Document Overview
Many features and considerations contribute to the security of a Cisco TelePresence deployment. This document provides an overview of the various aspects that a customer should consider when securing a TelePresence environment, covering the security configuration of individual TelePresence devices and of the overall TelePresence solution. It also describes security controls that can be implemented in the network to enhance the overall security of the solution. This document builds upon the security foundation established in the Voice Security sections of the Unified Communications Solution Reference Network Design (SRND) documents. Each feature or deployment consideration specific to TelePresence is briefly discussed here, with references provided for additional information. This document also makes recommendations that, if implemented, will directly contribute to the security of deployed systems. For the purposes of this document, TelePresence endpoints refers to both traditional Cisco TelePresence and Tandberg endpoints, except where explicitly stated. The Voice Security sections of the Unified Communications SRND for Cisco Unified Communications Manager 6.x, 7.x, and 8.x are available at the Design Zone for Unified Communications.

Solution Overview

Overview

Before discussing how to secure a Cisco TelePresence deployment, the basic components of the solution and the typical deployment models currently in use should be understood. In this section, we will cover the following topics:
Note: The acquisition of Tandberg in 2010 has substantially enriched the Cisco TelePresence solution. The range of infrastructure components and endpoint offerings has also grown considerably, most notably in the areas of call processing, conferencing, and scheduling. Similar components therefore now exist on both sides, and they have been incorporated into this document for unification and understanding. Furthermore, note that the key differentiator between the TelePresence endpoint/solution and the integrated Tandberg endpoint/solution is the standard used for communication between the infrastructure components and endpoints. Most often Tandberg endpoints are referred to as “standards-based endpoints,” and traditional TelePresence endpoints are referred to as “TIP” endpoints, as the latter use the TelePresence Interoperability Protocol (TIP) for communication. Substantial enhancements continue to be introduced into the TelePresence product line to further integrate the two solutions, with the end result being the evolution of a single integrated solution. This document will continue to be updated and enhanced with new product developments and solutions and their respective security best practices.

Cisco TelePresence Components

The Cisco TelePresence solution consists of various components that together provide the reliable architecture required to run a successful conferencing solution.
Cisco TelePresence System

The Cisco TelePresence System supports several different models, from small group (Cisco TelePresence System 500, 1000/1100, and EX and MXP Series) and one-on-one meetings around a “virtual table” to large boardroom meetings. On a small scale, two Cisco TelePresence 1000/1100 systems in a single meeting can create a virtual “roundtable” for a maximum of four participants. Furthermore, the multipoint meeting options can support up to 48 geographic locales on a single call. The Cisco TelePresence System is suitable for uses such as direct customer engagements, small presentations, regular one-on-one meetings with remote employees or partners, supply-chain dealings, press briefings, operational or engineering reviews, or negotiations and interviews. It has the ability to scale, based on model, to host up to 18 participants in boardroom style. In addition, the traditional Cisco TelePresence System is designed to be flush-mounted on wall space in smaller areas such as executive offices, bank branches, and doctors' offices, or anywhere that a one-on-one conversation is desired. However, the integration of Tandberg devices allows standalone units that can be placed on tables, desks, and other set-top configurations. The traditional Cisco TelePresence System solution leverages varying-sized LCD displays (based on model), screen resolutions, high-definition cameras, full-duplex audio, and optimized environmental factors to provide high-quality lighting and sound.

Cisco TelePresence Codec

One of the goals of Cisco TelePresence is to hide the technology from the user so that participants experience the meeting instead of the technology. Hidden underneath the plasma displays of the CTS-3200, CTS-3000/3010, and CTS-1000/1100 solutions are the Cisco TelePresence codecs. The CTS-3000/3010 and CTS-3200/3210 consist of a primary codec and two secondary codecs. Both the CTS-1000/1100 and CTS-500/EX Series utilize a single primary codec.
An additional optional codec is available as an upgrade for high-speed (30 frames per second) auxiliary video input. The codec is the engine that drives the entire Cisco TelePresence solution. All displays, cameras, microphones, and speakers connect to the codec, which communicates with the network and handles all audio and video processing. The codec runs a highly integrated version of the Linux operating system on an embedded Compact Flash module, and is managed through Secure Shell (SSH) and Hyper-Text Transfer Protocol over Secure Sockets Layer (HTTPS) for security purposes.

Cisco Unified Communications Manager and Cisco Video Communications Server

Cisco Unified Communications Manager, formerly Cisco Unified CallManager, is an enterprise-class IP telephony call-processing system that provides traditional telephony features as well as advanced capabilities such as mobility, presence, preference, and other rich media services. The TelePresence solution requires the use of Cisco Unified Communications Manager 7.1(3) or later, which leverages the Cisco TelePresence device plugin. Once the Cisco Unified Communications Manager is in production, the Cisco TelePresence System appears as a SIP (Session Initiation Protocol) endpoint. The Cisco Unified Communications Manager will be discussed later in this document. In addition, the Cisco Video Communications Server is similar to Cisco Unified Communications Manager in that it provides endpoint registration, call processing, and advanced capabilities and functionality (such as bandwidth management between H.323 and SIP endpoints and infrastructure) to Tandberg and third-party video endpoints and infrastructure components. Moreover, the Cisco Video Communications Server operates as an H.323 Gatekeeper and SIP proxy with a particular focus on video conferencing and communications capabilities.
The Cisco Video Communications Server can be deployed as Cisco Video Communications Server Control or as Cisco Video Communications Server Expressway. Cisco Video Communications Server Control is most often deployed within a local area network (LAN), and performs the operations of an H.323 gatekeeper, SIP registrar, and H.323 to SIP gateway server (translating between the two protocols). Cisco Video Communications Server Expressway provides a means for firewall traversal and for endpoint registration of SIP and H.323 devices across the Internet. In this capacity the Cisco Video Communications Server Expressway also provides standards-based Traversal Using Relay NAT (TURN) functionality. For the purposes of this document, Cisco Video Communications Server refers to Cisco Video Communications Server Control, unless explicitly stated otherwise.

Cisco TelePresence Manager and Cisco TelePresence Management Suite

The Cisco TelePresence Manager provides management and scheduling of Cisco TelePresence rooms and acts as the “middleware” between the meeting rooms, Cisco Unified Communications Manager, and an organization’s calendaring application (Microsoft Exchange, IBM Notes, and others). In addition, Cisco TelePresence Manager is the software application that allows one-button-to-push call launch for Cisco TelePresence meetings by intelligently automating scheduling and conferencing tasks. The Cisco TelePresence Manager will be discussed later in this document. Note: Cisco TelePresence Manager can be managed with SSH and HTTPS. In contrast with the Cisco TelePresence Manager, the Cisco TelePresence Management Suite exists to provide scheduling, provisioning, and management for standards-based endpoints and infrastructure components, such as the TelePresence Server and Multipoint Switch. In some deployments, both Cisco TelePresence Manager and the Cisco TelePresence Management Suite may be used in parallel, each managing its own set of endpoints/devices.
Moreover, as with many of the Cisco TelePresence and standards-based endpoints, administrators/engineers need to evaluate their needs and leverage an integrated and secure solution that supports point-to-point and multipoint conferencing.

Microsoft Exchange Server

The Microsoft Exchange Server provides users with a forum to schedule TelePresence meetings using the Microsoft Outlook group calendar and have the schedule automatically sent to the Cisco TelePresence systems involved in the call. These meetings are handled similarly to other resource requests. The Cisco TelePresence Manager or the Cisco TelePresence Management Suite communicates with the Microsoft Exchange server to determine which Cisco TelePresence meetings have been scheduled. Because the Microsoft Exchange server typically supports far more functionality than scheduling TelePresence meetings, securing it is largely outside the scope of this document. There are many resources for securing Exchange servers available on the Microsoft website. For instance, if you are running Microsoft Exchange 2003, you can follow the Windows Server 2003 Security Baseline. In any case, Exchange server configurations should be hardened.

Cisco TelePresence Recording Server

The Cisco TelePresence Recording Server provides the option to record in high-definition studio quality. In addition, Cisco TelePresence Recording Server allows a user to create and deliver high-quality, feature-rich video and compelling internal or external communications such as organizational updates, training, or crisis management. Moreover, Cisco TelePresence Recording Server provides the ability to distribute and view video content instantly, as well as allowing the replay of recordings on Cisco TelePresence endpoints or standard Internet browser media players. Further details can be found on the Cisco TelePresence Recording Server product page.
Unified Communications Infrastructure

Unified Communications infrastructure refers to the underlying architecture that enables your Cisco TelePresence system to operate. At the heart of this infrastructure are the key Unified Communications components, including the Cisco Unified Communications Manager/Cisco Video Communications Server and Cisco TelePresence Session Border Controller. These components use the basic network architecture—routers, switches, voice gateways, switches with inline power, etc.—to enable the Cisco TelePresence components to communicate with other systems, including dual solutions that leverage both Cisco Unified Communications Manager and Cisco Video Communications Server. Besides the physical equipment, the Cisco Unified Communications infrastructure relies on various protocols that operate over the network infrastructure. For instance, the TelePresence codecs integrate into Cisco Unified Communications by leveraging established techniques for network automation, quality of service (QoS), and call control, such as:
From an administrator's perspective, the entire Cisco TelePresence virtual meeting room appears as a single SIP endpoint on Cisco Unified Communications Manager. The virtual meeting room is managed using tools and methodologies that are similar to those used for Cisco Unified IP Phones. The Cisco TelePresence displays and cameras natively support 1080p resolution and use digital media interfaces to connect to the Cisco TelePresence codecs. The integration of digital media interfaces ensures the integrity of the video signal from end to end by eliminating the need for digital or analog conversion. Inside the Cisco TelePresence codecs, an onboard array of Digital Signal Processors (DSPs) encodes the digital video signal from the cameras into RTP packets using the H.264 encoding and compression standard. The Cisco TelePresence codecs can encode the video from the cameras at 1080p or 720p.

Specific Deployment Models

Deploying Cisco TelePresence typically involves one or more of the following components:
Cisco TelePresence deployments tend to fall into one of the following models:
The major difference between these deployment models involves determining which Cisco TelePresence endpoints are allowed to communicate with one another. One enterprise may only want to allow their Cisco TelePresence endpoints to communicate with other Cisco TelePresence endpoints in their network. Other deployments will require the ability to communicate with TelePresence endpoints on their own network as well as endpoints that belong to business partners (standards-based endpoints). Each of the deployment models provides slightly different functionality and inherits different security risks.

Intra-Campus Deployment Model

The intra-campus network deployment model has Cisco TelePresence systems limited to a single enterprise campus, or between sites that are interconnected by means of a high-speed (1-Gigabit or higher) metropolitan-area network (MAN). This deployment model is appropriate for enterprises that have a large number of buildings on a given campus and employees who are often required to drive to several different buildings over the course of the day to attend meetings. Deploying multiple Cisco TelePresence systems intra-campus can reduce the time lost by employees driving between buildings to attend meetings, without sacrificing meeting effectiveness, and thus improve overall productivity. The intra-campus deployment model is also commonly used in conjunction with the two enterprise deployment models: customers deploy multiple Cisco TelePresence rooms in their headquarters campus to meet demand for room availability as part of a global intra-enterprise or inter-enterprise deployment. The network infrastructure of an intra-campus deployment model is predominantly Cisco Catalyst switches connecting through GigE or 10GigE links.

Figure 1. Cisco TelePresence Intra-Campus Network Deployment Model
Intra-Enterprise Deployment Model

The intra-enterprise network deployment model for TelePresence systems connects not only buildings on a campus, but also geographically separated campus sites and branch offices. The intra-enterprise model expands on the intra-campus model to include sites connected via a WAN (less than 1 Gigabit). The intra-enterprise deployment model is suitable for businesses that require employees to travel extensively for internal meetings. Deploying Cisco TelePresence systems throughout the enterprise not only improves productivity—by saving travel time—but also reduces travel expenses. Furthermore, the overall quality of work/life balance is often improved when employees have to travel less. The network infrastructure of an intra-enterprise deployment model is a combination of Cisco Catalyst switches within the campus and Cisco routers over the WAN, which may include private WANs, MPLS VPNs, or Metro Ethernet networks. WAN speeds may range from 34 Mbps E3 circuits to 1 Gbps OC-192 circuits.

Figure 2. Cisco TelePresence Intra-Enterprise Network Deployment Model
Multipoint Deployment Model

Adding a Cisco TelePresence Multipoint Switch to the deployment configuration enables intra-campus and intra-enterprise deployment models to give customers the flexibility to use multiple Cisco TelePresence resources to facilitate multisite meetings (meetings with three or more Cisco TelePresence rooms). These resources may be located at any one of the campus locations or may be located within the service provider cloud as either a co-located resource or a managed/hosted resource. Multipoint deployment models require further analysis, such as platform and network design recommendations, additional bandwidth and latency considerations, Cisco TelePresence Multipoint Switch considerations, and scaling considerations. See the Cisco Multipoint Technology and Design Details section of the Cisco TelePresence Network Systems Design Guide.

Inter-Enterprise/Inter-Company Deployment Model

The inter-enterprise network deployment model connects Cisco TelePresence systems within an enterprise and allows for Cisco TelePresence systems in one enterprise to call systems in another enterprise. The inter-enterprise model expands on the intra-campus and intra-enterprise models to include connectivity between different enterprises. This model is also referred to as the business-to-business (B2B) Cisco TelePresence deployment model. The inter-enterprise model offers the most flexibility and is suitable for businesses that require employees to travel extensively for both internal and external meetings. In addition to the business advantages of the intra-enterprise model, the B2B TelePresence deployment model lets employees maintain high-quality customer relations without the associated costs of travel time and expense. The network infrastructure of the inter-enterprise/B2B deployment model builds on the intra-enterprise model and requires the enterprises to share a common Multiprotocol Label Switching Virtual Private Network (MPLS VPN) service provider (SP).
Additionally, the MPLS VPN SP must have a "shared services" Virtual Routing and Forwarding (VRF) instance provisioned with a Cisco IOS XR SBC. The Cisco TelePresence SBC bridges a connection between two separate MPLS VPNs to perform secure inter-VPN communication between enterprises. The Cisco TelePresence SBC also provides topology and address-hiding services, Network Address Translation (NAT) and firewall traversal, fraud and theft of service prevention, distributed denial of service detection and prevention, call admission control policy enforcement, and guaranteed QoS.

Figure 3. Cisco TelePresence Inter-Enterprise Network Deployment Model
For more information on Cisco TelePresence network design, refer to the Cisco TelePresence Network Systems 2.0 Design Guide.

Securing the Cisco TelePresence Solution

Overview

To secure a telepresence solution, administrators must keep a clear view of the TelePresence solution as a whole while also understanding each of its components. In this section, we will focus on securing the Cisco TelePresence solution. Other components will be addressed in the following sections of the document. At the solution level, the key factors that need to be considered when hardening a Cisco TelePresence System include the following:
Much of this protection is provided through an Authentication and Encryption Framework. As of Cisco TelePresence version 1.5, Cisco TelePresence deployments support the security of all currently supported signaling and media streams through the following capabilities:
When using the Authentication and Encryption Framework, you should be familiar with the following terms:
Enabling Security For Cisco TelePresence Deployments

Cisco TelePresence Server

The Cisco TelePresence Server is unique because it provides support and interoperability between TIP and standards-based endpoints. The TelePresence Server is a transcoding multipoint device, available as an appliance or blade, providing support for numerous screens (typically 16 or 48 respectively) at 720p resolution. The TelePresence Server can support many multipoint, multi-screen, and single-screen video and audio devices (both TIP and standards-based). Configuring security for the Cisco TelePresence Server is based around the protocols that are supported, namely SIP and H.323. Note that the Cisco TelePresence Server can be registered as SIP, H.323, or both; registering it for both is recommended, as it allows any standards-based SIP or H.323 endpoint to join a TelePresence Server conference using its native protocol and avoids unnecessary SIP/H.323 translation resources. To secure the Cisco TelePresence Server, the encryption key feature must be installed. The encryption key feature provides the ability to configure TLS encryption for SIP signaling, and AES-128 encryption for media to and from standards-based endpoints. Note: Currently, encryption of media to TIP endpoints is not supported.

Cisco TelePresence Multipoint Switch

Configuring security for the Cisco TelePresence Multipoint Switch leverages the following key components:
The Certificate Authority Proxy Function (CAPF) is a software service that is installed as part of the Cisco Unified Communications Manager platform. Typically, the duty of the CAPF is to issue certificates under its own authority or, acting as a proxy, to request certificates from an external certificate authority (CA), and then to provide those certificates to the Cisco TelePresence endpoints and Cisco Unified Communications Manager servers. The certificates provided by CAPF establish a hardened foundation that Cisco TelePresence uses to set up secure, authenticated connections for protocols such as SIP signaling over TLS. Note: When employing CAPF, use the longest key size possible (for instance 2048 bits). Also note that Cisco TelePresence Multipoint Switch requires an intermediary device (such as a Media Experience Engine) to integrate with standards-based endpoints. The Media Experience Engine is a video gateway device that provides transcoding, enabling the integration of TIP and standards-based endpoints.

CAPF Service and Username Passwords

Securing the CAPF component involves awareness of the CAPF server, which is installed by default and runs as a service. Activate the CAPF service, ensuring that unique usernames and passwords are used, and that only administrators have access to monitor and maintain key processes such as CAPF. You also need to create application users in the Standard Presence Group and add the user to the Standard CTI Enabled and Standard CTI Secure Connection groups. Adding these groups should give the users the following roles that are appropriate to the functions that they perform.
CAPF Profiles

You need to create CAPF profiles for the application users that you created. These profiles contain the specific details required to authenticate the Cisco TelePresence client-to-server communications. Leverage the CAPF profile security functionality by using an authentication mode of “By Authentication String” and a strong authentication string. In addition, ensure you leverage the longest key size possible (for instance 2048 bits).

Locally Significant Certificates

Locally significant certificates (LSCs) are utilized to secure SIP trunks between Cisco Unified Communications Manager, Cisco Video Communications Server, and the Cisco TelePresence Multipoint Switch, which provides multipoint meeting services. Cisco Unified Communications Manager creates this certificate and you must download it to your Cisco TelePresence System Multipoint Switch. This functionality provides confidentiality in the Cisco TelePresence infrastructure.

Session Initiation Protocol Trunks

SIP trunks replace traditional fixed PSTN (public switched telephone network) lines with a single aggregate link that leverages the SIP protocol for call control. To provide secure SIP trunking, build and leverage a SIP trunk security profile using a unique name for identification. This profile will be applied to the SIP trunk configuration on the Cisco Unified Communications Manager. Ensure that the “Device Security Mode” is set to “Encrypted,” which will use TLS. For additional details and configuration options, see the Configuring Security for Cisco TelePresence Multipoint Switch Configuration Guide.

Cisco TelePresence Multipoint Control Unit

The Cisco TelePresence Multipoint Control Unit is a transcoding device, offered in appliance and blade models, designed for single-screen standards-based endpoint solutions.
While not directly supporting TIP endpoints, any TIP to standards-based deployment will leverage Cisco TelePresence Multipoint Control Units for multipoint conferences of standards-based endpoints. Note that the Cisco TelePresence Multipoint Control Unit can be registered as SIP, H.323, or both; registering it for both is recommended, as it allows any standards-based SIP or H.323 endpoint to connect using its native protocol and avoids unnecessary SIP/H.323 translation resources. To secure the Cisco TelePresence Multipoint Control Unit, the encryption key feature must be installed. The encryption key feature provides the ability to configure TLS encryption for SIP signaling, and AES-128 encryption for media to and from standards-based endpoints.

Cisco TelePresence Manager

Cisco TelePresence Manager is the software application that allows one-button-to-push call launch for Cisco TelePresence meetings by intelligently automating scheduling and conferencing tasks. Furthermore, Cisco TelePresence Manager automatically allocates multipoint resources for a meeting based on the information received from calendar applications. The Cisco TelePresence Manager makes use of the following key components:
CAPF Service and Username Passwords

Using the CAPF component involves awareness of the CAPF server, which is installed by default and runs as a service. Activate the CAPF service, ensuring that unique usernames and passwords are used and that only administrators have access to monitor and maintain key processes such as CAPF. You also need to create application users in the Standard Presence Group and add the user to the Standard CTI Enabled and Standard CTI Secure Connection groups. Adding these groups should give the users the following roles that are appropriate to the functions that they perform.
CAPF Profiles

You need to create CAPF profiles for the application users that you created. These profiles contain the specific details required to authenticate the Cisco TelePresence client-to-server communications. Leverage the CAPF profile security functionality by using an authentication mode of “By Authentication String” and a strong authentication string. In addition, ensure you leverage the longest key size possible (for instance 2048 bits).

Certificates and LSCs

The important factor to consider when using keys and certificates is to leverage the CAPF and LSCs, using trust relationships (Trust category) to upload the certificates. In addition, when LSCs are downloaded from Cisco Unified Communications Manager to the Cisco TelePresence Manager, they should be securely accessed based on the CAPF instance ID and the previously defined CAPF authentication string. In this instance, obtaining the certificates and LSCs requires multiple credentials: one must know both the respective IDs and the passwords (authentication strings). For additional details and configuration options, see the Configuring Security for Cisco TelePresence Manager Configuration Guide.

Cisco TelePresence System

The Cisco TelePresence System leverages the following key components:
Cisco Unified Communications Manager

With regard to the Cisco TelePresence System, the focus of Cisco Unified Communications Manager is the security of the end devices, that is, phones and codecs. Securing these devices entails utilizing the phone/device security profile, enabling an encrypted “Device Security Mode,” secure transport types such as TLS, and authentication modes that use strings and key sizes as long as possible (for instance 2048 bits). The security profile should be assigned to all end devices that are to be secured. When defining the security profile, choose the default authentication mode, which is “By Authentication String.” Additionally, change the default credentials of admin/cisco that are defined in the profile to values that are much more difficult for an attacker to guess, because these credentials are used to perform web administration on the Cisco TelePresence System.

Authentication Mechanisms

The authentication mechanisms are leveraged by the Cisco TelePresence System to provide an added layer of security. To implement an authentication mechanism, one makes use of the CAPF authentication string field. Ensure that the authentication strings used in the system are unique and strong. The authentication string defined when you created the security profile is used to provide an extra layer of authentication when the Cisco TelePresence System communicates with the Cisco Unified Communications Manager. For this process to work, the authentication string that you entered when creating the security profile on the Cisco Unified Communications Manager must also be configured on the Cisco TelePresence System itself. For additional details and configuration options, see the Configuring Security for the Cisco TelePresence System Configuration Guide.

Securing Individual Cisco TelePresence Components

Overview

Securing your Cisco TelePresence configuration requires a solid foundation.
The beginning of this foundation is the actual Cisco TelePresence components themselves. When securing the individual components, you need to consider the following:
Physical Access

With the common support servers (such as the Cisco Unified Communications Manager), physical access to the device is limited to a small number of IT personnel. Regular users are only granted limited network access to perform specific functions. When deploying Cisco TelePresence, the following servers should also be deployed in a controlled environment that restricts physical access.
The actual Cisco TelePresence System (codecs, cameras, microphones, speakers, and IP phone) is located in the room from which end users make telepresence calls. Therefore, physical access to these components must be considered in your security policy.

Device Access

For server-type systems, device access should be limited by deploying the servers in a physically secure environment because they are key components that are used by all of the Cisco TelePresence endpoints. With the endpoints, the end users need to have access to the devices. Even if the room uses controlled access (such as a badge reader), users will have the ability to gain physical access to the telepresence devices located in the room. By default, the Cisco TelePresence endpoints have physical plates over unused network ports on the secondary codecs. The user has access to the physical connections between the codecs and the cameras and speakers. Because all of these devices use IP to communicate, they represent potential attack vectors. Depending on your security posture, you may want to periodically examine the components in the telepresence room for evidence of tampering.

Network Access

The final mode of access to the Cisco TelePresence components is the network. All of the Cisco TelePresence components reside on an IP-based network. Verifying that access to these devices is limited to authorized users and authorized services is crucial to maintaining the security of the Cisco TelePresence solution. Securing the Network Infrastructure provides additional details on this topic. When determining how to limit access to the various Cisco TelePresence components, it is beneficial to determine the services that are required for operation. The Cisco TelePresence Security Solutions guide for CTS Solution Release 1.7 outlines the services used by Cisco TelePresence and should be helpful when creating the firewall rules for limiting access to Cisco TelePresence devices.
Securing the Unified Communications Infrastructure
Much time has been spent investigating ways to implement security mechanisms in the Cisco Unified Communications Manager system to prevent identity theft of the endpoints (phones and codecs) and of the Cisco Unified Communications Manager server, as well as tampering with data, call signaling, and media streams. A hardened Cisco Unified Communications network establishes and maintains authenticated communication streams, digitally signs files before transferring them to the phone, and encrypts media streams and call signaling between Cisco Unified IP Phones and other endpoint devices. Not every network utilizes all of these features on every device, but these options are becoming more common.
Note: This document provides a high-level overview of the steps that you should take to secure your unified communications infrastructure. For detailed information, refer to the specific security documentation for your version of Cisco Unified Communications Manager, such as the Cisco Unified Communications Manager Security Guide, Release 7.0 and the Cisco Unified Communications Manager Security Guide, Release 8.0, as well as the Voice Security sections of the Unified Communications SRNDs for Cisco Unified Communications Manager 7.x and 8.x. The common factors that need to be considered when hardening a Unified Communications infrastructure include the following:
Image Authentication
Image authentication is the process that prevents tampering with the binary image or firmware load prior to loading it on the phone. Without image authentication, an attacker can manipulate a binary image to run modified software on a device. With image authentication, tampering with the image causes the device to fail the authentication process and reject the image.
Device Authentication
When devices communicate, it is important to authenticate the identity of the devices involved in the process. Without appropriate authentication, a malicious device can potentially make connections to servers or pretend to be a server on the network. Implementing device authentication causes connections between voice components to be authenticated using trusted certificates and allows verification of the identity of each device.
File Authentication
Similar to binary images, devices rely on various files to operate successfully, such as the configuration, ring list, locale, and Certificate Trust List files. If the integrity of the files is not verified, an attacker could manipulate the files and alter the operation of the devices on the network. File authentication validates files by digitally signing them so that the device can verify their integrity before use.
Signaling Authentication and Encryption
Each SIP call is initiated through control messages that are sent across the network using a signaling protocol. If an attacker could manipulate the control messages in transit, then he could alter the operation of the calls. When you implement signaling authentication, you protect the signaling traffic by encapsulating it in a TLS tunnel. The TLS tunnel protects the integrity of the signaling traffic and provides confidentiality by encrypting the signaling messages.
Digest Authentication
Basic SIP signaling operates by sending control messages (such as INVITE and REGISTER) to the Cisco Unified Communications Manager. It is important to verify the identity of a user or device making a SIP call. When digest authentication is enabled, the Cisco Unified Communications Manager can challenge the identity of a device that is connecting to Cisco Unified Communications Manager whenever it receives a call via a SIP trunk or from a SIP device. When challenged, the device presents its digest credentials, similar to a username and password, to Cisco Unified Communications Manager for verification.
Signaling Authorization
The SIP signaling protocol supports many different message types. Not all of these message types are needed for normal SIP calls. When signaling authorization is enabled, Cisco Unified Communications Manager uses the authorization process to restrict certain categories of messages from devices that are running SIP, from SIP trunks, and from SIP application requests on SIP trunks.
Media Encryption
When a SIP call is made, the actual media (such as the voice or video traffic) is sent through its own separate media channel. If an attacker could capture this traffic, he could eavesdrop on the conversation. Media encryption, which uses the Secure Real-time Transport Protocol (SRTP), ensures that only the intended recipient can interpret the media streams between supported devices.
Configuration File Encryption
Device configuration files may contain sensitive information such as administrator passwords and SIP digest credentials. Configuration file encryption enables Cisco Unified Communications Manager to protect confidential data in the device's configuration file by encrypting the file with symmetric encryption keys. When the configuration file is downloaded using TFTP or some other transport protocol, the data sent across the network is protected.
Interaction of Key Components
With a basic understanding of the key items that impact the security of a unified communications infrastructure, it is time to examine the interaction of the key unified communications components.
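Before turning to the components themselves, the digest challenge and response described under Digest Authentication above can be illustrated in code. The following is an added example, not Cisco Unified Communications Manager's implementation: it carries the RFC 2617 digest scheme that SIP (RFC 3261) uses for REGISTER and INVITE through a constructed exchange, shows that the password never crosses the network, and shows why a fresh, single-use nonce matters. The realm, device name, password and URI are constructed values.

```python
"""Added example (not Cisco's implementation): the RFC 2617 digest
challenge/response that SIP (RFC 3261) uses for REGISTER and INVITE."""
import hashlib
import hmac
import secrets


def _md5_hex(s: str) -> str:
    # MD5 is what the SIP digest scheme specifies; it is shown here for fidelity.
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """Device side: response = MD5(HA1 ':' nonce ':' HA2) (no qop).

    HA1 = MD5(username:realm:password), HA2 = MD5(method:uri).
    Only the response hash is sent; the password itself never appears on the wire."""
    ha1 = _md5_hex(f"{username}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{ha2}")


class DigestVerifier:
    """Hypothetical call-control side of the exchange.

    Stores only HA1 per device (not the password) and remembers which nonces
    it issued so that a captured response cannot be replayed."""

    def __init__(self, realm):
        self.realm = realm
        self._ha1 = {}        # username -> HA1
        self._issued = set()  # outstanding nonces

    def add_device(self, username, password):
        self._ha1[username] = _md5_hex(f"{username}:{self.realm}:{password}")

    def challenge(self):
        """Issue a fresh, unpredictable nonce (carried in the 401/407 challenge)."""
        nonce = secrets.token_hex(16)
        self._issued.add(nonce)
        return nonce

    def verify(self, username, method, uri, nonce, response):
        """Check the Authorization header values; each nonce is single-use."""
        if nonce not in self._issued:
            return False  # never issued, or already consumed (replay)
        self._issued.discard(nonce)
        ha1 = self._ha1.get(username)
        if ha1 is None:
            return False
        expected = _md5_hex(f"{ha1}:{nonce}:{_md5_hex(f'{method}:{uri}')}")
        return hmac.compare_digest(expected, response)


def demo():
    """Constructed exchange: a codec registering in realm 'telepresence.example'."""
    realm, user, password = "telepresence.example", "cts-room1", "correct horse battery"
    server = DigestVerifier(realm)
    server.add_device(user, password)
    uri = "sip:telepresence.example"
    nonce = server.challenge()
    resp = digest_response(user, realm, password, "REGISTER", uri, nonce)
    first = server.verify(user, "REGISTER", uri, nonce, resp)    # valid response
    replay = server.verify(user, "REGISTER", uri, nonce, resp)   # same nonce again
    nonce2 = server.challenge()
    wrong = digest_response(user, realm, "guess", "REGISTER", uri, nonce2)
    bad_pw = server.verify(user, "REGISTER", uri, nonce2, wrong)  # wrong credentials
    return first, replay, bad_pw  # (True, False, False)


if __name__ == "__main__":
    print(demo())
```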
The main components include the following:
Each of these components has a different asset value. For instance, the Unified Communications Manager is more critical to a network than a single IP phone. Nevertheless, even an IP phone can have a high asset value if it belongs to the CEO.
Network Separation
In a traditional IP telephony deployment, it is common to place the voice endpoints on a single VLAN dedicated to voice traffic. When incorporating Cisco TelePresence into your voice network, there are various options to consider when separating your voice and video traffic from the rest of your network:
1. Separate Voice VLAN
2. Private VLANs
3. Virtual Routing and Forwarding
Since each network is unique, it is rare that any of these options by themselves will provide all of the functionality needed to secure your Cisco TelePresence deployment. Instead, a hybrid approach that incorporates aspects of each of these areas will typically be used to harden the telepresence configuration. We will examine each of these items individually to point out the benefits that they can provide when hardening your Cisco TelePresence deployment, along with any potential downside that has to be considered when using them on your network.
Separate Voice VLAN
In a separate Voice VLAN configuration, all of the IP Phones and Cisco TelePresence endpoints reside on a single voice VLAN. With all of the devices on the same VLAN, it is easier to allow the devices to communicate with each other while isolating the voice endpoints from the rest of the network. In this configuration, more voice endpoints have access to the Cisco TelePresence endpoints, which represents a higher risk that one of the voice endpoints (i.e., a regular IP phone) may be used to launch an attack against one of the Cisco TelePresence endpoints. VLAN access control lists (VACLs) can be used to minimize this risk by limiting inter-device traffic.
Implementing regular ACLs can also be more complicated in this configuration given that traditional IP phones and telepresence endpoints have different service requirements. Separate voice and data VLANs are recommended for the following reasons:
Private VLANs
Private VLANs (PVLANs) allow the isolation at Layer 2 of devices in the same IP subnet. With PVLANs, traffic between devices on the same VLAN is automatically restricted. This extra layer of protection means that ACLs need only be applied at the single gateway system through which the devices on the VLAN must communicate, even to reach other devices on the same VLAN. There are three types of PVLAN ports: promiscuous, isolated, and community.
Given the scale of most voice deployments, the use of private VLANs will probably be limited to specific areas that are particularly untrusted. Typical areas may include lobby and common spaces that expose the IP phones to a wide variety of threats, including physical access.
Virtual Routing and Forwarding
Virtual network is a generic term covering many different technologies that provide virtualization. Fundamentally, all virtual networks provide a mechanism to deploy what looks and operates like multiple networks that are all using the same hardware and physical connectivity. Virtual Routing and Forwarding (VRF) is a technique that creates multiple virtual networks within a single network. In a single network component, multiple VRF instances create the isolation between virtual networks. VRFs are already commonly used to connect softphones securely in the enterprise. Since softphones exist on the data network instead of the normal voice VLAN, using a VRF configuration enables greater control over the traffic that can flow from the softphones to the other components on the voice network.
Securing the Network Infrastructure
Besides the specific Cisco TelePresence and unified communications security requirements, you also have to consider the security of your basic network infrastructure. The security of a Cisco TelePresence configuration depends on many factors. One factor is the underlying network infrastructure, because it provides the foundation over which all of the Cisco TelePresence traffic traverses. Some of the targeted threats that a network may experience include:
Security usually involves tradeoffs, so when securing a network, some strategy is required. The essential foundation for any security strategy is an intelligent security policy. Before you can secure your network infrastructure, you must develop a security policy for your network. The Cisco SAFE Blueprint provides you with an underlying strategy to help you develop a security policy, called "The Cisco Security Control Framework". The Cisco Security Control Framework provides a common framework that drives the selection of products and features that maximize visibility and control, the two most fundamental aspects driving security. When developing your security policy, you need to understand the targets on your network and how to secure the different areas of your network. Different sections of a network require stronger security controls depending on the functionality that they provide. For instance, you usually have different security requirements for your Internet edge than you do for security controls placed on internal network segments.
Note: Although the specific network functional areas outlined by the Cisco SAFE Blueprint may not represent every functional area of your network, it provides enough different types of areas that you should be able to tweak a given area to match your unique requirements.
Attacker Targets to Consider
Your network infrastructure comprises a variety of devices, services, and other information sources. Any of these items can be attacked in an attempt to compromise confidentiality, integrity, or availability. To properly develop a security policy, an understanding of the major targets that an attacker will be going after is required. The major targets on your network include the following:
Infrastructure Devices
One of the target areas that you need to address is access to the key devices on your network. Your network infrastructure consists of many components besides routers and switches. A typical network includes a large variety of components, including firewalls, intrusion prevention systems, and load balancers. Attackers are constantly trying to access devices on networks. Providing unnecessary access to a device gives attackers a greater chance of compromising the device. Each device has some type of management interface, as well as other ways to access it. All of the devices on your network should be secured appropriately.
Services
Network communication depends on a variety of services, such as the following:
These services, which are vital to the successful operation of a network, are also prime targets for an attacker. Disrupting any of these services can cause serious problems for network operations.
Endpoints
An endpoint is essentially any system that connects to the network and communicates with other devices on the network. Examples of endpoints include:
Because of the immense diversity of hardware platforms, operating systems, and applications, endpoints present some of the most difficult challenges from a security perspective, because they require a wide range of techniques to ensure a strong security posture.
Networks
Entire network segments may also be the target of attacks such as:
An example of a network threat would be an unauthorized user taking advantage of an open wireless access point to attack the network.
Network Segments to Consider
Following the guidelines of SAFE, you can divide your network into functional areas, such as the following:
Each area requires security controls appropriate to the services it provides and the attack surface that it presents to your network.
Maintaining Secure Operations
Several things must be done to maintain the ongoing security of a deployed Cisco TelePresence network. The sections that follow provide an overview of actions that should be taken on an ongoing basis.
Monitor Cisco Security Advisories
The Cisco Product Security Incident Response Team (PSIRT) uses Security Advisories and Responses to notify customers of security vulnerabilities in Cisco products. It is important that these be monitored so that an organization can learn of security vulnerabilities that may impact the security of its network. Cisco Security Advisories can be found online at the following address: http://www.cisco.com/go/psirt.
Use Up-to-Date Software
Cisco routinely releases software updates for Cisco TelePresence products. Updates generally contain stability fixes, as well as security enhancements. Customers should evaluate and consider software updates for deployment to take advantage of fixes and security enhancements.
Limit Interactive and Management Access
Much of the Cisco TelePresence solution allows network administrators to access components for management purposes. For stability and security, it is a best practice to limit management sessions to the smallest number of administrators that is operationally possible. Administrative access to Cisco TelePresence devices should be denied for users who do not require that level of access.
Centralize Logging
Centralized logging enables the collection and monitoring of events from various network components at a single location. By viewing the events from multiple sources, a more complete picture of what is happening on the network can be determined. For instance, a single login failure on a server may not be very interesting, but multiple failures on multiple servers from the same source system may indicate an attack against your network.
Gain Visibility with NetFlow
Cisco IOS NetFlow is a technology that allows network administrators or security practitioners to understand traffic as it traverses a network. Analogous to a telephone bill, NetFlow provides information on which devices are communicating with one another and the route that communication is taking across a network.
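The two practices just described, correlating events from many sources in one place and using NetFlow to see which devices talk to which, can be combined into a simple audit. The following is an added example, not part of the Cisco document: it reads constructed NetFlow-style records, compares each flow to a TelePresence component against an assumed allowlist of required services (the Network Access section above notes that the real list comes from the Cisco TelePresence Security Solutions guide), and applies the "same source, many systems" idea from Centralize Logging by flagging one source that touches management ports on several components. The component addresses, roles, port allowlist, management port set and RTP range are all assumptions.

```python
"""Added example (not from the Cisco document): audit constructed NetFlow-style
records against an allowlist of the services a TelePresence component needs,
and flag a single source touching management ports on many components."""
from collections import defaultdict

# Constructed inventory of TelePresence components: address -> role.
INVENTORY = {
    "10.0.1.10": "cts",     # TelePresence System codec (placeholder address)
    "10.0.1.11": "cts",
    "10.0.2.5": "cucm",     # Unified Communications Manager
    "10.0.2.6": "ctsman",   # TelePresence Manager
    "10.0.2.7": "ctms",     # Multipoint Switch
}

# Assumed allowlist of inbound (proto, dport) per role. The authoritative list
# comes from the Cisco TelePresence Security Solutions guide; these entries are
# illustrative and match protocols the document names (SIP over TLS, HTTPS,
# SSH, SNMP, TFTP). Plain SIP (tcp/5060) is deliberately left out.
ALLOWED = {
    "cts":    {("tcp", 5061), ("tcp", 443), ("tcp", 22), ("udp", 161)},
    "cucm":   {("tcp", 5061), ("udp", 69), ("tcp", 443), ("tcp", 22), ("udp", 161)},
    "ctsman": {("tcp", 443), ("tcp", 22), ("udp", 161)},
    "ctms":   {("tcp", 5061), ("tcp", 443), ("tcp", 22), ("udp", 161)},
}
MEDIA_ROLES = {"cts", "ctms"}      # roles that terminate RTP/SRTP media
RTP_RANGE = (16384, 32767)         # assumed UDP media port range
MGMT_PORTS = {("tcp", 22), ("tcp", 23), ("tcp", 80), ("tcp", 443), ("udp", 161)}
SCAN_THRESHOLD = 3                 # distinct components touched on management ports


def is_allowed(role, proto, dport):
    """True if the flow matches a required service for this component role."""
    if (proto, dport) in ALLOWED.get(role, set()):
        return True
    return role in MEDIA_ROLES and proto == "udp" and RTP_RANGE[0] <= dport <= RTP_RANGE[1]


def parse_flows(text):
    """Parse constructed records, one per line: 'src dst proto dport packets'."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, proto, dport, pkts = line.split()
        flows.append({"src": src, "dst": dst, "proto": proto.lower(),
                      "dport": int(dport), "packets": int(pkts)})
    return flows


def audit_flows(flows):
    """Return (unexpected, scanners).

    unexpected: (src, dst, proto, dport) for flows to a component that are
                outside that component's allowlist, in input order
    scanners:   {src: sorted components} for sources that reached management
                ports on at least SCAN_THRESHOLD distinct components"""
    unexpected = []
    mgmt_targets = defaultdict(set)
    for f in flows:
        role = INVENTORY.get(f["dst"])
        if role is None:
            continue  # destination is not a TelePresence component
        if not is_allowed(role, f["proto"], f["dport"]):
            unexpected.append((f["src"], f["dst"], f["proto"], f["dport"]))
        if (f["proto"], f["dport"]) in MGMT_PORTS:
            mgmt_targets[f["src"]].add(f["dst"])
    scanners = {src: sorted(t) for src, t in mgmt_targets.items() if len(t) >= SCAN_THRESHOLD}
    return unexpected, scanners


# Constructed sample records (not real traffic).
SAMPLE_FLOWS = """
10.0.1.10 10.0.2.5 tcp 5061 42
10.0.1.10 10.0.2.7 udp 20000 9800
10.0.9.77 10.0.1.10 tcp 443 12
10.0.9.77 10.0.1.11 tcp 22 5
10.0.9.77 10.0.2.6 tcp 23 3
10.0.9.77 10.0.2.7 udp 161 2
10.0.1.11 10.0.2.5 udp 69 18
10.0.1.11 10.0.2.5 tcp 5060 40
10.0.2.5 10.0.1.10 tcp 5061 30
"""

if __name__ == "__main__":
    bad, scan = audit_flows(parse_flows(SAMPLE_FLOWS))
    for src, dst, proto, dport in bad:
        print(f"unexpected service: {src} -> {dst} {proto}/{dport} ({INVENTORY[dst]})")
    for src, targets in scan.items():
        print(f"management ports on {len(targets)} components from {src}: {', '.join(targets)}")
```

On the sample records the audit reports the cleartext SIP flow to the Unified Communications Manager and the Telnet attempt on the TelePresence Manager, and singles out 10.0.9.77 for reaching management ports on four different components.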
Where possible, network devices should be configured for NetFlow. More information about NetFlow can be found in the white paper Introduction to Cisco IOS NetFlow.
Configuration Management
Few networks are completely static. New locations and devices are added and software is updated to take advantage of new features. A structured change management process should be implemented in any production network. Furthermore, security should be integrated into the entire change management process, and all changes should be evaluated to determine if they affect the security posture of the network.
Security Threats
The previous sections of this document provide a broad overview and references to detailed documentation for many areas that may impact the security of your Cisco TelePresence deployment. This section outlines the major flows of information between the individual components. Then, for each component, threats and potential mitigations will be examined.
Note: The Cisco TelePresence components interact with various other outside components. Each of those components needs to be appropriately hardened. Hardening those components, however, is beyond the scope of this document.
Major Data Flows
The following diagrams provide a graphical overview of the major data flows between the Cisco TelePresence components. Management flows are not indicated in these diagrams.
Figure 4. Cisco TelePresence System Network Protocol Interaction
Figure 5. Cisco TelePresence System Call Setup
Figure 6. Cisco TelePresence Manager Exchange Interaction
Figure 7. Cisco TelePresence Manager Domino Interaction
Figure 8. Cisco TelePresence Multipoint Switch Interaction
Figure 9. Secure Cisco TelePresence Multipoint Switch Interaction
Figure 10. Cisco TelePresence System Recording Server Interaction
Cisco TelePresence System Threats
The Cisco TelePresence System is the endpoint from which Cisco TelePresence calls originate. Securing the Cisco TelePresence System involves examining threats in the following areas:
Cisco TelePresence System Physical Threats
The end users have access to the physical equipment located at the Cisco TelePresence endpoint (Cisco TelePresence System, displays, cameras, etc.). Minor threats associated with this access are shown in the following table.
Cisco TelePresence System Management Threats
The Cisco TelePresence System supports the following management protocols:
The general threats to Cisco TelePresence System management include the following:
Threats related to using HTTP for management include the following:
The Cisco TelePresence System supports SNMP Version 2c and Version 3. Version 3 of SNMP is the most secure version because it adds the following features:
Threats that are related to using SNMP Version 2c for management include:
Cisco TelePresence System Signaling Threats
The Cisco TelePresence System relies on the SIP protocol to perform signaling operations with the Cisco Unified Communications Manager. SIP is an open standard with tremendous flexibility, including the ability to add user-defined fields. However, SIP is also subject to many security threats and attacks. Besides basic SIP, the Cisco TelePresence System also supports SIP over TLS, which provides an encrypted tunnel for signaling.
Note: The same signaling threats apply to the VoIP phone that resides in the Cisco TelePresence room.
Cisco TelePresence System Media Threats
The Cisco TelePresence System uses RTP and SRTP to transfer media. These protocols transfer the media data, and they also use an associated control protocol, RTCP, to control the data transfer.
Cisco TelePresence System Control Traffic Threats
The Cisco TelePresence System uses Trivial File Transfer Protocol (TFTP) to retrieve software images and configuration files from the Cisco Unified Communications Manager. TFTP exposes the following threats:
The Cisco TelePresence System can be configured to obtain an IP address via DHCP or use a static IP address. If DHCP is utilized, then the following threats are relevant:
The Cisco TelePresence System utilizes XML/SOAP messaging to receive meeting information from the CTS Manager. XML/SOAP to the CTS exposes the following threats:
Cisco TelePresence System Manager Threats
Cisco TelePresence System Manager Physical Threats
The Cisco TelePresence System Manager is a network server that should reside in a controlled environment similar to other servers (such as Cisco Unified Communications Manager and Microsoft Exchange). The restrictions on that environment should mitigate the basic physical access threats to the CTS Manager system.
Cisco TelePresence System Manager Management Threats
The Cisco TelePresence System Manager supports the following management protocols:
The general threats to Cisco TelePresence System Manager management include the following:
Threats related to using HTTP for management include the following:
The Cisco TelePresence System supports SNMP Version 2c and Version 3 (Default). Version 3 of SNMP is the most secure version because it adds the following features:
Cisco TelePresence System Manager Signaling Threats
The Cisco TelePresence System Manager does not handle any of the call signaling traffic, so there are no threats for this area.
Cisco TelePresence System Manager Media Threats
The Cisco TelePresence System Manager does not handle any of the call media traffic, so there are no threats for this area.
Cisco TelePresence System Manager Control Traffic Threats
The Cisco TelePresence System Manager utilizes XML/SOAP for the following functions:
The XML/SOAP network communication used by Cisco TelePresence System Manager exposes the following threats:
Cisco TelePresence System Multipoint Switch Threats
Cisco TelePresence System Multipoint Switch Physical Threats
The Cisco TelePresence System Multipoint Switch is a network server that should reside in a controlled environment similar to other servers (such as Cisco Unified Communications Manager and Microsoft Exchange). The restrictions on that environment should mitigate the basic physical access threats to the Cisco TelePresence System Multipoint Switch system.
Cisco TelePresence System Multipoint Switch Management Threats
The Cisco TelePresence System Multipoint Switch supports the following management protocols:
The general threats to Cisco TelePresence System Multipoint Switch management include the following:
The Cisco TelePresence System Multipoint Switch supports SNMP Version 2c and Version 3 (Default). Version 3 of SNMP is the most secure version because it adds the following features:
The threats related to using HTTP for management include the following:
Cisco TelePresence System Multipoint Switch Signaling Threats
The Cisco TelePresence Multipoint Switch relies on the SIP protocol to perform signaling operations with the Cisco Unified Communications Manager. SIP is an open standard with a great deal of flexibility, including the ability to add user-defined fields. SIP is also subject to many security threats and attacks. In addition to basic SIP, the Cisco TelePresence Multipoint Switch also supports SIP over TLS, which provides an encrypted tunnel through which to perform the signaling.
Cisco TelePresence System Multipoint Switch Media Threats
The Cisco TelePresence System uses RTP and SRTP to transfer media. These protocols transfer the media data, and they also use an associated control protocol, RTCP, to control the data transfer.
Cisco TelePresence System Multipoint Switch Control Traffic Threats
The Cisco TelePresence System Multipoint Switch uses XML/SOAP traffic to receive meeting information from the Cisco TelePresence System Manager.
Cisco TelePresence System Recording Server
The Cisco TelePresence System Recording Server provides a method to record Cisco TelePresence calls. All of the endpoints use the single Cisco TelePresence System Recording Server, which is configured as a static mapping between each endpoint and the Recording Server on the Cisco Unified Communications Manager. To initiate a recording, users log in to the user portal, which authenticates them with a PIN.
Cisco TelePresence System Recording Server Physical Threats
The Cisco TelePresence System Recording Server is a network server that should reside in a controlled environment similar to other servers (such as Cisco Unified Communications Manager and Microsoft Exchange). The restrictions on that environment should mitigate the basic physical access threats to the Cisco TelePresence System Recording Server system.
Cisco TelePresence System Recording Server Management Threats
The Cisco TelePresence System Recording Server supports the following management protocols:
The general threats to Cisco TelePresence System Recording Server management include the following:
The Cisco TelePresence System Recording Server supports SNMP Version 2c and Version 3 (Default). Version 3 of SNMP is the most secure version because it adds the following features:
The threats related to using HTTP for management include the following:
Cisco TelePresence System Recording Server Signaling Threats
The Cisco TelePresence System Recording Server relies on the SIP protocol to perform signaling operations with the Cisco Unified Communications Manager. SIP is an open standard with a great deal of flexibility, including the ability to add user-defined fields. Furthermore, SIP is also subject to many security threats and attacks. Besides basic SIP, the CTS Recording Server also supports SIP over TLS, which provides an encrypted tunnel through which to perform the signaling.
Cisco TelePresence System Recording Server Media Threats
The Cisco TelePresence System Recording Server uses RTP and SRTP to transfer media during calls. These protocols transfer the actual media data, and they also utilize an associated control protocol, RTCP, to control the data transfer.
Cisco TelePresence System Recording Server Control Traffic Threats
The Cisco TelePresence System Recording Server uses Trivial File Transfer Protocol (TFTP) to retrieve software images and configuration files from the Cisco Unified Communications Manager. TFTP exposes the following threats:
The Cisco TelePresence Recording Server can be configured to obtain an IP address via DHCP or use a static IP address. If DHCP is utilized, then the following threats are relevant:
The Cisco TelePresence System Recording Server utilizes XML/SOAP messaging to receive meeting information from the IP Phone in the Cisco TelePresence room, as well as the Cisco TelePresence Manager. XML/SOAP to the Cisco TelePresence Recording Server exposes the following threats:
Acknowledgments
Earl Carter (ecarter@cisco.com) and Andrae Middleton (amiddlet@cisco.com), Network Consulting Engineers
References
Cisco TelePresence Secure Communications and Signaling
Installing Cisco TelePresence Manager
Cisco TelePresence Security Solutions
Configuring Security For the Cisco TelePresence Manager
This document is part of Cisco Security Intelligence Operations. This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.