Secure collab on prem hikmat

Secure Collaboration for On-premise VoIP Deployments (CUCM and CUBE/ SBC)


  1. Secure Collaboration for On-Premise VoIP Deployments (CUCM and CUBE/SBC)
     Hikmat El Ajaltouni, Systems Engineer, Jan. 26, 2017
  2. Agenda
     • Secure Network, Secure Endpoints, Secure Call Control
     • Collaboration System Release 11.5 Security Update
     • Deploying and Handling Certificates & PKI in CUCM
     • CUBE/SBC
     • Cisco Product Security
  3. Secure Network, Secure Endpoints, Secure Call Control (BRKUCC-2501)
  4. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
     Infrastructure Security Measures
     Segregation
     • Virtual LANs (VLANs) separate voice and data traffic
     • VLAN Access Control Lists (VACLs) limit traffic between devices on the voice VLAN
     • QoS Packet Marking ensures UC traffic receives appropriate priority over other traffic
     Layer 3
     • IP Source Guard examines physical port, VLAN, IP, & MAC for inconsistencies
     Layer 2
     • DHCP Snooping creates the binding table
     • Dynamic ARP Inspection examines ARP & GARP for violations
     • Port Security limits the number of MAC addresses allowed per port
     • 802.1x limits network access to authenticated devices on assigned VLANs
  5. IP Phone Security Features
     • Cryptographically assured device identity
       • Manufacturing Installed Certificate (MIC)
       • Locally Significant Certificates (LSC)
     • Signed firmware images
     • Signed & encrypted configuration files
     • Mutually authenticated & encrypted signaling & media
     • Embedded 802.1x supplicant
     • Positive disconnect for handset & speakerphone
     • Positive off-hook indicator for speakerphone
     • Disable or block access to the voice VLAN for the downstream port
     • Disable web interface
     • Disable “settings” button
     • Disable SSH access
     • FIPS mode (select models)
     • Gratuitous ARP rejection
  6. Unified Communications Manager Security – User Credential Policies
     • Disallow trivial passwords
     • Require minimum length
     • Prevent reuse with configurable depth
     • Lockout on failed attempts with configurable depth, time span, & duration
     • Lockout on inactivity with configurable time span
     • Expire after configurable time span
     • Expiry warning with configurable time span
     • Control frequency of credential modifications with configurable time span
     • Force credential modification on next attempt
     • Prevent credential modification by user
     • Lockout by administrator
     • Configurable session timeouts
     • SAML Single Sign-On (SSO)
  7. Unified Communications Manager Security
     Encrypted Signaling & Media
     • SIP & SCCP Phones
     • SIP Video Endpoints
     • MGCP, H.323, & SIP Trunks
     • TAPI & JTAPI Applications
     • Meet-me, ad-hoc, & barge Conferences
     • Extension Mobility Cross-Cluster
     • Intercluster Lookup Service (ILS)
     • Location Bandwidth Manager (LBM)
     Secure Interfaces & Protocols
     • Web, CLI, CTI, & LDAP
     • HTTPS, TLS, SRTP, SSH, SFTP, SLDAP, IPSec, TFTP
  8. UCM Cluster Security Mode
     • Non-Secure or Mixed (not simply On/Off)
     • Mixed Mode requirements:
       • Export Restricted version of UCM
       • CTL file, configured via the Windows CTL Client or the ‘utils ctl set-cluster’ CLI
  9. Unified Communications Manager Security (continued)
     The Encrypted Signaling & Media items and the Secure Interfaces & Protocols listed on slide 7 require Mixed Mode.
  10. Cluster Security Mode: Feature Tradeoffs
     Table comparing feature availability in a Non Secure Cluster and a Mixed Mode Cluster (per-mode availability marks not shown):
     • Auto-registration* (*new in 11.5)
     • Signed & Encrypted Phone Configs
     • Signed Phone Firmware
     • Secure Phone Services (HTTPS)
     • CAPF + LSC
     • IP VPN Phone
     • Secure Endpoints (TLS & SRTP)
  11. Hardened Appliance Model – why is CUCM considered a hardened platform?
     • SELinux enforcing mode provides host-based intrusion protection
     • iptables provides a host-based firewall
     • Third-party software installations are NOT allowed
     • Root account disabled; no other uid=0 accounts
     • OS and applications are installed from a single package
     • All software updates must be signed packages from Cisco
     • Secure management (HTTPS, SSH, SFTP)
     • Audit logging
     • Active & inactive partition architecture – easy to fall back if needed
  12. Balancing Risk
     Controls placed on a scale of cost, complexity, resources, performance, manpower and overhead, from Low (easy or default) through Medium (moderate and reasonable) to High (advanced or not integrated):
     • Hardened platform
     • IP VPN Phone
     • UC-aware firewall (inspection)
     • SELinux – host-based intrusion protection
     • Secure directory integration (SLDAP)
     • Phone Proxy
     • iptables – integrated host firewall
     • Encrypted configuration
     • IPsec
     • Signed firmware & configuration
     • TLS & SRTP for phones & gateways
     • Rate limiting
     • HTTPS
     • Trusted Relay Points (TRP)
     • Managed VPN (remote worker)
     • Separate voice & data VLANs
     • QoS packet marking
     • Network anomaly detection
     • STP, BPDU Guard, SmartPorts
     • DHCP Snooping
     • Scavenger class QoS
     • Basic Layer 3 ACLs (stateless)
     • Dynamic ARP Inspection
     • 802.1x & NAC
     • Phone security settings
     • IP Source Guard, Port Security
  13. Eliminate Toll Fraud – how do our customers prevent toll fraud?
     • Deny network access to unauthorized users
     • Partitions and Calling Search Spaces provide dial plan segmentation and access control
     • Device Pool “Calling Search Space for Auto-registration” limits auto-registered phones’ access to the dial plan
     • Employ time-of-day routing to deactivate segments of the dial plan after hours
     • Require Forced Authorization Codes on route patterns to restrict access to long distance or internal calls
     • “Drop Ad hoc Conferences” (CallManager service parameter)
     • “Block OffNet to OffNet Transfer” (CallManager service parameter)
     • Monitor Call Detail Records
     • Employ Multilevel Administration
     • Voice gateways: Call Source Authentication (IOS 15.1(2) feature)
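The partition / calling search space, time-of-day and Forced Authorization Code controls on the toll-fraud slide combine into one authorization decision at digit analysis. As an added example (not code from the presentation or from Cisco), the Python model below runs that decision over a constructed dial plan and reports why a call is allowed or denied; the partition and CSS names, patterns and FAC value are assumptions, and the model simplifies CUCM digit analysis by letting CSS order decide instead of closest match.

```python
"""Model of the dial-plan toll-fraud controls described on slide 13.

Added example, not code from the presentation or from Cisco.  A calling
search space (CSS) is an ordered list of partitions; each route pattern
belongs to one partition and may carry a time-of-day window and a Forced
Authorization Code (FAC) requirement.  Simplification (assumption): the
first partition in CSS order holding a matching pattern wins, whereas
real CUCM digit analysis prefers the closest match across partitions.
"""
import re
from dataclasses import dataclass
from datetime import time


@dataclass
class RoutePattern:
    pattern: str                     # CUCM-style pattern, e.g. "9.011!"
    partition: str
    active_from: time = time(0, 0)   # time-of-day routing window, default always on
    active_to: time = time(23, 59)
    fac_required: bool = False       # Forced Authorization Code on this pattern


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate the CUCM wildcards used here: X = one digit, ! = one or
    more digits, [..] = digit range, '.' = access-code delimiter (no digit)."""
    parts, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "X":
            parts.append(r"\d")
        elif ch == "!":
            parts.append(r"\d+")
        elif ch == "[":
            end = pattern.index("]", i)
            parts.append(pattern[i:end + 1])
            i = end
        elif ch != ".":
            parts.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(parts) + "$")


class DialPlan:
    def __init__(self, patterns, css_by_name, fac_codes):
        self.patterns = patterns
        self.css = css_by_name      # CSS name -> ordered list of partitions
        self.fac_codes = fac_codes  # valid FACs (constructed sample values)

    def authorize(self, caller_css, dialed, at, fac=None):
        """Return (allowed, reason) for a call placed at time-of-day `at`
        (a datetime.time or an "HH:MM" string)."""
        if isinstance(at, str):
            at = time(*map(int, at.split(":")))
        for partition in self.css.get(caller_css, []):
            for rp in self.patterns:
                if rp.partition != partition or not pattern_to_regex(rp.pattern).match(dialed):
                    continue
                if not rp.active_from <= at <= rp.active_to:
                    return False, f"{rp.pattern} inactive at {at:%H:%M} (time-of-day routing)"
                if rp.fac_required and fac not in self.fac_codes:
                    return False, f"{rp.pattern} requires a valid Forced Authorization Code"
                return True, f"{rp.pattern} reachable via partition {partition}"
        return False, "no partition in the CSS matches (dial plan segmentation)"


# Constructed sample dial plan: internal extensions, local, long distance and
# international access.  Lobby (and auto-registered) phones reach only internal
# extensions; international dialing is closed outside 08:00-18:00.
PLAN = DialPlan(
    patterns=[
        RoutePattern("XXXX", "PT_Internal"),
        RoutePattern("9.[2-9]XXXXXX", "PT_Local"),
        RoutePattern("9.1[2-9]XX[2-9]XXXXXX", "PT_LongDistance", fac_required=True),
        RoutePattern("9.011!", "PT_International", active_from=time(8, 0),
                     active_to=time(18, 0), fac_required=True),
    ],
    css_by_name={
        "CSS_Lobby": ["PT_Internal"],
        "CSS_Employee": ["PT_Internal", "PT_Local", "PT_LongDistance"],
        "CSS_Exec": ["PT_Internal", "PT_Local", "PT_LongDistance", "PT_International"],
    },
    fac_codes={"24681357"},
)

if __name__ == "__main__":
    for css, number, when, fac in [("CSS_Lobby", "914155551234", "10:00", None),
                                   ("CSS_Employee", "914155551234", "10:00", "24681357"),
                                   ("CSS_Exec", "9011441234567", "20:00", "24681357")]:
        print(css, number, when, PLAN.authorize(css, number, when, fac))
```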
  14. Agenda
     • Secure Network, Secure Endpoints, Secure Call Control
     • Collaboration System Release 11.5 Security Update
     • Deploying and Handling Certificates & PKI in CUCM
     • Securing the Edge with CUBE/SBC
     • Cisco Product Security
  15. CSR 11.5 – The Federal Space
     Federal certifications and their testing agencies:
     • Common Criteria – NIAP (NSA)
     • DoD Unified Capability Approved Products List – JITC
     • Commercial Solutions for Classified – NSA / CSS
     • FedRAMP – 3PAO
  16. Common Criteria Support – CUCM 11.0 Enhancement
     • Accepted and supported by 26 countries worldwide via the Common Criteria Recognition Arrangement (CCRA)
     • The following features have been added/modified in CUCM to meet the certification requirements for SIP signaling and media:
       • Support for ECC (Elliptic Curve Cryptography) for CUCM certificates*. Software features that required modification to support ECC:
         • Self-signed certificates, certificate signing requests (CSR), certificate import and bulk certificate management
         • Certificate Trust List (CTL) and Initial Trust List (ITL)
         • SIP connections
         • CAPF (Certificate Authority Proxy Function)
         • CTI (Computer Telephony Integration)
       • Support for configuration download over a secure channel – HTTPS
       • New entropy source and entropy management
       • Audit logging as outlined in the Network Device Protection Profile
     * The certificate manager supports generating ECC certificates with an EC key pair of 256, 384 or 521 bits (https://www.nsa.gov/business/programs/elliptic_curve.shtml)
  17. CSR 11.5 – FIPS 140-2
     • FIPS 186-4 Digital Signature Standards: DSA, RSA, ECDSA
     • FIPS 180-4 Secure Hash Standards: SHA-1, SHA-256, SHA-384
     • FIPS 197 Advanced Encryption Standard: AES-128, AES-256
     • NIST SP 800-38 (A-F) AES Block Cipher Modes: CBC, CCM, GCM
     • NIST SP 800-52 Selection, Configuration and Use of TLS Implementations
  18. CSR 11.5 – Encryption Strengths (chart comparing 11.5 with 11.0)
  19. CSR 11.5 – Encryption Strengths (chart comparing 11.5 with 11.0 against the NSA Top Secret and NSA Secret levels)
  20. CSR 11.5 – Robust Security (TOP SECRET)
  21. Enhancements in 11.5
     • Auto-registration allowed in mixed mode
     • New ECDSA certificates for Tomcat and XMPP
     • RSA key sizes increased to 4096 bits
     • Configurable SHA2 (512) signed files from TFTP
     • Authenticated UDS search
     • Configurable form-based authentication for web applications
  22. LSC Enhancements in 11.5
     • Certificate Monitoring service monitors LSCs for expiry
     • CCMAdmin / BAT “Find & List Phone” page allows search by
       • LSC expiration
       • LSC issued by
       • LSC issuer expires by
     • Configurable LSC certificate expiry (CAPF service parameter)
     • CAPF signs LSCs with the SHA2 hash algorithm
     (For LSCs installed on 11.5 or later only)
  23. LSC Expiration Visibility in UCM 11.5 – Search & Reporting (screenshot)
  24. Agenda
     • Secure Network, Secure Endpoints, Secure Call Control
     • Collaboration System Release 11.5 Security Update
     • Deploying and Handling Certificates & PKI in CUCM
     • Securing the Edge with CUBE/SBC
     • Cisco Product Security
  25. PKI – Public Key Infrastructure
     Consists of a public + private key pair
     • Private key remains secret
     • Public key widely distributed
     Allows for
     • Asymmetric key encryption – one-way encryption and decryption
     • Symmetric key encryption – public key exchange used to establish a shared secret between two parties
     • Message encryption and authentication protocols
  26. Types of Certificates
     • Root CA certificates: self-signed certificates used by Certificate Authorities to sign other certificates.
     • Identity certificates: issued to a specific entity (a device) and signed or issued by a root CA and sometimes also by intermediate CAs.
     • Intermediate CA certificates: signed by a Root CA and in turn able to sign other identity certificates.
  27. What’s a Digital Certificate?
     An X.509 certificate carries: Version, Serial Number, Signature Algorithm, Signature Hash Algorithm, Issuer, Valid From, Valid To, Subject Name, Public Key.
     Illustration: a certificate for John Doe (CCIE# 63542) – Serial Number: 63542, Issued By: Cisco Systems, Issued To: John Doe, Validity: May 4th, 2020.
  28. Digital Certificates
     • Digital passport
     • Self-signed or CA-signed
     • Contains the owner’s public key
     • Proves the identity of a public key’s owner
  29. Public Key Infrastructure (diagram)
  30. Certificate File Formats – Base-64 encoding between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines (sample certificate body omitted)
  31. CUCM Certificate Types
     • CallManager / CallManager-EC
       • Used for TLS connections to the CallManager service (TCP port 5061 for SIP or 2002 for SCCP)
       • Signs TFTP files such as configuration files, localization files, etc.
     • CAPF
       • Used for TLS connections to the CAPF service (TCP port 3804)
       • Signer of the phones’ Locally Significant Certificates (LSC)
     • Tomcat – used for HTTPS connections to web services (TCP port 8443)
     • TVS – for TLS connections to the TVS service (TCP port 2445)
  32. Certificate Trust Stores
     • CallManager service: CallManager, CallManager-trust
     • Tomcat service: tomcat, tomcat-trust
     • CAPF service: CAPF, CAPF-trust
  33. CUCM Trust Certificate Management (screenshot)
  34. High Level View of a Secure Connection Establishment – “Do I trust this device?”
     (Diagram: CUCM and CUBE each check the peer’s certificate against their own trust store before the connection is accepted.)
  35. Transport Layer Security (TLS)
     • Client/server model: TLS Record Protocol and TLS Handshake
     • Application protocol independent
     • Uses asymmetric cryptography to authenticate peer identity
     • Shared secret negotiation is secure and reliable
  36. TLS connections in Wireshark
     • Client: entity initiating the connection
     • Server: entity receiving the connection
     • Wireshark filters:
       • ‘ssl’ – only packets with SSL data
       • ‘tcp.port == nnn’ – all TCP packets for the connection, including SYN and ACK with no data
  37. Certificates in Wireshark (screenshot)
  38. Multi-Server Certificate Support – simplify certificate management in clustered environments of UCM 10.5 and later
     • New option to share a single CA-signed certificate across all nodes in a cluster
     • Each cluster node’s FQDN is included as a Subject Alternative Name (SAN) in a single certificate; custom SANs can also be included
     • Available for Unified CM (UCM + IM&P) and Unity Connection clusters
     • Specifically for the Tomcat, CallManager, CallManager-ECDSA, CUP-XMPP & CUP-XMPP-S2S certificate types
     (Diagram: one CA-signed multi-server Tomcat certificate for the entire Unified CM cluster, covering the UCM nodes and IM&P nodes)
  39. Endpoint Certificates – cryptographically assured device identity
     • Manufacturing Installed Certificate (MIC)
       • Installed in the factory for Cisco IP Phones
       • Valid for 10 years
       • No certificate revocation support
     • Locally Significant Certificates (LSC)
       • Preferred certificate for endpoint identity
       • Endpoint support includes IP Phones, TelePresence, Jabber clients, CIPC
       • LSC signed by the CAPF service running on the UCM Publisher
       • LSC supports the same RSA and EC key sizes as Unified CM
       • LSC can be installed, re-issued and deleted in bulk with the UCM Bulk Admin Tool
       • LSC signed by CAPF is valid for 5 years, configurable in UCM 11.5
       • Paper process required to track certificate expiration prior to UCM 11.5
     (Pictured: 8811, 8841, 8851, 8861 phones)
  40. LSC Revocation Catered for in CUCM 10.X
     • Historic elephant in the room: prior to release 10, what happened if a phone was lost or stolen?
     • Offline CA Mode: CUCM still can’t revoke an LSC, but the CA can!
     (Diagram: (1) CAPF in Offline CA Mode sends the LSC CSR to the CA; (2) the CA-signed LSC is returned; LSC serial no. XXXX is marked revoked at the CA; ISE is also shown.)
  41. Certificate Trust List (CTL) & Initial Trust List (ITL)
  42. Certificate Trust List (CTL) – CTL provides a trust mechanism for Cisco endpoints
     • Enabling Mixed Mode to support encrypted signaling and media requires a CTL
     • Minimum of 2 USB secure tokens required, KEY-CCM-ADMIN-K9= or the new KEY-CCM-ADMIN2-K9=
     • The CTL client produces the Certificate Trust List (CTL) file and uploads it to CUCM TFTP
     • Download the CTL Client from CUCM Admin and install it on a Windows workstation
     • The CTL file is downloaded by endpoints and is the basis for endpoint certificate trust
  43. Certificate Trust List (CTL) – new token-less CTL option
     • Unified CM 10.0 supports two different methods of building the CTL
       • Classic CTL client, minimum 2 USB tokens required
       • New token-less CTL
     • Token-less CTL is activated with an admin CLI command (publisher only): utils ctl set-cluster mixed-mode
     • The CallManager certificate private key is used to sign the CTL, rather than the USB token
     • DRS backup!!!
     • Other CTL CLI commands include
       • utils ctl update CTLFile
       • utils ctl set-cluster non-secure-mode
  44. Initial Trust List (ITL) – Security by Default component
     • Unlike the CTL file, the ITL file is built automatically when the cluster is installed or upgraded to 8.0+
     • Downloaded by phones at boot or reset, after the CTL file
     • Has the same format as the CTL file
     • Does not require eTokens; uses a soft eToken (the CallManager certificate private key)
     • Static and dynamic ITL files are built: ITLFile.tlv and ITLSEPMAC.tlv
  45. Trust Verification Service – Security by Default component
     • Trust Verification Service (TVS) runs on each CUCM server and authenticates certificates on behalf of the phone
     • Provides scale for endpoint trusted certificates
     • Instead of downloading all the trusted certificates, phones need only trust TVS
     • Up to 3 TVS per phone (primary, secondary and tertiary, from the CallManager Group)
     • No support when the phone fails over to SRST
     • TVS relies on SBD being enabled and the correct TVS certificate being in the endpoint’s ITL file
  46. Managing Security by Default (SBD) – ITL File Awareness
     • The ITL file is built by the TFTP service in UCM 8.6+
     • The TVS service built the ITL file in UCM 8.0 & 8.5
     • Each node running TFTP creates a unique ITL
     • The ITL file is rebuilt when:
       • the TFTP service restarts
       • any certificate inside the ITL changes
       • the CallManager Group changes
     • IP Phones automatically reset on certificate change (8.6+)
     • The ITL signature should always match on the endpoint and the TFTP server
  47. Agenda
     • Secure Network, Secure Endpoints, Secure Call Control
     • Collaboration System Release 11.5 Security Update
     • Deploying and Handling Certificates & PKI in CUCM
     • Securing the Edge with CUBE/SBC
     • Cisco Product Security
  48. Why does an Enterprise need an SBC?
     • Session Control: Call Admission Control, Trunk Routing, Ensuring QoS, Statistics and Billing, Redundancy/Scalability
     • Interworking: SIP–SIP, H.323–SIP, SIP Normalization, DTMF Interworking, Transcoding, Codec Filtering
     • Demarcation: Fault Isolation, Topology Hiding, Network Borders, L5/L7 Protocol Demarcation
     • Security: Encryption, Authentication, Registration, SIP Protection, Voice Policy, Firewall Placement, Toll Fraud
     (Diagram: Enterprise 1 and Enterprise 2, each with a CUBE at its IP edge, exchanging SIP and rich media – real-time voice, video, screen share, etc.)
  49. Cisco Unified Border Element – an integrated network infrastructure service
     • Address hiding
     • H.323 and SIP interworking
     • DTMF interworking
     • SIP security
     • Transcoding
     Note: an SBC appliance would have only these features. On the router, CUBE sits alongside VXML, SRST, Unified CM conferencing and transcoding, IP routing & MPLS, WAN & LAN physical interfaces, voice policy, TDM gateway, PSTN backup, FW, IPS and QoS.
     Note: some features/components may require additional licensing.
  50. CUBE Call Processing
     • Actively involved in the call treatment, signaling and media streams
     • SIP back-to-back user agent (B2BUA): signaling is terminated, interpreted and re-originated
     • Provides full inspection of signaling, and protection against malformed and malicious packets
     • Media is handled in two different modes:
       • Media Flow-Around: signaling is terminated by the Cisco Unified Border Element; media bypasses it
       • Media Flow-Through: signaling and media are terminated by the Cisco Unified Border Element; transcoding and complete IP address hiding require this model
     • Digital Signal Processors (DSPs) are required for transcoding (calls with dissimilar codecs)
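The flow-through versus flow-around distinction on the CUBE call-processing slide comes down to what the B2BUA does with the SDP it re-originates. As an added example (not Cisco code), the Python model below rewrites a constructed endpoint SDP for media flow-through, substituting its own outside address and an RTP port from its own range and recording the binding back to the endpoint, while flow-around forwards the SDP unchanged so the far side learns the inside address; the addresses, ports and class name are assumptions.

```python
"""Model of the media flow-through / flow-around modes from slide 50.

Added example, not Cisco code.  A SIP B2BUA re-originates the INVITE it
received; what it does to the SDP decides what the far side learns about
the inside network.  Flow-around forwards the SDP untouched, so the far
side sees the endpoint's address and sends media straight to it.  Flow-
through substitutes the B2BUA's own outside address and an RTP port from
its own range, and keeps a binding so it can relay media to the endpoint.
Addresses, ports and names here are constructed for the example.
"""
import re


class B2BUA:
    def __init__(self, outside_ip, rtp_port_range=(16384, 32767)):
        self.outside_ip = outside_ip
        self.next_port, self.port_limit = rtp_port_range
        self.media_bindings = {}   # CUBE-side RTP port -> (endpoint ip, endpoint port)

    def _allocate_port(self):
        port = self.next_port
        if port > self.port_limit:
            raise RuntimeError("RTP port range exhausted")
        self.next_port += 2        # RTP on the even port, RTCP on the following odd one
        return port

    def relay_sdp(self, sdp, flow_through):
        """Return the SDP body to place in the re-originated INVITE."""
        if not flow_through:
            return sdp             # media flow-around: far side learns the endpoint address
        found = re.search(r"^c=IN IP4 (\S+)", sdp, re.M)
        if found is None:
            raise ValueError("SDP has no IPv4 connection line")
        endpoint_ip = found.group(1)
        out = []
        for line in sdp.split("\r\n"):
            if line.startswith("c=IN IP4 "):
                line = f"c=IN IP4 {self.outside_ip}"
            elif line.startswith("o="):            # origin line also carries the inside address
                fields = line.split()
                fields[-1] = self.outside_ip
                line = " ".join(fields)
            elif line.startswith("m="):            # media line: swap the endpoint port for ours
                fields = line.split()
                cube_port = self._allocate_port()
                self.media_bindings[cube_port] = (endpoint_ip, int(fields[1]))
                fields[1] = str(cube_port)
                line = " ".join(fields)
            out.append(line)
        return "\r\n".join(out)

    def inside_destination(self, cube_port):
        """Where media arriving on a CUBE port is relayed (flow-through only)."""
        return self.media_bindings.get(cube_port)


def exposed_addresses(sdp):
    """Every IPv4 address a far-side party can read out of the SDP."""
    return set(re.findall(r"IN IP4 (\S+)", sdp))


# Constructed SDP offer from an inside phone (private address, phone-chosen port).
INSIDE_SDP = "\r\n".join([
    "v=0",
    "o=phone 1234 5678 IN IP4 10.10.20.15",
    "s=-",
    "c=IN IP4 10.10.20.15",
    "t=0 0",
    "m=audio 24580 RTP/AVP 0 8 101",
    "a=rtpmap:0 PCMU/8000",
    "a=rtpmap:101 telephone-event/8000",
    "",
])

if __name__ == "__main__":
    cube = B2BUA("203.0.113.10")
    print("flow-around exposes", exposed_addresses(cube.relay_sdp(INSIDE_SDP, False)))
    print("flow-through exposes", exposed_addresses(cube.relay_sdp(INSIDE_SDP, True)))
```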
  51. Transitioning to SIP Trunking... re-purpose your existing Cisco voice gateways as Session Border Controllers
     • BEFORE: high-density dedicated gateways; the enterprise campus (TDM PBX, CME, SRST) and branch offices connected over MPLS, with SIP/H.323/MGCP signaling and media over TDM
     • AFTER: SIP trunks to the IP PSTN through CUBE with High Availability (active/standby CUBE pair); the PSTN is now used only for emergency calls over FXO lines
  52. Steps to transitioning...
     • Step 1 – Configure the IP PBX to route all calls (HQ and branch offices) to the edge SBC
     • Step 2 – Get SIP trunk details from the provider
     • Step 3 – Enable the CUBE application on Cisco routers
     • Step 4 – Configure call routing on CUBE (incoming & outgoing dial-peers)
     • Step 5 – Normalize SIP messages to meet the SIP trunk provider’s requirements
     • Step 6 – Execute the test plan
     (Diagram as on the previous slide: campus and branch offices over MPLS, active/standby CUBE pair with a SIP trunk to the IP PSTN, FXO lines for emergency calls)
  53. SIP Trunking and Design Deployment Reference Slides
  54. Cisco Session Management & CUBE: Essential Elements for Collaboration
     • CUBE provides session border control between IP networks: demarcation, interworking, session control, security
     • Cisco SME centralizes network control: centralized dial plan, centralized applications, aggregated PBXs
     (Diagram: video, mobile, 3rd-party IP PBX and TDM PBX connect through CUBE over a SIP trunk to Cisco Session Management, alongside IM, presence, voicemail and Cisco B2B)
  55. CUBE Deployment Scenarios
     • SIP trunks for PSTN access (SIP/H.323 to the SP VoIP services SBC, TDM)
     • Network-based media recording solution (SIP trunk partner API, MediaSense, SIP and RTP via CUBE)
     • Extending to video and high availability for audio calls (active/standby CUBE to the SP IP network SBC)
     • IVR integration for contact centers (CVP vXML server, media server)
     • Business-to-business TelePresence (SIP between CUBEs across the SP IP network)
  56. Agenda
     • Secure Network, Secure Endpoints, Secure Call Control
     • Collaboration System Release 11.5 Security Update
     • Deploying and Handling Certificates & PKI in CUCM
     • Securing the Edge with CUBE/SBC
     • Cisco Product Security
  57. Cisco Product Security Awareness
  58. Cisco PSIRT Has Your Back – Product Security Incident Response Team (PSIRT), www.cisco.com/go/psirt
     • Dedicated, global team managing security vulnerability information related to Cisco products and networks
     • Responsible for Cisco Security Advisories, Responses and Notices
     • Interfaces with security researchers and hackers
     • Assists Cisco product teams in securing products
     • Subscribe (RSS or email) to the Cisco notification service
  59. Product Security Awareness
     • Subscribe to / monitor PSIRT security advisories, responses and notices
     • Consult advisory details to understand impact, workarounds, and other details
     • Reference the linked Cisco Applied Mitigation Bulletins (AMB) when available
     • Make preparations to patch systems via upgrade or COP files
     • Verify DRS backups are available before patching critical systems
  60. Thank you
