Secure Collaboration for On-Premise VoIP Deployments (CUCM and CUBE/SBC)
Hikmat El Ajaltouni
Systems Engineer
January 26, 2017
Agenda
• Secure Network, Secure Endpoints, Secure Call Control
• Collaboration System Release 11.5 Security Update
• Deploying and Handling Certificates & PKI in CUCM
• Securing the Edge with CUBE/SBC
• Cisco Product Security
Secure Network, Secure Endpoints, Secure Call Control
BRKUCC-2501
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Infrastructure Security Measures
Segregation
• Virtual LANs (VLANs) separate voice and data traffic
• VLAN Access Control Lists (VACLs) limit traffic between devices on the voice VLAN
• QoS packet marking ensures UC traffic receives appropriate priority over other traffic
Layer 3
• IP Source Guard examines physical port, VLAN, IP, and MAC for inconsistencies; it filters against the binding table that DHCP snooping builds
Layer 2
• DHCP Snooping creates the port/VLAN/IP/MAC binding table that IP Source Guard and Dynamic ARP Inspection rely on
• Dynamic ARP Inspection examines ARP and gratuitous ARP (GARP) for violations against that table
• Port Security limits the number of MAC addresses allowed per port
• 802.1X limits network access to authenticated devices on their assigned VLANs
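The Layer 2 measures above only protect the voice VLAN when they are enabled together and the trust boundary is set correctly: snooping and DAI must trust the uplink and distrust every phone port, and IP Source Guard only works once the snooping table exists. The fragment below is an added example (not from the slides) of a Catalyst IOS access-port configuration that ties them together. The VLAN numbers (100 data, 200 voice), interface names, and the RADIUS server address are assumptions.

```ios
! Added example: Catalyst IOS access-layer hardening for an IP-phone port.
! Assumptions: data VLAN 100, voice VLAN 200, uplink Gi1/0/48, RADIUS at 10.1.1.20.
!
! DHCP snooping builds the port/VLAN/IP/MAC binding table that
! Dynamic ARP Inspection and IP Source Guard both consult.
ip dhcp snooping
ip dhcp snooping vlan 100,200
no ip dhcp snooping information option
ip arp inspection vlan 100,200
!
! 802.1X: the phone authenticates with its MIC/LSC (EAP-TLS) in the voice
! domain, the PC in the data domain; MAB is the fallback for devices
! without a supplicant.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius server ISE
 address ipv4 10.1.1.20 auth-port 1812 acct-port 1813
 key <shared-secret>
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 description Phone with daisy-chained PC
 switchport mode access
 switchport access vlan 100
 switchport voice vlan 200
! Port security: phone MAC + PC MAC (+1 spare); violations are dropped and
! logged ("restrict") rather than err-disabling the port under a phone.
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
! IP Source Guard: drop traffic whose source IP/MAC is not in the snooping table.
 ip verify source port-security
! DAI on an untrusted port; rate limit protects the switch CPU.
 ip arp inspection limit rate 15
! One authenticated device per domain (voice and data).
 authentication host-mode multi-domain
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/48
 description Uplink toward distribution and the DHCP server
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
```

Verify the result with `show ip dhcp snooping binding`, `show ip arp inspection interfaces` and `show authentication sessions interface Gi1/0/1`: a phone that registers but has no binding entry (for example a statically addressed phone) will be blocked by IP Source Guard, which is the most common reason this design "breaks phones" in practice, so statically addressed devices need an `ip source binding` entry.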
IP Phone Security Features
• Cryptographically assured device identity
  • Manufacturer Installed Certificate (MIC)
  • Locally Significant Certificate (LSC)
• Signed firmware images
• Signed and encrypted configuration files
• Mutually authenticated and encrypted signaling and media
• Embedded 802.1X supplicant
• Positive disconnect for handset and speakerphone
• Positive off-hook indicator for speakerphone
• Disable or block access to the voice VLAN from the downstream PC port
• Disable web interface
• Disable "Settings" button
• Disable SSH access
• FIPS mode (select models)
• Gratuitous ARP rejection
Unified Communications Manager Security
User Credential Policies
• Disallow trivial passwords
• Require minimum length
• Prevent reuse, with configurable history depth
• Lockout on failed attempts, with configurable count, time span, and duration
• Lockout on inactivity, with configurable time span
• Expire after a configurable time span
• Expiry warning, with configurable lead time
• Control frequency of credential changes, with configurable minimum interval
• Force credential change on next login
• Prevent credential change by the user
• Lockout by administrator
• Configurable session timeouts
• SAML Single Sign-On (SSO)
Unified Communications Manager Security
Encrypted Signaling & Media (these require the cluster to be in mixed mode)
• SIP and SCCP phones
• SIP video endpoints
• MGCP, H.323, and SIP trunks
• TAPI and JTAPI applications
• Meet-me, ad-hoc, and barge conferences
• Extension Mobility Cross Cluster
• Intercluster Lookup Service (ILS)
• Location Bandwidth Manager (LBM)
Secure Interfaces & Protocols
• Web, CLI, CTI, and LDAP
• HTTPS, TLS, SRTP, SSH, SFTP, SLDAP (LDAP over TLS), IPsec, TFTP (served files are signed)
UCM Cluster Security Mode
• The cluster is either Non-Secure or Mixed; these are mode names, not a security on/off switch (Security by Default, covered under ITL and TVS, applies in both modes)
• Mixed mode requirements:
  • Export-restricted (K9) version of UCM
  • A CTL file
  • Configured via the Windows CTL Client (USB tokens) or the 'utils ctl set-cluster mixed-mode' CLI
Cluster Security Mode: Feature Tradeoffs
Features compared across a non-secure cluster and a mixed-mode cluster (the per-column availability marks of the original table did not survive extraction):
• Auto-registration (new in 11.5: now also allowed in mixed mode)
• Signed & encrypted phone configs
• Signed phone firmware
• Secure phone services (HTTPS)
• CAPF + LSC
• IP VPN Phone
• Secure endpoints (TLS & SRTP)
Hardened Appliance Model
Why is CUCM considered a hardened platform?
• SELinux in enforcing mode provides host-based intrusion protection
• iptables provides a host-based firewall
• Third-party software installations are not allowed
• Root account disabled; no other uid=0 accounts
• OS and applications are installed as a single package
• All software updates must be signed packages from Cisco
• Secure management only (HTTPS, SSH, SFTP)
• Audit logging
• Active and inactive partition architecture: easy fallback if an upgrade fails
Balancing Risk
Security controls grouped by what they cost in complexity, resources, performance, manpower, and overhead, rising from Low to High:
Low (easy or default)
• Hardened platform
• SELinux host-based intrusion protection
• iptables integrated host firewall
• Signed firmware and configuration
• HTTPS
• Separate voice and data VLANs
• STP, BPDU Guard, SmartPorts
• Basic Layer 3 ACLs (stateless)
• Phone security settings
Medium (moderate and reasonable)
• IP VPN Phone
• Secure directory integration (SLDAP)
• Encrypted configuration
• TLS and SRTP for phones and gateways
• Trusted Relay Points (TRP)
• QoS packet marking
• DHCP Snooping
• Dynamic ARP Inspection
• IP Source Guard, Port Security
High (advanced or not integrated)
• UC-aware firewall (inspection)
• Phone Proxy
• IPsec
• Rate limiting
• Managed VPN (remote worker)
• Network anomaly detection
• Scavenger-class QoS
• 802.1X and NAC
Eliminate Toll Fraud
How Do Our Customers Prevent Toll Fraud?
• Deny network access to unauthorized users
• Partitions and Calling Search Spaces provide dial plan segmentation and access control
• Device Pool "Calling Search Space for Auto-registration" limits what auto-registered phones can dial
• Time-of-day routing deactivates segments of the dial plan after hours
• Forced Authorization Codes on route patterns restrict access to long-distance or international calls
• "Drop Ad Hoc Conference" (CallManager service parameter) ends a conference when the controller or the last on-net party leaves, so external parties cannot be left bridged together
• "Block OffNet to OffNet Transfer" (CallManager service parameter)
• Monitor Call Detail Records
• Employ multilevel administration
• Voice gateways: call source authentication (IOS 15.1(2)T "ip address trusted list"), so the gateway only accepts calls from configured signaling peers
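"Monitor Call Detail Records" is the one item above that is a detection task rather than a configuration setting. As an added example (not from the slides), the Python below runs three toll-fraud checks over a constructed CDR export: toll calls placed outside business hours, toll calls with no Forced Authorization Code recorded, and a burst of international calls from a single device. The column subset, the NANP dial plan with 9 as the outside access code, and the business-hours window are assumptions; real Unified CM CDR exports carry many more columns than are used here.

```python
"""Toll-fraud indicators from a Unified CM CDR export.

Added example, not part of the original slides. Unified CM writes CDRs as
flat CSV with dozens of columns; this uses a constructed subset and treats
dateTimeOrigination as epoch seconds (UTC), as the real records do.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Tunable policy (assumptions for this example).
BUSINESS_HOURS = (7, 19)   # 07:00-18:59 UTC counts as the business day
BURST_COUNT = 3            # this many international calls from one device ...
BURST_WINDOW_S = 600       # ... within this many seconds is a burst

# Constructed sample CDRs: one internal call, one long-distance call placed
# with a FAC during the day, then a night-time run of international calls
# from a single phone and a night-time long-distance call without a FAC.
SAMPLE_CDR = """\
callingPartyNumber,finalCalledPartyNumber,dateTimeOrigination,duration,origDeviceName,authCodeDescription
2001,3005,1485432000,120,SEP001122334455,
2001,914165551234,1485435600,300,SEP001122334455,Sales-LD
2002,9011442071234567,1485478800,1800,SEP00AABBCCDDEE,
2002,9011442071234568,1485478900,1700,SEP00AABBCCDDEE,
2002,9011442071234569,1485479000,1650,SEP00AABBCCDDEE,
2002,9011442071234570,1485479100,1600,SEP00AABBCCDDEE,
2003,914165559876,1485479200,60,SEP00DEADBEEF01,
"""


def classify_destination(number):
    """Classify a dialed string under a NANP plan with 9 as the outside access code."""
    if number.startswith("9011") or (number.startswith("+") and not number.startswith("+1")):
        return "international"
    if number.startswith("91") and len(number) == 12 and number.isdigit():
        return "long-distance"
    return "internal-or-local"


def parse_cdrs(text):
    """Parse the CSV export and keep only the fields the checks need."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "device": row["origDeviceName"],
            "dest": row["finalCalledPartyNumber"],
            "dest_class": classify_destination(row["finalCalledPartyNumber"]),
            "ts": datetime.fromtimestamp(int(row["dateTimeOrigination"]), tz=timezone.utc),
            "duration": int(row["duration"]),
            "fac": row["authCodeDescription"].strip(),
        })
    return rows


def is_after_hours(ts):
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def find_toll_fraud_indicators(rows):
    """Return (indicator, device, detail) tuples; at most one burst finding per device."""
    findings = []
    intl_times = defaultdict(list)
    for r in rows:
        if r["dest_class"] == "internal-or-local":
            continue
        if is_after_hours(r["ts"]):
            findings.append(("after-hours-toll-call", r["device"], r["dest"]))
        if not r["fac"]:
            # Toll route patterns should require a Forced Authorization Code; a toll
            # CDR with an empty authCodeDescription means the pattern is unprotected.
            findings.append(("toll-call-without-fac", r["device"], r["dest"]))
        if r["dest_class"] == "international":
            intl_times[r["device"]].append(r["ts"].timestamp())
    for device, times in intl_times.items():
        times.sort()
        for i in range(len(times) - BURST_COUNT + 1):
            if times[i + BURST_COUNT - 1] - times[i] <= BURST_WINDOW_S:
                findings.append(("international-burst", device,
                                 f"{BURST_COUNT}+ international calls within {BURST_WINDOW_S}s"))
                break
    return findings


if __name__ == "__main__":
    for indicator, device, detail in find_toll_fraud_indicators(parse_cdrs(SAMPLE_CDR)):
        print(f"{indicator:24} {device:18} {detail}")
```

Against the sample this reports eleven findings, all from the two phones that called out at night; the daytime long-distance call made with a FAC produces none. In production the input would be the CDR repository or CAR export, and the thresholds would be tuned so that the international-burst rule fires on compromised devices rather than on a legitimate call centre.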
Collaboration System Release 11.5 Security Update
CSR 11.5 – The Federal Space
Federal certifications and the agencies that test for them:
• Common Criteria: NIAP (NSA)
• DoD Unified Capabilities Approved Products List (UC APL): JITC
• Commercial Solutions for Classified (CSfC): NSA/CSS
• FedRAMP: third-party assessment organization (3PAO)
Common Criteria Support
CUCM 11.0 Enhancement
• Accepted and supported by 26 countries worldwide via the Common Criteria Recognition Arrangement (CCRA)
• The following features were added or modified in CUCM to meet the certification requirements for SIP signaling and media:
  • Support for Elliptic Curve Cryptography (ECC) for CUCM certificates*; the certificate manager can generate ECC certificates with EC key pairs of 256, 384, or 521 bits. Software features modified to support ECC:
    • Self-signed certificates, certificate signing requests (CSR), certificate import, and bulk certificate management
    • Certificate Trust List (CTL) and Initial Trust List (ITL)
    • SIP connections
    • CAPF (Certificate Authority Proxy Function)
    • CTI (Computer Telephony Integration)
  • Configuration download over a secure channel (HTTPS)
  • New entropy source and entropy management
  • Audit logging as outlined in the Network Device Protection Profile
* Data protection reference: https://www.nsa.gov/business/programs/elliptic_curve.shtml
CSR 11.5 – FIPS 140-2
Standards covered by the FIPS 140-2 validated cryptography:
• FIPS 186-4 Digital Signature Standard: DSA, RSA, ECDSA
• FIPS 180-4 Secure Hash Standard: SHA-1, SHA-256, SHA-384
• FIPS 197 Advanced Encryption Standard: AES-128, AES-256
• NIST SP 800-38 (A–F) AES block cipher modes: CBC, CCM, GCM
• NIST SP 800-52 Selection, Configuration, and Use of TLS Implementations
CSR 11.5 – Encryption Strengths
(Chart slides: the cipher strengths available in 11.0 versus 11.5, plotted against the NSA Secret and Top Secret levels; the graphic itself is not recoverable from the extracted text.)
Enhancements in 11.5
• Auto-registration allowed in mixed mode
• New ECDSA certificates for Tomcat and XMPP
• RSA key sizes increased to 4096 bits
• Configurable SHA2 (512) signed files from TFTP
• Authenticated UDS search
• Configurable form-based authentication for web applications
LSC Enhancements in 11.5
• Certificate Monitoring service monitors LSCs for expiry
• CCMAdmin / BAT "Find & List Phones" page allows search by LSC expiration, LSC issued by, and LSC issuer expires by (for LSCs installed on 11.5 or later only)
• Configurable LSC certificate validity (CAPF service parameter)
• CAPF signs LSCs with a SHA-2 hash algorithm
LSC Expiration Visibility in UCM 11.5 (search and reporting screenshots)
Deploying and Handling Certificates & PKI in CUCM
PKI – Public Key Infrastructure
Consists of a public/private key pair:
• The private key remains secret with its owner
• The public key is widely distributed
Allows for:
• Asymmetric encryption: anyone can encrypt with the public key, only the private key holder can decrypt; in the other direction, a signature made with the private key can be verified by anyone holding the public key
• Symmetric encryption: a public-key exchange establishes a shared secret between the two parties, and that secret then protects the bulk traffic
• Message encryption and authentication protocols built on both (TLS and SRTP in a UC deployment)
Types of Certificates
• Root CA certificate: self-signed certificate used by a Certificate Authority to sign other certificates
• Intermediate CA certificate: signed by a root CA and in turn able to sign identity certificates
• Identity certificate: issued to a specific entity (a device) and signed by a root CA, sometimes through one or more intermediate CAs
What's a Digital Certificate?
(Illustration: a paper certificate for "John Doe", CCIE# 63542, issued by Cisco Systems and valid to May 4th, 2020, shown beside an X.509 certificate to map the equivalent fields.)
X.509 certificate fields:
• Version
• Serial Number (63542 in the illustration)
• Signature Algorithm
• Signature Hash Algorithm
• Issuer (Issued By: Cisco Systems)
• Valid From / Valid To (Validity: May 4th, 2020)
• Subject Name (Issued To: John Doe)
• Public Key
Digital Certificates
• Digital passport
• Self-signed or CA-Signed
• Contains the owner’s public key
• Proves the identity of a public
key’s owner
Public Key Infrastructure (diagram slide)
Certificate File Formats
Base-64 (PEM) encoding:
-----BEGIN CERTIFICATE-----
[base-64 certificate body elided]
-----END CERTIFICATE-----
CUCM Certificate Types
• CallManager / CallManager-ECDSA: used for TLS connections to the CallManager service (TCP port 5061 for SIP, 2443 for secure SCCP); also signs TFTP files such as configuration and localization files
• CAPF: used for TLS connections to the CAPF service (TCP port 3804); signer of the phones' Locally Significant Certificates (LSC)
• Tomcat: used for HTTPS connections to the web services (TCP port 8443)
• TVS: used for TLS connections to the Trust Verification Service (TCP port 2445)
Certificate Trust Stores
Each service has its own identity certificate and a matching trust store:
• CallManager service: CallManager (identity), CallManager-trust
• Tomcat service: tomcat (identity), tomcat-trust
• CAPF service: CAPF (identity), CAPF-trust
CUCM Trust Certificate Management
High-Level View of a Secure Connection Establishment
Each side of the TLS connection asks "Do I trust this device?": CUCM checks the certificate CUBE presents against its CallManager-trust store, and CUBE checks the CUCM certificate against its own trust store. Only when both answer "yes" is the connection established.
Transport Layer Security (TLS)
• Client/server model: the TLS handshake authenticates the peers and negotiates keys; the TLS record protocol then carries the application data
• Application-protocol independent
• Uses asymmetric cryptography to authenticate peer identity
• Shared-secret negotiation is secure and reliable
TLS connections in Wireshark
• Client: entity initiating the connection
• Server: entity receiving the connection
• Wireshark filters:
  • 'ssl' – only packets carrying TLS records (in Wireshark 3.0 and later the dissector and filter are named 'tls')
  • 'tcp.port == nnn' – all TCP packets for the connection, including SYN and ACK segments with no data
• Read the handshake: ClientHello and ServerHello show the negotiated TLS version and cipher suite, and the Certificate messages carry the chain each side presents, which is where a trust failure between CUCM and CUBE becomes visible
Certificates in Wireshark (screenshot slide)
Multi-Server Certificate Support
Simplify certificate management in clustered environments of UCM 10.5 and later
• New option to share a single CA-signed certificate across all nodes in a cluster
• Each cluster node's FQDN is included as a Subject Alternative Name (SAN) in the single certificate; custom SANs can also be included
• Available for Unified CM (UCM + IM&P) and Unity Connection clusters
• Specifically for the Tomcat, CallManager, CallManager-ECDSA, CUP-XMPP, and CUP-XMPP-S2S certificate types
(Diagram: one CA-signed multi-server Tomcat certificate for the entire Unified CM cluster, covering both the UCM and the IM&P nodes.)
Endpoint Certificates
Cryptographically assured device identity
• Manufacturing Installed Certificate (MIC)
  • Installed in the factory for Cisco IP Phones
  • Valid for 10 years
  • No certificate revocation support
• Locally Significant Certificate (LSC)
  • Preferred certificate for endpoint identity
  • Endpoint support includes IP Phones, TelePresence, Jabber clients, and CIPC
  • LSC signed by the CAPF service running on the UCM Publisher
  • LSC supports the same RSA and EC key sizes as Unified CM
  • LSCs can be installed, re-issued, and deleted in bulk with the UCM Bulk Administration Tool
  • LSC signed by CAPF is valid for 5 years; configurable in UCM 11.5
  • Prior to UCM 11.5 a paper process was required to track certificate expiration
(Pictured: 8811, 8841, 8851, 8861 phones.)
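The LSC enhancements slide (expiry search fields, including "LSC issuer expires by") and the endpoint certificate lifetimes above come down to one operational question: which device certificates will stop validating, and when. The Python below is an added example, not from the slides, that answers it over a constructed inventory of phone LSCs and CAPF certificates, including the case the "issuer expires by" search exists for: an LSC whose own validity outlasts the CAPF certificate that signed it, which stops validating when the issuer expires, not when the LSC does. Device names, dates, and the CAPF issuer names are assumptions.

```python
"""LSC / CAPF expiry check for Unified CM endpoints.

Added example, not from the slides. The inventory below is constructed; in
practice it would come from the 11.5 "Find & List Phones" LSC columns (or the
Certificate Monitoring service) and from the CAPF certificates listed in the
publisher's certificate management pages.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Cert:
    subject: str      # device name for an LSC, CN for a CAPF certificate
    issuer: str       # CN of the CAPF certificate that signed it
    not_after: datetime


def _d(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


NOW = _d(2017, 1, 26)   # evaluation date (assumption)

# CAPF certificates currently present in CAPF-trust / CallManager-trust.
# CAPF-old01 was regenerated but kept so that older LSCs still validate.
CAPF_CERTS = {
    "CAPF-a1b2c3d4": Cert("CAPF-a1b2c3d4", "CAPF-a1b2c3d4", _d(2019, 6, 1)),
    "CAPF-old01":    Cert("CAPF-old01",    "CAPF-old01",    _d(2017, 3, 1)),
}

# Phone LSCs (constructed). With the fixed 5-year validity of pre-11.5
# installs an LSC can easily outlast the CAPF certificate that signed it.
PHONE_LSCS = [
    Cert("SEP001122334455", "CAPF-a1b2c3d4", _d(2021, 11, 30)),   # outlives its issuer
    Cert("SEP00AABBCCDDEE", "CAPF-old01",    _d(2017, 2, 15)),    # expiring soon
    Cert("SEP00DEADBEEF01", "CAPF-a1b2c3d4", _d(2019, 1, 1)),     # healthy
    Cert("SEP00C0FFEE0001", "CAPF-unknown",  _d(2020, 1, 1)),     # issuer no longer trusted
]


def expiring_within(certs, now, days):
    """Subjects whose certificate expires within `days` of `now`, sorted."""
    horizon = now + timedelta(days=days)
    return sorted(c.subject for c in certs if c.not_after <= horizon)


def outliving_issuer(lscs, issuers):
    """LSCs that cannot be trusted for their full printed lifetime.

    An LSC validates only while its signing CAPF certificate is present in the
    trust store and unexpired, so its effective expiry is the earlier of the
    two dates. A missing issuer means the LSC already fails TLS validation.
    """
    problems = []
    for c in lscs:
        ca = issuers.get(c.issuer)
        if ca is None:
            problems.append((c.subject, f"issuer {c.issuer} not in trust store"))
        elif c.not_after > ca.not_after:
            problems.append((c.subject,
                             f"LSC valid to {c.not_after:%Y-%m-%d} but issuer "
                             f"{ca.subject} expires {ca.not_after:%Y-%m-%d}"))
    return problems


def lsc_report(lscs, issuers, now, warn_days=60):
    """What an operator needs to schedule CAPF re-issuance before phones drop off."""
    return {
        "expiring": expiring_within(lscs, now, warn_days),
        "issuers_expiring": expiring_within(issuers.values(), now, warn_days),
        "issuer_risk": outliving_issuer(lscs, issuers),
    }


if __name__ == "__main__":
    for key, value in lsc_report(PHONE_LSCS, CAPF_CERTS, NOW).items():
        print(key)
        for item in value:
            print("  ", item)
```

The report separates three actions: phones whose LSC is about to expire need a CAPF re-issue (in bulk via BAT), an expiring CAPF certificate needs regenerating before it expires and the phones re-issued under the new one, and an LSC whose issuer is already absent from the trust store will not register in mixed mode no matter what its own dates say.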
LSC Revocation
Addressed in CUCM 10.x
• The historic elephant in the room: prior to release 10, what happened when a phone carrying an LSC was lost or stolen?
• Offline CA mode: CUCM still cannot revoke an LSC, but the issuing CA can
(Diagram: CAPF in offline CA mode forwards the phone's LSC CSR (1) to an external CA, which returns the CA-signed LSC (2). The CA can later revoke that LSC by serial number; ISE appears in the diagram as the policy point that honors the CA's revocation status when the phone authenticates.)
Certificate Trust List (CTL) & Initial Trust List (ITL)
Certificate Trust List (CTL)
CTL provides a trust mechanism for Cisco endpoints
• Enabling mixed mode to support encrypted signaling and media requires a CTL
• Classic method: a minimum of 2 USB security tokens (KEY-CCM-ADMIN-K9= or the newer KEY-CCM-ADMIN2-K9=)
• Download the CTL Client from CUCM Administration and install it on a Windows workstation
• The CTL Client produces the Certificate Trust List (CTL) file and uploads it to the CUCM TFTP servers
• The CTL file is downloaded by endpoints and is the basis for endpoint certificate trust
Certificate Trust List (CTL)
New token-less CTL option
• Unified CM 10.0 supports two methods of building the CTL:
  • Classic CTL Client, minimum 2 USB tokens required
  • New token-less CTL
• Token-less CTL is activated with an admin CLI command on the publisher only:
  • utils ctl set-cluster mixed-mode
• The CallManager certificate's private key signs the CTL instead of the USB token
• Take a DRS backup: the publisher's CallManager private key is now the CTL signer, and if it is lost (for example on a rebuild without a DRS restore) the phones hold a CTL signed by a key the cluster no longer has, which is the scenario that ends in manually deleting the CTL/ITL from every phone
• Other CTL CLI commands include:
  • utils ctl update CTLFile
  • utils ctl set-cluster non-secure-mode
Initial Trust List (ITL)
Security by Default component
• Unlike the CTL file, the ITL file is built automatically when the cluster is installed or upgraded to 8.0+
• Downloaded by phones at boot or reset, after the CTL file
• Has the same format as the CTL file
• Does not require eTokens; uses a soft eToken (the CallManager certificate's private key)
• Static and dynamic ITL files are built: ITLFile.tlv and a per-device ITLSEP<MAC>.tlv
Trust Verification Service
Security by Default component
• Trust Verification Service (TVS) runs on each CUCM server and authenticates certificates on behalf of the phone
• Provides scale for endpoint certificate trust: instead of downloading all the trusted certificates, phones need only trust TVS
• Up to 3 TVS servers per phone (primary, secondary, and tertiary, taken from the CallManager Group)
• Not available once the phone has failed over to SRST
• TVS relies on SBD being enabled and the correct TVS certificate being present in the endpoint's ITL file
Managing Security by Default (SBD)
ITL File Awareness
• The ITL file is built by the TFTP service in UCM 8.6+ (the TVS service built it in UCM 8.0 and 8.5)
• Each node running TFTP creates a unique ITL
• The ITL file is rebuilt when:
  • the TFTP service restarts
  • any certificate inside the ITL changes
  • the CallManager Group changes
• IP Phones automatically reset on certificate change (8.6+)
• The ITL signature should always match on the endpoint and on the TFTP server
Securing the Edge with CUBE/SBC
Why does an Enterprise need an SBC?
Session control
• Call Admission Control
• Trunk routing
• Ensuring QoS
• Statistics and billing
• Redundancy/scalability
Interworking
• SIP – SIP
• H.323 – SIP
• SIP normalization
• DTMF interworking
• Transcoding
• Codec filtering
Demarcation
• Fault isolation
• Topology hiding
• Network borders
• L5/L7 protocol demarcation
Security
• Encryption
• Authentication
• Registration
• SIP protection
• Voice policy
• Firewall placement
• Toll fraud
(Diagram: Enterprise 1 and Enterprise 2, each fronted by a CUBE, exchanging SIP signaling and rich media (real-time voice, video, screen share) across the IP network.)
Cisco Unified Border Element
An Integrated Network Infrastructure Service
CUBE runs on the IOS router that already provides the edge infrastructure. The SBC functions are:
• Address hiding
• H.323 and SIP interworking
• DTMF interworking
• SIP security
• Transcoding
Note: a standalone SBC appliance would have only these features. The integrated router additionally provides VXML, SRST, Unified CM conferencing and transcoding, IP routing and MPLS, WAN and LAN physical interfaces, voice policy, TDM gateway / PSTN backup, and firewall, IPS, and QoS.
Note: some features/components may require additional licensing.
CUBE Call Processing
• Actively involved in the call treatment, signaling, and media streams
• SIP back-to-back user agent (B2BUA): signaling is terminated, interpreted, and re-originated
• Provides full inspection of signaling and protection against malformed and malicious packets
• Media is handled in two different modes:
  • Media flow-through: signaling and media are both terminated by the Cisco Unified Border Element; transcoding and complete IP address hiding require this model
  • Media flow-around: signaling is terminated by the Cisco Unified Border Element, but the media bypasses it
• Digital Signal Processors (DSPs) are required for transcoding (calls with dissimilar codecs)
Transitioning to SIP Trunking...
Re-purpose your existing Cisco voice gateways as Session Border Controllers
(Diagram, BEFORE: high-density dedicated TDM gateways at the enterprise campus carry SIP/H.323/MGCP signaling and media to the PSTN; branch offices with SRST/CME and a TDM PBX reach them over MPLS.)
(Diagram, AFTER: SIP trunks to the IP PSTN terminate on a CUBE pair with high availability (active/standby); the PSTN is now used only for emergency calls over FXO lines at the branches.)
Steps to transitioning...
• Step 1 – Configure the IP PBX to route all calls (HQ and branch offices) to the edge SBC
• Step 2 – Get SIP trunk details from the provider
• Step 3 – Enable the CUBE application on the Cisco routers
• Step 4 – Configure call routing on CUBE (incoming and outgoing dial-peers)
• Step 5 – Normalize SIP messages to meet the SIP trunk provider's requirements
• Step 6 – Execute the test plan
(Diagram: enterprise campus and branch offices behind an active/standby CUBE pair with a SIP trunk to the IP PSTN; the PSTN is used only for emergency calls over FXO lines.)
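Steps 3 and 4 above are where the security posture of the trunk is decided. The configuration below is an added example (not from the slides) of a CUBE that terminates the trunk securely: TLS for signaling with a router trustpoint, SRTP for media, address hiding (which forces media flow-through), and the IOS 15.1(2)T call source authentication list from the toll-fraud slide, so that INVITEs from anything other than CUCM and the provider SBC are rejected. The trustpoint name, CUCM address 10.1.1.10, provider SBC address 203.0.113.10, and the dial patterns are assumptions.

```ios
! Added example: CUBE secure SIP trunk (CUCM <-> CUBE <-> provider SBC).
! Assumptions: trustpoint CUBE-TP, CUCM at 10.1.1.10, provider SBC at
! 203.0.113.10, NANP dial plan with 9 as the outside access code, DIDs 416555xxxx.
!
! Identity CUBE presents in the TLS handshake; CUCM must hold the issuing CA
! in CallManager-trust, and CUBE must hold CUCM's issuer under this trustpoint.
crypto pki trustpoint CUBE-TP
 enrollment terminal
 subject-name CN=cube.example.com
 rsakeypair CUBE-KEY 2048
 revocation-check crl
!
voice service voip
 mode border-element
 allow-connections sip to sip
! Toll-fraud control (IOS 15.1(2)T call source authentication): a call setup
! from any address not on this list is rejected before dial-peer matching.
 ip address trusted list
  ipv4 10.1.1.10
  ipv4 203.0.113.10
! Topology hiding: SDP and headers are rewritten so neither side learns the
! other's addresses. This requires media flow-through.
 address-hiding
! Negotiate SRTP; fall back to RTP only for peers that cannot do SRTP.
! Remove "fallback" to make encrypted media mandatory on both legs.
 srtp fallback
 sip
  session transport tcp tls
  early-offer forced
!
sip-ua
 transport tcp tls
 crypto signaling default trustpoint CUBE-TP
!
voice class codec 1
 codec preference 1 g711ulaw
 codec preference 2 g729r8
!
! Leg toward CUCM: outbound for inbound DID calls, inbound for calls dialing 9.
dial-peer voice 100 voip
 description To CUCM over TLS + SRTP
 destination-pattern 416555....
 session protocol sipv2
 session target ipv4:10.1.1.10
 session transport tcp tls
 incoming called-number 9T
 voice-class codec 1
 srtp
 dtmf-relay rtp-nte
 no vad
!
! Leg toward the provider: outbound for 9-prefixed calls, inbound for DIDs.
dial-peer voice 200 voip
 description To provider SBC over TLS + SRTP
 destination-pattern 9T
 session protocol sipv2
 session target ipv4:203.0.113.10
 session transport tcp tls
 incoming called-number 416555....
 voice-class codec 1
 srtp
 dtmf-relay rtp-nte
 no vad
```

On the CUCM side the matching SIP trunk uses a security profile with Device Security Mode "Encrypted", the incoming transport set to TLS on 5061, and the X.509 Subject Name set to the CN in the CUBE trustpoint (cube.example.com here); the cluster must be in mixed mode for the trunk profile to offer encryption. Confirm the result with `show sip-ua connections tcp tls brief` and `show call active voice brief`, which shows SRTP on each leg.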
Reference Slides: SIP Trunking Design and Deployment
Cisco Session Management & CUBE: Essential Elements for Collaboration
• CUBE provides session border control between IP networks: demarcation, interworking, session control, and security
• Cisco Session Management Edition (SME) centralizes network control: centralized dial plan, centralized applications, PBX aggregation
(Diagram: SIP trunk to CUBE; Cisco Session Management aggregating a third-party IP PBX, a TDM PBX, video and mobile endpoints, IM, presence, voicemail, and Cisco B2B.)
CUBE Deployment Scenarios
• SIP trunks for PSTN access: CUBE between the enterprise and the service provider's SBC, with TDM alongside
• Network-based media recording: CUBE forks RTP toward a recording solution such as MediaSense via the partner API
• Extending to video and high availability for audio calls: an active/standby CUBE pair toward the SP IP network SBC
• IVR integration for contact centers: CUBE fronting CVP, the VXML server, and a media server
• Business-to-business TelePresence: SIP between the enterprise CUBE and the partner's SBC across the SP IP network
Cisco Product Security
Cisco Product Security Awareness
Cisco PSIRT Has Your Back
Product Security Incident Response Team (PSIRT) – www.cisco.com/go/psirt
• Dedicated, global team managing security vulnerability information related to Cisco products and networks
• Responsible for Cisco Security Advisories, Responses, and Notices
• Interfaces with security researchers and hackers
• Assists Cisco product teams in securing products
• Subscribe (RSS or email) to the Cisco notification service
Product Security Awareness
• Subscribe to and monitor PSIRT security advisories, responses, and notices
• Consult advisory details to understand impact, workarounds, and other details
• Reference the linked Cisco Applied Mitigation Bulletins (AMB) when available
• Make preparations to patch systems via upgrade or COP files
• Verify DRS backups are available before patching critical systems
Thank you
Deploying WebEx Between Cloud and On-Prem for Canadian CustomersCisco Canada
 
Cisco Sales Associates Program
Cisco Sales Associates ProgramCisco Sales Associates Program
Cisco Sales Associates ProgramCisco Canada
 
Converge ou Hyperconverge? Cisco HyperFlex
Converge ou Hyperconverge? Cisco HyperFlexConverge ou Hyperconverge? Cisco HyperFlex
Converge ou Hyperconverge? Cisco HyperFlexCisco Canada
 
L'automatisation dans les reseaux d'entrerprise
L'automatisation dans les reseaux d'entrerpriseL'automatisation dans les reseaux d'entrerprise
L'automatisation dans les reseaux d'entrerpriseCisco Canada
 
vikram cisco voice new resume
vikram cisco voice new resume vikram cisco voice new resume
vikram cisco voice new resume vikram s
 
Cisco systems, inc. interview questions and answers
Cisco systems, inc. interview questions and answersCisco systems, inc. interview questions and answers
Cisco systems, inc. interview questions and answersPremierLeague
 

Viewers also liked (20)

Enhance your Collaboration Experience by Enabling Pervasive Video on your Cis...
Enhance your Collaboration Experience by Enabling Pervasive Video on your Cis...Enhance your Collaboration Experience by Enabling Pervasive Video on your Cis...
Enhance your Collaboration Experience by Enabling Pervasive Video on your Cis...
 
Расширенные возможности Cisco Unified Border Element. Настройка, поиск и устр...
Расширенные возможности Cisco Unified Border Element. Настройка, поиск и устр...Расширенные возможности Cisco Unified Border Element. Настройка, поиск и устр...
Расширенные возможности Cisco Unified Border Element. Настройка, поиск и устр...
 
Outsourcing your TDM Gateways: SIP Trunking as a Service Provider Cloud Service
Outsourcing your TDM Gateways: SIP Trunking as a Service Provider Cloud Service Outsourcing your TDM Gateways: SIP Trunking as a Service Provider Cloud Service
Outsourcing your TDM Gateways: SIP Trunking as a Service Provider Cloud Service
 
CUBE(SP) - функциональность пограничного контроллера сеансов связи на ASR 1000.
CUBE(SP) - функциональность пограничного контроллера сеансов связи на ASR 1000. CUBE(SP) - функциональность пограничного контроллера сеансов связи на ASR 1000.
CUBE(SP) - функциональность пограничного контроллера сеансов связи на ASR 1000.
 
Семейство мультисервисных маршрутизаторов Cisco ISR G2. Обзор технических ха...
 Семейство мультисервисных маршрутизаторов Cisco ISR G2. Обзор технических ха... Семейство мультисервисных маршрутизаторов Cisco ISR G2. Обзор технических ха...
Семейство мультисервисных маршрутизаторов Cisco ISR G2. Обзор технических ха...
 
Сводный отчет лаборатории тестирования Miercom: Cisco ASA 5515-X, ASA 5525-X,...
Сводный отчет лаборатории тестирования Miercom: Cisco ASA 5515-X, ASA 5525-X,...Сводный отчет лаборатории тестирования Miercom: Cisco ASA 5515-X, ASA 5525-X,...
Сводный отчет лаборатории тестирования Miercom: Cisco ASA 5515-X, ASA 5525-X,...
 
VoiceCon Orlando: UC Architectures
VoiceCon Orlando: UC ArchitecturesVoiceCon Orlando: UC Architectures
VoiceCon Orlando: UC Architectures
 
Successfully Migrate Cisco Call Manager 4x To 7x With a Proven Framework
Successfully Migrate Cisco Call Manager 4x To 7x  With a Proven FrameworkSuccessfully Migrate Cisco Call Manager 4x To 7x  With a Proven Framework
Successfully Migrate Cisco Call Manager 4x To 7x With a Proven Framework
 
Expanding your impact with programmability in the data center
Expanding your impact with programmability in the data centerExpanding your impact with programmability in the data center
Expanding your impact with programmability in the data center
 
Hope, fear, and the data center time machine
Hope, fear, and the data center time machineHope, fear, and the data center time machine
Hope, fear, and the data center time machine
 
Jabber making the most of
Jabber making the most ofJabber making the most of
Jabber making the most of
 
Simplifier le deploiement d'applications dans le nuage hybride
Simplifier le deploiement d'applications dans le nuage hybrideSimplifier le deploiement d'applications dans le nuage hybride
Simplifier le deploiement d'applications dans le nuage hybride
 
Cucm 9.x licensing
Cucm 9.x licensingCucm 9.x licensing
Cucm 9.x licensing
 
Call Control Guided Tour
Call Control Guided TourCall Control Guided Tour
Call Control Guided Tour
 
Deploying WebEx Between Cloud and On-Prem for Canadian Customers
Deploying WebEx Between Cloud and On-Prem for Canadian CustomersDeploying WebEx Between Cloud and On-Prem for Canadian Customers
Deploying WebEx Between Cloud and On-Prem for Canadian Customers
 
Cisco Sales Associates Program
Cisco Sales Associates ProgramCisco Sales Associates Program
Cisco Sales Associates Program
 
Converge ou Hyperconverge? Cisco HyperFlex
Converge ou Hyperconverge? Cisco HyperFlexConverge ou Hyperconverge? Cisco HyperFlex
Converge ou Hyperconverge? Cisco HyperFlex
 
L'automatisation dans les reseaux d'entrerprise
L'automatisation dans les reseaux d'entrerpriseL'automatisation dans les reseaux d'entrerprise
L'automatisation dans les reseaux d'entrerprise
 
vikram cisco voice new resume
vikram cisco voice new resume vikram cisco voice new resume
vikram cisco voice new resume
 
Cisco systems, inc. interview questions and answers
Cisco systems, inc. interview questions and answersCisco systems, inc. interview questions and answers
Cisco systems, inc. interview questions and answers
 

Similar to Secure collab on prem hikmat

Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM...
Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM...Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM...
Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM...Cisco Canada
 
Cisco Connect Toronto 2017 - Putting Firepower into the Next Generation Firewall
Cisco Connect Toronto 2017 - Putting Firepower into the Next Generation FirewallCisco Connect Toronto 2017 - Putting Firepower into the Next Generation Firewall
Cisco Connect Toronto 2017 - Putting Firepower into the Next Generation FirewallCisco Canada
 
Enterprise Architecture, Deployment and Positioning
Enterprise Architecture, Deployment and Positioning Enterprise Architecture, Deployment and Positioning
Enterprise Architecture, Deployment and Positioning Cisco Russia
 
Решения конвергентного доступа Cisco. Обновление продуктовой линейки коммутат...
Решения конвергентного доступа Cisco. Обновление продуктовой линейки коммутат...Решения конвергентного доступа Cisco. Обновление продуктовой линейки коммутат...
Решения конвергентного доступа Cisco. Обновление продуктовой линейки коммутат...Cisco Russia
 
Design and Deployment of Enterprise WLANs
Design and Deployment of Enterprise WLANsDesign and Deployment of Enterprise WLANs
Design and Deployment of Enterprise WLANsFab Fusaro
 
PLNOG16: Automatyzacja kreaowania usług operatorskich w separacji od rodzaju ...
PLNOG16: Automatyzacja kreaowania usług operatorskich w separacji od rodzaju ...PLNOG16: Automatyzacja kreaowania usług operatorskich w separacji od rodzaju ...
PLNOG16: Automatyzacja kreaowania usług operatorskich w separacji od rodzaju ...PROIDEA
 
Putting Firepower into the Next Generation Firewall
Putting Firepower into the Next Generation FirewallPutting Firepower into the Next Generation Firewall
Putting Firepower into the Next Generation FirewallCisco Canada
 
The Data Center Network Evolution
The Data Center Network EvolutionThe Data Center Network Evolution
The Data Center Network EvolutionCisco Canada
 
Cisco Connect Vancouver 2017 - Putting firepower into the next generation fir...
Cisco Connect Vancouver 2017 - Putting firepower into the next generation fir...Cisco Connect Vancouver 2017 - Putting firepower into the next generation fir...
Cisco Connect Vancouver 2017 - Putting firepower into the next generation fir...Cisco Canada
 
Putting Firepower Into The Next Generation Firewall
Putting Firepower Into The Next Generation FirewallPutting Firepower Into The Next Generation Firewall
Putting Firepower Into The Next Generation FirewallCisco Canada
 
STATE OF ALABAMA Information Technology Guideline
STATE OF ALABAMA Information Technology GuidelineSTATE OF ALABAMA Information Technology Guideline
STATE OF ALABAMA Information Technology GuidelineVideoguy
 
Cisco connect winnipeg 2018 putting firepower into the next generation fire...
Cisco connect winnipeg 2018   putting firepower into the next generation fire...Cisco connect winnipeg 2018   putting firepower into the next generation fire...
Cisco connect winnipeg 2018 putting firepower into the next generation fire...Cisco Canada
 
Ccvp plus module 2
Ccvp plus module 2Ccvp plus module 2
Ccvp plus module 2Le Ngoc Viet
 
Container security within Cisco Container Platform
Container security within Cisco Container PlatformContainer security within Cisco Container Platform
Container security within Cisco Container PlatformSanjeev Rampal
 
Presentation cloud orchestration solution overview
Presentation   cloud orchestration solution overviewPresentation   cloud orchestration solution overview
Presentation cloud orchestration solution overviewxKinAnx
 

Similar to Secure collab on prem hikmat (20)

Brkcrt 1160 c3-rev2
Brkcrt 1160 c3-rev2Brkcrt 1160 c3-rev2
Brkcrt 1160 c3-rev2
 
Protegendo sua cloud
Protegendo sua cloud Protegendo sua cloud
Protegendo sua cloud
 
Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM...
Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM...Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM...
Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM...
 
Cisco Connect Toronto 2017 - Putting Firepower into the Next Generation Firewall
Cisco Connect Toronto 2017 - Putting Firepower into the Next Generation FirewallCisco Connect Toronto 2017 - Putting Firepower into the Next Generation Firewall
Cisco Connect Toronto 2017 - Putting Firepower into the Next Generation Firewall
 
Enterprise Architecture, Deployment and Positioning
Enterprise Architecture, Deployment and Positioning Enterprise Architecture, Deployment and Positioning
Enterprise Architecture, Deployment and Positioning
 
BRKSEC-2494.pdf
BRKSEC-2494.pdfBRKSEC-2494.pdf
BRKSEC-2494.pdf
 
Решения конвергентного доступа Cisco. Обновление продуктовой линейки коммутат...
Решения конвергентного доступа Cisco. Обновление продуктовой линейки коммутат...Решения конвергентного доступа Cisco. Обновление продуктовой линейки коммутат...
Решения конвергентного доступа Cisco. Обновление продуктовой линейки коммутат...
 
Design and Deployment of Enterprise WLANs
Design and Deployment of Enterprise WLANsDesign and Deployment of Enterprise WLANs
Design and Deployment of Enterprise WLANs
 
PLNOG16: Automatyzacja kreaowania usług operatorskich w separacji od rodzaju ...
PLNOG16: Automatyzacja kreaowania usług operatorskich w separacji od rodzaju ...PLNOG16: Automatyzacja kreaowania usług operatorskich w separacji od rodzaju ...
PLNOG16: Automatyzacja kreaowania usług operatorskich w separacji od rodzaju ...
 
F5 TMOS v13.0
F5 TMOS v13.0F5 TMOS v13.0
F5 TMOS v13.0
 
Putting Firepower into the Next Generation Firewall
Putting Firepower into the Next Generation FirewallPutting Firepower into the Next Generation Firewall
Putting Firepower into the Next Generation Firewall
 
The Data Center Network Evolution
The Data Center Network EvolutionThe Data Center Network Evolution
The Data Center Network Evolution
 
Cisco Connect Vancouver 2017 - Putting firepower into the next generation fir...
Cisco Connect Vancouver 2017 - Putting firepower into the next generation fir...Cisco Connect Vancouver 2017 - Putting firepower into the next generation fir...
Cisco Connect Vancouver 2017 - Putting firepower into the next generation fir...
 
Putting Firepower Into The Next Generation Firewall
Putting Firepower Into The Next Generation FirewallPutting Firepower Into The Next Generation Firewall
Putting Firepower Into The Next Generation Firewall
 
STATE OF ALABAMA Information Technology Guideline
STATE OF ALABAMA Information Technology GuidelineSTATE OF ALABAMA Information Technology Guideline
STATE OF ALABAMA Information Technology Guideline
 
Cisco connect winnipeg 2018 putting firepower into the next generation fire...
Cisco connect winnipeg 2018   putting firepower into the next generation fire...Cisco connect winnipeg 2018   putting firepower into the next generation fire...
Cisco connect winnipeg 2018 putting firepower into the next generation fire...
 
Ccvp plus module 2
Ccvp plus module 2Ccvp plus module 2
Ccvp plus module 2
 
Container security within Cisco Container Platform
Container security within Cisco Container PlatformContainer security within Cisco Container Platform
Container security within Cisco Container Platform
 
F5 TLS & SSL Practices
F5 TLS & SSL PracticesF5 TLS & SSL Practices
F5 TLS & SSL Practices
 
Presentation cloud orchestration solution overview
Presentation   cloud orchestration solution overviewPresentation   cloud orchestration solution overview
Presentation cloud orchestration solution overview
 

More from Cisco Canada

Cisco connect montreal 2018 net devops
Cisco connect montreal 2018 net devopsCisco connect montreal 2018 net devops
Cisco connect montreal 2018 net devopsCisco Canada
 
Cisco connect montreal 2018 iot demo kinetic fr
Cisco connect montreal 2018   iot demo kinetic frCisco connect montreal 2018   iot demo kinetic fr
Cisco connect montreal 2018 iot demo kinetic frCisco Canada
 
Cisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
Cisco connect montreal 2018 - Network Slicing: Horizontal VirtualizationCisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
Cisco connect montreal 2018 - Network Slicing: Horizontal VirtualizationCisco Canada
 
Cisco connect montreal 2018 secure dc
Cisco connect montreal 2018    secure dcCisco connect montreal 2018    secure dc
Cisco connect montreal 2018 secure dcCisco Canada
 
Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns
Cisco connect montreal 2018   enterprise networks - say goodbye to vla nsCisco connect montreal 2018   enterprise networks - say goodbye to vla ns
Cisco connect montreal 2018 enterprise networks - say goodbye to vla nsCisco Canada
 
Cisco connect montreal 2018 vision mondiale analyse locale
Cisco connect montreal 2018 vision mondiale analyse localeCisco connect montreal 2018 vision mondiale analyse locale
Cisco connect montreal 2018 vision mondiale analyse localeCisco Canada
 
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec CiscoCisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec CiscoCisco Canada
 
Cisco connect montreal 2018 collaboration les services webex hybrides
Cisco connect montreal 2018 collaboration les services webex hybridesCisco connect montreal 2018 collaboration les services webex hybrides
Cisco connect montreal 2018 collaboration les services webex hybridesCisco Canada
 
Integration cisco et microsoft connect montreal 2018
Integration cisco et microsoft connect montreal 2018Integration cisco et microsoft connect montreal 2018
Integration cisco et microsoft connect montreal 2018Cisco Canada
 
Cisco connect montreal 2018 compute v final
Cisco connect montreal 2018   compute v finalCisco connect montreal 2018   compute v final
Cisco connect montreal 2018 compute v finalCisco Canada
 
Cisco connect montreal 2018 saalvare md-program-xr-v2
Cisco connect montreal 2018 saalvare md-program-xr-v2Cisco connect montreal 2018 saalvare md-program-xr-v2
Cisco connect montreal 2018 saalvare md-program-xr-v2Cisco Canada
 
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...Cisco Canada
 
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...
Cisco Connect Toronto 2018   DNA automation-the evolution to intent-based net...Cisco Connect Toronto 2018   DNA automation-the evolution to intent-based net...
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...Cisco Canada
 
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
Cisco Connect Toronto 2018   an introduction to Cisco kineticCisco Connect Toronto 2018   an introduction to Cisco kinetic
Cisco Connect Toronto 2018 an introduction to Cisco kineticCisco Canada
 
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...
Cisco Connect Toronto 2018   IOT - unlock the power of data - securing the in...Cisco Connect Toronto 2018   IOT - unlock the power of data - securing the in...
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...Cisco Canada
 
Cisco Connect Toronto 2018 DevNet Overview
Cisco Connect Toronto 2018  DevNet OverviewCisco Connect Toronto 2018  DevNet Overview
Cisco Connect Toronto 2018 DevNet OverviewCisco Canada
 
Cisco Connect Toronto 2018 DNA assurance
Cisco Connect Toronto 2018  DNA assuranceCisco Connect Toronto 2018  DNA assurance
Cisco Connect Toronto 2018 DNA assuranceCisco Canada
 
Cisco Connect Toronto 2018 network-slicing
Cisco Connect Toronto 2018   network-slicingCisco Connect Toronto 2018   network-slicing
Cisco Connect Toronto 2018 network-slicingCisco Canada
 
Cisco Connect Toronto 2018 the intelligent network with cisco meraki
Cisco Connect Toronto 2018   the intelligent network with cisco merakiCisco Connect Toronto 2018   the intelligent network with cisco meraki
Cisco Connect Toronto 2018 the intelligent network with cisco merakiCisco Canada
 
Cisco Connect Toronto 2018 sixty to zero
Cisco Connect Toronto 2018   sixty to zeroCisco Connect Toronto 2018   sixty to zero
Cisco Connect Toronto 2018 sixty to zeroCisco Canada
 

More from Cisco Canada (20)

Cisco connect montreal 2018 net devops
Cisco connect montreal 2018 net devopsCisco connect montreal 2018 net devops
Cisco connect montreal 2018 net devops
 
Cisco connect montreal 2018 iot demo kinetic fr
Cisco connect montreal 2018   iot demo kinetic frCisco connect montreal 2018   iot demo kinetic fr
Cisco connect montreal 2018 iot demo kinetic fr
 
Cisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
Cisco connect montreal 2018 - Network Slicing: Horizontal VirtualizationCisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
Cisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
 
Cisco connect montreal 2018 secure dc
Cisco connect montreal 2018    secure dcCisco connect montreal 2018    secure dc
Cisco connect montreal 2018 secure dc
 
Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns
Cisco connect montreal 2018   enterprise networks - say goodbye to vla nsCisco connect montreal 2018   enterprise networks - say goodbye to vla ns
Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns
 
Cisco connect montreal 2018 vision mondiale analyse locale
Cisco connect montreal 2018 vision mondiale analyse localeCisco connect montreal 2018 vision mondiale analyse locale
Cisco connect montreal 2018 vision mondiale analyse locale
 
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec CiscoCisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
 
Cisco connect montreal 2018 collaboration les services webex hybrides
Cisco connect montreal 2018 collaboration les services webex hybridesCisco connect montreal 2018 collaboration les services webex hybrides
Cisco connect montreal 2018 collaboration les services webex hybrides
 
Integration cisco et microsoft connect montreal 2018
Integration cisco et microsoft connect montreal 2018Integration cisco et microsoft connect montreal 2018
Integration cisco et microsoft connect montreal 2018
 
Cisco connect montreal 2018 compute v final
Cisco connect montreal 2018   compute v finalCisco connect montreal 2018   compute v final
Cisco connect montreal 2018 compute v final
 
Cisco connect montreal 2018 saalvare md-program-xr-v2
Cisco connect montreal 2018 saalvare md-program-xr-v2Cisco connect montreal 2018 saalvare md-program-xr-v2
Cisco connect montreal 2018 saalvare md-program-xr-v2
 
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
 
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...
Cisco Connect Toronto 2018   DNA automation-the evolution to intent-based net...Cisco Connect Toronto 2018   DNA automation-the evolution to intent-based net...
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...
 
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
Cisco Connect Toronto 2018   an introduction to Cisco kineticCisco Connect Toronto 2018   an introduction to Cisco kinetic
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
 
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...
Cisco Connect Toronto 2018   IOT - unlock the power of data - securing the in...Cisco Connect Toronto 2018   IOT - unlock the power of data - securing the in...
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...
 
Cisco Connect Toronto 2018 DevNet Overview
Cisco Connect Toronto 2018  DevNet OverviewCisco Connect Toronto 2018  DevNet Overview
Cisco Connect Toronto 2018 DevNet Overview
 
Cisco Connect Toronto 2018 DNA assurance
Cisco Connect Toronto 2018  DNA assuranceCisco Connect Toronto 2018  DNA assurance
Cisco Connect Toronto 2018 DNA assurance
 
Cisco Connect Toronto 2018 network-slicing
Cisco Connect Toronto 2018   network-slicingCisco Connect Toronto 2018   network-slicing
Cisco Connect Toronto 2018 network-slicing
 
Cisco Connect Toronto 2018 the intelligent network with cisco meraki
Cisco Connect Toronto 2018   the intelligent network with cisco merakiCisco Connect Toronto 2018   the intelligent network with cisco meraki
Cisco Connect Toronto 2018 the intelligent network with cisco meraki
 
Cisco Connect Toronto 2018 sixty to zero
Cisco Connect Toronto 2018   sixty to zeroCisco Connect Toronto 2018   sixty to zero
Cisco Connect Toronto 2018 sixty to zero
 

Recently uploaded

"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 

Recently uploaded (20)

"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 

Secure collab on prem hikmat

  • 1. Secure Collaboration for On-Premise VoIP Deployments (CUCM and CUBE/SBC)
    Hikmat El Ajaltouni, Systems Engineer
    Jan. 26, 2017
  • 2. Agenda
    • Secure Network, Secure Endpoints, Secure Call Control
    • Collaboration System Release 11.5 Security Update
    • Deploying and Handling Certificates & PKI in CUCM
    • CUBE/SBC
    • Cisco Product Security
  • 3. Secure Network, Secure Endpoints, Secure Call Control BRKUCC-2501
  • 4. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
    Infrastructure Security Measures
    Segregation
    • Virtual LANs (VLANs) separate voice and data traffic
    • VLAN Access Control Lists (VACLs) limit traffic between devices on the voice VLAN
    • QoS Packet Marking ensures UC traffic receives appropriate priority over other traffic
    Layer 3
    • IP Source Guard examines physical port, VLAN, IP, & MAC for inconsistencies
    Layer 2
    • DHCP Snooping creates binding table
    • Dynamic ARP Inspection examines ARP & GARP for violations
    • Port Security limits the number of MAC addresses allowed per port
    • 802.1x limits network access to authentic devices on assigned VLANs
  • 5. IP Phone Security Features
    • Cryptographically assured device identity
      • Manufacturing Installed Certificate (MIC)
      • Locally Significant Certificates (LSC)
    • Signed firmware images
    • Signed & encrypted configuration files
    • Mutually authenticated & encrypted signaling & media
    • Embedded 802.1x Supplicant
    • Positive disconnect for handset & speakerphone
    • Positive off-hook indicator for speakerphone
    • Disable or block access to voice VLAN for downstream port
    • Disable web interface
    • Disable “settings” button
    • Disable SSH access
    • FIPS mode (select models)
    • Gratuitous ARP rejection
  • 6. Unified Communications Manager Security
    User Credential Policies
    • Disallow trivial passwords
    • Require minimum length
    • Prevent reuse with configurable depth
    • Lockout on failed attempts with configurable depth, time span, & duration
    • Lockout on inactivity with configurable time span
    • Expire after configurable time span
    • Expiry warning with configurable time span
    • Control frequency of credential modifications with configurable time span
    • Force credential modification on next attempt
    • Prevent credential modification by user
    • Lockout by administrator
    • Configurable session timeouts
    • SAML Single-Sign-On (SSO)
  • 7. Unified Communications Manager Security
    Encrypted Signaling & Media
    • SIP & SCCP Phones
    • SIP Video Endpoints
    • MGCP, H.323, & SIP Trunks
    • TAPI & JTAPI Applications
    • Meet-me, ad-hoc, & barge Conferences
    • Extension Mobility Cross-Cluster
    • Intercluster Lookup Service (ILS)
    • Location Bandwidth Manager (LBM)
    Secure Interfaces & Protocols
    • Web, CLI, CTI, & LDAP
    • HTTPS, TLS, SRTP, SSH, SFTP, SLDAP, IPSec, TFTP
  • 8. UCM Cluster Security Mode
    • Non-Secure or Mixed
    • NOT On/Off
    • Mixed Mode Requirements:
      • Export Restricted version of UCM
      • CTL File
      • Configured via Windows CTL Client or ‘utils ctl set-cluster’ CLI
  • 9. Unified Communications Manager Security
    Encrypted Signaling & Media (Require Mixed Mode)
    • SIP & SCCP Phones
    • SIP Video Endpoints
    • MGCP, H.323, & SIP Trunks
    • TAPI & JTAPI Applications
    • Meet-me, ad-hoc, & barge Conferences
    • Extension Mobility Cross-Cluster
    • Intercluster Lookup Service (ILS)
    • Location Bandwidth Manager (LBM)
    Secure Interfaces & Protocols
    • Web, CLI, CTI, & LDAP
    • HTTPS, TLS, SRTP, SSH, SFTP, SLDAP, IPSec, TFTP
  • 10. Cluster Security Mode: Feature Tradeoffs
    Feature availability compared between a Non Secure Cluster and a Mixed Mode Cluster:
    • Auto-registration (in Mixed Mode: New in 11.5)
    • Signed & Encrypted Phone Configs
    • Signed Phone Firmware
    • Secure Phone Services (HTTPS)
    • CAPF + LSC
    • IP VPN Phone
    • Secure Endpoints (TLS & SRTP)
  • 11. Hardened Appliance Model
    Why is CUCM considered a hardened platform?
    • SELinux enforcing mode provides host based intrusion protection
    • iptables provides host based firewall
    • Third party software installations NOT allowed
    • Root account disabled, no other uid=0 accounts
    • OS and applications are installed with a single package
    • All software updates must be signed packages from Cisco
    • Secure Management (HTTPS, SSH, SFTP)
    • Audit logging
    • Active & Inactive partition architecture – easy to fallback if needed
  • 12. Balancing Risk
    Axis: Cost - Complexity - Resources - Performance - Manpower - Overhead
    Low (Easy or Default):
    • Hardened Platform
    • SELinux – Host Based Intrusion Protection
    • iptables - Integrated Host Firewall
    • Signed Firmware & Configuration
    • HTTPS
    • Separate Voice & Data VLANs
    • STP, BPDU Guard, SmartPorts
    • Basic Layer 3 ACLs (Stateless)
    • Phone Security Settings
    Medium (Moderate and Reasonable):
    • IP VPN Phone
    • Secure Directory Integration (SLDAP)
    • Encrypted Configuration
    • TLS & SRTP for Phones & Gateways
    • Trusted Relay Points (TRP)
    • QoS Packet Marking
    • DHCP Snooping
    • Dynamic ARP Inspection
    • IP Source Guard, Port Security
    High (Advanced or Not Integrated):
    • UC-Aware Firewall (Inspection)
    • Phone Proxy
    • IPsec
    • Rate Limiting
    • Managed VPN (Remote Worker)
    • Network Anomaly Detection
    • Scavenger Class QoS
    • 802.1x & NAC
  • 13. Eliminate Toll Fraud
    How Do Our Customers Prevent Toll Fraud?
    • Deny network access to unauthorized users
    • Partitions and Calling Search Spaces provide dial plan segmentation and access control
    • Device Pool “Calling Search Space for Auto-registration” to limit access to dial plan
    • Employ Time of Day routing to deactivate segments of the dial plan after hours
    • Require Forced Authentication Codes on route patterns to restrict access to long distance or internal calls
    • “Drop Ad hoc Conferences” (CallManager Service Parameter)
    • “Block OffNet to OffNet transfer” (CallManager Service Parameter)
    • Monitor Call Detail Records
    • Employ Multilevel Administration
    • Voice Gateways: Call Source Authentication (IOS 15.1(2) feature)
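As an added illustration of the “Monitor Call Detail Records” and time-of-day points on this slide (example code written for this page, not from the deck), the Go program below runs two review rules over a constructed CDR sample: international calls placed outside business hours, and devices whose international-call count reaches a threshold. The off-net access code “9”, the “011” international prefix, the 07:00-19:00 window, the device names and the sample calls are all assumptions.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// SampleCDR is constructed data in the shape of a CUCM CDR export: CSV whose first row
// names the fields. Only a handful of CDR fields are used; dateTimeOrigination is epoch UTC.
const SampleCDR = `cdrRecordType,globalCallID_callId,dateTimeOrigination,callingPartyNumber,finalCalledPartyNumber,duration,origDeviceName,destDeviceName
1,1001,1485421200,2001,90115551234567,420,SEP0011AABBCC01,CUBE-SIP-TRUNK
1,1002,1485431000,2002,93125550100,60,SEP0011AABBCC02,CUBE-SIP-TRUNK
1,1003,1485475200,2001,90115559876543,1800,SEP0011AABBCC01,CUBE-SIP-TRUNK
1,1004,1485478800,2001,90115558765432,1700,SEP0011AABBCC01,CUBE-SIP-TRUNK
1,1005,1485480000,2003,2004,30,SEP0011AABBCC03,SEP0011AABBCC04
`

// Policy holds the assumed dial plan conventions: "9" is the off-net access code,
// "011" after it marks an international call, and business hours run 07:00-19:00.
type Policy struct {
	AccessCode   string
	IntlPrefix   string
	OpenHour     int
	CloseHour    int
	MaxIntlCalls int // per-device international call count that triggers a review
	Location     *time.Location
}

// DefaultPolicy is the constructed policy used by the sample.
var DefaultPolicy = Policy{AccessCode: "9", IntlPrefix: "011", OpenHour: 7, CloseHour: 19, MaxIntlCalls: 3, Location: time.UTC}

// Finding is one item for the reviewer of the CDR export.
type Finding struct {
	Kind   string // "after-hours-international" or "international-volume"
	CallID string
	Device string
	Detail string
}

func (p Policy) isInternational(dialed string) bool {
	return strings.HasPrefix(dialed, p.AccessCode+p.IntlPrefix)
}

func (p Policy) afterHours(t time.Time) bool {
	h := t.In(p.Location).Hour()
	return h < p.OpenHour || h >= p.CloseHour
}

// AnalyzeCDR parses a CDR export by header name and applies the two rules above.
func AnalyzeCDR(export string, p Policy) ([]Finding, error) {
	rows, err := csv.NewReader(strings.NewReader(export)).ReadAll()
	if err != nil {
		return nil, err
	}
	if len(rows) == 0 {
		return nil, fmt.Errorf("empty CDR export")
	}
	col := map[string]int{} // field name -> column index, so column order does not matter
	for i, name := range rows[0] {
		col[name] = i
	}
	var findings []Finding
	intlPerDevice := map[string]int{}
	for _, r := range rows[1:] {
		callID, device, dialed := r[col["globalCallID_callId"]], r[col["origDeviceName"]], r[col["finalCalledPartyNumber"]]
		origin, err := strconv.ParseInt(r[col["dateTimeOrigination"]], 10, 64)
		if err != nil {
			return nil, fmt.Errorf("call %s: bad dateTimeOrigination: %v", callID, err)
		}
		if !p.isInternational(dialed) {
			continue
		}
		intlPerDevice[device]++
		if p.afterHours(time.Unix(origin, 0)) {
			findings = append(findings, Finding{"after-hours-international", callID, device, dialed})
		}
	}
	for device, n := range intlPerDevice {
		if n >= p.MaxIntlCalls {
			findings = append(findings, Finding{"international-volume", "", device, fmt.Sprintf("%d international calls", n)})
		}
	}
	return findings, nil
}

func main() {
	findings, err := AnalyzeCDR(SampleCDR, DefaultPolicy)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-26s call=%-5s device=%s %s\n", f.Kind, f.CallID, f.Device, f.Detail)
	}
}
```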
  • 14. Agenda
    • Secure Network, Secure Endpoints, Secure Call Control
    • Collaboration System Release 11.5 Security Update
    • Deploying and Handling Certificates & PKI in CUCM
    • Securing the Edge with CUBE/SBC
    • Cisco Product Security
  • 15. CSR 11.5 – The Federal Space
    Federal Certifications and their Testing Agencies:
    • Common Criteria – NIAP (NSA)
    • DoD Unified Capability Approved Products List – JITC
    • Commercial Solutions for Classified – NSA / CSS
    • FedRAMP – 3PAO
  • 16. Common Criteria Support: CUCM 11.0 Enhancement
    • Accepted and supported by 26 Countries Worldwide via Common Criteria Recognition Arrangement (CCRA)
    • The following features have been added/modified in CUCM to meet certification requirement for SIP Signaling and Media:
      • Support for ECC (Elliptic Curve Cryptography) for CUCM certificates*. Software features that required modification to support ECC:
        • Self-signed certificates, certificate signing requests (CSR), certificate import and bulk certificate management
        • Certificate Trust List (CTL) and ITL (Initial Trust List)
        • SIP connections
        • CAPF (Certificate Authority Proxy Function)
        • CTI (Computer Telephony Integration)
      • Support configuration download over secure channel – HTTPS
      • New entropy source and entropy management
      • Audit logging as outlined in Network Device Protection Profile
    Data Protection: https://www.nsa.gov/business/programs/elliptic_curve.shtml
    * The certificate manager will support generating ECC certificates that have an EC Key Pair of 256, 384 or 521 bits
  • 17. CSR 11.5 – FIPS 140-2
    • FIPS 186-4 Digital Signature Standards: DSA, RSA, ECDSA
    • FIPS 180-4 Secure Hash Standards: SHA-1, SHA-256, SHA-384
    • FIPS 197 Advanced Encryption Standards: AES-128, AES-256
    • NIST SP 800-38 (A-F) AES Block Cipher Modes: CBC, CCM, GCM
    • NIST SP 800-52 Selection, Config and Use of TLS Implementations
  • 18. CSR 11.5 – Encryption Strengths (chart comparing 11.5 and 11.0)
  • 19. CSR 11.5 – Encryption Strengths (chart comparing 11.5 and 11.0 against NSA Top Secret and NSA Secret)
  • 20. CSR 11.5 – Robust Security (TOP SECRET)
  • 21. Enhancements in 11.5
    • Auto-registration allowed in mixed mode
    • New ECDSA certificates for Tomcat and XMPP
    • RSA key sizes increased to 4096 bits
    • Configurable SHA2 (512) signed files from TFTP
    • Authenticated UDS search
    • Configurable form-based authentication for web applications
  • 22. LSC Enhancements in 11.5
    • Certificate Monitoring service monitors LSCs for expiry
    • CCMAdmin / BAT “Find & List Phone” page allows search by
      • LSC expiration
      • LSC issued by
      • LSC issuer expires by
    • Configurable LSC certificate expiry (CAPF Service Parameter)
    • CAPF signs LSCs with SHA2 hash algorithm
    For LSCs installed on 11.5 or later only
  • 23. LSC Expiration Visibility in UCM 11.5: Search & Reporting
  • 24. Agenda
    • Secure Network, Secure Endpoints, Secure Call Control
    • Collaboration System Release 11.5 Security Update
    • Deploying and Handling Certificates & PKI in CUCM
    • Securing the Edge with CUBE/SBC
    • Cisco Product Security
  • 25. PKI – Public Key Infrastructure
    Consists Of…
    • Public + Private keypair
      • Private Key remains secret
      • Public Key widely distributed
    Allows For…
    • Asymmetric key encryption
      • one-way encryption and decryption
    • Symmetric key encryption
      • Public Key exchange used to establish shared-secret between two parties
    • Message encryption and authentication protocols
  • 26. Types of Certificates
    • Root CA certificates: Self-Signed certificates used by Certificate Authorities to sign other certificates.
    • Identity certificates: Certificates issued to a specific entity (a device) and signed or issued by a root CA and sometimes also by intermediate CAs.
    • Intermediate CA certificates: Certificates signed by a Root CA and in turn can sign other identity certificates.
  • 27. What’s a Digital Certificate?
    X.509 Certificate fields:
    • Version
    • Serial Number
    • Signature Algorithm
    • Signature Hash Algorithm
    • Issuer
    • Valid From
    • Valid To
    • Subject Name
    • Public Key
    Mock certificate shown on the slide (“John Doe CCIE# 63542”): Serial Number: 63542; Issued By: Cisco Systems; Issued To: John Doe; Validity: May 4th, 2020 (5/4/20)
  • 28. Digital Certificates
    • Digital passport
    • Self-signed or CA-Signed
    • Contains the owner’s public key
    • Proves the identity of a public key’s owner
  • 29. Public Key Infrastructure
  • 30. Certificate File Formats
    Base-64 encoding: the certificate body is framed by -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
  • 31. CUCM Certificate Types
    • CallManager / CallManager-EC: Used for TLS connections to CallManager service (TCP port 5061 for SIP or 2002 for SCCP); signs TFTP files like configuration files, localization files, etc.
    • CAPF: Used for TLS connections to CAPF service (TCP port 3804); signer of the phones’ Locally Significant Certificates (LSC)
    • Tomcat: Used for HTTPS connections from Web services (TCP port 8443)
    • TVS: For TLS connections to the TVS service (TCP port 2445)
  • 32. Certificate Trust Stores
    • CallManager Service: CallManager, CallManager-trust
    • Tomcat Service: tomcat, tomcat-trust
    • CAPF Service: CAPF, CAPF-trust
  • 33. CUCM Trust Certificate Management
  • 34. High Level View of a Secure Connection Establishment
    Diagram: CUCM and CUBE each ask “Do I trust this device?”, check the peer against their own trust-store, and proceed when the answer on both sides is Yes.
  • 35. Transport Layer Security (TLS)
    • Client/Server model
    • Application protocol independent
    • Uses asymmetric cryptography to authenticate peer identity
    • Shared secret negotiation is secure and reliable
    Diagram labels: Client, Server, TLS Handshake, TLS Record Protocol
  • 36. TLS connections in Wireshark
    • Client: Entity initiating the connection
    • Server: Entity receiving the connection
    • Wireshark filters:
      • ‘ssl’ – Only packets with SSL data
      • ‘tcp.port == nnn’ – All TCP packets for the connection including SYN, ACK with no data
  • 37. Certificates in Wireshark
  • 38. Multi-Server Certificate Support: Simplify Certificate Management In Clustered Environments Of UCM 10.5 And Later
    • New option to share a single CA signed certificate across all nodes in a cluster
    • Each cluster node’s FQDN included as Subject Alternative Name (SAN) in a single certificate, custom SANs can also be included
    • Available for Unified CM (UCM + IM&P) and Unity Connection clusters
    • Specifically for Tomcat, CallManager, CallManager-ECDSA, CUP-XMPP & CUP-XMPP-S2S certificate types
    Diagram: one CA signed Multi-Server Tomcat certificate for the entire Unified CM cluster (UCM nodes and IM&P nodes)
  • 39. Endpoint Certificates: Cryptographically assured device identity
    • Manufacturing Installed Certificate (MIC)
      • Installed in the factory for Cisco IP Phones
      • Valid for 10 years
      • No certificate revocation support
    • Locally Significant Certificates (LSC)
      • Preferred certificate for endpoint identity
      • Endpoint support includes IP Phones, TelePresence, Jabber clients, CIPC
      • LSC signed by CAPF Service running on UCM Publisher
      • LSC supports the same RSA and EC key sizes as Unified CM
      • LSC can be installed, re-issued, deleted in bulk with UCM Bulk Admin Tool
      • LSC signed by CAPF is valid for 5 years, configurable in UCM 11.5
      • Paper process required to track certificate expiration prior to UCM 11.5
    Phone models pictured: 8811, 8841, 8851, 8861
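The multi-server SAN certificate of slide 38 and the expiry tracking of slides 22 and 39 can be checked with the standalone Go program below, written for this page (it is not CUCM code and uses only the Go standard library): it builds a constructed ECDSA root CA and a CA-signed certificate whose SANs cover hypothetical cluster FQDNs, then verifies the chain against a trust store, confirms every node name is covered, and warns when expiry falls inside a configurable window. The CA name, the node FQDNs and the validity periods are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ClusterNodes are constructed FQDNs standing in for the nodes of a UCM cluster.
var ClusterNodes = []string{"cucm-pub.example.com", "cucm-sub1.example.com", "cucm-sub2.example.com"}

// toPEM wraps DER certificate bytes in the Base-64 "-----BEGIN CERTIFICATE-----" framing.
func toPEM(der []byte) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// BuildDemoPKI creates a constructed ECDSA root CA and a CA-signed multi-server certificate
// whose SAN list carries every node in ClusterNodes (the shape of a multi-server Tomcat cert).
func BuildDemoPKI(now time.Time) (caPEM, multiPEM []byte, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Enterprise Root CA"}, // assumed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: ClusterNodes[0]},
		DNSNames:     ClusterNodes, // one Subject Alternative Name per cluster node
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	return toPEM(caDER), toPEM(leafDER), nil
}

// CheckMultiServerCert returns one finding per problem: a node FQDN for which the certificate
// does not chain to the trust store or is not covered by the SAN list, plus expiry within warnDays.
func CheckMultiServerCert(certPEM, trustPEM []byte, nodes []string, now time.Time, warnDays int) []string {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return []string{"certificate is not Base-64 (PEM) encoded"}
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return []string{"certificate does not parse: " + err.Error()}
	}
	// An empty but non-nil pool trusts nothing; a nil Roots would silently fall back to system roots.
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(trustPEM)
	var findings []string
	for _, node := range nodes {
		opts := x509.VerifyOptions{Roots: roots, DNSName: node, CurrentTime: now}
		if _, err := cert.Verify(opts); err != nil {
			findings = append(findings, fmt.Sprintf("%s: %v", node, err))
		}
	}
	if left := cert.NotAfter.Sub(now); left < time.Duration(warnDays)*24*time.Hour {
		findings = append(findings, fmt.Sprintf("expires %s (%d days left)", cert.NotAfter.Format("2006-01-02"), int(left.Hours()/24)))
	}
	return findings
}
```

Run the checker over the certificate actually uploaded to the cluster and the trust store it is expected to chain to; an empty result means every node name is covered and expiry is outside the warning window.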
  • 40. LSC Revocation Catered for in CUCM 10.X
    • Historic Elephant in the room
    • Prior to release 10 what happened if a phone was lost or stolen?
    • Offline CA Mode
    • CUCM still can’t revoke LSC but the CA can!
    Diagram: CAPF (Offline CA Mode) sends (1) the LSC CSR to the CA and receives (2) the CA Signed LSC; the CA can then mark LSC serial no. XXXX as Revoked (ISE also appears in the diagram).
  • 41. Certificate Trust List (CTL) & Initial Trust List (ITL) BRKUCC-2501
  • 42. Certificate Trust List (CTL): CTL provides a trust mechanism for Cisco endpoints
    • Enabling Mixed Mode to support encrypted signaling and media requires CTL
    • Minimum of 2 USB secure tokens required, KEY-CCM-ADMIN-K9= or new KEY-CCM-ADMIN2-K9=
    • CTL client produces Certificate Trust List (CTL) file and uploads to CUCM TFTP
    • Download the CTL Client from CUCM Admin, install on Windows workstation
    • CTL file is downloaded by endpoints and is the basis for endpoint certificate trust
  • 43. Certificate Trust List (CTL): New token-less CTL option
    • Unified CM 10.0 supports two different methods of building the CTL
      • Classic CTL client, minimum 2 USB tokens required
      • New token-less CTL
    • Token-less CTL is activated with admin cli command (publisher only):
      • utils ctl set-cluster mixed-mode
    • CallManager certificate private key is used to sign the CTL, rather than the USB token
      • DRS backup !!!
    • Other CTL cli commands include
      • utils ctl update CTLFile
      • utils ctl set-cluster non-secure-mode
  • 44. Initial Trust List (ITL): Security by Default component
    • Unlike the CTL file, the ITL file is built automatically when the cluster is installed or upgraded to 8.0+
    • Downloaded by phones at boot or reset, after CTL file
    • Has the same format as the CTL File
    • Does not require eTokens; uses a soft eToken (the CallManager cert private key)
    • Static and Dynamic ITL Files are built
      • ITLFile.tlv
      • ITLSEPMAC.tlv
  • 45. Trust Verification Service: Security by Default Component
    • Trust Verification Service (TVS) runs on each CUCM server and authenticates certificates on behalf of the phone
    • Provides scale for endpoint trusted certificates
    • Instead of downloading all the trusted certificates, phones need only to trust TVS
    • Up to 3 TVS per phone (primary, secondary and tertiary from CallManager Group)
    • No support when failover to SRST by phone
    • TVS function relies on SBD enabled and correct TVS certificate in the endpoint’s ITL file
  • 46. Managing Security by Default (SBD): ITL File Awareness
    • ITL file is built by the TFTP service in UCM 8.6+
    • TVS service built the ITL file in UCM 8.0 & 8.5
    • Each node running TFTP creates a unique ITL
    • ITL file is rebuilt when:
      • TFTP Service Restarts
      • Any certificate inside the ITL changes
      • CallManager Group Changes
    • IP Phones automatically reset on certificate change (8.6+)
    • ITL Signature should always match on endpoint and TFTP server
  • 47. Agenda
    • Secure Network, Secure Endpoints, Secure Call Control
    • Collaboration System Release 11.5 Security Update
    • Deploying and Handling Certificates & PKI in CUCM
    • Securing the Edge with CUBE/SBC
    • Cisco Product Security
  • 48. Why does an Enterprise need an SBC?
    Session Control: Call Admission Control, Trunk Routing, Ensuring QoS, Statistics and Billing, Redundancy/Scalability
    Interworking: SIP - SIP, H.323 - SIP, SIP Normalization, DTMF Interworking, Transcoding, Codec Filtering
    Demarcation: Fault Isolation, Topology Hiding, Network Borders, L5/L7 Protocol Demarcation
    Security: Encryption, Authentication, Registration, SIP Protection, Voice Policy, Firewall Placement, Toll Fraud
    Diagram: Enterprise 1 (IP) – CUBE – SIP – CUBE – Enterprise 2 (IP), carrying Rich Media (real-time voice, video, screenshare etc.)
  • 49. Cisco Unified Border Element: An Integrated Network Infrastructure Service
    • Address Hiding
    • H.323 and SIP interworking
    • DTMF interworking
    • SIP security
    • Transcoding
    Note: An SBC appliance would have only these features
    Other services integrated on the same platform: Unified CM, Conferencing and Transcoding, IP Routing & MPLS, WAN & LAN Physical Interfaces, CUBE Voice Policy, TDM Gateway PSTN Backup, FW, IPS, QoS, VXML, SRST
    Note: Some features/components may require additional licensing
  • 50. CUBE Call Processing
    • Actively involved in the call treatment, signaling and media streams
    • SIP B2B User Agent
    • Signaling is terminated, interpreted and re-originated
    • Provides full inspection of signaling, and protection against malformed and malicious packets
    • Media is handled in two different modes:
      • Media Flow-Through
      • Media Flow-Around
    • Digital Signal Processors (DSPs) are required for transcoding (calls with dissimilar codecs)
    Media Flow-Around
    • Signaling and media terminated by the Cisco Unified Border Element
    • Media bypasses the Cisco Unified Border Element
    Media Flow-Through
    • Signaling and media terminated by the Cisco Unified Border Element
    • Transcoding and complete IP address hiding require this model
  • 51. Transitioning to SIP Trunking...
    Re-purpose your existing Cisco voice gateways as Session Border Controllers
    BEFORE: High-density Dedicated Gateways at the Enterprise Campus (SIP/H323/MGCP signaling, Media, TDM to the PSTN) serving Enterprise Branch Offices (TDM PBX, SRST, CME) over MPLS
    AFTER: SIP Trunks to the IP PSTN through CUBE with High Availability (Active / Standby CUBE pair); PSTN is now used only for emergency calls over FXO lines
  • 52. Steps to transitioning...
    • Step 1 – Configure IP PBX to route all calls (HQ and branch offices) to the edge SBC
    • Step 2 – Get SIP Trunk details from the provider
    • Step 3 – Enable CUBE application on Cisco routers
    • Step 4 – Configure call routing on CUBE (Incoming & Outgoing dial-peers)
    • Step 5 – Normalize SIP messages to meet SIP Trunk provider’s requirements
    • Step 6 – Execute the test plan
    Diagram: Enterprise Campus and Enterprise Branch Offices (TDM PBX, SRST, CME over MPLS) reach the IP PSTN through a SIP Trunk on CUBE with High Availability (Active / Standby); PSTN is now used only for emergency calls over FXO lines
  • 53. SIP Trunking and Design Deployment Reference Slides
  • 54. Cisco Session Management & CUBE: Essential Elements for Collaboration
    • CUBE provides session border control between IP networks
      • Demarcation
      • Interworking
      • Session control
      • Security
    • Cisco SME centralizes network control
      • Centralizes dial plan
      • Centralized applications
      • Aggregates PBXs
    Diagram: SIP trunk to CUBE; Cisco Session Management connecting a 3rd Party IP PBX, a TDM PBX, Video, Mobile, IM, Presence, Voicemail and Cisco B2B
  • 55. CUBE Deployment Scenarios
    • SIP Trunks for PSTN Access
    • Network-based Media Recording Solution
    • Extending to Video and High Availability for Audio Calls
    • IVR Integration for Contact Centers
    • Business to Business Telepresence
    Diagram labels: SIP, H.323, SP VOIP Services, SBC, TDM, SIP Trunk, Partner API, MediaSense, RTP, Active / Standby, SP IP Network, CVP, vXML Server, Media Server, CUBE
  • 56. Agenda
    • Secure Network, Secure Endpoints, Secure Call Control
    • Collaboration System Release 11.5 Security Update
    • Deploying and Handling Certificates & PKI in CUCM
    • Securing the Edge with CUBE/SBC
    • Cisco Product Security
  • 57. Cisco Product Security Awareness
  • 58. Cisco PSIRT Has Your Back
    Product Security Incident Response Team (PSIRT) - www.cisco.com/go/psirt
    • Dedicated, global team managing security vulnerability information related to Cisco products and networks
    • Responsible for Cisco Security Advisories, Responses and Notices
    • Interface with security researchers and hackers
    • Assist Cisco product teams in securing products
    • Subscribe (RSS or email) to Cisco notification service
  • 59. Product Security Awareness
    • Subscribe/Monitor PSIRT security advisories, responses and notices
    • Consult advisory details to understand impact, workarounds, and other details
    • Reference linked Cisco Applied Mitigation Bulletins (AMB) when available
    • Make preparations to patch systems via upgrade or COP files
    • Verify DRS backups available before patching critical systems