IDs can also be used as long as they are not vulnerable to a random attack. For security purposes, we recommend selecting profile numbers that include at least seven digits.

Make sure the default profile password cannot be easily guessed, and be sure that users change it quickly. Run regular periodic reports to determine which profile passwords have not been changed from the default and respond by either contacting the user, changing the password, or deactivating or deleting the profile.
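One way to script the profile reconciliation and default-password review described in the three guidelines above, as an added example that is not part of the Cisco guide. The CSV column names and sample rows are constructed assumptions, and the output is a worklist for an administrator, not a call into MeetingPlace.

```python
import csv
import io

# Constructed sample exports. Column names are assumptions for illustration,
# not a MeetingPlace or HR system format.
HR_CSV = """employee_id,status
1001,active
1002,terminated
1003,active
"""
PROFILES_CSV = """profile_number,employee_id,system_manager,pwd_changed
4151001,1001,no,yes
4151002,1002,no,yes
4151003,1003,yes,no
4151999,1999,no,no
"""


def load(text, key):
    """Index the rows of a CSV export by the given column."""
    return {row[key]: row for row in csv.DictReader(io.StringIO(text))}


def reconcile(hr_text, profiles_text):
    """Compare conferencing profiles with the HR roster and build a worklist."""
    hr = load(hr_text, "employee_id")
    actions = {"deactivate": [], "default_password": [], "system_managers": []}
    for number, profile in load(profiles_text, "profile_number").items():
        person = hr.get(profile["employee_id"])
        # Terminated employees and profiles with no HR record are both removed.
        if person is None or person["status"] != "active":
            actions["deactivate"].append(number)
            continue
        # Still on the default password: contact the user or reset it.
        if profile["pwd_changed"] == "no":
            actions["default_password"].append(number)
        # Keep the system manager list short and reviewed.
        if profile["system_manager"] == "yes":
            actions["system_managers"].append(number)
    return actions


if __name__ == "__main__":
    for action, numbers in reconcile(HR_CSV, PROFILES_CSV).items():
        print(action, numbers)
```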

Write and communicate a policy regarding profile passwords so that users do not select trivial passwords. For example, have users refrain from creating passwords that contain repeated or consecutive digits.
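The profile-number and password guidance above can be checked when a profile is provisioned or a password is chosen. This added example (not Cisco code) assumes profile passwords are digit strings; the run threshold of three digits and the sample extensions are assumptions.

```python
# Thresholds come from this page unless marked ASSUMPTION.
MIN_PROFILE_PWD_LEN = 6     # worksheet default, "Min profile pwd length"
MIN_PROFILE_NUM_DIGITS = 7  # "at least seven digits"
RUN_LIMIT = 3               # ASSUMPTION: runs of 3+ digits count as trivial


def longest_runs(digits):
    """Return (longest repeated run, longest consecutive run) for a digit string."""
    best_rep = best_seq = rep = seq = 1 if digits else 0
    step = 0
    for prev, cur in zip(digits, digits[1:]):
        diff = int(cur) - int(prev)
        rep = rep + 1 if diff == 0 else 1
        if diff in (1, -1):
            # Extend only while the run keeps its direction (1234 or 4321).
            seq = seq + 1 if diff == step else 2
        else:
            seq = 1
        step = diff
        best_rep, best_seq = max(best_rep, rep), max(best_seq, seq)
    return best_rep, best_seq


def password_issues(pwd, min_len=MIN_PROFILE_PWD_LEN):
    """Violations for a candidate profile password (assumed digits only)."""
    if not (pwd.isascii() and pwd.isdigit()):
        return ["not numeric"]
    issues = []
    if len(pwd) < min_len:
        issues.append(f"shorter than {min_len} digits")
    rep, seq = longest_runs(pwd)
    if rep >= RUN_LIMIT:
        issues.append(f"{rep} repeated digits")
    if seq >= RUN_LIMIT:
        issues.append(f"{seq} consecutive digits")
    return issues


def profile_number_issues(number, extensions):
    """Violations for a profile number; extensions = known phone extensions."""
    issues = []
    if not number.isdigit() or len(number) < MIN_PROFILE_NUM_DIGITS:
        issues.append(f"fewer than {MIN_PROFILE_NUM_DIGITS} digits")
    if number in extensions:
        issues.append("same as a telephone extension")
    return issues


if __name__ == "__main__":
    extensions = {"5501", "5502"}  # constructed sample data
    for number, pwd in [("4155501", "482915"), ("5501", "123456")]:
        print(number, profile_number_issues(number, extensions) + password_issues(pwd))
```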

Provide tips to the end-user community regarding how to secure their meetings. Meeting security features include unique meeting IDs, non-trivial meeting IDs, announced entry, meeting passwords, attendance restrictions, locking meetings, deleting unwanted participants, and roll call.

Write and implement a policy of regular system monitoring for undesired access. Reports and alarms are the primary instruments for such monitoring.

Plan your responses to different types of unauthorized access. In particular, determine any changes you will make to Cisco Unified MeetingPlace Audio Server security parameters, other system access (such as changing phone numbers), and procedural changes you might make in your organization.

Keep Cisco Unified MeetingPlace Audio Server behind a firewall in a protected part of the network. There is no need to access the system directly from outside.

Make sure the TCP port used by MeetingTime (port 5001) is blocked at the firewall. Cisco does not recommend allowing Internet access using MeetingTime.

Consider installing SSH on the Cisco Unified MeetingPlace 8106 or 8112 and disabling the use of Telnet. Note that SSH is installed separately from the base software release to comply with export regulations.

Consider disabling SNMP queries on Cisco Unified MeetingPlace Audio Server. Note that SNMP traps, indicating alarm conditions, can still be generated even if queries are disabled.

Make sure the technician ("tech") command line password has been changed from the factory default (username = admin; password = cisco).

Consider upgrading the various integration application products to use GWSIM 5.0 or higher, particularly those that are placed outside the protected part of the network. GWSIM 5.0 uses an encrypted data stream to communicate with Cisco Unified MeetingPlace Audio Server. It can also communicate with the server using a data stream originating from the server, thus requiring fewer holes in the firewall.

Worksheet 4-1  Security Parameters

The following worksheet shows the security parameters that are available to help you secure your system. For more information on planning for security.

Unless "via phone" or a specific tab is mentioned, all parameters are located in the Configure tab in MeetingTime.

| Parameter | Description | Location | Options | Default |
|---|---|---|---|---|
| **System Access** | | | | |
| Min profile pwd length | Minimum length for a profile password | Usage parameters | 0-11 | 6 |
| Change profile pwd (days) | Frequency at which a profile password must be changed | Usage parameters | 0-3650 | 90 |
| Min user pwd length | Minimum length for a user password | Usage parameters | 0-11 | 5 |
| Change user pwd | Frequency at which a user password must be changed | Usage parameters | 0-3650 | 90 |
| Max profile login attempts | Number of attempts to log into a profile before the profile is locked | Usage parameters | 0-32767 | 3 |
| **Meeting Scheduling and Setup** | | | | |
| Allow vanity mtg IDs? | Whether users are allowed to assign custom meeting IDs to the meetings they schedule | System parameters | Yes/No | Yes |
| Minimum mtg ID length | Minimum length for meeting IDs | Scheduling parameters | 1-9 | 4 |
| Min meeting pwd length | Minimum length for meeting passwords | Usage parameters | 0-11 | 0 |
| Password required? | Requires user to establish a password when scheduling | User Profiles and User Groups | Yes/No | No |
| Display mtg to everyone? | Restricts who can see meetings scheduled by this user. (Yes lets anyone see meetings scheduled by this user from the Browse Meetings link in Cisco Unified MeetingPlace Web or on the MeetingTime reception board. Value can be changed by meeting when users schedule meetings.) | User Profiles and User Groups | Yes/No | No |
| Allow guest outdial? | Whether guests are given outdial privileges. (Yes allows the system to outdial guest users when they click the Join Voice Conference button from the Web. Meeting schedulers can change the value by meeting only if the Can Schedule Guest Outdial Mtgs parameter is Yes in their profile.) | User Profiles and User Groups | Yes/No | No |
| Scheduling restrictions | Whether users can schedule meetings. ("Near Term Mtg Limit" value determines how many meetings users can schedule in six hours.) | User Profiles and User Groups | Unrestricted/Cannot Schedule/Near Term Mtg Limit | Unrestricted |
| **Meeting Access** | | | | |
| Can schedule guest outdial mtgs? | Whether users can schedule meetings that allow guests to join the voice conference over the Web. (Yes lets users change the Allow Guest Outdial in Mtgs parameter per meeting.) | User Profiles and User Groups | Yes/No | Yes |
| Entry announcement | Announces meeting participants as they enter the meeting. (Beep+Name requires all guests to record their name before entering meetings. Guests who enter without identifying themselves should be asked for identification by other participants.) | User Profiles and User Groups | Beep only/Beep+Name/None | Beep+Name |
| Allow Internet access? | Applies when the Cisco Unified MeetingPlace system is configured with a web-conferencing server in the DMZ and another behind the DMZ. When Yes, the Web portion of the meeting is held on the server in the DMZ and can be accessed by anyone. When No, the Web portion of the meeting is held on the server behind the DMZ and can be accessed only by users on the company's intranet. | User Profiles and User Groups | Yes/No | No |