Other Cisco Call Center Applications
The following sections discuss security considerations for other Cisco Call Center applications.
Cisco Unified ICM Router
The file dbagent.acl is an internal file used by the Router. Do not edit it. It must, however, keep its READ permission, because users need to read it in order to connect to the Router's real-time feed.
Peripheral Gateways (PGs) and Agent Login
Unified CCE limits agent login attempts with an incorrect password. By default, an agent account is locked out for 15 minutes after three incorrect password attempts within a 15-minute period.
You can change these defaults with registry keys. The keys are under: HKLM\SOFTWARE\Cisco Systems, Inc.\ICM\<inst>\PG(n)[A/B]\PG\CurrentVersion\PIMS\pim(n)\EAGENTData\Dynamic
The registry keys include the following:
- AccountLockoutDuration: The default is 15. After the account is locked out because of unsuccessful login attempts, this value is the number of minutes the account remains locked out.
- AccountLockoutResetCountDuration: The default is 15. This is the number of minutes before the count of unsuccessful login attempts goes back to zero. It applies when the account has not been locked out, that is, when the number of unsuccessful attempts is still below AccountLockoutThreshold.
- AccountLockoutThreshold: The default is 3. This is the number of unsuccessful login attempts after which the account is locked out.
When Single Sign-On (SSO) is enabled for an agent, the account lockout mechanism is managed by the associated identity provider.
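The following Python model shows how the three lockout values interact (threshold, reset window, lockout duration) and what an agent sees at each step. It is an added example for this page, not Cisco code and not the Peripheral Gateway's actual implementation; the agent IDs and passwords are constructed, and it assumes that the failed-attempt counter resets once more than AccountLockoutResetCountDuration minutes have passed since the last failed attempt (the usual Windows-style semantics), which the text does not spell out.

```python
"""Model of the Unified CCE agent login lockout policy (added example, not Cisco code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class LockoutPolicy:
    # Mirrors the three registry values named in the text; all units are minutes.
    account_lockout_threshold: int = 3
    account_lockout_reset_count_duration: int = 15
    account_lockout_duration: int = 15


@dataclass
class AgentState:
    failed_attempts: int = 0
    last_failure: Optional[float] = None   # minute of the most recent failed attempt
    locked_until: Optional[float] = None   # minute at which the lockout expires


class AgentLoginGuard:
    """Tracks failed logins per agent and applies the lockout policy.

    Assumption (not stated in the text): the failure counter goes back to zero
    when more than AccountLockoutResetCountDuration minutes pass since the last
    failed attempt. Times are plain minute counters so the model runs offline.
    """

    def __init__(self, policy: LockoutPolicy, passwords: Dict[str, str]):
        self.policy = policy
        self.passwords = passwords   # constructed sample credentials, not a real store
        self.state: Dict[str, AgentState] = {}

    def attempt(self, agent: str, password: str, now: float) -> str:
        """Return 'ok', 'denied' (wrong password) or 'locked' for a login at minute `now`."""
        st = self.state.setdefault(agent, AgentState())
        p = self.policy

        # While a lockout is active, even the correct password is refused.
        if st.locked_until is not None:
            if now < st.locked_until:
                return "locked"
            # Lockout expired: clear it and start counting from zero again.
            st.locked_until = None
            st.failed_attempts = 0
            st.last_failure = None

        # AccountLockoutResetCountDuration: stale failures no longer count.
        if (st.last_failure is not None
                and now - st.last_failure > p.account_lockout_reset_count_duration):
            st.failed_attempts = 0
            st.last_failure = None

        if self.passwords.get(agent) == password:
            # A successful login resets the failure counter.
            st.failed_attempts = 0
            st.last_failure = None
            return "ok"

        st.failed_attempts += 1
        st.last_failure = now
        if st.failed_attempts >= p.account_lockout_threshold:
            # AccountLockoutThreshold reached: lock for AccountLockoutDuration minutes.
            st.locked_until = now + p.account_lockout_duration
            st.failed_attempts = 0
            st.last_failure = None
            return "locked"
        return "denied"


def demo() -> List[str]:
    """Walk one agent through the default policy; returns the outcome of each attempt."""
    guard = AgentLoginGuard(LockoutPolicy(), {"agent1001": "correct-horse"})
    outcomes = []
    # Three wrong passwords within 15 minutes: the third attempt locks the account.
    for minute in (0, 1, 2):
        outcomes.append(guard.attempt("agent1001", "wrong", minute))
    # The right password is still refused while the 15-minute lockout runs.
    outcomes.append(guard.attempt("agent1001", "correct-horse", 10))
    # Once the lockout expires (minute 2 + 15 = 17), the agent can log in again.
    outcomes.append(guard.attempt("agent1001", "correct-horse", 17))
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The reset window matters for detection as much as for prevention: two failures, a pause longer than AccountLockoutResetCountDuration, and two more failures never trigger the lockout, so a slow password-spraying attempt against agent IDs will not show up as locked accounts and has to be caught from the login logs instead.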
Endpoint Security
Agent Desktops
Cisco Finesse supports HTTPS (TLS 1.2 only) for the Administration Console and agent and supervisor clients.
Unified IP Phone Device Authentication
When designing a contact center enterprise solution, you can implement device authentication for the Cisco Unified IP Phones. Contact center enterprise solutions support Unified Communications Manager’s Authenticated Device Security Mode, which ensures the following:
- Device Identity—Mutual authentication using X.509 certificates
- Signaling Integrity—SIP messages authenticated using HMAC-SHA-1
- Signaling Privacy—SIP message content encrypted using AES-128-CBC
Media Encryption (SRTP) Considerations
Before enabling SRTP in your deployment, consider the following points:
- To use secure media on the agent leg, ensure that the installed IP phones are compatible with SRTP.
- The Virtualized Voice Browser supports SRTP for the VRU leg.
- The IOS VXML Gateway does not support SRTP.
- Mobile Agents cannot use SRTP.
- The Cisco Outbound Option Dialers do not support SRTP. While calls are connected to the Dialer, the calls cannot use SRTP. Calls can negotiate SRTP once they are no longer connected to the Dialer.
- Cisco MediaSense supports SRTP recording only for recording from the phone's BIB. It does not support SRTP recording for CUBE and Network Based Recording calls. It does not support SRTP recording for Outbound and Direct Inbound call flows.
- MediaSense decrypts the incoming media before writing the media to the disk.
IP Phone Hardening
With the IP phone device configuration in Unified CM, you can disable certain phone features to harden the phones. For example, you can disable the phone's PC port or restrict a PC from accessing the voice VLAN. Changing some of these settings can disable the monitoring and recording features of the contact center enterprise solution. The settings are defined as follows:
- PC Voice VLAN Access—Indicates whether the phone allows a device attached to the PC port to access the Voice VLAN. Disabling Voice VLAN Access prevents the attached PC from sending and receiving data on the Voice VLAN. It also prevents the PC from receiving data sent and received by the phone. Disabling this feature disables desktop-based monitoring and recording.
This setting is Enabled (the default).
- Span to PC Port—Indicates whether the phone forwards packets transmitted and received on the Phone Port to the PC Port. To use this feature, enable PC Voice VLAN Access. Disabling this feature disables desktop-based monitoring and recording.
This setting is Enabled.
Disable the following setting to prevent man-in-the-middle (MITM) attacks that use forged ARP replies to redirect the phone's traffic. Note that some third-party monitoring and recording applications rely on this same mechanism to capture voice streams, so disabling it can break them.
- Gratuitous ARP—Indicates whether the phone learns MAC addresses from Gratuitous ARP responses.
This setting is Disabled.