Security Best Practices for Cisco UE

You should consider various additional aspects of network security to protect against unauthorized access to Cisco UE. This section covers Cisco UE security best practices related to system access, remote access, and other security parameters applicable to the application environment.

System and Remote Access

Cisco UE hardware has no external interfaces (physically, there is a Fast Ethernet port, but it is disabled in software and unusable). All Cisco UE system access must pass through the host Cisco CME router. Cisco UE CLI access has no login or password control of its own beyond that of the router that houses Cisco UE. Therefore, it is imperative that the router's configuration parameters for local access (the console port) and remote access (Telnet) are set according to your security needs.

Local Access

The only local access to a Cisco UE system is via the host Cisco CME router's console interface into the router CLI. You then open a session to the Cisco UE CLI by using the following command:

router#service-module service-Engine x/y session

Entering this command on the router requires enable mode and, therefore, is protected by the router's enable login and password settings. Although the Cisco UE CLI also has an enable mode, it has no user ID or password capability. Any network administrator who has access to enable mode on the router also has access to the Cisco UE CLI. Access is controlled via the router, so if logging is required, set up the router with AAA/RADIUS monitoring of login access.

GUI access via a browser to Cisco UE is considered remote access, because it is across an IP segment from the router.

Remote Access: Telnet

Routers typically are geographically dispersed in your network and are seldom accessed locally via the console port. Remote access via Telnet across the IP network is much more typical. Use the IP configuration shown in Example 14-29 as a reference for the discussion in this section.

Example 14-29. IP Reference Configuration

router#show running-config
interface FastEthernet0/0
 ip address 172.19.153.41 255.255.255.0
 no ip mroute-cache
 duplex auto
 speed auto
!
interface Service-Engine1/0
 ip unnumbered FastEthernet0/0
 service-module ip address 172.19.153.37 255.255.255.0
 service-module ip default-gateway 172.19.153.41

Direct Telnet access to the Cisco UE IP address is disabled, as shown in Example 14-30.

Example 14-30. Cisco UE Telnet Access Disabled

pc>telnet 172.19.153.37
Trying 172.19.153.37...
telnet: Unable to connect to remote host: Connection refused

Remote CLI access to Cisco UE is possible only by using Telnet to the router (172.19.153.41) and then using the session command to get access to the Cisco UE CLI. That way, all the security protections built into Telnet access on your router automatically also protect access to Cisco UE. Example 14-31 shows a Telnet session to the router followed by a session into Cisco UE.

Example 14-31. Telnet Access to Cisco UE

pc>telnet 172.19.153.41
Trying 172.19.153.41...
Connected to 172.19.153.41.
Escape character is '^]'.
User Access Verification
Password:
lab-2691>en
Password:
lab-2691#service-module service-Engine 1/0 session
Trying 172.19.153.41, 2033 ... Open

Although direct Telnet access to the Cisco UE IP address is blocked, you can Telnet to the router's IP address followed by the explicit tty port number allocated to Cisco UE, as shown in Example 14-32. This indirect type of Telnet access is not blocked and can provide undesirable access to Cisco UE.

Example 14-32. Telnet Access with an Explicit Port Number

pc>telnet 172.19.153.41 2033
Trying 172.19.153.41...
Connected to 172.19.153.41.
Escape character is '^]'.

To protect against this kind of access, insert a login/password configuration on the tty port (in this example, the port number is 2033) leading to Cisco UE, as shown in Example 14-33.

Example 14-33. Login/Password on Telnet Access

router#show running-config
line 33
 password 7 02050D480809
 login
 no exec

Cisco UE CLI access via the router tty port does not time out by default. The connection stays up until it is disconnected by the user who initiated it. If an inactivity timeout on remote access to Cisco UE CLI is required, you can use the session-timeout command on the router tty configuration to disconnect the session after a configured number of minutes of inactivity. This is shown in Example 14-34.

Example 14-34. Inactivity Timeout on Cisco UE CLI Access

router#show running-config
line 33
 session-timeout 5
 password 7 02050D480809
 login

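The tty-line controls shown in Examples 14-33 and 14-34 can be verified from a saved running-config rather than by eye. The following Python audit is an added example (not from the book or from Cisco); it assumes the config has been captured to text and uses the reverse-Telnet convention that port 2000 + N reaches line N, as with port 2033 and line 33 above.

```python
# Constructed sample of "show running-config" output modelled on Examples 14-33
# and 14-34 (not captured from a real router).
SAMPLE_CONFIG = """\
line con 0
line 33
 session-timeout 5
 password 7 02050D480809
 login
 no exec
line vty 0 4
 password 7 02050D480809
 login
"""


def parse_line_stanzas(config):
    """Return {"line 33": ["session-timeout 5", ...], ...} for every 'line' stanza.
    In an IOS running-config the sub-commands are the indented lines under a stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if not raw.startswith(" "):
            current = raw.strip() if raw.startswith("line ") else None
            if current is not None:
                stanzas.setdefault(current, [])
        elif current is not None:
            stanzas[current].append(raw.strip())
    return stanzas


def audit_cue_tty(config, tty_number, max_idle_minutes=5):
    """Findings for the tty line behind the Cisco UE session port.
    Reverse-Telnet port 2000 + N maps to 'line N' (2033 -> line 33 on this page)."""
    cmds = parse_line_stanzas(config).get(f"line {tty_number}", [])
    findings = []
    if "login" not in cmds:
        findings.append("login missing: port reachable without authentication")
    if not any(c.startswith("password ") for c in cmds):
        findings.append("no password configured on the tty line")
    timeout = next((c for c in cmds if c.startswith("session-timeout ")), None)
    if timeout is None:
        findings.append("no session-timeout: idle sessions never disconnect")
    elif int(timeout.split()[1]) > max_idle_minutes:
        findings.append(f"{timeout} exceeds the {max_idle_minutes}-minute policy")
    return findings
```

An empty result means the line carries login, a password and a session-timeout within policy; a missing stanza reports all three findings.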
Remote Access: SSH

For secure CLI access to Cisco UE, enable SSH on the router and use an SSH-capable remote-access client, such as an SSH client for Windows. Cisco UE itself does not support SSH (but neither does it support Telnet access). However, communication between the router and Cisco UE passes over the router backplane and therefore is not exposed to any external interface or IP segment. SSH access to the router is sufficient to protect remote access to Cisco UE.

Remote Access: HTTPS

Cisco UE does not yet support HTTPS for browser access. Although login to the GUI is password-protected, the login ID and password currently travel in clear text across the IP network.

You can protect GUI access to Cisco UE with IPSec tunnels between the router nearest the browser and the router hosting the Cisco UE module. You can use virtual private network (VPN) technology to protect the segment between the client PC and the nearest router where IPSec is available. Alternatively, you can use VPN technology all the way from the client PC to the host router.

Application Environment

Cisco UE is an IP application and therefore communicates with its environment over various TCP and UDP protocols and ports. Open ports are typical attack targets, so traffic to the open TCP and UDP ports should be protected by ACLs as much as possible, allowing only desired traffic from known endpoints into the application.

Protocols and Port Numbers

To construct suitable ACLs and other security mechanisms that monitor traffic (and deny undesired traffic), it is important to know which ports are open and used by an application such as Cisco UE. Table 14-1 lists the protocols and port numbers that Cisco UE uses.

Table 14-1. Cisco UE Protocols and Port Numbers

Protocol    Protocol and Port Number
DNS         TCP/UDP 53
TFTP        UDP 69
FTP         TCP 20 (data), TCP 21 (control)
HTTP        TCP 80
NTP         UDP 123
Syslog      TCP 514
SIP         UDP 5060
RTP         UDP 16384-32767
SMTP        TCP 25

Suggested ACLs

This section provides best-practice suggestions for ACLs to protect the open ports on your Cisco UE system. Use the following IP configuration information as a reference for this section. Substitute your network's configuration for these values when you customize the ACLs for your implementation.

  • Cisco UE service module IP default gateway: 172.19.153.41
  • Cisco UE service module IP address: 172.19.153.37
  • FTP server for software backup and download: 10.10.1.150
  • Administration subnet: 10.10.1.0/24
  • IP phone and PSTN gateway subnet: 10.10.2.0/24
  • Syslog server: 10.10.1.160
  • DNS: 10.10.1.170

Example 14-35 shows the ACLs recommended for use with Cisco UE. Apply these ACLs on the Cisco UE service-engine interface on the router.

Example 14-35. Recommended ACLs for Cisco UE

router#show running-config
!Inbound:
access-list 101 remark Filter Outbound Traffic from CUE - Apply Inbound on Interface ServiceEngine
access-list 101 remark Restrict DNS to only 10.10.1.170, add additional dns servers as required
access-list 101 permit udp host 172.19.153.37 host 10.10.1.170 eq domain
access-list 101 permit tcp host 172.19.153.37 host 10.10.1.170 eq domain
access-list 101 remark Restrict TFTP to only the host router
access-list 101 permit udp host 172.19.153.37 host 172.19.153.41 eq tftp
access-list 101 remark Restrict FTP traffic to only a single server
access-list 101 permit tcp host 172.19.153.37 host 10.10.1.150 eq ftp
access-list 101 permit tcp host 172.19.153.37 host 10.10.1.150 eq ftp-data
access-list 101 remark Restrict NTP traffic to only the host router
access-list 101 permit udp host 172.19.153.37 host 172.19.153.41 eq ntp
access-list 101 remark Restrict Syslog traffic to single server
access-list 101 permit tcp host 172.19.153.37 host 10.10.1.160 eq syslog
access-list 101 remark Restrict SIP signaling to host router
access-list 101 permit tcp host 172.19.153.37 host 172.19.153.41 eq 5060
access-list 101 permit udp host 172.19.153.37 host 172.19.153.41 eq 5060
access-list 101 remark Restrict RTP to IP phone and GW segment plus router
access-list 101 permit udp host 172.19.153.37 10.10.2.0 0.0.0.255 range 16384 32767
access-list 101 permit udp host 172.19.153.37 host 172.19.153.41 range 16384 32767
!Outbound:
access-list 102 remark Filter Traffic to CUE - Apply Outbound on Interface ServiceEngine
access-list 102 remark Restrict http access to management and phone segment
access-list 102 permit tcp 10.10.1.0 0.0.0.255 host 172.19.153.37 eq www
access-list 102 permit tcp 10.10.2.0 0.0.0.255 host 172.19.153.37 eq www
access-list 102 remark Restrict SIP signaling to host router
access-list 102 permit tcp host 172.19.153.41 host 172.19.153.37 eq 5060
access-list 102 permit udp host 172.19.153.41 host 172.19.153.37 eq 5060
access-list 102 remark Restrict RTP to IP phone and GW segment plus router
access-list 102 permit udp 10.10.2.0 0.0.0.255 host 172.19.153.37 range 16384 32767
access-list 102 permit udp host 172.19.153.41 host 172.19.153.37 range 16384 32767

Attach the ACLs to the service-engine interface as shown in Example 14-36.

Example 14-36. Attaching ACLs to the Service-Engine Interface

interface Service-Engine1/0
 ip unnumbered FastEthernet0/0
 ip access-group 101 in
 ip access-group 102 out
 service-module ip address 172.19.153.37 255.255.255.0
 service-module ip default-gateway 172.19.153.41

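Before attaching ACLs such as those in Example 14-35, it is worth confirming which flows they actually admit. The following Python evaluator is an added example (not from the book or from Cisco IOS): it parses a constructed subset of ACL 101 built from the reference addresses above and applies IOS first-match semantics with the implicit deny at the end; the wildcard-mask and named-port handling are assumptions that cover only the syntax the page uses.

```python
import ipaddress
# Constructed subset of Example 14-35's ACL 101 (inbound on the Service-Engine interface,
# so it filters traffic leaving Cisco UE), using the page's reference addresses.
ACL_101 = """\
access-list 101 remark Restrict DNS to only 10.10.1.170
access-list 101 permit udp host 172.19.153.37 host 10.10.1.170 eq domain
access-list 101 permit udp host 172.19.153.37 host 172.19.153.41 eq 5060
access-list 101 permit udp host 172.19.153.37 10.10.2.0 0.0.0.255 range 16384 32767
"""
# IOS port keywords used on this page, resolved with Table 14-1.
PORT_NAMES = {"domain": 53, "tftp": 69, "ftp": 21, "ftp-data": 20, "ntp": 123, "syslog": 514, "www": 80}

def _take_addr(tokens):
    """Consume 'host A' or 'A WILDCARD'; return (network, remaining tokens)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    # An IOS wildcard mask is the bitwise inverse of a subnet mask.
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tokens[1])))
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]

def _take_ports(tokens):
    """Consume an optional destination port spec: 'eq P' or 'range LO HI'."""
    if not tokens:
        return 0, 65535
    if tokens[0] == "eq":
        port = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        return port, port
    if tokens[0] == "range":
        return int(tokens[1]), int(tokens[2])
    raise ValueError(f"unsupported port spec: {tokens}")

def parse_acl(text):
    """Parse extended-ACL lines into (action, proto, src_net, dst_net, (lo, hi))."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] == "remark":
            continue
        src, rest = _take_addr(t[4:])
        dst, rest = _take_addr(rest)
        entries.append((t[2], t[3], src, dst, _take_ports(rest)))
    return entries

def permitted(entries, proto, src, dst, dport):
    """First-match evaluation; IOS ends every ACL with an implicit 'deny any'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, s, d, (lo, hi) in entries:
        if p == proto and src in s and dst in d and lo <= dport <= hi:
            return action == "permit"
    return False
```

Running flows through `permitted` shows, for instance, that DNS to a second resolver or RTP to the administration subnet is dropped until a matching rule is added, which is the behaviour the remarks in Example 14-35 describe.
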
Cisco UE Security Best Practices

Follow the recommendations in this section to secure access to your Cisco UE system:

  • Assign an enable password to the Cisco CME router hosting the Cisco UE module.
  • Restrict Telnet access to the Cisco CME router.
  • Enable login and password control on the Cisco CME router tty port connecting to Cisco UE.
  • Configure an inactivity timeout on the Cisco CME router tty port connecting to Cisco UE.
  • Enable SSH on the Cisco CME router in place of cleartext Telnet, and use only SSH-capable terminal client software.
  • Use VPN/IPSec router technology to protect HTTP web access into Cisco UE.
  • Use ACLs to restrict SIP signaling traffic into Cisco UE to be sourced only by the Cisco CME router that hosts Cisco UE. No other source in the network should be able to send SIP traffic to Cisco UE.
  • Protect the FTP server used for software installation with login and password control.
  • Protect the FTP server used for backup and restore with login and password control.
  • During a Cisco UE software install or upgrade, do not provide the FTP password on the install command line. Let the installer prompt for it.
  • Maintain the Cisco UE system with the generate random password/PIN user access policy.
  • Mailbox PINs do not expire in Cisco UE releases before release 2.1. Upgrade to release 2.1 to get the ability to have passwords expire.
  • Set the minimum length of Cisco UE passwords and PINs (this feature requires release 2.1 or later) to the lengths demanded by your security policies.


Cisco IP Communications Express: CallManager Express with Cisco Unity Express
ISBN: 158705180X
Year: 2006
Pages: 236
