Secure Unified Communications

IP Telephony Security Operations Guide to Best Practices

Table Of Contents

Best Practices Guide

Introduction

Security Maintenance

Operating System and Third-Party Service Pack Updates

Network Systems

Security Monitor

Intrusion Detection Systems


Best Practices Guide


Cisco Systems Advanced Services
IP Telephony Security Operations

Introduction

Once all your security measures are in place, you need to maintain the systems. The goal of security operations is to maintain a high level of security and to monitor the systems for attacks. Security attacks continue to evolve and the attackers find more sophisticated ways of attacking systems. This threat requires that your systems continue to be updated to address new vulnerabilities. The best way to combat these changing attacks is to deploy system and application patches. The information on newly discovered security vulnerabilities can spread quickly. It is critical to join patch notification aliases/tools, so that the appropriate measures can be quickly implemented. Your patch management process should follow or be a subset of your change-management process.

Monitoring your systems through operating-system and applications logs can provide notification of an attack. Monitoring requires that the logs be baselined or normalized according to your traffic and checked regularly. Logs can be created by the switches, routers, firewalls, operating system, and application. The more frequently you check and better understand normal log entries, the more likely you are to catch an attack on the system.
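As an added example (not part of the original guide), the following Python script shows the baselining approach just described: it counts Cisco-style syslog messages per device and message type over several normal days, then flags a new day's counts that exceed that baseline, and any device/message pair the baseline never contained. The host names and log lines are constructed sample data.

```python
"""Baseline-and-deviation check over Cisco-style syslog lines.

Added example; not from the original guide. All log lines are constructed.
"""
import re
from collections import Counter
from statistics import mean, pstdev

# Facility-severity-mnemonic token in IOS/PIX syslog, e.g. "%SEC-6-IPACCESSLOGP"
MNEMONIC_RE = re.compile(r"%([A-Z0-9_]+-\d-[A-Z0-9_]+)")
# "Mon DD hh:mm:ss host ..." prefix; captures the device name
HOST_RE = re.compile(r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+(\S+)\s")


def parse_line(line):
    """Return (host, mnemonic) for one syslog line, or None if it does not match."""
    host = HOST_RE.match(line)
    mnemonic = MNEMONIC_RE.search(line)
    if not host or not mnemonic:
        return None
    return (host.group(1), mnemonic.group(1))


def count_events(lines):
    """Count (host, mnemonic) pairs within one monitoring window (e.g. one day)."""
    counts = Counter()
    for line in lines:
        key = parse_line(line)
        if key:
            counts[key] += 1
    return counts


def build_baseline(windows):
    """Mean and population std-dev per (host, mnemonic) across normal windows.
    A key missing from a window counts as zero for that window."""
    per_window = [count_events(w) for w in windows]
    keys = set().union(*per_window)
    baseline = {}
    for key in keys:
        series = [c.get(key, 0) for c in per_window]
        baseline[key] = (mean(series), pstdev(series))
    return baseline


def find_deviations(baseline, lines, z_threshold=3.0, min_abs=5):
    """Flag keys whose count exceeds mean + z_threshold * std-dev (std-dev floored
    at 1 so near-constant keys do not fire on one extra line) and grew by at
    least min_abs events, plus any key never seen in the baseline."""
    observed = count_events(lines)
    findings = []
    for key, n in observed.items():
        if key not in baseline:
            findings.append((key, n, "never seen in baseline"))
            continue
        mu, sigma = baseline[key]
        if n - mu >= min_abs and n > mu + z_threshold * max(sigma, 1.0):
            findings.append((key, n, f"baseline {mu:.1f} +/- {sigma:.1f}"))
    return sorted(findings)


def make_window(day, spec):
    """Construct sample syslog lines for one day from {(host, mnemonic): count}."""
    lines = []
    for (host, mnemonic), n in spec.items():
        for i in range(n):
            lines.append(f"Jan {day:2d} 0{i % 10}:00:{i % 60:02d} {host} "
                         f"%{mnemonic}: constructed sample event {i}")
    return lines


# Three "normal" days of constructed traffic from a core switch and a voice firewall.
ACL = ("sw-core01", "SEC-6-IPACCESSLOGP")
FW = ("fw-voice01", "PIX-4-106023")
CFG = ("sw-core01", "SYS-5-CONFIG_I")
BASELINE_WINDOWS = [
    make_window(10, {ACL: 40, FW: 12, CFG: 1}),
    make_window(11, {ACL: 45, FW: 15, CFG: 0}),
    make_window(12, {ACL: 38, FW: 11, CFG: 1}),
]
# The day under review: firewall denies spike, and a voice gateway reports
# login failures that never appeared in the baseline.
TODAY = make_window(13, {ACL: 41, FW: 90, CFG: 1,
                         ("vg-pstn01", "SEC_LOGIN-4-LOGIN_FAILED"): 25})

if __name__ == "__main__":
    for key, n, reason in find_deviations(build_baseline(BASELINE_WINDOWS), TODAY):
        print(f"{key[0]} {key[1]}: {n} events ({reason})")
```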

Security Maintenance

IP telephony maintenance primarily involves the following tasks:

Keeping up-to-date with operating system and third-party service packs to eliminate well-known security holes

Implementing critical support patches on servers and Cisco® devices when appropriate

Subscribing to mailing lists that publicize urgent vulnerabilities and critical patches

Updating anti-virus definitions to protect against well-known worms and viruses

Performing daily backups of servers with periodic data recovery tests

Operating System and Third-Party Service Pack Updates

Unfortunately, viruses, worms, and denial-of-service attacks are part of daily computing life. We hear of, and experience, the proliferation of Smurf, Code Red, Nimda, SQL Slammer, Blaster, Nachi, Sobig, or the virus du jour far too often. Anti-virus and intrusion detection systems go a long way toward protecting us against these attacks, but the best way to mitigate them is to keep the operating system up to date.

Cisco CallManager and Voice Application Operating System and Third-Party Service Pack Updates

Cisco CallManager, Customer Response Services, Cisco IP Interactive Voice Response (IVR), Cisco IP Contact Center (IPCC) Express, Cisco Personal Assistant, Cisco Emergency Responder, Cisco Conference Connection, and Internet Service Node require operating system, SQL, and third-party service packs that have been certified by Cisco Systems®. Installation of non-certified service packs can cause system problems.

Cisco wraps the Important, Moderate, and Low-severity security patches, as classified by Microsoft or the third-party vendor, into an operating system support patch, along with any Critical patches that were posted individually. Cisco tests and then posts the support patch on the third Tuesday of each month. Any support patch that is obsolete because a more current patch is on Cisco.com will be removed. The support patches and associated README files can be found on Cisco.com at:

http://www.cisco.com/pcgi-bin/tablebuild.pl/cmva-3des

The "Cisco IP Telephony Operating System, SQL Server, Security Updates" document should be reviewed prior to installing any patches. The document lists the latest support patch, the order in which they are applied, and the supported products. This document can be found on Cisco.com at:

http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/osbios.htm

The voice application servers should have cumulative service releases applied on a regular basis. Because each service release requires a reboot of the voice application server, Cisco recommends that the security patches be applied during maintenance windows and follow your standard change control process.

Critical Support Patches and Notification

Cisco monitors a variety of security alert services. Any new security vulnerability deemed critical or Severity 1 is fixed, tested, and posted to www.cisco.com within 24 hours. All other identified vulnerabilities that could impact Cisco CallManager are combined into a monthly operating system patch.


Note: Microsoft posts many patches that do not apply to Cisco CallManager, such as those for Windows 95/98 or Office suite products. Those patches are not incorporated into operating system builds. More information about the Security Patch and Hotfix Policy can be found at:


http://www.cisco.com/application/pdf/en/us/guest/products/ps556/c1167/ccmigration_09186a0080157c73.pdf

Cisco Unity Operating System and Third-Party Service Packs

Microsoft frequently provides updates for Windows 2000, Exchange, SQL Server 2000/MSDE 2000, Internet Explorer, and Microsoft Internet Information Server (IIS). These updates (referred to by a variety of names, including security updates, critical updates, patches, and hot fixes) are limited to changes that fix specific problems. They do not include general defect fixes or new functionality. The Cisco technical assistance center (TAC) provides support for a Cisco Unity™ software system on which these updates have been installed.

Microsoft also occasionally releases service packs, which contain fixes generated since the general product release, including most fixes that were released as updates. Because the service pack scope is broad, each service pack must be thoroughly tested to ensure that changes do not adversely affect Cisco Unity. Cisco TAC does not support new service packs until they have been qualified for use with Cisco Unity. The "Cisco Unity Compatibility Matrix: Required and Recommended Third-Party Service Packs" can be found on Cisco.com at:

http://www.cisco.com/en/US/partner/products/sw/voicesw/ps2237/prod_pre_installation_guide09186a00801245c3.html#37553

Do not install a service pack that has not been qualified. Cisco TAC will not help you resolve problems until you uninstall it.


Note: Before installing any qualified service pack or update on the Cisco Unity server or on the Cisco Unity Bridge server, confirm that the manufacturer of any optional third-party software or hardware that you plan to install on the server—or that is already installed—also supports the service pack for use with its product. Cisco expects that customers (or their systems integration partners) will have tested the interoperability of such products with Cisco Unity before the products are deployed, to mitigate the risk of problems being discovered within the production environment between Cisco Unity and the third-party products loaded on the server.


For information on which service packs have been qualified for use with Cisco Unity, refer to "Cisco Unity System Requirements, and Supported Hardware and Software," available on Cisco.com at

http://www.cisco.com/univercd/cc/td/doc/product/voice/c_unity/sysreq/index.htm

Support Policy for Windows Automatic Update

Windows Automatic Update (WAU) is supported on Cisco Unity software version 4.0(x) and later server and on a Cisco Unity Bridge 2.1(x) and later server when the option "Notify Me Before Downloading Any Updates and Notify Me Again Before Installing Them on My Computer" is selected. (Note that if Cisco Unity Platform Configuration discs Revision 12 or later are used to configure the platform for the Cisco Unity or Cisco Unity Bridge server, then WAU is disabled.)

Caution: Configure WAU only to check for updates, not to install updates. Most Microsoft updates can be installed on the Cisco Unity or Cisco Unity Bridge server as soon as they become available. However, Microsoft service packs must be qualified for use with Cisco Unity and the Cisco Unity Bridge, and WAU does not let you distinguish between service packs and other updates.

Most of the benefit of WAU is related to patching security vulnerabilities in Windows 2000 Server. In the Voice Messaging configuration, Cisco strongly discourages you from connecting the Cisco Unity server to the Internet only to use WAU.

Subscribing to Microsoft's Security Notification Service is recommended. This service provides information on issues, affected products, protection measures, plans for issue resolution, and links to other sources of information. The notifications cover all Microsoft products, including those used by Cisco Unity. Details on how to subscribe to the service can be found at:

http://www.microsoft.com/technet/security/bulletin/notify.asp

Cisco IPCC Express Edition Third-Party Service Pack Updates and Security Updates

Cisco IPCC Express Edition meets the needs of departmental, enterprise branch, or small to medium-sized companies planning to deploy an entry-level or mid-market contact center solution. Designed for formal and informal contact centers, Cisco IPCC Express delivers sophisticated call routing, contact management, and administration features. Cisco IPCC Express offers ease of installation, configuration, and application hosting.

Cisco IPCC Express Edition is designed to enhance the efficiency of any contact center organization by simplifying business application integration, easing agent administration, increasing agent flexibility, and providing efficiency gains in network hosting. These features reduce business costs and improve customer response for your contact center. This single-server, integrated contact-center-in-a-box gives you independence in agent location, improves agent scalability, and provides powerful automatic call distributor (ACD) features, such as conditional routing, call-in-queue and expected-wait-time messages, enterprise data displays, real-time data, and historical reporting together with integrated Interactive Voice Response (IVR) services. IPCC Express provides true integration of ACD and IVR functions and offers a single, integrated service creation environment.

The Cisco IPCC Express Edition product is based on the Cisco Customer Response Applications (CRA) platform and comprises the following components: CRA application server, Cisco CRA Editor, Cisco CRA Administration web interface, Cisco Agent Desktops (CAD) and Cisco Supervisor Desktops (CSD), Nuance Automatic Speech Recognition (ASR) server and Text-to-Speech (TTS) server, Call Statistics, Recording, and Monitoring server, Call Monitoring servers, and the Historical Reports Database server.

Installation of non-recommended Microsoft Service Packs can cause system problems. Using a different Microsoft Service Pack may impact how these products function and may have an impact with regard to Cisco's support for these products.

The hardware and software requirements for every release are available on Cisco.com at

http://www.cisco.com/en/US/partner/products/sw/custcosw/ps1846/index.html

Post-initial-deployment maintenance primarily involves the following tasks:

Apply Critical and Important Microsoft Security Updates for the operating system, IIS, and MS SQL when they are released

Maintain your anti-virus application by updating both the scan engine and virus definition files as recommended by the anti-virus vendor

Microsoft Security Updates

Microsoft issues Critical and Important Security Updates. Since customers license these products from third parties and not from Cisco, customers are responsible to monitor the availability of these updates. Cisco recommends that customers review any Critical and Important Security Updates issued for these products and assess their exposure to the vulnerability. Customers should follow Microsoft's guidelines to apply these updates to the relevant contact center systems as soon as possible.

Cisco will qualify relevant Microsoft Critical and Important Security Updates as they become available. In the unlikely event that problems are found with a particular update, customers should be prepared to back out the updates. Notices of Cisco-qualified Critical and Important Security Updates are posted to Cisco.com through field notices and/or PSIRT alerts. Due to the critical nature of these updates, Cisco recommends that customers follow the guidelines provided by Microsoft. The update may be applied in parallel with Cisco qualification efforts. Be sure that the Security Update applies to the Service Pack installed on your systems.

Customers can set up a profile to be alerted of field notice postings by going to the following link:

http://www.cisco.com/pcgi-bin/Support/FieldNoticeTool/field-notice

Once an alert is sent, users need to go to Cisco.com and look at the details of the field notice. A profile may be set up to select all Call Center products (preferred) or just individual products.


Note: This method does not push the field notice to subscribers, but does send an "Announcement" of the field notice to the subscriber.


This policy only applies to Critical and Important Security Updates. It does not apply to Microsoft Service Packs. Service Packs contain very broad ranges of fixes and updates and will need to be verified extensively by Cisco before they can be applied. For every release Cisco explicitly specifies what Service Packs are required and supported for that release.

Anti-virus Software

Cisco understands that customers require protection and monitoring of their Cisco IPCC Express system through the installation of third-party anti-virus software applications. Anti-virus software can be very taxing on system resources and, depending on how the anti-virus software is configured, can affect normal operation of Cisco software products.

Cisco tests its software products with McAfee NetShield. In order to help customers use this anti-virus software in a way that minimizes impact on system operations, detailed guidelines and recommendations are available for all products. When these guidelines and recommendations are followed, Cisco will continue to provide TAC support, but only as it relates to the customer contact business unit software components.

Cisco IPCC Express Edition

A document with anti-virus software guidelines and recommendations can be found here: http://www.cisco.com/warp/public/788/AVVID/netshield_cm_12445.pdf. Note that this document is specifically written for Cisco CallManager, but applies directly to Cisco IPCC Express Edition which uses the same hardware and operating system.

Patch Management, Software Update Services, and Tools

Microsoft provides a number of tools and resources to help manage the complex task of patch management and deployment, such as SMS, SUS, and Windows Update. Cisco does not specifically test any of these tools. Automatic updates require automatic system reboots, which can interrupt operations that are available 24 hours a day, seven days a week. Users should determine procedures appropriate to their specific environment for system updates and maintenance.

It is important to keep in mind that the majority of the contact center systems and applications do not, or should not, access or be accessible from the Internet. Therefore, if any of these tools are used, it is critical that they are properly set up and positioned in the infrastructure, with scheduling that does not affect the operation of the software. More recommendations on scheduling automated system updates can be found in the Cisco IPCC Express Edition anti-virus recommendations document previously mentioned.

Cisco IP IVR Third-Party Service Pack Updates and Security Updates

Cisco IP IVR is designed to enhance the efficiency of any organization by simplifying business integration, increasing flexibility, and providing efficiency gains in network hosting. These features reduce business costs and can dramatically improve customer satisfaction. Enabled by Cisco AVVID (Architecture for Voice, Video and Integrated Data), and tightly integrated with Cisco CallManager, the Cisco IP IVR offers ease of installation, configuration and application hosting because it is constructed specifically to exploit the power of IP-based communications.

The Cisco IP IVR is written entirely in Java and designed and constructed by Cisco to facilitate concurrent multimedia communication processing. The Cisco IP IVR architecture is open and extensible, and it allows customers to incorporate custom-developed Java classes, which enables independent developers to extend the Cisco IP IVR solution to meet unique customer business needs.

The IP IVR product is based on the Cisco Customer Response Applications (CRA) platform and comprises the following components: CRA application server, Cisco CRA Editor, Cisco CRA Administration web interface, Nuance Automatic Speech Recognition (ASR) server and Text-to-Speech (TTS) server, and the Historical Reports Database server.

Installation of non-recommended Microsoft Service Packs can cause system problems. Using a different Microsoft Service Pack may impact how these products function and may have an impact with regard to Cisco's support for these products.

The hardware and software requirements for every release are available on Cisco.com at

http://www.cisco.com/en/US/products/sw/custcosw/ps3651/index.html

Post-initial-deployment maintenance primarily involves the following tasks:

Apply Critical and Important Microsoft Security Updates for the operating system, IIS, and MS SQL when they are released

Maintain your Anti-virus application by updating both the scan engine and virus definition files as recommended by the anti-virus vendor

Microsoft Security Updates

Microsoft issues Critical and Important Security Updates. Since customers license these products from third parties and not from Cisco, customers are responsible to monitor the availability of these updates. Cisco recommends that customers review any Critical and Important Security Updates issued for these products and assess their exposure to the vulnerability. Customers should follow Microsoft's guidelines to apply these updates to the relevant contact center systems as soon as possible.

Cisco will qualify relevant Microsoft Critical and Important Security Updates as they become available. In the unlikely event that problems are found with a particular update, customers should be prepared to back out the updates. Notices of Cisco-qualified Critical and Important Security Updates are posted to Cisco.com through field notices and/or PSIRT alerts. Due to the critical nature of these updates, Cisco recommends that customers follow the guidelines provided by Microsoft. The update may be applied in parallel with Cisco qualification efforts. Be sure that the Security Update applies to the Service Pack installed on your systems.

Customers can set up a profile to be alerted of field notice postings by going to the following link:

http://www.cisco.com/pcgi-bin/Support/FieldNoticeTool/field-notice

Once an alert is sent, users need to go to Cisco.com and look at the details of the field notice. A profile may be set up to select all Call Center products (preferred) or just individual products.


Note: This method does not push the field notice to subscribers, but does send an "Announcement" of the field notice to the subscriber.


This policy only applies to Critical and Important Security Updates. It does not apply to Microsoft Service Packs. Service Packs contain very broad ranges of fixes and updates and will need to be verified extensively by Cisco before they can be applied. For every release Cisco explicitly specifies what Service Packs are required and supported for that release.

Anti-virus Software

Cisco understands that customers require protection and monitoring of their IP IVR system through the installation of third-party anti-virus software applications. Anti-virus software can be very taxing on system resources and, depending on how the anti-virus software is configured, can affect normal operation of Cisco software products.

Cisco tests its software products with McAfee NetShield. In order to help customers use this anti-virus software in a way that minimizes impact on system operations, detailed guidelines and recommendations are available for all products. When these guidelines and recommendations are followed, Cisco will continue to provide TAC support, but only as it relates to the customer contact business unit software components.

Cisco IP IVR

A document with anti-virus software guidelines and recommendations can be found here: http://www.cisco.com/warp/public/788/AVVID/netshield_cm_12445.pdf. Note that this document is specifically written for Cisco CallManager, but applies directly to IP IVR which uses the same hardware and operating system.

Patch Management, Software Update Services and Tools

Microsoft provides a number of tools and resources to help manage the complex task of patch management and deployment, such as SMS, SUS, and Windows Update. Cisco does not specifically test any of these tools. Automatic updates require automatic system reboots, which can interrupt operations that are available 24 hours a day, seven days a week. Users should determine procedures appropriate to their specific environment for system updates and maintenance.

It is important to keep in mind that the majority of the contact center systems and applications do not, or should not, access or be accessible from the Internet. Therefore, if any of these tools are used, it is critical that they are properly set up and positioned in the infrastructure, with scheduling that does not affect the operation of the software. More recommendations on scheduling automated system updates can be found in the Cisco IP IVR anti-virus recommendations document previously mentioned.

Cisco IPCC Enterprise and Cisco ICM, Third-Party Service Pack Updates and Security Updates

The Cisco Intelligent Contact Management (ICM) and IP Contact Center (IPCC) systems are highly sophisticated applications catering to mission-critical environments. These products are tested with specific Windows 2000 (older versions: Windows NT), IIS and MS SQL Server, and third-party service packs. These include:

Cisco ICM Enterprise Edition

Cisco ICM Hosted Edition

Cisco IPCC Enterprise Edition

Cisco IPCC Hosted Edition

These products are composed of the following components: ICM Router, Logger, Peripheral Gateways, Administrative workstations, Internet Script Editor, WebView Servers and Clients, CTI Server, CTI Operating System Server, CAD Server components, CTI Toolkit Desktop components and CAD Desktop, Remote Monitoring Suite Server (RMS), AlarmTracker, SS7 Gateway, Gateway, Collaboration Server, eMail Manager, Media Blender, Trailhead, and Support Tools.

Installation of non-recommended Microsoft Service Packs can cause system problems. Using a different Microsoft Service Pack may affect how these products function and may have an impact with regard to Cisco's support for these products.

The hardware and software requirements for every release are available on Cisco.com at

http://www.cisco.com/univercd/cc/td/doc/product/icm/

Post-initial-deployment maintenance primarily involves the following tasks:

Apply Critical and Important Microsoft Security Updates for the operating system, IIS, and MS SQL when they are released

Maintain your Anti-virus application by updating both the scan engine and virus definition files as recommended by the anti-virus vendor.

Microsoft Security Updates

Microsoft issues Critical and Important Security Updates. Since customers license these products from third parties and not from Cisco, customers are responsible to monitor the availability of these updates. Cisco recommends that customers review any Critical and Important Security Updates issued for these products and assess their exposure to the vulnerability. Customers should follow Microsoft's guidelines to apply these updates to the relevant contact center systems as soon as possible.

Cisco will qualify relevant Microsoft Critical and Important Security Updates as they become available. In the unlikely event that problems are found with a particular update, customers should be prepared to back-out the updates. Cisco-qualified Critical and Important Security Updates notices are posted to Cisco.com through field notices and/or PSIRT alerts. Due to the critical nature of these updates, Cisco recommends that customers follow the guidelines provided by Microsoft. The update may be applied in parallel with Cisco qualification efforts. Be sure that the Security Update applies to the Service Pack installed on your systems.

Customers can set up a profile to be alerted of field notice postings by going to the following link:

http://www.cisco.com/pcgi-bin/Support/FieldNoticeTool/field-notice.

Once an alert is sent, users need to go to Cisco.com and look at the details of the field notice. A profile may be set up to select all Call Center products (preferred) or just select individual products.


Note: This method does not push the field notice to users, but does send an "Announcement" of the field notice to the subscriber.


This policy only applies to Critical and Important Security Updates. It does not apply to Microsoft Service Packs. Service Packs contain very broad ranges of fixes and updates and need to be verified extensively by Cisco before they can be applied. For every release, Cisco explicitly specifies what Service Packs are required and supported for that release.

Anti-virus Software

Cisco understands that customers require protection and monitoring of their ICM, IPCC, and IVR systems through the installation of third-party anti-virus software applications. Anti-virus software can be very taxing on system resources and, depending on how the anti-virus software is configured, can affect normal operation of Cisco software products.

Cisco tests its software products with McAfee NetShield. In order to help customers use this anti-virus software in a way that minimizes impact on system operations, detailed guidelines and recommendations are available for all products. When these guidelines and recommendations are followed, Cisco will continue to provide TAC support, but only as it relates to the customer contact business unit software components.

Cisco ICM Enterprise/Hosted and Cisco IPCC Enterprise/Hosted Edition

The anti-virus software guidelines and recommendations for Cisco ICM-based products are available at:

http://www.cisco.com/univercd/cc/td/doc/product/icm/antivrus.pdf

Patch Management, Software Update Services and Tools

Microsoft provides a number of tools and resources to help manage the complex task of patch management and deployment, such as SMS, SUS, and Windows Update. Cisco does not specifically test any of these tools. Automatic updates require automatic system reboots that can affect operations that are available 24 hours a day, seven days a week. Users should determine procedures appropriate to their specific environment for system updates and maintenance.

It is important to keep in mind that the majority of the contact center systems and applications do not, or should not, access or be accessible from the Internet. Therefore, if any of these tools are used, it is critical that they are properly set up and positioned in the infrastructure, with scheduling that does not affect the operation of the software. More recommendations on scheduling automated system updates can be found in the Cisco ICM/IPCC anti-virus recommendations document previously mentioned.

Cisco ISN Third-Party Service Pack Updates and Security Updates

The Cisco Internet Service Node (ISN) provides Web-based, interactive voice response (IVR), queuing, and IP switching services for both IP and traditional telephony networks. Through integration with Cisco ICM Enterprise Edition, Cisco ICM Hosted Edition and Cisco IPCC Enterprise Edition, the Cisco ISN delivers these services as part of a comprehensive customer contact strategy for service providers and large enterprises.

The Cisco ISN comprises two components: the Voice Browser and the Application Server. The Cisco ISN Voice Browser operates under the control of the Application Server. It plays media files (announcements, prompts, etc.) to the caller, and collects information from the caller in return. The Cisco ISN Application Server is a Web server that controls the Voice Browser using Extensible Markup Language (XML) pages, which describe the actions the Voice Browser is to perform. The Application Server operates under the scripting control of Cisco ICM Hosted Edition or Cisco ICM Enterprise Edition.

Installation of non-recommended Microsoft Service Packs can cause system problems. Using a different Microsoft Service Pack may impact how these products function and may have an impact with regard to Cisco's support for these products.

The hardware and software requirements for every release are available on Cisco.com at

http://www.cisco.com/en/US/partner/products/sw/custcosw/ps1006/index.html

Post-initial-deployment maintenance primarily involves the following tasks:

Apply Critical and Important Microsoft Security Updates for the operating system, IIS, and MS SQL when they are released

Maintain your anti-virus application by updating both the scan engine and virus definition files as recommended by the anti-virus vendor

Microsoft Security Updates

Microsoft issues Critical and Important Security Updates. Since customers license these products from third parties and not from Cisco, customers are responsible to monitor the availability of these updates. Cisco recommends that customers review any Critical and Important Security Updates issued for these products and assess their exposure to the vulnerability. Customers should follow Microsoft's guidelines to apply these updates to the relevant contact center systems as soon as possible.

Cisco will qualify relevant Microsoft Critical and Important Security Updates as they become available. In the unlikely event that problems are found with a particular update, customers should be prepared to back out the updates. Notices of Cisco-qualified Critical and Important Security Updates are posted to Cisco.com through field notices and/or PSIRT alerts. Due to the critical nature of these updates, Cisco recommends that customers follow the guidelines provided by Microsoft. The update may be applied in parallel with Cisco qualification efforts. Be sure that the Security Update applies to the Service Pack installed on your systems.

Customers can set up a profile to be alerted of field notice postings by going to the following link:

http://www.cisco.com/pcgi-bin/Support/FieldNoticeTool/field-notice

Once an alert is sent, users need to go to Cisco.com and look at the details of the field notice. A profile may be set up to select all Call Center products (preferred) or just individual products.


Note: This method does not push the field notice to subscribers, but does send an "Announcement" of the field notice to the subscriber.


This policy only applies to Critical and Important Security Updates. It does not apply to Microsoft Service Packs. Service Packs contain very broad ranges of fixes and updates and will need to be verified extensively by Cisco before they can be applied. For every release Cisco explicitly specifies what Service Packs are required and supported for that release.

Anti-virus Software

Cisco understands that customers require protection and monitoring of their Cisco ISN system through the installation of third-party anti-virus software applications. Anti-virus software can be very taxing on system resources and, depending on how the anti-virus software is configured, can affect normal operation of Cisco software products.

Cisco tests its software products with McAfee NetShield. In order to help customers use this anti-virus software in a way that minimizes impact on system operations, detailed guidelines and recommendations are available for all products. When these guidelines and recommendations are followed, Cisco will continue to provide TAC support, but only as it relates to the customer contact business unit software components.

Cisco Internet Service Node (ISN)

A document with anti-virus software guidelines and recommendations for ISN can be found in the ISN Configuration and Administration Guide on pages 7-18 and 7-19. The guide can be found here: http://www.cisco.com/univercd/cc/td/doc/product/icm/isn/isn20/isn_conf.pdf

Patch Management, Software Update Services and Tools

Microsoft provides a number of tools and resources to help manage the complex task of patch management and deployment, such as SMS, SUS, and Windows Update. Cisco does not specifically test any of these tools. Automatic updates require automatic system reboots, which can interrupt systems that must be available 24 hours a day, seven days a week. Users should determine the procedure(s) appropriate to their specific environment for system updates and maintenance.

It is important to keep in mind that the majority of contact center systems and applications do not, or should not, access or be accessible from the Internet. Therefore, if any of these tools are used, it is critical that they are properly set up and positioned in the infrastructure, with update schedules chosen so as not to impact the operation of the software. More recommendations on scheduling automated system updates can be found in the Cisco ISN anti-virus recommendations document mentioned above.

Network Systems

The easiest and most effective way to ensure that network systems (routers, switches, firewalls, gateways, and gatekeepers) are kept up to date with security fixes is to use the resources of the Cisco Product Security Incident Response Team (PSIRT): regularly check the PSIRT web site (listed below) and subscribe to the security announcement e-mail alias (subscription procedures are also listed below).

The PSIRT is a team that handles security holes in Cisco products and incidents where people are trying to crack security in Cisco customer networks. The PSIRT is responsible for generating security advisories, driving the resolution of security-related bugs, interfacing with external response teams like Computer Emergency Response Team (CERT) and other Forum of Incident Response and Security Teams (FIRST) teams, and assisting customers in incident response.

The following link provides a listing of current and past Cisco Product Security Advisories and Notices:

http://www.cisco.com/warp/public/707/advisory.html

Distribution of Security Information about Cisco Products

Technical security information about Cisco products is distributed through several channels:

Information about Cisco products, including security-specific information and general information relevant to security, is available on the Cisco corporate Website at http://www.cisco.com. This information includes full product documentation, as well as many technical papers, hints, tips, and questions and answers. Not all information is available to customers without service contracts.

Cisco distributes information about security vulnerabilities in its products through its field notice process. Field notices are issued for security-related vulnerabilities that are important to many customers. In most cases, Cisco will not issue a field notice until Cisco has identified a practical workaround for the particular security vulnerability. However, there may be instances when Cisco may issue a field notice in the absence of a practical workaround when the vulnerability has become widely known to the "cracker" community.

Field notices are posted on the Web at the Field Notices page.

As each security vulnerability case is different, Cisco may take alternative actions in connection with issuing security field notices. Cisco may determine to accelerate or delay the release of a notice, or not issue a notice at all. Cisco does not guarantee that field notices will be issued for any or all security issues that customers may consider significant or that field notices will be issued on any specific timetable.

Security-related field notices, as well as some other security information of interest to customers, are sent by e-mail to cust-security-announce@cisco.com. Any interested person may subscribe to this e-mail list using the procedures described under "Subscribing to cust-security-announce@cisco.com" in this document.


Note: You cannot subscribe by sending an e-mail to the list itself.


Security-related information may also be sent to public newsgroups or electronic mailing lists. This is done on an ad-hoc basis, depending on how Cisco perceives the relevance of each notice to each particular forum. Most major notices involving security vulnerabilities are sent to bugtraq@securityfocus.com.

Cisco works with the formal incident response community to distribute information. Most Cisco security notices are distributed by CERT/CC at the same time that they are sent through Cisco channels. The Cisco PSIRT is a member of FIRST and cooperates with other FIRST members to disseminate security-related information. However, FIRST members are not ordinarily given advance information about Cisco security announcements.

Cisco maintains one customer security announcement list, as described above. All customers (current, past, and future) are permitted to subscribe. Cisco notifies all customers on that list of widespread security issues at the same time, prior to other public notifications. Pre-disclosure lists do not exist at Cisco. In cases where there is a perceived threat to a critical infrastructure (such as the Internet), Cisco may attempt to first notify those customers and entities identified as critical to that infrastructure, as determined by real-time data from public resources. All aspects of this process are subject to change without notice as well as to case-by-case exceptions. No particular level of response is guaranteed for any specific issue or class of issues.

Subscribing to cust-security-announce@cisco.com

To subscribe to cust-security-announce@cisco.com, send an e-mail message to majordomo@cisco.com with the single line "subscribe cust-security-announce" as the entire content of the body of the message. You will receive confirmation instructions and a list policy statement.


Note: The request must go to "majordomo@cisco.com," not to the cust-security-announce list itself.


You must send the message from the account that will be subscribed to the list. Subscriptions for one account that are sent from a second account are not accepted. You must place the "subscribe cust-security-announce" command in the body of the message, not on the subject line.

There is a separate discussion list, called "cust-security-discuss@cisco.com," that permits security-related discussions between Cisco customers. You can subscribe to "cust-security-discuss@cisco.com" in the same way that you would subscribe to "cust-security-announce@cisco.com." Only subscribers are permitted to send messages to "cust-security-discuss@cisco.com."

"If you're going to log it, read it." So simple a proposition, that almost everyone familiar with network security has said it at least once. Yet logging and reading information from hundreds of devices can prove to be a challenging proposition. Which logs are most important? How do I separate important messages from mere notifications? How do I ensure that logs are not tampered with in transit? How do I ensure my time-stamps match each other when multiple devices report the same alarm? What information is needed if log data is required for a criminal investigation? How do I deal with the volume of messages that can be generated by a large network? You must address all these questions when considering managing log files effectively. From a management standpoint, a different set of questions needs to be asked: How do I securely manage a device? How can I push content out to public servers and ensure that it is not tampered with in transit? How can I track changes on devices to troubleshoot when attacks or network failures occur?

From an architectural point of view, providing out-of-band (OOB) management of network systems is the best first step in any management and reporting strategy. Out-of-band, as its name implies, refers to a network on which no production traffic resides. Devices should have a direct local connection to such a network where possible; where that is impossible (due to geographic or system-related issues), the device should connect via a private encrypted tunnel over the production network. Such a tunnel should be preconfigured to communicate across only the specific ports required for management and reporting, and locked down so that only appropriate hosts can initiate and terminate tunnels. Be sure that the OOB network does not itself create security issues.

Most networking devices can send syslog data, which can be invaluable when troubleshooting network problems or security threats. Send this data to one or more syslog analysis hosts on the management network. Depending on the device involved, you can choose various logging levels to ensure that the correct amount of data is sent to the logging devices. You also need to flag device log data within the analysis software to permit granular viewing and reporting; for example, during an attack the log data provided by Layer 2 switches might not be as interesting as the data provided by the intrusion detection system. Specialized applications, such as IDS, often use their own logging protocols to transmit alarm information; usually this data should be logged to separate management hosts that are better equipped to deal with attack alarms. When combined, alarm data from many different sources can provide information about the overall health of the network. To ensure that log messages are time-synchronized to one another, clocks on hosts and network devices must be in sync. For devices that support it, Network Time Protocol (NTP) provides a way to ensure that accurate time is kept on all devices. When dealing with attacks, seconds matter, because it is important to establish the order in which the events of an attack took place.

Cisco IOS Software Devices: Routers, Gateways, Gatekeepers, CallManager Express, and Unity Express

Cisco IOS® Software security is a critical element in any security deployment. By their nature, routers provide access and, therefore, you should secure them to reduce the likelihood that they can be directly compromised. Please refer to other documents that have been written about router security. These may provide more detail on the following guidelines and router security best practices:

Locking down Telnet access to a router

Locking down Simple Network Management Protocol (SNMP) access to a router

Controlling access to a router through the use of Terminal Access Controller Access Control System Plus (TACACS+)

Turning off unneeded services

Logging at appropriate levels

Authenticating routing updates

The most current document on router security is available at the following URL:

http://www.cisco.com/warp/public/707/21.html

Cisco IOS Software devices can record information about a variety of events, many of which have security significance. Logs can be invaluable in characterizing and responding to security incidents. The main types of logging used by Cisco IOS Software devices are:

AAA logging, which collects information about user dial-in connections, logins, logouts, HTTP accesses, privilege level changes, commands executed, and similar events. AAA log entries are sent to authentication servers using the TACACS+ and/or RADIUS protocols, and are recorded locally by those servers, typically in disk files. If you are using a TACACS+ or RADIUS server, you may wish to enable AAA logging of various sorts; this is done using AAA configuration commands such as aaa accounting. A detailed description of AAA configuration is beyond the scope of this document.

SNMP trap logging, which sends notifications of significant changes in system status to SNMP management stations. You will probably want to use SNMP traps only if you have a pre-existing SNMP management infrastructure.

System logging (syslog), which records a large variety of events, depending on the system configuration. System logging events may be reported to a variety of destinations, including the following:

The system console port (logging console).

Servers using the UNIX "syslog" protocol (logging ip-address, logging trap).

Remote sessions on VTYs and local sessions on TTYs (logging monitor, terminal monitor).

A local logging buffer in router RAM (logging buffered).

From a security point of view, the most important events usually recorded by system logging are interface status changes, changes to the system configuration, access list matches (permits and denies), and events detected by the optional firewall and intrusion detection features. Each system logging event is tagged with an urgency level. The levels range from debugging information (at the lowest urgency), to major system emergencies. Each logging destination may be configured with a "threshold" urgency, and will receive logging events only at or above that threshold.
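The threshold rule above is easy to get backwards: Cisco severities are numbered so that 0 is the most urgent, so a destination configured with threshold warnings (4) receives severities 0 through 4 and drops 5 through 7. The following Python example, added here and not part of the guide, parses a few constructed Cisco IOS syslog lines, tags them with the four security-relevant categories the paragraph names, and applies the threshold the way a logging destination does. The category mapping and the sample lines (RFC 5737 addresses, one router) are assumptions for the example; the message mnemonics shown are standard IOS ones but the events are invented.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Cisco syslog urgency levels: a numerically LOWER value is MORE urgent.
LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Matches the "%FACILITY-SEVERITY-MNEMONIC: text" body of a Cisco IOS message.
# Sequence numbers and timestamps that may precede it vary by configuration,
# so the pattern is anchored on the body only.
_BODY_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)

# The security-relevant categories named in the guide, keyed by facility and
# mnemonic. This mapping is an assumption for the example, not an IOS table.
CATEGORIES = {
    ("LINK", "UPDOWN"): "interface status change",
    ("LINEPROTO", "UPDOWN"): "interface status change",
    ("SYS", "CONFIG_I"): "configuration change",
    ("SEC", "IPACCESSLOGP"): "access list match",
    ("SEC", "IPACCESSLOGDP"): "access list match",
}


@dataclass
class SyslogEvent:
    device: str
    facility: str
    severity: int
    mnemonic: str
    text: str

    @property
    def category(self) -> str:
        return CATEGORIES.get((self.facility, self.mnemonic), "other")


def parse_line(device: str, line: str) -> Optional[SyslogEvent]:
    """Parse one raw line received from `device`; None if it is not a Cisco message."""
    m = _BODY_RE.search(line)
    if not m:
        return None
    return SyslogEvent(device, m["facility"], int(m["severity"]), m["mnemonic"], m["text"])


def parse_all(device: str, lines: List[str]) -> List[SyslogEvent]:
    return [e for e in (parse_line(device, line) for line in lines) if e is not None]


def passes_threshold(event: SyslogEvent, threshold: str) -> bool:
    """A destination with threshold `warnings` (4) receives everything at or
    above that urgency, i.e. severities 0 through 4 (lower number = more urgent)."""
    return event.severity <= LEVELS[threshold]


def deliver(events: List[SyslogEvent], threshold: str) -> List[SyslogEvent]:
    """The subset of `events` a destination configured with `threshold` would see."""
    return [e for e in events if passes_threshold(e, threshold)]


# Constructed sample lines, as a collector might receive them from one router.
# Addresses are from the RFC 5737 documentation ranges; the events are invented.
SAMPLE_LINES = [
    "Mar  1 10:15:02.110: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.5)",
    "Mar  1 10:15:30.500: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
    "Mar  1 10:15:31.501: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down",
    "Mar  1 10:16:04.003: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(4421) -> 198.51.100.7(23), 1 packet",
    "this line is not a Cisco syslog message and is skipped",
]

if __name__ == "__main__":
    events = parse_all("edge-router-1", SAMPLE_LINES)
    for e in events:
        print(f"{e.device} sev={e.severity} {e.facility}-{e.mnemonic} [{e.category}]")
    for threshold in ("warnings", "notifications", "informational"):
        kept = deliver(events, threshold)
        print(f"logging trap {threshold}: {[e.mnemonic for e in kept]}")
```

The point the run makes: with a collector threshold of warnings, the access list deny (reported at informational, severity 6) never reaches the syslog server, while the interface-down event does. If ACL matches are what you want to see centrally, the trap threshold has to be informational, or the device must be configured to report those messages at a higher urgency.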

Syslog should be enabled on all Cisco IOS Software routers to help ensure that any pertinent data is regularly logged and maintained to a central logging facility. Syslog data provides insight into possible problems with performance and/or security of your network.

Proper aggregation and analysis of the syslog information is critical to the proper management of a network. From a security perspective, syslog provides important information regarding security violations and configuration changes. Depending on the device in question, different levels of syslog information might be required. Having full logging with all messages sent might provide too much information for an individual or syslog analysis algorithm to sort. Logging for the sake of logging does not improve security.

Switches

Like routers, switches (both Layer 2 and Layer 3) have their own set of security considerations. Unlike routers, not much public information is available about the security risks in switches and what can be done to mitigate those risks. Switches typically rely on virtual LANs (VLANs) for Layer 2 traffic segmentation. Most of the security techniques detailed in the preceding section on routers apply to switches. In addition, you should take the following precautions:

Disable all unused ports on a switch. This setup prevents hackers from plugging into unused ports and communicating with the rest of the network.

Ports that do not need to trunk should have trunking set to off rather than auto. This prevents a host from turning its port into a trunk port and receiving all the traffic that would normally traverse a trunk.

For ports that require trunking, always use a dedicated VLAN identifier. The use of VLAN 1 may have implications for some switch vendors. Eliminate native VLANs from 802.1q trunks.

When feasible for user ports, limit the number of MAC addresses each port may learn (say, 2-3). This limit mitigates MAC flooding and other attacks.

As VLANs do not inherently provide security functions such as confidentiality and authentication, care must be taken to follow the security guidelines defined by Cisco and in this section when implementing VLANs in any environment. For instance, filtering and/or stateful firewalling in addition to VLAN segmentation provides a defense-in-depth approach to securing the access between two subnets.

Procedures for carrying out change control and configuration analysis must be in place to ensure that, after changes are made, a secure configuration results. This is especially valuable in cases where multiple organizational groups may control the same switch, and even more valuable in security deployments where even greater care must be taken.

Recent testing of Cisco software has shown that as long as care is taken in configuration, specifically following the best practices in this section, VLANs provide Layer 2 separation. For more information, please refer to:
http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/stake_wp.pdf.

Within an existing VLAN, private VLANs provide some added security to specific network applications. Private VLANs work by limiting which ports within a VLAN can communicate with other ports in the same VLAN. Isolated ports within a VLAN can communicate only with promiscuous ports. Community ports can communicate only with other members of the same community and with promiscuous ports. Promiscuous ports can communicate with any port. This is an effective way to mitigate the effects of a single compromised host. Consider a standard public services segment with a Web, File Transfer Protocol (FTP), and Domain Name System (DNS) server. If the DNS server is compromised, a hacker can pursue the other two hosts without passing back through the firewall. If private VLANs are deployed and one system is compromised, it cannot communicate with the other systems; the only targets a hacker can pursue are hosts on the other side of the firewall. Because they restrict Layer 2 connectivity, private VLANs make troubleshooting network problems more difficult. Remember that private VLANs are not supported on all Ethernet switches available on the market today; in particular, most low-end switches do not yet support this feature.

The same best practices with regard to logging that were described in the preceding section on Cisco IOS Software devices also apply to switches.

Syslog should be enabled on all Cisco Catalyst® Series operating systems and Cisco IOS Software switches to help ensure that any pertinent data is regularly logged and maintained to a central logging facility. Syslog data provides insight into possible problems with performance and/or security of your network.

Proper aggregation and analysis of the syslog information is critical to the proper management of a network. From a security perspective, syslog provides important information regarding security violations and configuration changes. Depending on the device in question, different levels of syslog information might be required. Having full logging with all messages sent might provide too much information for an individual or syslog analysis algorithm to sort. Logging for the sake of logging does not improve security.

Firewalls

Just as with routers and switches, syslog should be enabled on firewalls to ensure that any pertinent data is regularly logged and maintained to a central logging facility. Syslog data provides insight into possible problems with performance and/or security of your network.

Enabling Logging To Syslog Servers

This section describes how to enable logging messages to one or more syslog servers. For information about saving messages to a buffer, displaying them on the console, specifying the transport used for syslog messages, or various other options, refer to the logging command in the Cisco PIX® Firewall Command Reference. Use the logging command to identify one or more syslog servers and to set the various options available. To enable or disable logging, enter the following commands:

logging on 
no logging on 

To view the current logging options, enter the following command:

show logging 

To identify a syslog server that will receive the messages sent from the Cisco PIX Firewall, enter the following command:

logging host [<in_if>] <ip_address> 

Replace in_if with the interface on which the syslog server resides. Replace ip_address with the syslog server's IP address. You can use multiple logging host commands to specify additional servers.

Changing Syslog Message Levels

Cisco PIX Firewall Version 6.3 gives you the option to modify the level at which a specific syslog message is issued and to disable specific syslog messages. Previous versions of Cisco PIX Firewall only let you specify the message level or disable all messages to a specific syslog server.

To change the logging level for all syslog servers, enter the following command:

logging message <syslog_id> level <level_id>

Replace syslog_id with the numeric identifier assigned to the syslog message. Replace level_id with one of the following numeric or text identifiers for the syslog level:

0—emergencies—System unusable messages

1—alerts—Take immediate action

2—critical—Critical condition

3—errors—Error message

4—warnings—Warning message

5—notifications—Normal but significant condition

6—informational—Information message

7—debugging—Debug messages and log FTP commands and WWW URLs

For example, if you want to log the message "denied by ACL" (106023), but you do not want to increase the overall logging level, you can change the specific syslog level to Critical, as shown in the following command:

pix(config)# logging message 106023 level critical 

To restore the default syslog level for a specific message, precede the command with no. To restore all of the currently changed syslog messages to their default levels, enter the following command:

pix(config)# clear logging level 

By default, the emergencies level is not used for any Cisco PIX Firewall syslog messages, so you can use this level to restrict syslog messages to those in which you are interested. To do this, change the level of interesting messages to emergencies.
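To make the interaction between per-message levels and per-server thresholds concrete, here is a small Python model of the PIX 6.3 behaviour described in this section. It is an added example, not Cisco code: it represents logging message <id> level <level>, its no form, clear logging level, and the logging trap threshold of a syslog server, and then shows the "emergencies" trick. The default levels in DEFAULT_LEVELS are assumptions for the example (106023 is the ACL-deny message named above; 302013 and 111008 are other PIX message IDs), so check the system log message guide for your release before relying on them.

```python
from typing import Dict, List, Set, Union

# Syslog levels as the PIX accepts them: numeric or text, 0 = most urgent.
LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}


def to_level(level: Union[int, str]) -> int:
    """Accept either the numeric or the text identifier, as the CLI does."""
    if isinstance(level, int):
        if 0 <= level <= 7:
            return level
        raise ValueError(f"level out of range: {level}")
    if level.isdigit():
        return to_level(int(level))
    return LEVELS[level]


# Assumed default levels for this example (syslog_id -> level). Verify against
# the PIX system log messages document for the release you run.
DEFAULT_LEVELS: Dict[int, int] = {
    106023: 4,   # ACL deny, assumed default "warnings"
    302013: 6,   # TCP connection built, assumed default "informational"
    111008: 5,   # command executed, assumed default "notifications"
}


class PixLoggingPolicy:
    """Model of per-message level overrides on top of per-server thresholds."""

    def __init__(self, default_levels: Dict[int, int]):
        self.default_levels = dict(default_levels)
        self.overrides: Dict[int, int] = {}   # logging message <id> level <level>
        self.disabled: Set[int] = set()       # no logging message <id>

    def set_message_level(self, syslog_id: int, level: Union[int, str]) -> None:
        """logging message <syslog_id> level <level>"""
        self.overrides[syslog_id] = to_level(level)

    def restore_message_level(self, syslog_id: int) -> None:
        """no logging message <syslog_id> level <level>: back to the default."""
        self.overrides.pop(syslog_id, None)

    def clear_logging_level(self) -> None:
        """clear logging level: every changed message returns to its default."""
        self.overrides.clear()

    def disable_message(self, syslog_id: int) -> None:
        self.disabled.add(syslog_id)

    def enable_message(self, syslog_id: int) -> None:
        self.disabled.discard(syslog_id)

    def effective_level(self, syslog_id: int) -> int:
        return self.overrides.get(syslog_id, self.default_levels[syslog_id])

    def is_sent(self, syslog_id: int, server_threshold: Union[int, str]) -> bool:
        """Would a server configured with `logging trap <server_threshold>` get it?
        A message is sent when its level is at or above the threshold urgency,
        i.e. numerically less than or equal to it."""
        if syslog_id in self.disabled:
            return False
        return self.effective_level(syslog_id) <= to_level(server_threshold)

    def sent_to(self, server_threshold: Union[int, str]) -> List[int]:
        """All known message IDs a server with this threshold would receive."""
        return sorted(i for i in self.default_levels if self.is_sent(i, server_threshold))


if __name__ == "__main__":
    policy = PixLoggingPolicy(DEFAULT_LEVELS)
    print("trap errors, defaults:        ", policy.sent_to("errors"))
    policy.set_message_level(106023, "critical")      # logging message 106023 level critical
    print("trap errors, 106023 raised:   ", policy.sent_to("errors"))
    policy.set_message_level(111008, "emergencies")   # the "emergencies only" trick
    print("trap emergencies, 111008 only:", policy.sent_to("emergencies"))
    policy.clear_logging_level()                       # clear logging level
    print("trap errors after clear:      ", policy.sent_to("errors"))
```

The design mirrors the text: raising one message to critical lets it through a server whose threshold stays at errors, so the overall volume does not grow; and because no message defaults to emergencies, a server set to logging trap emergencies receives exactly the messages you have deliberately promoted to that level.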

Logging Access Control List Activity

This section describes a logging option, introduced with Cisco PIX Firewall Version 6.3, that lets you log the number of permits or denies of a flow by an Access Control List (ACL) entry during a specific time period.

When logging is enabled for specific ACL activity, statistics are provided for each flow. A flow is defined by protocol, source IP address, source port, destination IP address, and destination port. The statistics include the number of permits or denies of the flow by an ACL entry during the specified time interval.

When a flow is permitted or denied, the system checks whether the flow already exists. If not, an initial syslog message with a hit-count of 1 for the flow is generated; the flow entry is then created, and its hit-count is incremented every time the flow is permitted or denied. For an existing flow, a syslog message is generated at the end of each configurable interval to report the non-zero hit-count for the flow in the current interval. After the syslog message is generated, the hit-count for the flow is reset to 0 for the next interval. If no hit is recorded during an interval, the flow is deleted and no syslog message is generated.

A large number of flows may exist concurrently at any point in time. To prevent unlimited consumption of memory and CPU resources, a limit is placed on the number of concurrent deny-flows; when the limit is reached, no new deny-flow is created until existing deny-flows expire. If the new logging option is not configured on an ACL that is used in an access-group command, the older logging scheme (syslog 106023 for denied flows) remains in effect.
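The flow lifecycle just described (first-hit message, per-interval count and reset, silent expiry, and the cap on concurrent deny-flows) is worth seeing as code, because it explains why a steady port scan produces one line per interval rather than one line per packet, and why a flood of distinct denied flows can exhaust the deny-flow limit. The Python below is an added example that simulates that scheme; it is not PIX code. Its message wording, the interval length and the deliberately small deny-flow limit of 2 are assumptions, as is the choice to start the interval counter at 0 after the first-hit message (the count is reset after every message the text describes). Flows use RFC 5737 addresses and are constructed.

```python
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    protocol: str
    src: str
    sport: int
    dst: str
    dport: int


FlowKey = Tuple[Flow, str]   # (flow, "permit" | "deny")


class AclFlowLogger:
    """Simulation of per-flow hit-count logging for ACL entries."""

    def __init__(self, interval_seconds: int = 300, max_deny_flows: int = 2):
        self.interval_seconds = interval_seconds
        self.max_deny_flows = max_deny_flows
        self.hits: Dict[FlowKey, int] = {}   # live flows -> hits in the current interval
        self.messages: List[str] = []         # syslog messages emitted, in order
        self.suppressed_deny_hits = 0         # denies seen while the deny-flow limit was reached

    def _deny_flow_count(self) -> int:
        return sum(1 for (_, action) in self.hits if action == "deny")

    def _text(self, flow: Flow, action: str, count: int, suffix: str) -> str:
        return (f"access-list {action} {flow.protocol} {flow.src}({flow.sport}) -> "
                f"{flow.dst}({flow.dport}) hit-cnt {count} {suffix}")

    def record(self, flow: Flow, action: str) -> None:
        """Called each time an ACL entry permits or denies a packet of `flow`."""
        key = (flow, action)
        if key in self.hits:
            self.hits[key] += 1          # existing flow: just count, no message
            return
        if action == "deny" and self._deny_flow_count() >= self.max_deny_flows:
            # Limit reached: no new deny-flow until an existing one expires.
            self.suppressed_deny_hits += 1
            return
        # First sighting: report immediately with hit-count 1, then track the flow.
        # Assumption: the first hit is considered reported, so the interval
        # counter starts at 0 (the count is reset after every message).
        self.messages.append(self._text(flow, action, 1, "(first hit)"))
        self.hits[key] = 0

    def end_of_interval(self) -> None:
        """Called once per interval: report non-zero counts, expire idle flows."""
        for key in list(self.hits):
            flow, action = key
            count = self.hits[key]
            if count == 0:
                del self.hits[key]        # idle this interval: expires, no message
            else:
                self.messages.append(
                    self._text(flow, action, count, f"({self.interval_seconds}-second interval)"))
                self.hits[key] = 0        # reset for the next interval


# Constructed sample flows (RFC 5737 documentation addresses).
TELNET_PROBE = Flow("tcp", "192.0.2.10", 4421, "198.51.100.7", 23)
SSH_PROBE = Flow("tcp", "192.0.2.10", 4422, "198.51.100.7", 22)
SMB_PROBE = Flow("tcp", "192.0.2.11", 1033, "198.51.100.7", 445)
WEB_OK = Flow("tcp", "203.0.113.5", 51000, "198.51.100.20", 80)


def run_demo() -> AclFlowLogger:
    log = AclFlowLogger(interval_seconds=300, max_deny_flows=2)
    log.record(TELNET_PROBE, "deny")
    log.record(TELNET_PROBE, "deny")   # repeat within the interval: counted only
    log.record(SSH_PROBE, "deny")
    log.record(SMB_PROBE, "deny")      # third concurrent deny-flow: suppressed
    log.record(WEB_OK, "permit")
    log.end_of_interval()              # TELNET reports 1; SSH and WEB expire silently
    log.end_of_interval()              # TELNET idle this interval: expires
    return log


if __name__ == "__main__":
    demo = run_demo()
    for line in demo.messages:
        print(line)
    print("suppressed deny hits:", demo.suppressed_deny_hits)
    print("live flows:", len(demo.hits))
```

Two things the run shows: the repeated Telnet deny produces one first-hit line and one interval summary instead of two lines, and the third distinct denied flow is never reported while the two earlier deny-flows are still live, which is the trade-off the deny-flow limit makes between resource protection and visibility.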

Intrusion Detection Systems

Intrusion Detection Systems (IDSs) or Intrusion Prevention Systems (IPSs) act like an alarm system in the physical world. When an IDS detects something it considers an attack, it can either take corrective action itself or notify a management system for action by the administrator. Systems vary in how well equipped they are to respond to and prevent such an attack. Host-based intrusion detection can work by intercepting operating system and application calls on an individual host; it can also operate by after-the-fact analysis of local log files. The former approach allows better attack prevention, whereas the latter dictates a more passive attack-response role. Because of the specificity of their role, host-based IDS (HIDS) systems are often better at preventing specific attacks than network IDS (NIDS) systems, which usually issue only an alert upon discovery of an attack. However, that specificity costs a loss of perspective on the overall network, which is where NIDS excels. Cisco recommends a combination of the two systems, i.e., HIDS on critical hosts and NIDS looking over the whole network, for a complete intrusion detection system.

When an IDS is deployed, you must tune its implementation to increase its effectiveness and remove "false positives." False positives are defined as alarms caused by legitimate traffic or activity; false negatives are attacks that the IDS fails to see. Once the IDS is tuned, you can configure it more specifically for its threat-mitigation role. As mentioned above, you should configure HIDS to stop most valid threats at the host level because it is well placed to determine that certain activity is, indeed, a threat.

Both Network and Host IDS products should be actively maintained and configured to ensure that they have the most current versions and signature updates applied.

Cisco Intrusion Detection System Sensors are network devices that perform real-time monitoring of network traffic for suspicious activities and active network attacks. Sensors come in two physical models: dedicated, standalone network appliances, and line-card modules running in certain Cisco Catalyst 6000 Series switches. The sensor analyzes network packets to determine if their contents appear to indicate an attack against your network. IDS MC manages configurations for up to 300 Cisco Intrusion Detection System Sensors. You use a series of Web-based screens to manage all aspects of sensor configuration. You can manage individual sensors, and you can manage groups of sensors having a common configuration. The sensor configuration data resides in a database. A separate but closely related product, Monitoring Center for Security (Security Monitor), provides event collection, viewing, and reporting capability for network devices. You can install IDS MC by itself or with Security Monitor. (You can also install Security Monitor by itself.) You must install CiscoWorks before installing IDS MC or Security Monitor.

Subscribe to the Cisco IDS Active Update Notification system to keep up to date on the latest signature updates and product news. To view a chronological listing of previous notifications, visit the IDS Active Update Archives.

Security Monitor

A number of logs are created on the various IP telephony and infrastructure devices if the recommended security steps are implemented. The logs are meaningless if they are not periodically monitored. Monitoring the logs can provide additional warning of a system that has been compromised. Each customer's network is unique and requires that a baseline for the logs be created. Once the baseline is understood, log anomalies can be recognized and addressed. Be careful not to take down a server because its logs have filled the disk: monitor disk utilization and archive or delete unnecessary logs. Logs to monitor are:

Windows 2000 Server Event Viewer Security Logs

Syslog server logs

Intrusion Detection Systems

Security Monitor Event Viewer provides a near real-time view of security events as they occur on your network. Near real-time refers to the slight delay that may occur as events are detected by your network devices and then propagated to your Security Monitor server. In most cases, this delay is negligible. Event Viewer provides a tabular view of the incoming event data. The data is arranged in a hierarchical tree that allows you to drill down quickly to isolate problems and find trends in the event data. You can sort the view based on the various elements of the data, such as signature name. The ability to drill down and reorder the data provides a basic means to perform real-time event correlation.

Event Viewer also provides access to tools that provide additional security information. You can select groups of events to display as a graph. You can resolve IP addresses within events to hostnames. You can launch the Network Security Database to provide details about a signature. And, for some events, you can display "context" data, such as the traffic that actually triggered the event.

Event Notification

Using Event Rules, you can configure Security Monitor to send e-mail notifications when specific criteria are met. You can also use Event Rules to trigger custom scripts. Security Monitor does not support pager notifications directly; however, you can use pager notifications if you have an e-mail gateway to your paging system. You can use Event Rules to create simple rules that provide notifications when a single event occurs. However, you gain their main benefit by using logical operators to create complex rules. These operators allow you to correlate the events or conditions that trigger the notification. You can also set thresholds that allow you to specify the number of times the criteria must be met before the notification is triggered. Using thresholds allows you to distinguish between purposeful events and random occurrences.

Event Reporting

Event reporting provides a snapshot view of security events on your network. Report filters, such as dates and event type, allow you to refine the information shown in the report. You can run reports on-demand or schedule them to be run regularly. By default, reports are stored in the database. However, you can export the report to an HTML file or send the report to one or more recipients through e-mail.

Event Correlation

Security Monitor supports basic event correlation through the Event Viewer, Event Rule, and Reporting subsystems. When you start the Security Monitor Event Viewer with the setting to view "All IDS Alarms", you see the IDS alarms from all monitored devices. Reordering the columns in the Event Viewer provides you with a flexible view of event data and multiple ways to correlate those events. You can then reorder the columns in the Event Viewer to correlate the events by specific attributes, such as source address, signature name, and so on. For example, by grouping the events in the Event Viewer by source address, signature name, and then by device, you can determine which devices detected a specific event from a specific source. In the same manner, you can filter the reports to provide you with a correlated, snapshot view of your event data. Filter options include source and destination addresses of the events, device detecting the event, signature the event matched, and so on. These reports can be scheduled or produced on-demand, and can include information from all the monitored devices. They can also be run for a specific range of dates to provide a historical view of the data. Event Rules provide an even more flexible manner of event correlation by allowing you to create logical relationships between the IDS events produced by all monitored devices, and then to send e-mail notifications or run a custom script based on the relationships that you define.
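The two correlation mechanisms described in Event Notification and in this section, grouping events by attributes such as source address, signature and device, and Event Rules that combine conditions with logical operators and fire only after a threshold count, reduce to a small amount of logic. The following Python is an added illustration of that logic, not Security Monitor code or its rule syntax: it groups constructed IDS events the way reordered Event Viewer columns do, answers "which sensors saw this signature from this source", and evaluates a threshold rule per source. The sensor names, signature names and RFC 5737 addresses are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class IdsEvent:
    device: str       # sensor that reported the event
    signature: str    # signature name
    src: str
    dst: str
    ts: int           # seconds since epoch (constructed)


def group_by(events: List[IdsEvent], *fields: str) -> Dict[tuple, List[IdsEvent]]:
    """Nested grouping, as the Event Viewer does when you reorder its columns:
    the key is the tuple of the chosen attributes, in the order given."""
    groups: Dict[tuple, List[IdsEvent]] = defaultdict(list)
    for e in events:
        groups[tuple(getattr(e, f) for f in fields)].append(e)
    return dict(groups)


def devices_that_saw(events: List[IdsEvent], src: str, signature: str) -> List[str]:
    """Which sensors detected `signature` from `src`? (group by source, signature, device)"""
    return sorted({e.device for e in events if e.src == src and e.signature == signature})


Condition = Callable[[IdsEvent], bool]


@dataclass
class EventRule:
    name: str
    conditions: List[Condition]
    operator: str                 # "and" | "or": how the conditions combine
    threshold: int                # matches required before a notification fires
    key_fields: Tuple[str, ...]   # the threshold is counted per this key (e.g. per source)

    def matches(self, e: IdsEvent) -> bool:
        results = [c(e) for c in self.conditions]
        return all(results) if self.operator == "and" else any(results)

    def evaluate(self, events: List[IdsEvent]) -> List[Tuple[tuple, int]]:
        """(key, count) for every key whose match count reached the threshold."""
        counts: Dict[tuple, int] = defaultdict(int)
        for e in events:
            if self.matches(e):
                counts[tuple(getattr(e, f) for f in self.key_fields)] += 1
        return sorted((k, c) for k, c in counts.items() if c >= self.threshold)


def notification(rule: EventRule, hit: Tuple[tuple, int]) -> str:
    """The e-mail subject a rule hit would produce (constructed wording)."""
    key, count = hit
    return f"[{rule.name}] {dict(zip(rule.key_fields, key))} matched {count} times (threshold {rule.threshold})"


# Constructed sample events: one source touching several hosts on two sensors,
# plus two unrelated single events that a threshold should ignore.
SAMPLE_EVENTS = [
    IdsEvent("sensor-1", "SYN Port Sweep", "192.0.2.10", "198.51.100.7", 100),
    IdsEvent("sensor-2", "SYN Port Sweep", "192.0.2.10", "198.51.100.8", 105),
    IdsEvent("sensor-1", "SYN Port Sweep", "192.0.2.10", "198.51.100.9", 110),
    IdsEvent("sensor-1", "SSH Brute Force", "192.0.2.10", "198.51.100.7", 200),
    IdsEvent("sensor-2", "SSH Brute Force", "203.0.113.5", "198.51.100.8", 300),
    IdsEvent("sensor-1", "SYN Port Sweep", "203.0.113.9", "198.51.100.7", 400),
]

# OR rule with a threshold: either signature, but only a source seen 3+ times notifies.
RECON_RULE = EventRule(
    name="recon-from-one-source",
    conditions=[lambda e: e.signature == "SYN Port Sweep",
                lambda e: e.signature == "SSH Brute Force"],
    operator="or", threshold=3, key_fields=("src",),
)

# AND rule: brute force against one specific critical host notifies on first sight.
CRITICAL_HOST_RULE = EventRule(
    name="bruteforce-critical-host",
    conditions=[lambda e: e.signature == "SSH Brute Force",
                lambda e: e.dst == "198.51.100.7"],
    operator="and", threshold=1, key_fields=("src",),
)

if __name__ == "__main__":
    for key, group in group_by(SAMPLE_EVENTS, "src", "signature", "device").items():
        print(key, len(group))
    print(devices_that_saw(SAMPLE_EVENTS, "192.0.2.10", "SYN Port Sweep"))
    for rule in (RECON_RULE, CRITICAL_HOST_RULE):
        for hit in rule.evaluate(SAMPLE_EVENTS):
            print(notification(rule, hit))
```

The threshold is what separates the purposeful source (four matches across two sensors) from the two random single events, which match the same conditions but never reach the count; the AND rule shows the opposite choice, where a single match against a critical host is already worth a notification.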