Security Best Practices for Cisco CME

Cisco IPC Express provides integrated IP communications on Cisco IOS routers. Therefore, the same security best practices recommended for all Cisco IOS voice-enabled routers also apply to Cisco CME. In addition, you should implement Cisco CME-specific security practices to provide additional security protection.

This section explains how you can set up the Cisco CME using the CLI to prevent users from intentionally or accidentally gaining system-level control from the GUI as well as local or remote CLI access.

Securing GUI Access

A Cisco IOS router authenticates an administrator CLI login against the enable password only, and the default setting for HTTP access is ip http authentication enable. If the system administrator, customer administrator, or phone user has the same password as the router's enable password, he or she can gain level 15 EXEC privilege access to Cisco IOS via HTTP. A normal IP phone user can then accidentally change the Cisco CME configuration, erase Flash, or reload the router when logging on to this URL:

http://cme-ip-address/

You should configure the following commands for Cisco CME to use AAA or local authentication to prevent a normal user from gaining access to the enable password and therefore having access to the system administrator page:

ip http authentication aaa
or
ip http authentication local

Note

Note that authentication, AAA is applied only to the system administrator login. Local authentication, which is clear-text-based, is applied to both the customer administrator and phone user logins.

 

Using HTTPS for Cisco CME GUI Management

HTTP over SSL (HTTPS) provides Secure Socket Layer (SSL) version 3.0 support for the HTTP 1.1 server and HTTP 1.1 client within Cisco IOS software. SSL provides server authentication, encryption, and message integrity to allow secure HTTP communications. SSL also provides HTTP client authentication. This feature is supported only in Cisco IOS software images that include the SSL feature. Specifically, SSL is supported in the Advanced Security, Advanced IP Services, and Advanced Enterprise Services images. Use the Advanced IP Services or Advanced Enterprise Services Cisco IOS images to get both the Cisco CME and SSL features.

Currently IP phones do not serve as HTTPS clients. If HTTPS is enabled on the Cisco CME router, IP phones still attempt to connect to HTTP using port 80. Because the SSL default port is 443, the phones cannot display local directory and system speed dials. IP phones using HTTP can work with a system configured for SSL by enabling both HTTP and HTTPS, as shown in Example 14-19.

Example 14-19. Enabling HTTP Secure Server Sample Configuration

router#show running-config
ip http server
ip http secure-server
ip http secure-port port_number
!if https port is changed from default 443
ip http authentication AAA |TACACS | local

Use the following command to generate an RSA usage key pair with a length of 1024 bits or greater:

crypto key generate rsa usage 1024

If you do not generate an RSA usage key pair manually, an RSA usage key pair with a length of 768 bits is generated automatically when you connect to the HTTPS server for the first time. These auto generated RSA keys are not saved to the startup configuration; therefore, they are lost when the device is rebooted unless you save the configuration manually. For more information on RSA, refer to Cisco IOS documentation on Cisco.com.

You should obtain an X.509 digital certificate with digital signature capabilities for the device from a certification authority (CA). If you do not obtain a digital certificate in advance, the device creates a self-signed digital certificate to authenticate itself.

If you change the device host name after obtaining a device digital certificate, HTTPS connections to the device fail because the host name does not match the host name specified in the digital certificate. Obtain a new device digital certificate using the new host name to fix this problem.

The ip http secure-server command prevents clear-text passwords from traveling across the network when a Cisco CME administrator logs into the Cisco CME GUI. However, communications between the phone and router remain in clear text.

The following are the suggested best practices for using HTTP interactive access to the Cisco CME router:

• Use the ip http access-class command to allow only specified IP addresses to access the Cisco CME GUI, thus restricting unwanted IP packets from connecting to Cisco CME.
• Use the ip http authentication command with a central TACACS+ or RADIUS server for authentication purposes. Configuring authentication for the HTTP and HTTPS servers adds security to communication between clients and the HTTP and HTTPS servers on the device.
• Do not use the router enable password as a Cisco CME login password (to prevent a regular user from gaining administrator privileges).

Setting Local and Remote System Access

When in EXEC mode, the configure terminal and telephony-service commands take a user into Cisco CME configuration mode. The show running-config and show telephony-service commands show all registered phones and users, extension numbers, usernames, and passwords for Cisco CME GUI access. So the first step to security control is at the system access level. Password encryption, user authentication, and command auditing are all critical to prevent security breaches.

Using the enable secret Command

The enable password is shown in clear text by default. To provide access control to EXEC mode on the router, use the enable secret command to encrypt the enable password, as shown in Example 14-20.

Example 14-20. Enable Secret

router#show running-config
service password-encryption
enable secret 
no enable password

 

Restricting Access to tty

You can allow only certain users and locations to Telnet to the router by using its terminal (tty) or virtual terminal (vty) lines. Define and apply an access list for permitting or denying remote Telnet sessions to your Cisco CME router as shown in Example 14-21.

Example 14-21. Restricting Access to vty

router#show running-config
line vty 0 4
 access-class 10 in
 access-list 10 permit 10.1.1.0 0.0.0.255

 

Using AAA to Secure Access

Example 14-22 shows how to use AAA for login and command auditing.

Example 14-22. Using AAA for Login and Command Auditing

router#show running-config
aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication enable default tacacs+ enable
aaa accounting exec start-stop tacacs+
aaa accounting exec start-stop tacacs+
!
ip tacacs source-interface Loopback0
tacacs-server host 215.17.1.2
tacacs-server host 215.17.34.10
tacacs-server key CKr3t#

Sample command log:
Wed Jun 25 03:46:47 1997 172.16.25.15 fgeorge tty3 5622329430/4327528 stop
task_id=3 service=shell priv-lvl=1 cmd=show version 
Wed Jun 25 03:46:58 1997 172.16.25.15 fgeorge tty3 5622329430/4327528 stop
task_id=4 service=shell priv-lvl=1 cmd=show interfaces Ethernet 0 
Wed Jun 25 03:47:03 1997 172.16.25.15 fgeorge tty3 5622329430/4327528 stop
task_id=5 service=shell priv-lvl=1 cmd=show ip route 

When the AAA server cannot be reached in the network, the router should always require login, as shown in Example 14-23.

Example 14-23. Using a User Account on the Router

router#show running-config
username joe password 7 045802150C2E
username jim password 7 0317B21895FE
!
line vty 0 4
 login local

 

Configuring SSH Access

Example 14-24 shows you how to configure secure shell (SSH) access on your Cisco CME router.

Example 14-24. Configuring SSH

router(config)#crypto key generate rsa
line vty 0 4
transport input telnet ssh

 

Using ACLs for SNMP Access

You might use access control lists (ACLs) to permit or deny SNMP access, as shown in Example 14-25.

Example 14-25. Using ACLs for SNMP Access

router#show running-config
access-list 10 remark SNMP filter
access-list 10 permit 10.1.1.0 0.0.0.255
snmp-server community changeme-rw RW 10
snmp-server community changeme-ro RO 10

Change the community strings to words different from read and write, because these are two common community strings for read and write access, respectively.

Disabling CDP

Cisco Discovery Protocol (CDP) automatically discovers the neighboring network devices that also support CDP. In an untrusted domain, disable CDP so that Cisco CME routers do not automatically show up in the CDP tables of other devices. This is shown in Example 14-26.

Example 14-26. Disabling CDP

router#show running-config
no cdp run
!If cdp is needed then consider disabling cdp on a per interface basis.
interface FastEthernet0/0
 no cdp enable

 

Configuring COR for Incoming and Outgoing Calls

One of the ways to restrict unauthorized incoming and outgoing calls is to use the COR commands. The configuration shown in Example 14-27 defines two groups of users: user and superuser. Superuser is allowed to make any calls, including local, long-distance, 411 directory lookup, and 911 calls. User is restricted from making 900, 411, and international calls.

Example 14-27. Configuring COR for Toll Fraud

router#show running-config
dial-peer cor custom
 name 911
 name 1800
 name local-call
 name ld-call
 name 411
 name int-call
 name 1900
!
dial-peer cor list call911
 member 911
!
dial-peer cor list call1800
 member 1800
!
dial-peer cor list calllocal
 member local-call
!
dial-peer cor list callint
 member int-call
!
dial-peer cor list callld
 member ld-call
!
dial-peer cor list call411
 member 411
!
dial-peer cor list call1900
 member 1900
!
dial-peer cor list user
 member 911
 member 1800
 member local-call
 member ld-call
!
dial-peer cor list superuser
 member 911
 member 1800
 member local-call
 member ld-call
 member 411
 member int-call
 member 1900
!
dial-peer voice 9 pots
 corlist outgoing callld
 destination-pattern 91..........
 port 1/0
 prefix 1
!
dial-peer voice 911 pots
 corlist outgoing call911
 destination-pattern 9911
 port 1/0
 prefix 911
!
dial-peer voice 11 pots
 corlist outgoing callint
 destination-pattern 9011T
 port 2/0
 prefix 011
!
dial-peer voice 732 pots
 corlist outgoing calllocal
 destination-pattern 9732.......
 port 1/0
 prefix 732
!
dial-peer voice 800 pots
 corlist outgoing call1800
 destination-pattern 91800.......
 port 1/0
 prefix 1800
!
dial-peer voice 802 pots
 corlist outgoing call1800
 destination-pattern 91877.......
 port 1/0
 prefix 1877
!
dial-peer voice 805 pots
 corlist outgoing call1800
 destination-pattern 91888.......
 port 1/0
 prefix 1888
!
dial-peer voice 411 pots
 corlist outgoing call411
 destination-pattern 9411
 port 1/0
 prefix 411
!
dial-peer voice 806 pots
 corlist outgoing call1800
 destination-pattern 91866.......
 port 1/0
 prefix 1866

ephone-dn 1
 number 2000
 cor incoming user

ephone-dv 2
 number 2001
 cor incoming superuser

 

Restricting Outgoing Calling Patterns

You might use the after-hours block command to restrict incoming or outgoing calls after certain hours. You can also use after-hours blocking to restrict calls to numbers or area codes known to be fraudulent calling patterns. The commands shown in Example 14-28 block all calls at all times for patterns 2 to 6. Pattern 7 is blocked only during the configured after-hours period.

Example 14-28. Using After-Hours Blocking to Restrict Outgoing Calling Patterns

router#show running-config
telephony-service
after-hours block pattern 2 .1264 7-24
after-hours block pattern 3 .1268 7-24
after-hours block pattern 4 .1246 7-24
after-hours block pattern 5 .1441 7-24
after-hours block pattern 6 .1284 7-24
after-hours block pattern 7 9011
after-hours day Sun 19:00 07:00
after-hours day Mon 19:00 07:00
after-hours day Tue 19:00 07:00
after-hours day Wed 19:00 07:00
after-hours day Thu 19:00 07:00
after-hours day Fri 19:00 07:00
after-hours day Sat 19:00 07:00

 

Configuring IP Phone Registration Control

You should configure Cisco CME to allow IP phones in a trusted domain for registration. Assuming that the local LAN segment is a trusted domain, use the strict-match option on the ip source-address command so that only locally attached IP phones can register to the Cisco CME router and get IP telephony-services:

router(config-telephony)#ip source-address 1.1.1.1 port 2000 strict-match

Block port TCP 2000 access from the WAN or Internet side to prevent external SCCP phones from registering with the Cisco CME system. Use the following ACL to block TCP port 2000 access from WAN or Internet interfaces:

router(config-t)#access-list 101 deny tcp any any eq 2000

Note

Unknown phones or phones that are not configured in Cisco CME are allowed to register with Cisco CME by default for ease of management, but they do not get dial tone until you configure them by associating the buttons with ephone-dns or by configuring auto assign dns under telephony-service.

Security Best Practices for Cisco UE