how to design the various security layers required for a Unified CCE network,
this section introduces the differences that are inherent in the applications
making up the Unified CCE solution.

The Unified CCE solution consists of a number of application servers that are managed
differently. The primary servers, those with the most focus in this document,
are the Routers, Loggers (also known as Central Controllers), Peripheral
Gateways, Administration & Data Servers, and so forth. These application
servers can be installed only on a standard (default) operating system
installation. All installations can be done on Windows Server 2008 R2 Standard
or Enterprise Edition. The maintenance of this operating system in terms of
device drivers, security updates, and so forth, is the responsibility of the
customer, as is acquiring the necessary software from the appropriate vendors.
This category of application servers is the primary focus of this topic.

The secondary group of servers, those running applications that are part of the solution but that
are deployed differently, are Cisco Unified Communications Manager (Unified
CM), Cisco Unified IP IVR, and so forth. Customers are required to obtain all
relevant patches and updates to this operating system from Cisco. The security
hardening specifications for this operating system can be found in the
Cisco Unified Communications Solution Reference Network Design
(SRND) Guide and other Unified CM documentation at

The approach to securing the Unified CCE solution as it pertains to the various layers listed
above differs from one group of servers to another. It is useful to keep this
in mind as you design, deploy, and maintain these servers in your environment.
Cisco is constantly enhancing its Unified Communications products with the
eventual goal of having them all support the same customized operating system,
antivirus applications, and security patch management techniques. Some examples
of these enhancements include the support of Cisco's host-based intrusion
prevention software (Cisco Security Agent) and default server hardening
provided by the customized operating system or applications.