Cisco TelePresence Hardening Guide

Contents

Document Overview
Solution Overview
      Overview
      Cisco TelePresence Components
         Cisco TelePresence System
         Cisco TelePresence Codec
         Cisco Unified Communications Manager and Cisco Video Communications Server
         Cisco TelePresence Manager and Cisco TelePresence Management Suite
         Microsoft Exchange Server
         Cisco TelePresence Recording Server
      Unified Communications Infrastructure
      Specific Deployment Models
         Intra-Campus Deployment Model
         Intra-Enterprise Deployment Model
         MultiPoint Deployment Model
         Inter-Enterprise/Inter-Company Deployment Model
Securing the Cisco TelePresence Solution
      Overview
      Enabling Security For Cisco TelePresence Deployments
      Cisco TelePresence Server
      Cisco TelePresence Multipoint Switch
         CAPF Service and Username Passwords
         CAPF Profiles
         Locally Significant Certificates
         Session Initiation Protocol Trunks
      Cisco TelePresence Multipoint Control Unit
      Cisco TelePresence Manager
         CAPF Service and Username Passwords
         CAPF Profiles
         Certificates and LSCs
      Cisco TelePresence System
         Cisco Unified Communications Manager
         Authentication Mechanisms
Securing Individual Cisco TelePresence Components
      Overview
         Physical Access
         Device Access
         Network Access
Securing the Unified Communications Infrastructure
      Image Authentication
      Device Authentication
      File Authentication
      Signaling Authentication and Encryption
      Digest Authentication
      Signaling Authorization
      Media Encryption
      Configuration File Encryption
      Interaction of Key Components
      Network Separation
         Separate Voice VLAN
      Private VLANs
      Virtual Routing and Forwarding
Securing the Network Infrastructure
      Attacker Targets to Consider
         Infrastructure Devices
         Services
         Endpoints
         Networks
      Network Segments to Consider
Maintaining Secure Operations
      Monitor Cisco Security Advisories
      Use Up to Date Software
      Limit Interactive and Management Access
      Centralize Logging
      Gain Visibility with NetFlow
      Configuration Management
Security Threats
      Major Data Flows
      Cisco TelePresence System Threats
         Cisco TelePresence System Physical Threats
         Cisco TelePresence System Management Threats
         Cisco TelePresence System Signaling Threats
         Cisco TelePresence System Media Threats
         Cisco TelePresence System Control Traffic Threats
      Cisco TelePresence System Manager Threats
         Cisco TelePresence System Manager Physical Threats
         Cisco TelePresence System Manager Management Threats
         Cisco TelePresence System Manager Signaling Threats
         Cisco TelePresence System Manager Media Threats
         Cisco TelePresence System Manager Control Traffic Threats
      Cisco TelePresence System Multipoint Switch Threats
         Cisco TelePresence System Multipoint Switch Physical Threats
         Cisco TelePresence System Multipoint Switch Management Threats
         Cisco TelePresence System Multipoint Switch Signaling Threats
         Cisco TelePresence System Multipoint Switch Media Threats
         Cisco TelePresence System Multipoint Switch Control Traffic Threats
      Cisco TelePresence System Recording Server
         Cisco TelePresence System Recording Server Physical Threats
         Cisco TelePresence System Recording Server Management Threats
         Cisco TelePresence System Recording Server Signaling Threats
         Cisco TelePresence System Recording Server Media Threats
         Cisco TelePresence System Recording Server Control Traffic Threats
Acknowledgments

References

Document Overview

Many features and considerations contribute to the security of a Cisco TelePresence deployment. This document provides an overview of the various aspects that a customer should consider when securing a TelePresence environment. This document provides an overview of the security configuration of individual TelePresence devices and the overall TelePresence solution. Moreover, this document describes security controls that can be implemented in the network to enhance the overall security of the solution.

This document builds upon the security foundation established in the Voice Security sections of the Unified Communications Solution Reference Network Design (SRND) documents. Each feature or deployment consideration specific to TelePresence is briefly discussed here, with references provided for additional information. This document also makes recommendations that, if implemented, will directly contribute to the security of deployed systems. For the purposes of this document, the term TelePresence endpoints refers to both traditional Cisco TelePresence and Tandberg endpoints, except where explicitly stated.

The Voice Security sections of the Unified Communications SRND for Cisco Unified Communications Manager 6.x, 7.x, and 8.x are available at the Design Zone for Unified Communications.

Solution Overview

Overview

Before discussing how to secure a Cisco TelePresence deployment, the basic components of the solution and the deployment models currently in use should be understood. In this section, we will cover the following topics:

  • Cisco TelePresence components
  • Cisco Unified Communications infrastructure
  • Specific deployment models

Note: The acquisition of Tandberg in 2010 has largely enriched the Cisco TelePresence solution. In addition, the infrastructure components and endpoint solutions have also increased comprehensively, most notably in the areas of call processing, conferencing, and scheduling. Therefore, similar components now exist and have been incorporated into this document for unification and understanding. Furthermore, note that the key differentiator among the TelePresence endpoint/solution and the integrated Tandberg endpoint/solution is the standard that is used for communications between the infrastructure components and endpoints. Most often Tandberg endpoints are referred to as “standards-based endpoints,” and traditional TelePresence endpoints are referred to as “TIP” endpoints, as the latter leverages the TelePresence Interoperability Protocol (TIP) for communication.

Plans for substantial enhancements continue to commence and transition into the TelePresence product line to further address integration of the two aforementioned solutions, with the end result being the evolution of a single integrated solution. As always, this document will continue to be updated and enhanced with new product developments and solutions and their respective security best practices.

Cisco TelePresence Components

The Cisco TelePresence solution consists of various components that holistically provide the reliable architecture required to run a successful conferencing solution.

  • Cisco TelePresence System
  • Cisco Unified Communications Manager and Cisco Video Communications Server
  • Cisco TelePresence Manager and Cisco TelePresence Management Suite
  • Microsoft Exchange Server
  • Cisco TelePresence Recording Server
  • Network Infrastructure

Cisco TelePresence System

The Cisco TelePresence System supports several different models from small group (Cisco TelePresence System 500, 1000/1100, and EX and MXP Series) and one-on-one meetings around a “virtual table” to large boardroom meetings. On a small scale, two Cisco TelePresence 1000/1100 systems in a single meeting can create a virtual “roundtable” for a maximum of four participants. Furthermore, the multipoint meeting options can support up to 48 geographic locales on a single call.

The Cisco TelePresence System is suitable for uses such as direct customer engagements, small presentations, regular one-on-one meetings with remote employees or partners, supply-chain dealings, press briefings, operational or engineering reviews, or negotiations and interviews. It has the ability to scale, based on model, to host up to 18 participants in boardroom style. In addition, the traditional Cisco TelePresence System is designed to be flush-mounted on wall space in smaller areas such as executive offices, bank branches, and doctors' offices, or anywhere that a one-on-one conversation is desired. However, the integration of Tandberg devices allows standalone units that can be placed on tables, desks, and other set-top configurations.

The traditional Cisco TelePresence System solution leverages varying-sized LCD displays (based on model), screen resolutions, high-definition cameras, full-duplex audio, and optimized environmental factors to provide high-quality lighting and sound.

Cisco TelePresence Codec

One of the goals of Cisco TelePresence is to hide the technology from the user so that participants experience the meeting instead of the technology. Hidden underneath the plasma displays of the CTS-3200, CTS-3000/3010, and CTS-1000/1100 solutions are the Cisco TelePresence codecs. The CTS-3000/3010 and CTS-3200/3210 consist of a primary codec and two secondary codecs. Both the CTS-1000/1100 and CTS-500/EX Series utilize a single primary codec. An additional optional codec is available as an upgrade for high-speed (30 frames per second) auxiliary video input.

The codec is the engine that drives the entire Cisco TelePresence solution. All displays, cameras, microphones, and speakers connect to the codec, which communicates with the network and handles all audio and video processing. The codec runs a highly integrated version of the Linux operating system on an embedded Compact Flash module, and for security purposes is managed only through Secure Shell (SSH) and Hyper-Text Transfer Protocol over Secure Sockets Layer (HTTPS).

Cisco Unified Communications Manager and Cisco Video Communications Server

Cisco Unified Communications Manager, formerly Cisco Unified CallManager, is an enterprise-class, IP telephony call-processing system that provides traditional telephony features as well as advanced capabilities such as mobility, presence, preference, and other rich media services. The TelePresence solution requires the use of Cisco Unified Communications Manager 7.1(3) or later, which leverages the Cisco TelePresence device plugin. Once the Cisco Unified Communications Manager is in production, the Cisco TelePresence System appears as a SIP (Session Initiation Protocol) endpoint. The Cisco Unified Communications Manager will be discussed later in this document.

In addition, the Cisco Video Communications Server is similar to Cisco Unified Communications Manager in that it provides endpoint registration, call processing, and advanced capabilities and functionality (such as bandwidth management between H.323 and SIP endpoints and infrastructure) to Tandberg and third-party video endpoints and infrastructure components. Moreover, the Cisco Video Communications Server operates as an H.323 gatekeeper and SIP proxy with a specific focus on video conferencing and communications capabilities.

The Cisco Video Communications Server can be deployed as Cisco Video Communications Server Control or as Cisco Video Communications Server Expressway. Cisco Video Communications Server Control is most often deployed within a local area network (LAN), and performs the operations of an H.323 gatekeeper, SIP registrar, and H.323 to SIP gateway server (translating between the two protocols). Cisco Video Communications Server Expressway provides a means for firewall traversal and for endpoint registration of SIP and H.323 devices across the Internet. In this capacity the Cisco Video Communications Server Expressway also provides standards-based Traversal Using Relay NAT (TURN) functionality. For the purposes of this document Cisco Video Communications Server refers to Cisco Video Communications Server Control, unless explicitly stated otherwise.

Cisco TelePresence Manager and Cisco TelePresence Management Suite

The Cisco TelePresence Manager provides management and scheduling of Cisco TelePresence rooms and acts as the “middleware” between the meeting rooms, Cisco Unified Communications Manager, and an organization’s calendaring application (Microsoft Exchange, IBM Notes, and others). In addition, Cisco TelePresence Manager is the software application that allows one-button-to-push call launch for Cisco TelePresence meetings by intelligently automating scheduling and conferencing tasks. The Cisco TelePresence Manager will be discussed later in this document.

Note: Cisco TelePresence Manager can be managed with SSH and HTTPS.

In contrast with the Cisco TelePresence Manager, the Cisco TelePresence Management Suite exists to provide scheduling, provisioning, and management for standards-based endpoints and infrastructure components, such as the TelePresence Server and Multipoint Switch. In some deployments, Cisco TelePresence Manager and the Cisco TelePresence Management Suite are used in parallel, each managing its own set of endpoints and devices. Moreover, as with many of the Cisco TelePresence and standards-based endpoints, administrators and engineers need to evaluate their needs and leverage an integrated and secure solution that supports point-to-point and multipoint conferencing.

Microsoft Exchange Server

The Microsoft Exchange Server provides users with a forum to schedule TelePresence meetings using the Microsoft Outlook group calendar and have the schedule automatically sent to the Cisco TelePresence systems involved in the call. These meetings are handled similarly to other resource requests. The Cisco TelePresence Manager or the Cisco TelePresence Management Suite communicates with the Microsoft Exchange server to determine which Cisco TelePresence meetings have been scheduled.

Because the Microsoft Exchange server typically supports far more functionality than scheduling TelePresence meetings, its security is largely outside the scope of this document. There are many resources for securing Exchange servers available on the Microsoft website. For instance, if you are running Microsoft Exchange 2003, you can follow the Windows Server 2003 Security Baseline. In any case, Exchange server configurations should be hardened.

Cisco TelePresence Recording Server

The Cisco TelePresence Recording Server provides the option to record in high-definition studio quality. In addition, Cisco TelePresence Recording Server allows a user to create and deliver high-quality, feature-rich video, and compelling internal or external communications such as organizational updates, training, or crisis management. Moreover, Cisco TelePresence Recording Server provides the ability to distribute and view video content instantly, as well as allowing the replay of recordings on Cisco TelePresence endpoints or standard Internet browser media players.

Further details can be found on the Cisco TelePresence Recording Server product page.

Unified Communications Infrastructure

Unified Communications infrastructure refers to the underlying architecture that enables your Cisco TelePresence system to operate. At the heart of this infrastructure are the key Unified Communications components, including the Cisco Unified Communications Manager/Cisco Video Communications Server and Cisco TelePresence Session Border Controller. These components use the basic network architecture—routers, switches, voice gateways, switches with inline power, etc.—to enable the Cisco TelePresence components to communicate with other systems including dual solutions that leverage Cisco Unified Communications Manager and Cisco Video Communications Server.

Besides the physical equipment, the Cisco Unified Communications infrastructure relies on various protocols that operate over the network infrastructure. For instance, the TelePresence codecs integrate into Cisco Unified Communications by leveraging established techniques for network automation, quality of service (QoS), and call control, such as:

  • Cisco Discovery Protocol and 802.1Q for discovery and assignment to the appropriate Virtual LAN (VLAN)
  • 802.1p and differentiated services code point (DSCP) for QoS
  • Automated provisioning of configuration and firmware from Cisco Unified Communications Manager
  • Session Initiation Protocol (SIP) for all call signaling communications in a traditional Cisco TelePresence solution
  • H.323 and SIP for all call signaling communications in a Cisco TelePresence solution that leverages the Cisco Video Communications Server

From an administrator's perspective, the entire Cisco TelePresence virtual meeting room appears as a single SIP endpoint on Cisco Unified Communications Manager. The virtual meeting room is managed using tools and methodologies that are similar to those used for Cisco Unified IP Phones.

The Cisco TelePresence displays and cameras natively support 1080p resolution and use digital media interfaces to connect to the Cisco TelePresence codecs. The integration of digital media interfaces ensures the integrity of the video signal from end-to-end by eliminating the need for digital or analog conversion.

Inside the Cisco TelePresence codecs, an onboard array of Digital Signal Processors (DSPs) encode the digital video signal from the cameras into RTP packets using the H.264 encoding and compression standard. The Cisco TelePresence codecs can encode the video from the cameras at 1080p or 720p.

Specific Deployment Models

Deploying Cisco TelePresence typically involves one or more of the following components:

  • Enterprise Network
  • Remote Branches
  • External endpoints

Cisco TelePresence deployments tend to fall into one of the following models:

  • Intra-Campus Deployment Model
  • Intra-Enterprise Deployment Model
  • MultiPoint Deployment Model
  • Inter-Enterprise/Business-to-Business Deployment Model

The major difference between these deployment models involves determining which Cisco TelePresence endpoints are allowed to communicate with one another. One enterprise may only want to allow its Cisco TelePresence endpoints to communicate with other Cisco TelePresence endpoints in its network. Other deployments will require the ability to communicate with TelePresence endpoints on their network as well as endpoints that belong to business partners (standards-based endpoints). Each of the deployment models provides slightly different functionality and inherits different security risks.

Intra-Campus Deployment Model

The intra-campus network deployment model has Cisco TelePresence systems limited to a single enterprise campus, or between sites that are interconnected by means of a high-speed (1-Gigabit or higher) metropolitan-area network (MAN). This deployment model is appropriate for enterprises that have a large number of buildings on a given campus and employees who are often required to drive to several different buildings over the course of the day to attend meetings. Deploying multiple Cisco TelePresence systems intra-campus can reduce the time lost by employees driving between buildings to attend meetings, without sacrificing meeting effectiveness, and thus improve overall productivity. The intra-campus deployment model is also commonly used in conjunction with the two enterprise deployment models: where customers deploy multiple Cisco TelePresence rooms in their headquarters campus to meet demand for room availability as part of a global intra-enterprise or inter-enterprise deployment.

The network infrastructure of an intra-campus deployment model is predominantly Cisco Catalyst switches connecting through GigE or 10GigE links.

Figure 1. Cisco TelePresence Intra-Campus Network Deployment Model

Intra-Enterprise Deployment Model

The intra-enterprise network deployment model for TelePresence systems connects not only buildings on a campus, but also geographically-separated campus sites and branch offices. The intra-enterprise model expands on the intra-campus model to include sites connected via a WAN (less than 1 Gigabit).

The intra-enterprise deployment model is suitable for businesses that require employees to travel extensively for internal meetings. Deploying Cisco TelePresence systems throughout the enterprise not only improves productivity—by saving travel time—but also reduces travel expenses. Furthermore, the overall quality of work/life balance is often improved when employees have to travel less.

The network infrastructure of an intra-enterprise deployment model is a combination of Cisco Catalyst switches within the campus and Cisco routers over the WAN, which may include private WANs, MPLS VPNs, or Metro Ethernet networks. WAN speeds may range from 34 Mbps E3 circuits to 1 Gbps OC-192 circuits.

Figure 2. Cisco TelePresence Intra-Enterprise Network Deployment Model

MultiPoint Deployment Model

Adding a Cisco TelePresence Multipoint Switch to the intra-campus or intra-enterprise deployment model gives customers the flexibility to use multiple Cisco TelePresence resources to facilitate multisite meetings (meetings with three or more Cisco TelePresence rooms). These resources may be located at any one of the campus locations or may be located within the service provider cloud as either a co-located resource or a managed/hosted resource.

Multipoint deployment models require further analysis such as platforms and network design recommendations, additional bandwidth and latency considerations, Cisco TelePresence Multipoint Switch considerations, and scaling considerations. See the Cisco Multipoint Technology and Design Details section of the Cisco TelePresence Network Systems Design Guide.

Inter-Enterprise/Inter-Company Deployment Model

The inter-enterprise network deployment model connects Cisco TelePresence systems within an enterprise and allows for Cisco TelePresence systems in one enterprise to call systems in another enterprise. The inter-enterprise model expands on the intra-campus and intra-enterprise models to include connectivity between different enterprises. This model is also referred to as the business-to-business (B2B) Cisco TelePresence deployment model.

The inter-enterprise model offers the most flexibility and is suitable for businesses that require employees to travel extensively for both internal and external meetings. In addition to the business advantages of the intra-enterprise model, the B2B TelePresence deployment model lets employees maintain high-quality customer relations without the associated costs of travel time and expense.

The network infrastructure of the inter-enterprise/B2B deployment model builds on the intra-enterprise model and requires the enterprises to share a common Multiprotocol Label Switching Virtual Private Network (MPLS VPN) service provider (SP). Additionally, the MPLS VPN SP must have a "shared services" Virtual Routing and Forwarding (VRF) instance provisioned with a Cisco IOS XR SBC.

The Cisco TelePresence SBC bridges a connection between two separate MPLS VPNs to perform secure inter-VPN communication between enterprises. Additionally, the Cisco TelePresence SBC provides topology and address-hiding services, Network Address Translation (NAT) and firewall traversal, fraud and theft of service prevention, distributed denial of service detection and prevention, call admission control policy enforcement, and guaranteed QoS.

Figure 3. Cisco TelePresence Inter-Enterprise Network Deployment Model

For more information on Cisco TelePresence network design, refer to the Cisco TelePresence Network Systems 2.0 Design Guide.

Securing the Cisco TelePresence Solution

Overview

In seeking to secure a TelePresence solution, administrators must keep a clear, holistic view of the TelePresence solution while also understanding each of its components. In this section, we will focus on securing the Cisco TelePresence solution. Other components will be addressed in the following sections of the document.

At the solution level, the key factors that need to be considered when hardening a Cisco TelePresence System include the following:

  • Signaling Authentication and Encryption
  • Digest Authentication
  • Signaling Authorization
  • Media Encryption

Much of this protection is provided through an Authentication and Encryption Framework. As of Cisco TelePresence version 1.5, Cisco TelePresence deployments support the security of all currently supported signaling and media streams through the following capabilities:

  • Data authentication and confidentiality of the RTP voice and video media flows, using the SRTP, for both point-to-point and multipoint Cisco TelePresence meetings.
  • Data authentication and confidentiality of the SIP signaling between the Cisco Unified Communications Manager, Cisco Video Communications Server, and Cisco TelePresence System endpoints, and between the Cisco Unified Communications Manager, Cisco Video Communications Server, and the Cisco TelePresence Multipoint Switch using Transport Layer Security (TLS).
  • Data authentication and confidentiality of the web services signaling between the Cisco TelePresence System Manager, Cisco TelePresence Multipoint Switch, Cisco Unified Communications Manager, Cisco Video Communications Server, and Cisco TelePresence System endpoints using TLS.
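As an added example (not part of the Cisco guide), the following Python audit checks a captured SIP INVITE for the two protections listed above: TLS for signaling and SRTP for the RTP media. The two sample INVITEs, their host names, addresses, ports and the inline SRTP key are constructed placeholders.

```python
"""Audit a SIP INVITE and its SDP offer for TLS signaling and SRTP media.

Added example, not code from the Cisco guide. All sample messages below are
constructed; host names, addresses, ports and the SRTP key are placeholders.
"""
import re

# Constructed INVITE as sent when neither signaling nor media is protected:
# UDP transport, a plain sip: URI and RTP/AVP (unencrypted) media lines.
INSECURE_INVITE = (
    "INVITE sip:1001@cucm.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.10:5060;branch=z9hG4bK776\r\n"
    "From: <sip:1002@cucm.example.com>;tag=1\r\n"
    "To: <sip:1001@cucm.example.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 0 0 IN IP4 10.0.0.10\r\n"
    "s=-\r\n"
    "c=IN IP4 10.0.0.10\r\n"
    "t=0 0\r\n"
    "m=audio 16384 RTP/AVP 96\r\n"
    "a=rtpmap:96 AAC-LD/48000\r\n"
    "m=video 16386 RTP/AVP 112\r\n"
    "a=rtpmap:112 H264/90000\r\n"
)

# Constructed INVITE as sent over a TLS signaling channel with SRTP offered:
# TLS transport, sips: URI, RTP/SAVP media and an a=crypto key per stream.
SECURE_INVITE = (
    "INVITE sips:1001@cucm.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 10.0.0.10:5061;branch=z9hG4bK777\r\n"
    "From: <sips:1002@cucm.example.com>;tag=2\r\n"
    "To: <sips:1001@cucm.example.com>\r\n"
    "Call-ID: b95c5d87f77821\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 0 0 IN IP4 10.0.0.10\r\n"
    "s=-\r\n"
    "c=IN IP4 10.0.0.10\r\n"
    "t=0 0\r\n"
    "m=audio 16384 RTP/SAVP 96\r\n"
    "a=rtpmap:96 AAC-LD/48000\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDERKEYPLACEHOLDERKEYPLACEHOLDER0\r\n"
    "m=video 16386 RTP/SAVP 112\r\n"
    "a=rtpmap:112 H264/90000\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDERKEYPLACEHOLDERKEYPLACEHOLDER1\r\n"
)


def parse_sip(message):
    """Split a SIP message into (request line, lower-cased header map, body)."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def signaling_findings(request_line, headers):
    """Flag signaling that is not carried over TLS (the top Via tells us)."""
    findings = []
    via = headers.get("via", [""])[0]
    match = re.match(r"SIP/2\.0/(\w+)", via)
    transport = match.group(1).upper() if match else "UNKNOWN"
    if transport != "TLS":
        findings.append(f"signaling transport is {transport}, not TLS")
    if not request_line.lower().startswith("invite sips:"):
        findings.append("Request-URI is not a sips: URI")
    return findings


def media_findings(sdp):
    """Flag media lines that are not SRTP, or SRTP lines without a key."""
    findings = []
    sections = []  # (media type, protocol, has a=crypto)
    for line in sdp.splitlines():
        if line.startswith("m="):
            media, _port, proto = line[2:].split()[:3]
            sections.append([media, proto, False])
        elif line.startswith("a=crypto:") and sections:
            sections[-1][2] = True
    for media, proto, has_key in sections:
        if proto not in ("RTP/SAVP", "RTP/SAVPF"):
            findings.append(f"{media} media offered as {proto}, not SRTP (RTP/SAVP)")
        elif not has_key:
            findings.append(f"{media} media offered as {proto} but carries no a=crypto key")
    return findings


def audit_invite(message):
    """Return the list of security findings for one INVITE; empty means clean."""
    request_line, headers, body = parse_sip(message)
    findings = signaling_findings(request_line, headers)
    if headers.get("content-type", [""])[0].lower() == "application/sdp":
        findings.extend(media_findings(body))
    else:
        findings.append("no SDP body to inspect")
    return findings


if __name__ == "__main__":
    for label, msg in (("insecure", INSECURE_INVITE), ("secure", SECURE_INVITE)):
        print(label, audit_invite(msg) or ["no findings"])
```

Run it against INVITEs captured on the signaling VLAN to confirm that an endpoint's security profile is actually producing TLS signaling and SRTP offers, rather than trusting the configuration alone.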

When using the Authentication and Encryption Framework, you should be familiar with the following terms:

  • Digital Certificates - A digital certificate is a mechanism for providing authentication of a particular entity (device, application, etc.), using public-key cryptography.
  • Cisco Certificate Authority Proxy Function - The Cisco Certificate Authority Proxy Function is a software service (installed as part of the Cisco Unified Communications Manager) that issues Locally Significant Certificates (LSCs) for TelePresence endpoints.
  • Cisco Certificate Trust List Provider - The Certificate Trust List Provider is another software service, installed as part of Cisco Unified Communications Manager, which works with the CTL Client to generate a Certificate Trust List.
  • Cisco Certificate Trust List Client - The Certificate Trust List Client is a software plugin that can be downloaded from the Cisco Unified Communications Manager server and run on a separate PC.
  • Cisco Certificate Trust List - The Certificate Trust List is a pre-defined list of trusted certificates stored on the Cisco Unified Communications Manager server, which is downloaded as a file to the Cisco TelePresence endpoints when they boot up.
  • Security Profiles - Security profiles are sets of security attributes that can be configured once, and then applied to multiple Cisco TelePresence endpoints.

Enabling Security For Cisco TelePresence Deployments

Cisco TelePresence Server

The Cisco TelePresence Server is unique because it provides support and interoperability between TIP and standards-based endpoints. The TelePresence Server is a transcoding multipoint device, available as an appliance or blade, providing support of numerous screens (typically 16 or 48 respectively) at 720p resolution. The TelePresence Server can support many multipoint, multi-screen, and single-screen video and audio devices (both TIP and standards-based).

Configuring security for the Cisco TelePresence Server is based around the protocols that are supported, namely SIP and H.323. Note that the Cisco TelePresence Server can be registered as SIP, H.323, or both. Registering it with both is recommended, as it allows any standards-based SIP or H.323 endpoint to join a TelePresence Server conference using its native protocol and avoids consuming unnecessary SIP/H.323 translation resources.

To secure the Cisco TelePresence Server, the encryption key feature must be installed. The encryption key feature provides the ability to configure TLS encryption for SIP signaling, and AES-128 encryption for media to and from standards-based endpoints.

Cisco TelePresence Multipoint Switch

Configuring security for the Cisco TelePresence Multipoint Switch leverages the following key components:

  • Certificate Authority Proxy Function (CAPF) Server
  • CAPF Profiles
  • Locally Significant Certificates (LSCs)
  • SIP trunks

The CAPF is a software service that is installed as part of the Cisco Unified Communications Manager platform. Typically, the duty of the CAPF is to create certificates under its own authority, acting as a proxy by requesting certificates from an external certificate authority (CA), then providing those certificates to the Cisco TelePresence endpoints and Cisco Unified Communications Manager servers. The certificates provided by CAPF allow Cisco TelePresence to communicate over secure connections by establishing a hardened foundation, which Cisco TelePresence uses to establish secure, authenticated connections for protocols such as SIP signaling over TLS.

Note: When employing CAPF, use the longest key size possible (for instance 2048 bits).

Also note that Cisco TelePresence Multipoint Switch requires an intermediary device (such as a Media Experience Engine) to integrate with standards-based endpoints. The Media Experience Engine is a video gateway device that provides transcoding, enabling the integration of TIP and standards-based endpoints.

CAPF Service and Username Passwords

Securing the CAPF component involves awareness of the CAPF server, which is installed by default and runs as a service. Activate the CAPF service, ensuring that unique usernames and passwords are used, and only administrators have access to monitor and maintain key processes such as CAPF.

You also need to create application users in the Standard Presence Group and add these users to the Standard CTI Enabled and Standard CTI Secure Connection groups. Adding these groups gives the users the following roles, which are appropriate to the functions they perform:

  • Standard AXL API Access
  • Standard CCM Admin Access
  • Standard CTI Enabled
  • Standard CTI Secure Connection

CAPF Profiles

You need to create CAPF profiles for the application users that you created. These profiles contain the specific details required to authenticate the Cisco TelePresence client to server communications. Leverage the CAPF profile security functionality by using an authentication mode of “By Authentication String” and a strong authentication string combination. In addition, ensure you leverage the longest key size possible (for instance 2048 bits).

Locally Significant Certificates

Locally significant certificates (LSC) are utilized to secure SIP trunks between Cisco Unified Communications Manager, Cisco Video Communications Server and the Cisco TelePresence Multipoint Switch, which provides multipoint meeting services. Cisco Unified Communications Manager creates this certificate and you must download it to your Cisco TelePresence System Multipoint Switch. This functionality provides confidentiality in the Cisco TelePresence infrastructure.

Session Initiation Protocol Trunks

SIP Trunks replace traditional fixed PSTN (public-switched telephone network) lines with a single aggregate link that leverages the SIP protocol for call control.

To provide secure SIP trunking, build and leverage a SIP trunk security profile using a unique name for identification. This profile will be applied to the SIP trunk configuration on the Cisco Unified Communications Manager. Ensure that the “Device Security Mode” is set to “Encrypted,” which will likely use TLS.

For additional details and configuration options, see the Configuring Security for Cisco TelePresence Multipoint Switch Configuration Guide.

Cisco TelePresence Multipoint Control Unit

The Cisco TelePresence Multipoint Control Unit is a transcoding device, offered in appliance and blade models, designed for single-screen standards-based endpoint solutions. While it does not directly support TIP endpoints, any TIP to standards-based deployment will leverage Cisco TelePresence Multipoint Control Units for multipoint conferences of standards-based endpoints. Note that the Cisco TelePresence Multipoint Control Unit can be registered as SIP, H.323, or both, which is recommended: any standards-based SIP or H.323 endpoint can then connect using its native protocol, avoiding unnecessary SIP/H.323 translation resources.

To secure the Cisco TelePresence Multipoint Control Unit, the encryption key feature must be installed. The encryption key feature provides the ability to configure TLS encryption for SIP signaling, and AES-128 encryption for media to and from standards-based endpoints.

Cisco TelePresence Manager

Cisco TelePresence Manager is the software application that allows one-button-to-push call launch for Cisco TelePresence meetings by intelligently automating scheduling and conferencing tasks. Furthermore, Cisco TelePresence Manager automatically allocates multipoint resources for a meeting based on the information received from calendar applications.

The Cisco TelePresence Manager makes use of the following key components:

  • CAPF Service and Username Passwords
  • CAPF Profiles
  • Certificates and LSCs

CAPF Service and Username Passwords

Using the CAPF component involves awareness of the CAPF server, which is installed by default and runs as a service. Activate the CAPF service, ensuring that unique usernames and passwords are used and only administrators have access to monitor and maintain key processes such as CAPF.

You also need to create application users in the Standard Presence Group and add the user to the Standard CTI Enabled and Standard CTI Secure Connection groups. Adding these groups should give the users the following roles that are appropriate to the functions that they perform.

  • Standard AXL API Access
  • Standard CCM Admin Access
  • Standard CTI Enabled
  • Standard CTI Secure Connection

CAPF Profiles

You need to create CAPF profiles for the application users that you created. These profiles contain the specific details required to authenticate the Cisco TelePresence client to server communications. Leverage the CAPF profile security functionality by using an authentication mode of “By Authentication String” and a strong authentication string combination. In addition, ensure you leverage the longest key size possible (for instance 2048 bits).

Certificates and LSCs

The important factor to consider when working with keys and certificates is to leverage the CAPF and LSCs, using trust relationships (Trust category) to upload the certificates. In addition, when LSCs are downloaded from Cisco Unified Communications Manager to the Cisco TelePresence Manager, they should be securely accessed based on the CAPF instance ID and the previously defined CAPF authentication string. In this instance, the certificates and LSCs are obtained through multifactor authentication, in that one must know the respective IDs and passwords (authentication strings).

For additional details and configuration options, see the Configuring Security for Cisco Telepresence Manager Configuration Guide.

Cisco TelePresence System

The Cisco TelePresence System leverages the following key components:

  • Cisco Unified Communications Manager Secure Phone Profiles
  • Authentication Mechanisms

Cisco Unified Communications Manager

With regard to the Cisco TelePresence System, the focus of Cisco Unified Communications Manager is the security of the end devices, that is, phones and codecs. Securing these devices entails utilizing the phone/device security profile, enabling an encrypted “Device Security Mode,” secure transport types such as TLS, and authentication modes with the use of strings and key sizes as long as possible (for instance 2048 bits). The security profile should be assigned to all end devices that are to be secured. When defining the security profile, choose the default authentication mode, which is “By Authentication String.” Additionally, change the default credentials of admin/cisco that are defined in the profile to values that are much more difficult for an attacker to guess, because these credentials are used to perform web administration on the Cisco TelePresence System.

Authentication Mechanisms

The authentication mechanisms are leveraged by the Cisco TelePresence System to provide an added layer of security. To implement an authentication mechanism one makes use of the CAPF authentication string field. Ensure that the authentication strings used in the system are unique and strong passwords. The authentication string defined when you created the security profile is used to provide an extra layer of authentication when the Cisco TelePresence System communicates with the Cisco Unified Communications Manager. For this process to work, the authentication string that you entered when creating the security profile on the Cisco Unified Communications Manager must also be configured on the Cisco TelePresence System itself.

For additional details and configuration options, see the Configuring Security for the Cisco TelePresence System Configuration Guide.

Securing Individual Cisco TelePresence Components

Overview

Securing your Cisco Telepresence configuration requires a solid foundation. The beginning of this foundation is the actual Cisco TelePresence components themselves. When securing the individual components, you need to consider the following:

  • Physical Access
  • Device Access
  • Network Access

Physical Access

With the common support servers (such as the Cisco Unified Communications Manager), physical access to the device is limited to a small number of IT personnel. Regular users are only granted limited network access to perform specific functions. When deploying Cisco TelePresence, the following servers should also be deployed in a controlled environment that restricts physical access.

  • Cisco TelePresence Multipoint Switch
  • Cisco TelePresence Manager
  • Cisco TelePresence Recording Server

The actual Cisco TelePresence System (codecs, cameras, microphones, speakers, and IP phone) is located in the room from which end users make telepresence calls. Therefore, physical access to these components must be considered in your security policy.

When deploying a Cisco TelePresence System, you need to consider how you plan to secure the telepresence room. Minimally, you should install some type of badge reader system so that you can log access to the physical equipment in the telepresence room.

Device Access

For server-type systems, device access should be limited by deploying the servers in a physically secure environment because they are key components that are used by all of the Cisco Telepresence endpoints. With the endpoints, the end users need to have access to the devices. Even if the room uses controlled access (such as a badge reader), users will have the ability to gain physical access to the telepresence devices located in the room.

By default, the Cisco TelePresence endpoints have physical plates over unused network ports on the secondary codecs. The user has access to the physical connections between the codecs and the cameras and speakers. Because all of these devices use IP to communicate, they represent potential attack vectors. Depending on your security posture, you may want to periodically examine the components in the telepresence room for evidence of tampering.

Network Access

The final mode of access to the Cisco TelePresence components is the network. All of the Cisco TelePresence components reside on an IP-based network. Verifying that access to these devices is limited to authorized users and authorized services is crucial to maintaining the security of the Cisco TelePresence solution. Securing the Network Infrastructure provides additional details on this topic. When determining how to limit access to the various Cisco TelePresence components, it is beneficial to first determine the services that are required for operation. The Cisco TelePresence Security Solutions guide for CTS Solution Release 1.7 outlines the services used by Cisco TelePresence and should be helpful when creating the firewall rules for limiting access to Cisco TelePresence devices.

Securing the Unified Communications Infrastructure

Much time has been spent investigating ways to implement security mechanisms in the Cisco Unified Communications Manager system to prevent identity theft of the endpoints (phones and codecs) and of the Cisco Unified Communications Manager server, and to prevent tampering with data, call signaling, and media streams.

A hardened Cisco Unified Communications network establishes and maintains authenticated communication streams, digitally signs files before transferring the file to the phone, and encrypts media streams and call signaling between Cisco Unified IP Phones and other endpoint devices. Not every network utilizes all of these features on every device, but these options are becoming more common.

Note: This document provides a high-level overview of the steps that you should take to secure your unified communications infrastructure. For detailed information you should refer to the specific security documentation for your version of Cisco Unified Communications Manager, such as the Cisco Unified Communications Manager Security Guide, Release 7.0 and the Cisco Unified Communications Manager Security Guide, Release 8.0, as well as the Voice Security sections of the Unified Communications SRNDs for Cisco Unified Communications Manager 7.x and 8.x.

The common factors that need to be considered when hardening a Unified Communications Infrastructure include the following:

  • Image Authentication
  • Device Authentication
  • File Authentication
  • Signaling Authentication and Encryption
  • Digest Authentication
  • Signaling Authorization
  • Media Encryption
  • Configuration File Encryption

Image Authentication

Image Authentication is the process that prevents tampering with the binary image or firmware load prior to loading it on the phone. Without image authentication, an attacker can manipulate a binary image to run modified software on a device. With image authentication, tampering with the image causes the device to fail the authentication process and reject the image.

Device Authentication

When devices communicate, it is important to authenticate the identity of devices involved in the process. Without appropriate authentication, a malicious device can potentially make connections to servers or pretend to be a server on the network. Implementing device authentication causes connections between voice components to be authenticated using trusted certificates and allows verification of the identity of each device.

File Authentication

Similar to binary images, devices rely on various files to operate successfully, such as the configuration, ring list, locale, and Certificate Trust List files. If the integrity of the files is not verified, an attacker could manipulate the files and alter the operation of the devices on the network. File authentication validates files by digitally signing them so that the device can verify their integrity before use.

Signaling Authentication and Encryption

Each SIP call is initiated through control messages that are sent across the network using a signaling protocol. If an attacker could manipulate the control messages in transit, then he could alter the operation of the calls. When you implement signaling authentication, you protect the signaling traffic by encapsulating it in a TLS tunnel. The TLS tunnel protects the integrity of the signaling traffic and provides confidentiality by encrypting the signaling messages.

Digest Authentication

Basic SIP signaling operates by sending control messages (such as INVITE and REGISTER) to the Cisco Unified Communications Manager. It is important to verify the identity of a user or device making a SIP call. When digest authentication is enabled, the Cisco Unified Communications Manager can challenge the identity of a device that is connecting to Cisco Unified Communications Manager whenever it receives a call via a SIP trunk or from a SIP device. When challenged, the device presents its digest credentials, similar to a username and password, to Cisco Unified Communications Manager for verification.

Signaling Authorization

The SIP signaling protocol supports many different message types. Not all of these message types are needed for normal SIP calls. When signaling authorization is enabled, Cisco Unified Communications Manager uses the authorization process to restrict certain categories of messages from devices that are running SIP, from SIP trunks, and from SIP application requests on SIP trunks.

Media Encryption

When a SIP call is made, the actual media (such as the voice or video traffic) is sent through its own separate media channel. If an attacker could capture this traffic, he could eavesdrop on the conversation. Media encryption, which uses the Secure Real-time Transport Protocol (SRTP), ensures that only the intended recipient can interpret the media streams between supported devices.

Configuration File Encryption

Device configuration files may contain sensitive information such as administrator passwords and SIP digest credentials. The use of configuration file encryption enables Cisco Unified Communications Manager to protect confidential data in the device’s configuration file by encrypting the files using symmetric encryption keys. When the configuration file is downloaded using TFTP or some other transport protocol, the data sent across the network is protected.

Interaction of Key Components

With a basic understanding of the key items that impact the security of a unified communication infrastructure, it is time to examine the interaction of the key unified communication components. The main components include the following:

  • Cisco Unified Communications Manager
  • Cisco Unified Messaging
  • IP Phones

Each of these components has a different asset value. For instance, the Unified Communications Manager is more critical to a network than a single IP phone. Nevertheless, even an IP phone can have a high asset value if it belongs to the CEO.

Network Separation

When deploying a traditional IP telephony deployment, it is common to place the voice endpoints on a single VLAN dedicated to voice traffic. When incorporating Cisco TelePresence into your voice network, there are various options to consider when separating your voice and video traffic from the rest of your network.

  1. Separate Voice VLAN
  2. Virtual Routing & Forwarding (VRF)
  3. Private VLANs

Since each network is unique, it is rare that any of these options by themselves will provide all of the functionality needed to secure your Cisco TelePresence deployment. Instead, a hybrid approach that incorporates aspects of each of these areas will typically be used to harden the telepresence configuration.

We will examine each of these items individually to point out the benefits that they can provide when hardening your Cisco TelePresence deployment, along with any potential downside that has to be considered when using them on your network.

Separate Voice VLAN

In a separate Voice VLAN configuration, all of the IP Phones and Cisco TelePresence Endpoints reside on a single voice VLAN. With all of the devices on the same VLAN, it is easier to allow the devices to communicate with each other while isolating the voice endpoints from the rest of the network. In this configuration, more voice endpoints have access to the Cisco TelePresence endpoints, which represents a higher risk that one of the voice endpoints (i.e. a regular IP phone) may be used to launch an attack against one of the Cisco TelePresence endpoints. VLAN access control lists (VACLs) can be used to minimize this risk by limiting inter-device traffic. Implementing regular ACLs can also be more complicated in this configuration, given that traditional IP phones and telepresence endpoints have different service requirements.

Separate voice and data VLANs are recommended for the following reasons:

  • Address space conservation and voice device protection from external networks: Private addressing of phones on the voice or auxiliary VLAN ensures address conservation and that phones are not accessible directly through public networks. Servers are often addressed with publicly routed subnet addresses; however, voice endpoints and PCs are typically addressed using RFC 1918 private subnet addresses. It is also beneficial to develop an addressing methodology, which allows network administrators to deploy ACLs and other access restrictions on the network more effectively.
  • QoS trust boundary extension to voice devices: QoS trust boundaries can be extended to voice devices without extending the trust boundaries and, in turn, QoS features to PCs and other data devices.
  • Protection from malicious network attacks: VLAN access control, 802.1Q, and 802.1p tagging can provide protection for voice devices from malicious internal and external network attacks such as worms, denial of service (DoS) attacks, and attempts by data devices to gain access to priority queues through packet tagging.
  • Ease of management and configuration: Separate VLANs for voice and data devices at the access layer provide ease of management and simplified QoS configuration.

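As an added example (not from this guide or from Cisco's own documentation), the following Catalyst IOS configuration shows a separate voice VLAN of the kind described above, together with a VACL that limits what ordinary IP phones may send to the TelePresence codecs sharing that VLAN. The VLAN IDs, subnet, codec address range (10.10.110.200/29), port numbers and the RTP/RTCP port range are assumed values to be replaced with those from your own addressing methodology.

```cisco
! Added example (not from the guide): access-layer Catalyst switch with
! separate data and voice VLANs. VLAN IDs, subnets and port numbers are
! assumed values.
vlan 100
 name DATA
vlan 110
 name VOICE
!
! Each user port carries the PC untagged on VLAN 100 and the IP phone
! on the voice VLAN 110 (the phone tags its frames with 802.1Q/802.1p).
interface range GigabitEthernet1/0/1 - 20
 switchport mode access
 switchport access vlan 100
 switchport voice vlan 110
 spanning-tree portfast
!
! TelePresence codecs sit in the same voice VLAN/subnet as the phones,
! here in the assumed range 10.10.110.200-207 (wildcard 0.0.0.7).
! Primary and secondary codecs of one room talk to each other freely.
ip access-list extended CODEC-TO-CODEC
 permit ip 10.10.110.200 0.0.0.7 10.10.110.200 0.0.0.7
!
! Ordinary phones only ever need to send media to a codec, so from the
! rest of the subnet allow just the RTP/RTCP range (CUCM default, assumed).
ip access-list extended PHONE-TO-CODEC-MEDIA
 permit udp 10.10.110.0 0.0.0.255 10.10.110.200 0.0.0.7 range 16384 32767
ip access-list extended PHONE-TO-CODEC-ANY
 permit ip 10.10.110.0 0.0.0.255 10.10.110.200 0.0.0.7
!
! The VACL is evaluated top-down for every packet bridged within or
! routed into VLAN 110; the final clause forwards everything it did not
! explicitly handle (phone-to-phone, phone-to-CUCM, ARP, and so on).
vlan access-map VOICE-VACL 10
 match ip address CODEC-TO-CODEC
 action forward
vlan access-map VOICE-VACL 20
 match ip address PHONE-TO-CODEC-MEDIA
 action forward
vlan access-map VOICE-VACL 30
 match ip address PHONE-TO-CODEC-ANY
 action drop
vlan access-map VOICE-VACL 40
 action forward
vlan filter VOICE-VACL vlan-list 110
```

Traffic from the management subnet or from Cisco Unified Communications Manager is routed into the VLAN from another subnet, so it never matches the phone-sourced entries and reaches the codecs unchanged. Verify the result with show vlan access-map and show vlan filter, and confirm the actual media port range on your cluster before applying the filter.
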
Private VLANs

Private VLANs (PVLANs) allow the isolation at Layer 2 of devices in the same IP subnet. With PVLANs, traffic between devices on the same VLAN is automatically restricted. This extra layer of protection means that ACLs need only be applied at the single gateway system through which the devices on the VLAN must pass to communicate with other devices on the same VLAN.

There are three types of PVLAN ports: promiscuous, isolated, and community.

  • A promiscuous port communicates with all other PVLAN ports. The promiscuous port is the port that you typically use to communicate with external routers, network management devices, backup servers, administrative workstations, and other devices. On some switches, the port to the router module (for example, Multilayer Switch Feature Card) needs to be promiscuous.
  • An isolated port has complete Layer 2 separation from other ports in the same PVLAN, including broadcasts; the only exception is the promiscuous port. Privacy at Layer 2 is achieved by blocking all traffic destined to isolated ports except traffic from promiscuous ports. Traffic that comes from an isolated port is forwarded to promiscuous ports only.
  • A community port can communicate with other community ports and with the promiscuous ports. These ports have Layer 2 isolation from all other ports in other communities, or isolated ports within the PVLAN. Broadcasts propagate only between associated community ports and the promiscuous port.

Given the scale of most voice deployments, the use of private VLANs will probably be limited to specific areas that are particularly untrusted. Typical areas may include lobby and common spaces that expose the IP phones to a wide variety of threats, including physical access.
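
The three port types, as an added example in Catalyst IOS (this is illustrative configuration, not from the guide): lobby IP phones on isolated ports, the codecs of one TelePresence room on community ports, and the gateway uplink on the promiscuous port. VLAN IDs, names and port numbers are assumed values.

```cisco
! Added example (not from the guide): private VLANs on a Catalyst access
! switch. VLAN IDs and port numbers are assumed values.
!
! Switches running VTP version 1 or 2 must be in transparent mode to
! configure private VLANs.
vtp mode transparent
!
! Secondary VLANs first, then the primary VLAN that owns them.
vlan 211
 name LOBBY-PHONES-ISOLATED
 private-vlan isolated
vlan 212
 name TP-ROOM1-COMMUNITY
 private-vlan community
vlan 210
 name VOICE-UNTRUSTED-PRIMARY
 private-vlan primary
 private-vlan association 211,212
!
! Isolated host ports: lobby IP phones. They can reach the promiscuous
! port (gateway) and nothing else at Layer 2, not even each other.
interface range GigabitEthernet1/0/1 - 8
 switchport mode private-vlan host
 switchport private-vlan host-association 210 211
!
! Community host ports: the codecs of one TelePresence room, which must
! talk to each other but remain isolated from the lobby phones.
interface range GigabitEthernet1/0/9 - 12
 switchport mode private-vlan host
 switchport private-vlan host-association 210 212
!
! Promiscuous port: uplink to the Layer 3 gateway through which every
! host must pass; this is the single place to enforce IP ACLs.
interface GigabitEthernet1/0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 210 211,212
```

All hosts keep addresses in the primary VLAN's subnet, so no readdressing is needed; show vlan private-vlan and show interfaces switchport confirm the associations. Because a lobby phone can now only exchange frames with the gateway, any attempt to reach a codec shows up as routed traffic and can be filtered and logged at that one point.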

Virtual Routing and Forwarding

Virtual network is a generic term covering many different technologies that provide virtualization. Fundamentally, all virtual networks provide a mechanism to deploy what looks and operates like multiple networks that are all using the same hardware and physical connectivity.

Virtual Routing and Forwarding (VRF) is a technique that creates multiple virtual networks within a single network. In a single network component, multiple VRF resources create the isolation between virtual networks.

VRFs are already commonly used to connect softphones securely in the enterprise. Since softphones exist on the data network, instead of the normal voice VLAN, using a VRF configuration enables greater control over the traffic that can flow from the softphones to the other components on the voice network.
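
A VRF of the kind described above, as an added example (illustrative IOS configuration, not from the guide): the voice endpoints and UC servers live in a VOICE VRF, while softphones remain in the default (data) routing table and can only reach the voice side through a firewall. The VRF name, route distinguisher, VLANs, addresses and firewall hand-off are assumed values.

```cisco
! Added example (not from the guide): a dedicated VOICE VRF on a
! distribution-layer router/L3 switch. VRF name, route distinguisher,
! VLANs, addresses and the firewall hand-off are assumed values.
ip vrf VOICE
 rd 65000:110
 description Voice and TelePresence endpoints plus UC servers
!
! Assigning an interface to a VRF clears its IP address on IOS, so
! 'ip vrf forwarding' must precede 'ip address'.
interface Vlan110
 description Voice VLAN gateway (phones and codecs)
 ip vrf forwarding VOICE
 ip address 10.10.110.1 255.255.255.0
!
interface Vlan200
 description UC servers (CUCM, CTS-Manager, CTMS)
 ip vrf forwarding VOICE
 ip address 10.10.200.1 255.255.255.0
!
! Softphones on the data side (global routing table) have no route into
! the VOICE VRF. The only path between the two tables is a firewall
! whose inside leg is 10.10.250.2 in the VRF, so every softphone-to-CUCM
! flow is inspected there and nothing reaches the codec subnet unless
! the firewall policy allows it.
interface Vlan250
 description Hand-off to the firewall between data and voice
 ip vrf forwarding VOICE
 ip address 10.10.250.1 255.255.255.0
!
ip route vrf VOICE 0.0.0.0 0.0.0.0 10.10.250.2
```

Check the isolation with show ip route vrf VOICE (only the three connected subnets and the default toward the firewall should appear) and with ping vrf VOICE against a codec address; a plain ping from the global table to the same address should fail.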

Securing the Network Infrastructure

Besides the specific Cisco TelePresence and unified communications security requirements, you also have to consider the security of your basic network infrastructure. The security of a Cisco TelePresence configuration depends on many factors. One factor is the underlying network infrastructure, because it provides the foundation over which all of the Cisco TelePresence traffic traverses. Some of the targeted threats that a network may experience include:

  • Increasing botnet sophistication and effectiveness
  • Emerging mobile phone threats
  • Advanced identity theft
  • Increasingly malicious spyware
  • Web application security exploits
  • Supply chain attacks infecting consumer devices

Security usually involves tradeoffs, so when securing a network, some strategy is required. The essential foundation for any security strategy is an intelligent security policy. Before you can secure your network infrastructure, you must develop a security policy for your network. The Cisco SAFE Blueprint provides an underlying strategy, called the Cisco Security Control Framework, to help you develop that security policy.

The Cisco Security Control Framework provides a common framework that drives the selection of products and features that maximize visibility and control, the two most fundamental aspects driving security. When developing your security policy, you need to understand the targets on your networks and how to secure the different areas of your network. Different sections of a network require stronger security controls depending on the functionality that they provide. For instance, you usually have different security requirements for your Internet edge than you do for security controls placed on internal network segments.

Note: Although the specific network functional areas outlined by the Cisco SAFE Blueprint may not represent every functional area of your network, the blueprint provides enough different types of areas that you should be able to adapt a given area to match your unique requirements.

Attacker Targets to Consider

Your network infrastructure comprises a variety of devices, services, and other information sources. Any of these items can be attacked in an attempt to compromise confidentiality, integrity, or availability. To properly develop a security policy, an understanding of the major targets that an attacker will be going after is required. The major targets on your network include the following:

  • Infrastructure Devices
  • Services
  • Endpoints
  • Networks

Infrastructure Devices

One of the target areas that you need to address is access to the key devices on your network. Your network infrastructure consists of many components besides routers and switches. A typical network includes a large variety of components, including firewalls, intrusion prevention systems, and load balancers. Attackers are constantly trying to access devices on networks. Providing unnecessary access to a device gives attackers a greater chance of compromising it. Each device has some type of management interface, as well as other ways to access it. All of the devices on your network should be secured appropriately.

Services

Network communication depends on a variety of services, such as the following:

  • Domain Name System (DNS)
  • Network Time Protocol (NTP)
  • Dynamic Host Configuration Protocol (DHCP)
  • SIP

These services, which are vital to the successful operation of a network, are also prime targets for an attacker. Disrupting any of these services can cause serious problems for network operations.

Endpoints

An endpoint is essentially any system that connects to the network and communicates with other devices on the network. Examples of endpoints include:

  • Servers
  • Desktop computers
  • Laptops
  • Network storage systems
  • IP phones
  • Network-enabled mobile devices
  • IP-enabled video systems

Because of the immense diversity of hardware platforms, operating systems, and applications, endpoints present some of the most difficult challenges from a security perspective because they require a wide range of techniques to ensure a strong security posture.

Networks

Entire network segments may also be the target of attacks such as:

  • Theft of service
  • Service abuse
  • Denial of Service (DoS)
  • Man-in-the-Middle (MITM)
  • Data loss

An example of a network threat would be an unauthorized user taking advantage of an open wireless access point to attack the network.

Network Segments to Consider

Following the guidelines of SAFE, you can divide your network into functional areas, such as the following:

Each area requires security controls appropriate to the services it provides and the attack surface that it presents to your network.

Maintaining Secure Operations

Several things must be done to maintain the ongoing security of a deployed Cisco TelePresence network. The sections that follow provide an overview of actions that should be taken on an ongoing basis.

  • Monitor Cisco Security Advisories
  • Use Up-to-date software
  • Limit interactive and management access
  • Centralize logging
  • Gain visibility with NetFlow
  • Configuration management

Monitor Cisco Security Advisories

The Cisco Product Security Incident Response Team (PSIRT) uses Security Advisories and Responses to notify customers of security vulnerabilities in Cisco products. It is important that these be monitored so that an organization can learn of security vulnerabilities that may impact the security of their network.

Cisco Security Advisories can be found online at the following address: http://www.cisco.com/go/psirt.

Use Up to Date Software

Cisco routinely releases software updates for Cisco TelePresence products. Updates generally contain stability fixes, as well as security enhancements. Customers should evaluate and consider software updates for deployment to take advantage of fixes and security enhancements.

Limit Interactive and Management Access

Much of the Cisco TelePresence solution allows network administrators to access components for management purposes. For stability and security, it is a best practice to limit management sessions to the smallest number of administrators that is operationally possible.

Administrative access to Cisco TelePresence devices should be denied for users who do not require that level of access.

Centralize Logging

Centralized logging enables the collection and monitoring of events from various network components at a single location. By viewing the events from multiple sources, a more complete picture of what is happening on the network can be determined. For instance, a single login failure to a server may not be very interesting, but multiple failures to multiple servers from the same source system may indicate an attack against your network.

Gain Visibility with NetFlow

Cisco IOS NetFlow is a technology that allows network administrators or security practitioners to understand traffic as it traverses a network. Analogous to a telephone bill, NetFlow provides information on which devices are communicating with one another and the route that communication is taking across a network. Where possible, network devices should be configured for NetFlow.

More information about NetFlow can be found in the white paper Introduction to Cisco IOS NetFlow.
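
The Centralize Logging and Gain Visibility with NetFlow practices above, as one added example on an IOS router (illustrative configuration, not from the guide or the NetFlow white paper): synchronized timestamps, syslog of every login attempt shipped to a collector, and NetFlow version 9 records exported to the same collector. The collector and NTP server addresses, interfaces and the management subnet are assumed values.

```cisco
! Added example (not from the guide): an IOS router that sends syslog and
! NetFlow records to one collector. Collector, NTP server, interfaces and
! the management subnet are assumed values.
!
! Synchronized, millisecond timestamps make events from many devices
! correlatable once they arrive at the collector.
ntp server 10.10.200.5
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
!
! Centralized logging: keep a local buffer for troubleshooting and send
! informational and above to the collector from a stable source address.
logging buffered 65536 informational
logging trap informational
logging source-interface Loopback0
logging host 10.10.200.50
!
! Log every interactive login attempt so that repeated failures from one
! source against several devices stand out at the collector, and slow
! down password guessing while still letting the management subnet in.
login on-failure log
login on-success log
login block-for 120 attempts 5 within 60
access-list 20 remark Management subnet exempt from login quiet mode
access-list 20 permit 10.10.50.0 0.0.0.255
login quiet-mode access-class 20
!
! NetFlow: account for traffic entering each interface, expire long
! flows every minute, and export version 9 records to the collector
! (UDP 2055 is the port the assumed collector listens on).
ip flow-cache timeout active 1
interface GigabitEthernet0/0
 description Toward voice/TelePresence segments
 ip flow ingress
interface GigabitEthernet0/1
 description Toward data segments
 ip flow ingress
ip flow-export source Loopback0
ip flow-export version 9
ip flow-export destination 10.10.200.50 2055
```

Use show logging, show ip cache flow and show ip flow export to confirm that messages and records are leaving the device. Once several devices send to one collector, the pattern the text describes (many login failures from one source spread across many devices) becomes a single query rather than a per-box review, and the NetFlow records show which hosts that source also talked to.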

Configuration Management

Few networks are completely static. New locations and devices are added and software is updated to take advantage of new features. A structured change management process should be implemented in any production network. Furthermore, security should be integrated into the entire change management process, and all changes should be evaluated to determine if they affect the security posture of the network.

Security Threats

The previous sections of this document provide a broad overview and references to detailed documentation for many areas that may impact the security of your Cisco TelePresence deployment. This section outlines the major flows of information between the individual components. Then, for each component, threats and potential mitigations will be examined.

Note: The Cisco TelePresence components interact with various other outside components. Each of those components needs to be appropriately hardened. Hardening those components, however, is beyond the scope of this document.

Major Data Flows

The following diagrams provide a graphical overview of the major data flows between the Cisco TelePresence components. Management flows are not indicated in these diagrams.

Figure 4. Cisco TelePresence System Network Protocol Interaction

Figure 5. Cisco TelePresence System Call Setup

Figure 6. Cisco TelePresence Manager Exchange Interaction

Figure 7. Cisco TelePresence Manager Domino Interaction

Figure 8. Cisco TelePresence Multipoint Switch Interaction

Figure 9. Secure Cisco TelePresence Multipoint Switch Interaction

Figure 10. Cisco TelePresence System Recording Server Interaction

Cisco TelePresence System Threats

The Cisco TelePresence System is the endpoint from which Cisco TelePresence calls originate. Securing the Cisco TelePresence System involves examining threats in the following areas:

  • Physical
  • Management
  • Signaling
  • Media
  • Control Traffic

Cisco TelePresence System Physical Threats

The end users have access to the physical equipment located at the Cisco TelePresence endpoint (Cisco TelePresence System, displays, cameras, etc). Minor threats associated with this access are shown in the following table.

Threat: Theft of equipment
Potential Mitigation: Utilize badge reader access controls to the room.

Threat: Physically tampering with equipment in the Cisco TelePresence room
Potential Mitigation: Frequent monitoring and/or installing physical barriers around CTS devices.

 

Cisco TelePresence System Management Threats

The Cisco TelePresence System supports the following management protocols:

  • SSH
  • HTTP
  • HTTPS
  • SNMP

The general threats to Cisco TelePresence System management include the following:

Threat: Brute force attacks against weak administrator passwords
Potential Mitigation: Require strong passwords for all administrative accounts (SSH, HTTP, and SNMP).

Threat: Network access to management interfaces allows an attacker to launch various attacks against the interfaces.
Potential Mitigation: Restrict access to the CTS management interface to only necessary management subnets/hosts using ACLs on your network devices.

 

Threats related to using HTTP for management include the following:

Threat: Man-in-the-middle attack to manipulate management traffic
Potential Mitigation: Require HTTPS for management access, which provides integrity checking.

Threat: Management traffic traversing the network in the clear allows an attacker to view credentials by sniffing traffic
Potential Mitigation: Require HTTPS for management access.

 

The Cisco TelePresence System supports SNMP Version 2c and Version 3. Version 3 of SNMP is the most secure version because it adds the following features:

  • Encryption of packets that prevents snooping by unauthorized users.
  • Message integrity that ensures that a packet has not been tampered with in transit.
  • Authentication that verifies that the SNMP message is from a valid source.

Threats that are related to using SNMP Version 2c for management include:

Threat: Sniffing the clear text community string from the network traffic
Potential mitigation: Use SNMP Version 3 with encryption enabled instead of Version 2c.

Threat: Spoofing SNMP messages
Potential mitigation: Use authenticated SNMP Version 3 messages.

Cisco TelePresence System Signaling Threats

The Cisco TelePresence System relies on the SIP protocol to perform signaling operations with the Cisco Unified Communications Manager. SIP is an open standard with tremendous flexibility, including the ability to add user-defined fields. However, SIP is also subject to many security threats and attacks. Besides basic SIP, the Cisco TelePresence System also supports SIP over TLS, which provides an encrypted tunnel for signaling.

Threat: Unauthorized calling
Potential mitigation: Use secure phone profiles that provide authentication for SIP calls.

Threat: Capturing SIP credentials by sniffing network traffic
Potential mitigation: Utilize SIP over TLS for encrypted signaling.

Threat: DoS attacks against the SIP listening ports (TCP/UDP port 5060, TCP port 5061) on Cisco Unified Communications Manager
Potential mitigation: Restrict network access to the SIP ports (TCP/UDP 5060 and TCP 5061) on Cisco Unified Communications Manager to only the necessary SIP devices (subnets/hosts) using ACLs on your network devices.

Threat: Spoofed SIP control messages (INVITE, BYE, etc.)
Potential mitigation: Utilize SIP over TCP instead of UDP and/or utilize SIP over TLS.

Threat: Mapping out the internal network via external SIP messages
Potential mitigation: Enable topology hiding on the SBC.

Threat: Initiating SIP messages to the internal network from external sources
Potential mitigation: Restrict the external systems that can initiate SIP messages to the SBC.

Threat: External DoS attack against SIP
Potential mitigation: Use Call Admission Control on the SBC to restrict the number of calls allowed.

Note: The same signaling threats apply to the VoIP phone that resides in the Cisco TelePresence room.
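
The ACL mitigations named in the management table (restrict the SSH/HTTP/HTTPS/SNMP interfaces of the codec to the management subnet) and in the signaling table (restrict the SIP ports on Cisco Unified Communications Manager to known SIP devices), as an added Cisco IOS configuration example that is not from the guide. The addresses (codec 10.10.50.21 in VLAN 50, CUCM 10.10.10.5 in VLAN 10, Multipoint Switch 10.10.20.7, management subnet 10.0.7.0/24), the SVI names and the assumption that these are the only SIP peers are all constructed for the example.

```cisco
! Added example, not from the guide. Assumed addressing (constructed):
!   CTS codec                              10.10.50.21  (VLAN 50, SVI Vlan50)
!   Cisco Unified Communications Manager   10.10.10.5   (VLAN 10, SVI Vlan10)
!   Cisco TelePresence Multipoint Switch   10.10.20.7
!   Management subnet                      10.0.7.0/24
!
! 1) Only the management subnet may reach the codec's SSH, HTTP, HTTPS and
!    SNMP interfaces; SIP, RTP/SRTP and XML/SOAP to the codec are unaffected.
ip access-list extended CTS-MGMT-IN
 remark Allow management protocols from the management subnet only
 permit tcp 10.0.7.0 0.0.0.255 host 10.10.50.21 eq 22
 permit tcp 10.0.7.0 0.0.0.255 host 10.10.50.21 eq 80
 permit tcp 10.0.7.0 0.0.0.255 host 10.10.50.21 eq 443
 permit udp 10.0.7.0 0.0.0.255 host 10.10.50.21 eq snmp
 remark Drop (and log, so hits show up in syslog) management attempts from anywhere else
 deny   tcp any host 10.10.50.21 eq 22 log
 deny   tcp any host 10.10.50.21 eq 80 log
 deny   tcp any host 10.10.50.21 eq 443 log
 deny   udp any host 10.10.50.21 eq snmp log
 remark Everything else (call signaling, media, meeting data from CTS Manager) passes
 permit ip any any
!
interface Vlan50
 description TelePresence VLAN; filter routed traffic leaving the SVI toward the codec
 ip access-group CTS-MGMT-IN out
!
! 2) Only known SIP devices may reach the SIP listening ports on CUCM
!    (TCP/UDP 5060 and TCP 5061, as listed in the signaling table).
ip access-list extended CUCM-SIP-IN
 remark SIP from the TelePresence VLAN (codecs and room phones)
 permit tcp 10.10.50.0 0.0.0.255 host 10.10.10.5 range 5060 5061
 permit udp 10.10.50.0 0.0.0.255 host 10.10.10.5 eq 5060
 remark SIP from the Multipoint Switch (assumed address)
 permit tcp host 10.10.20.7 host 10.10.10.5 range 5060 5061
 permit udp host 10.10.20.7 host 10.10.10.5 eq 5060
 remark Everyone else is denied the SIP ports; logged hits reveal scanning or DoS attempts
 deny   tcp any host 10.10.10.5 range 5060 5061 log
 deny   udp any host 10.10.10.5 eq 5060 log
 permit ip any any
!
interface Vlan10
 description Server VLAN; filter routed traffic leaving the SVI toward CUCM
 ip access-group CUCM-SIP-IN out
!
! Verify that the expected entries are matching:
! show ip access-lists CTS-MGMT-IN
! show ip access-lists CUCM-SIP-IN
```

A routed ACL on an SVI does not see traffic between hosts in the same VLAN, so if untrusted hosts share VLAN 50 with the codec, the private VLAN separation described earlier in this guide (or a VLAN access map) is needed in addition.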

Cisco TelePresence System Media Threats

The Cisco TelePresence System uses RTP and SRTP to transfer media. These protocols transfer the media data and they also use an associated control protocol, RTCP, to control the data transfer.

Threat: Manipulating the RTCP traffic to change or disrupt the call
Potential mitigation: Deploy secure phone profiles and utilize SRTP with encryption.

Threat: Man-in-the-middle attack to capture the audio or video data for a call
Potential mitigation: Deploy secure phone profiles and utilize SRTP with encryption.

Threat: Sniffing the media stream from network traffic
Potential mitigation: Deploy secure phone profiles and utilize SRTP with encryption.

Threat: DoS attacks to cause a call to drop
Potential mitigation: Deploy QoS across the end-to-end network infrastructure.

Cisco TelePresence System Control Traffic Threats

The Cisco TelePresence System uses Trivial File Transfer Protocol (TFTP) to retrieve software images and configuration files from the Cisco Unified Communications Manager. TFTP exposes the following threats:

Threat: Man-in-the-middle manipulation of system images
Potential mitigation: Enable signed firmware images on Cisco Unified Communications Manager.

Threat: Man-in-the-middle manipulation of configuration files
Potential mitigation: Enable signed/encrypted configuration files on Cisco Unified Communications Manager.

Threat: Sniffing network traffic and getting sensitive information from configuration files
Potential mitigation: Enable signed/encrypted configuration files on Cisco Unified Communications Manager.

Threat: Rogue DHCP server on the network
Potential mitigation: Configure port security and Dynamic Host Configuration Protocol (DHCP) Snooping on the switch connecting the Cisco TelePresence System to the network.

The Cisco TelePresence System can be configured to obtain an IP address via DHCP or use a static IP address. If DHCP is utilized, then the following threats are relevant:

Threat: Rogue DHCP server on the network
Potential mitigation: Configure port security and DHCP Snooping on the switch connecting the CTS to the network.
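
The port security and DHCP Snooping mitigation for a rogue DHCP server, as an added Cisco IOS access-switch configuration example that is not from the guide. VLAN 50, the codec port GigabitEthernet1/0/10 and the uplink GigabitEthernet1/0/48 are assumptions.

```cisco
! Added example, not from the guide. Assumed (constructed): codec on Gi1/0/10
! in VLAN 50; uplink toward the real DHCP server and CUCM TFTP on Gi1/0/48.
!
! DHCP snooping accepts server-to-client messages (OFFER, ACK, NAK) only on
! trusted ports, so a rogue server plugged into the room cannot hand the codec
! a bogus default gateway or TFTP server address (DHCP option 150).
ip dhcp snooping
ip dhcp snooping vlan 50
! Disable option-82 insertion unless the DHCP server is configured to accept
! it; otherwise legitimate leases can fail once snooping is turned on.
no ip dhcp snooping information option
!
! Codec port: untrusted for DHCP. Port security limits the port to one learned
! MAC address (raise the maximum if the room phone shares this port).
! "violation restrict" drops violating frames and raises a syslog/SNMP trap
! instead of err-disabling the room's only connection.
interface GigabitEthernet1/0/10
 description CTS codec (DHCP untrusted, port security enabled)
 switchport mode access
 switchport access vlan 50
 spanning-tree portfast
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 ip dhcp snooping limit rate 10
!
! Only the uplink toward the legitimate DHCP server is trusted.
interface GigabitEthernet1/0/48
 description Uplink toward DHCP server and CUCM (DHCP trusted)
 ip dhcp snooping trust
!
! Verification after the codec renews its lease:
! show ip dhcp snooping            (VLAN 50 enabled, Gi1/0/48 trusted)
! show ip dhcp snooping binding    (codec MAC/IP/lease learned on Gi1/0/10)
! show port-security interface GigabitEthernet1/0/10
```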

 

The Cisco TelePresence System utilizes XML/SOAP messaging to receive meeting information from the CTS Manager. XML/SOAP to the CTS exposes the following threats:

Threat: Spoofed XML/SOAP messages
Potential mitigation: Install certificates on the Cisco TelePresence System and Cisco TelePresence System Manager and enable secure web traffic.

Threat: Man-in-the-middle manipulation of meeting information
Potential mitigation: Install certificates on the Cisco TelePresence System and Cisco TelePresence System Manager and enable secure web traffic.

Threat: Network access to the XML/SOAP interface allows an attacker to launch various attacks against the interface.
Potential mitigation: Restrict access to the Cisco TelePresence System XML/SOAP interface to the Cisco TelePresence System Manager address using ACLs on network devices.

Cisco TelePresence System Manager Threats

Cisco TelePresence System Manager Physical Threats

The Cisco TelePresence System Manager is a network server that should reside in a controlled environment similar to other servers (such as Cisco Unified Communications Manager and Microsoft Exchange). The restrictions on that environment should mitigate the basic physical access threats to the CTS Manager system.

Cisco TelePresence System Manager Management Threats

The Cisco TelePresence System Manager supports the following management protocols:

  • SSH
  • HTTP
  • HTTPS
  • SNMP

The general threats to Cisco TelePresence System Manager management include the following:

Threat: Brute force attacks against weak administrator passwords
Potential mitigation: Require strong passwords for all administrative accounts (SSH, HTTP, and SNMP).

Threat: Attacks against the management interfaces that are accessible via the network.
Potential mitigation: Restrict access to the Cisco TelePresence System Manager management interfaces to only the necessary management subnets/hosts using ACLs on your network devices.

Threats related to using HTTP for management include the following:

Threat: Man-in-the-middle attack to manipulate management traffic
Potential mitigation: Require HTTPS for management access, which provides integrity checking.

Threat: Sniffing network traffic reveals credentials.
Potential mitigation: Require HTTPS for management access.

The Cisco TelePresence System Manager supports SNMP Version 2c and Version 3 (default). Version 3 of SNMP is the most secure version because it adds the following features:

  • Encryption of packets that prevents snooping by an unauthorized source.
  • Message integrity that ensures that a packet has not been tampered with in transit.
  • Authentication that verifies that the SNMP message is from a valid source.

Threat: Sniffing the clear text community string from the network traffic
Potential mitigation: Use SNMP Version 3 with encryption enabled instead of Version 2c.

Threat: Spoofing SNMP messages
Potential mitigation: Use authenticated SNMP Version 3 messages.

Cisco TelePresence System Manager Signaling Threats

The Cisco TelePresence System Manager does not handle any of the call signaling traffic, so there are no threats for this area.

Cisco TelePresence System Manager Media Threats

The Cisco TelePresence System Manager does not handle any of the call media traffic, so there are no threats for this area.

Cisco TelePresence System Manager Control Traffic Threats

The Cisco TelePresence System Manager utilizes XML/SOAP for the following functions:

  • Send meeting information to the Cisco TelePresence System
  • Monitor CTS devices on Cisco Unified Communications Manager
  • Send meeting information to Cisco TelePresence Multipoint Switch

The XML/SOAP network communication used by Cisco TelePresence System Manager exposes the following threats:

Threat: Spoofed XML/SOAP messages
Potential mitigation: Install certificates on the Cisco TelePresence System and Cisco TelePresence System Manager and enable secure web traffic.

Threat: Man-in-the-middle manipulation of meeting information
Potential mitigation: Install certificates on the Cisco TelePresence System and Cisco TelePresence System Manager and enable secure web traffic.

Threat: Attacks against the XML/SOAP interface accessible via the network.
Potential mitigation: Restrict access to the Cisco TelePresence System Manager XML/SOAP interface to the configured Cisco TelePresence System Multipoint Switch addresses using ACLs on your network devices.

Cisco TelePresence System Multipoint Switch Threats

Cisco TelePresence System Multipoint Switch Physical Threats

The Cisco TelePresence System Multipoint Switch is a network server that should reside in a controlled environment similar to other servers (such as Cisco Unified Communications Manager and Microsoft Exchange). The restrictions on that environment should mitigate the basic physical access threats to the Cisco TelePresence System Multipoint Switch system.

Cisco TelePresence System Multipoint Switch Management Threats

The Cisco TelePresence System Multipoint Switch supports the following management protocols:

  • SSH
  • HTTP
  • HTTPS
  • SNMP

The general threats to Cisco TelePresence System Multipoint Switch management include the following:

Threat: Brute force attacks against weak administrator passwords
Potential mitigation: Require strong passwords for all administrative accounts (SSH, HTTP, and SNMP).

Threat: Attacks against the management interfaces that are accessible via the network.
Potential mitigation: Restrict access to the Cisco TelePresence System Multipoint Switch management interfaces to only the necessary management subnets/hosts using ACLs on your network devices.

The Cisco TelePresence System Multipoint Switch supports SNMP Version 2c and Version 3 (default). Version 3 of SNMP is the most secure version because it adds the following features:

  • Encryption of packets to prevent snooping by an unauthorized source.
  • Message integrity to ensure that a packet has not been tampered with in transit.
  • Authentication to verify that the SNMP message is from a valid source.

Threat: Sniffing the clear text community string from the network traffic
Potential mitigation: Use SNMP Version 3 with encryption enabled instead of Version 2c.

Threat: Spoofing SNMP messages
Potential mitigation: Use authenticated SNMP Version 3 messages.

The threats related to using HTTP for management include the following:

Threat: Man-in-the-middle attack to manipulate management traffic
Potential mitigation: Require HTTPS for management access, which provides integrity checking.

Threat: Sniffing management traffic traversing the network exposes credentials and other sensitive traffic
Potential mitigation: Require HTTPS for management access.

Cisco TelePresence System Multipoint Switch Signaling Threats

The Cisco TelePresence Multipoint Switch relies on the SIP protocol to perform signaling operations with the Cisco Unified Communications Manager. SIP is an open standard with a great deal of flexibility, including the ability to add user-defined fields. SIP is also subject to many security threats and attacks. In addition to basic SIP, the Cisco TelePresence Multipoint Switch also supports SIP over TLS, which provides an encrypted tunnel through which to perform the signaling.

Threat: Unauthorized calling
Potential mitigation: Use secure phone profiles that provide authentication for SIP calls.

Threat: Capturing SIP credentials by sniffing network traffic
Potential mitigation: Utilize SIP over TLS for encrypted signaling.

Threat: DoS attacks against the SIP listening ports (TCP/UDP port 5060 and TCP port 5061) on Cisco Unified Communications Manager
Potential mitigation: Restrict network access to the SIP ports (TCP/UDP 5060 and TCP 5061) on Cisco Unified Communications Manager to only the necessary SIP devices (subnets/hosts) using ACLs on your network devices.

Threat: Spoofed SIP control messages (INVITE, BYE, etc.)
Potential mitigation: Utilize SIP over TCP instead of User Datagram Protocol (UDP) and/or utilize SIP over TLS.

Threat: Mapping out the internal network via external SIP messages
Potential mitigation: Enable topology hiding on the SBC.

Threat: Initiating external SIP messages to the internal network
Potential mitigation: Restrict the external systems that can initiate SIP messages to the SBC.

Threat: Initiating an external DoS attack against SIP
Potential mitigation: Use Call Admission Control on the SBC to restrict the number of calls allowed.

Cisco TelePresence System Multipoint Switch Media Threats

The Cisco TelePresence System Multipoint Switch uses RTP and SRTP to transfer media. These protocols transfer the media data and they also use an associated control protocol, RTCP, to control the data transfer.

Threat: Manipulating the RTCP traffic to change or disrupt the call
Potential mitigation: Deploy secure phone profiles and utilize SRTP with encryption.

Threat: Man-in-the-middle attack to capture the audio or video data for a call
Potential mitigation: Deploy secure phone profiles and utilize SRTP with encryption.

Threat: Sniffing the media stream from network traffic
Potential mitigation: Deploy secure phone profiles and utilize SRTP with encryption.

Cisco TelePresence System Multipoint Switch Control Traffic Threats

The Cisco TelePresence System Multipoint Switch uses XML/SOAP traffic to receive meeting information from the Cisco TelePresence System Manager.

Threat: Spoofed XML/SOAP messages
Potential mitigation: Install certificates on the Cisco TelePresence System Multipoint Switch and Cisco TelePresence System Manager and enable secure web traffic on both devices.

Threat: Man-in-the-middle manipulation of meeting information
Potential mitigation: Install certificates on the Cisco TelePresence System Multipoint Switch and Cisco TelePresence System Manager and enable secure web traffic on both devices.

Threat: Attacks against the XML/SOAP interface accessible via the network
Potential mitigation: Restrict access to the Cisco TelePresence System Multipoint Switch XML/SOAP interface to the configured Cisco TelePresence System Manager addresses using ACLs on your network devices.

Cisco TelePresence System Recording Server

The Cisco TelePresence System Recording Server provides a method to record Cisco TelePresence calls. All of the endpoints use the single Cisco TelePresence System Recording Server, which is configured as a static mapping between each endpoint and the Recording Server on the Cisco Unified Communications Manager. Users log in to the user portal, which is authenticated with a PIN, to initiate a recording.

Cisco TelePresence System Recording Server Physical Threats

The Cisco TelePresence System Recording Server is a network server that should reside in a controlled environment similar to other servers (such as Cisco Unified Communications Manager and Microsoft Exchange). The restrictions on that environment should mitigate the basic physical access threats to the Cisco TelePresence System Recording Server system.

Cisco TelePresence System Recording Server Management Threats

The Cisco TelePresence System Recording Server supports the following management protocols:

  • SSH
  • HTTP
  • HTTPS
  • SNMP

The general threats to Cisco TelePresence System Recording Server management include the following:

Threat: Brute force attacks against weak administrator passwords
Potential mitigation: Require strong passwords for all administrative accounts (SSH, HTTP, and SNMP).

Threat: Attacks against the management interfaces that are accessible via the network.
Potential mitigation: Restrict access to the Cisco TelePresence System Recording Server management interfaces to only the necessary management subnets/hosts using ACLs on your network devices. For HTTP, this filtering must be performed on a URL basis, since the end users creating recordings must also access the web portal.

The Cisco TelePresence System Recording Server supports SNMP Version 2c and Version 3 (default). Version 3 of SNMP is the most secure version because it adds the following features:

  • Encryption of packets to prevent snooping by an unauthorized source.
  • Message integrity to ensure that a packet has not been tampered with in transit.
  • Authentication to verify that the SNMP message is from a valid source.

Threat: Sniffing the clear text community string from the network traffic
Potential mitigation: Use SNMP Version 3 with encryption enabled instead of Version 2c.

Threat: Spoofing SNMP messages
Potential mitigation: Use authenticated SNMP Version 3 messages.

The threats related to using HTTP for management include the following:

Threat: Man-in-the-middle attack to manipulate management traffic
Potential mitigation: Require HTTPS for management access, which provides integrity checking.

Threat: Attacks against the management interfaces that are accessible via the network.
Potential mitigation: Restrict access to the Cisco TelePresence System Recording Server Administration interface. Since normal users access the web interface to produce recordings, you cannot simply restrict all HTTP traffic; your restrictions must be based on specific web URLs.

Threat: Sniffing management traffic traversing the network exposes credentials and other sensitive traffic
Potential mitigation: Require HTTPS for management access.

Cisco TelePresence System Recording Server Signaling Threats

The Cisco TelePresence System Recording Server relies on the SIP protocol to perform signaling operations with the Cisco Unified Communications Manager. SIP is an open standard with a great deal of flexibility, including the ability to add user-defined fields. However, SIP is also subject to many security threats and attacks. Besides basic SIP, the CTS Recording Server also supports SIP over TLS, which provides an encrypted tunnel through which to perform the signaling.

Threat: Unauthorized calling
Potential mitigation: Use secure phone profiles that provide authentication for SIP calls.

Threat: Capturing SIP credentials by sniffing network traffic
Potential mitigation: Utilize an encrypted SIP trunk for signaling between the CTRS and Cisco Unified Communications Manager.

Threat: DoS attacks against the SIP listening ports (TCP/UDP port 5060 and TCP port 5061) on Cisco Unified Communications Manager
Potential mitigation: Restrict network access to the SIP ports (TCP/UDP 5060 and TCP 5061) on Cisco Unified Communications Manager to only the necessary SIP devices (subnets/hosts) using ACLs on your network devices.

Threat: Spoofed SIP control messages (INVITE, BYE, etc.)
Potential mitigation: Utilize SIP over TCP instead of UDP and/or utilize SIP over TLS.

Cisco TelePresence System Recording Server Media Threats

The Cisco TelePresence System Recording Server uses RTP and SRTP to transfer media during calls. These protocols transfer the actual media data and they also utilize an associated control protocol, RTCP, to control the data transfer.

Threat: Manipulating the RTCP traffic to change or disrupt the call
Potential mitigation: Deploy secure phone profiles and utilize SRTP with encryption.

Threat: Man-in-the-middle attack to capture the audio or video data for a call
Potential mitigation: Deploy secure phone profiles and utilize SRTP with encryption.

Threat: Sniffing the media stream from network traffic
Potential mitigation: Deploy secure phone profiles and utilize SRTP with encryption.

Cisco TelePresence System Recording Server Control Traffic Threats

The Cisco TelePresence System Recording Server uses Trivial File Transfer Protocol (TFTP) to retrieve software images and configuration files from the Cisco Unified Communications Manager. TFTP exposes the following threats:

Threat: Man-in-the-middle manipulation of system images
Potential mitigation: Enable signed firmware images on Cisco Unified Communications Manager.

Threat: Man-in-the-middle manipulation of configuration files
Potential mitigation: Enable signed/encrypted configuration files on Cisco Unified Communications Manager.

Threat: Sniffing network traffic and getting sensitive information from configuration files
Potential mitigation: Enable signed/encrypted configuration files on Cisco Unified Communications Manager.

Threat: Rogue DHCP server on the network
Potential mitigation: Configure port security and Dynamic Host Configuration Protocol (DHCP) Snooping on the switch connecting the Cisco TelePresence System Recording Server to the network.

The Cisco TelePresence Recording Server can be configured to obtain an IP address via DHCP or use a static IP address. If DHCP is utilized, then the following threats are relevant:

Threat: Rogue DHCP server on the network
Potential mitigation: Configure port security and DHCP Snooping on the switch connecting the Cisco TelePresence Recording Server to the network.

The Cisco TelePresence System Recording Server utilizes XML/SOAP messaging to receive meeting information from the IP Phone in the Cisco TelePresence room, as well as the Cisco TelePresence Manager. XML/SOAP to the Cisco TelePresence Recording Server exposes the following threats:

Threat: Spoofed XML/SOAP messages
Potential mitigation: Use secure phone profiles on the Cisco TelePresence Recording Server and Cisco TelePresence System. Install appropriate certificates and enable secure web traffic on the Cisco TelePresence Manager.

Threat: Man-in-the-middle manipulation of meeting information
Potential mitigation: Use secure phone profiles on the Cisco TelePresence Recording Server and Cisco TelePresence System. Install appropriate certificates and enable secure web traffic on the Cisco TelePresence Manager.

Threat: Network access to the XML/SOAP interface allows an attacker to launch various attacks against the interface.
Potential mitigation: Restrict access to the Cisco TelePresence Recording Server XML/SOAP interface to the Cisco TelePresence System addresses and Cisco TelePresence System Manager addresses using ACLs on network devices.

Acknowledgments

Earl Carter (ecarter@cisco.com) and Andrae Middleton (amiddlet@cisco.com), Network Consulting Engineers

 


This document is part of Cisco Security Intelligence Operations.

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
