Security Best Practices for Cisco UE

You should consider various additional aspects of network security to protect against unauthorized access to Cisco UE. This section covers Cisco UE security best practices related to system access, remote access, and other security parameters applicable to the application environment.

System and Remote Access

Cisco UE hardware does not have external interfaces (physically, there is a Fast Ethernet interface port, but it is disabled in software and unusable). All Cisco UE system access must pass through the host Cisco CME router. Cisco UE CLI access has no login access or password control in addition to that of the router that houses Cisco UE. Therefore, it is imperative that the router's configuration parameters for local access (the console port) and remote access (Telnet) are set according to your security needs.

Local Access

The only local access to a Cisco UE system is via the host Cisco CME router's console interface into the router CLI. You then open a session to the Cisco UE CLI by using the following command:

router#service-module service-Engine x/y session

Entering this command on the router requires enable mode and, therefore, is protected by the router's enable login and password settings. Although the Cisco UE CLI also has an enable mode, it has no user ID or password capability. Any network administrator who has access to enable mode on the router also has access to the Cisco UE CLI. Access is controlled via the router, so if logging is required, set up the router with AAA/RADIUS monitoring of login access.

GUI access via a browser to Cisco UE is considered remote access, because it is across an IP segment from the router.

Remote AccessTelnet

Routers typically are geographically dispersed in your network and are seldom accessed locally via the console port. Remote access via Telnet across the IP network is much more typical. Use the IP configuration shown in Example 14-29 as a reference for the discussion in this section.

Example 14-29. IP Reference Configuration

router#show running-config
interface FastEthernet0/0
 ip address 172.19.153.41 255.255.255.0
 no ip mroute-cache
 duplex auto
 speed auto
!
interface Service-Engine1/0
 ip unnumbered FastEthernet0/0
 service-module ip address 172.19.153.37 255.255.255.0
 service-module ip default-gateway 172.19.153.41

Direct Telnet access to the Cisco UE IP address is disabled, as shown in Example 14-30.

Example 14-30. Cisco UE Telnet Access Disabled

pc>telnet 172.19.153.37
Trying 172.19.153.37...
telnet: Unable to connect to remote host: Connection refused

Remote CLI access to Cisco UE is possible only by using Telnet to the router (172.19.153.41) and then using the session command to get access to the Cisco UE CLI. That way, all the security protections built into Telnet access on your router automatically also protect access to Cisco UE. Example 14-31 shows a Telnet session to the router followed by a session into Cisco UE.

Example 14-31. Telnet Access to Cisco UE

pc>telnet 172.19.153.41
Trying 172.19.153.41...
Connected to 172.19.153.41.
Escape character is '^]'.
User Access Verification
Password:
lab-2691>en
Password:
lab-2691#service-module service-Engine 1/0 session
Trying 172.19.153.41, 2033 ... Open

Although direct Telnet access to the Cisco UE IP address is blocked, you can Telnet to the router's IP address followed by the explicit tty port number allocated to Cisco UE, as shown in Example 14-32. This indirect type of Telnet access is not blocked and can provide undesirable access to Cisco UE.

Example 14-32. Telnet Access with an Explicit Port Number

pc>telnet 172.19.153.41 2033
Trying 172.19.153.41...
Connected to 172.19.153.41.
Escape character is '^]'.

To protect against this kind of access, insert a login/password configuration on the tty port (in this example, the port number is 2033) leading to Cisco UE, as shown in Example 14-33.

Example 14-33. Login/Password on Telnet Access

router#show running-config
line 33
 password 7 02050D480809 
 login 
 no exec

Cisco UE CLI access via the router tty port does not time out by default. The connection stays up until it is disconnected by the user who initiated it. If an inactivity timeout on remote access to Cisco UE CLI is required, you can use the session-timeout command on the router tty configuration to disconnect the session after a configured number of minutes of inactivity. This is shown in Example 14-34.

Example 14-34. Inactivity Timeout on Cisco UE CLI Access

router#show running-config
line 33
 session-timeout 5 
 password 7 02050D480809
 login

 

Remote AccessSSH

For secure CLI access to Cisco UE, enable SSH on the router and use an SSH-enabled remote-access application, such as the SSH Windows application. Cisco UE itself does not support SSH (but neither does it support Telnet access). However, communication between the router and Cisco UE is via the router backplane and, therefore, is not exposed to any external interfaces or IP segments. SSH access to the router is sufficient to protect remote access to Cisco UE.

Remote AccessHTTPS

Cisco UE does not yet support HTTPS for browser access. Although login to the GUI is password-protected, the login ID and password currently travel in clear text across the IP network.

You can protect GUI access in Cisco UE by using IPSec tunnels on the routers between the nearest router to where the browser is located and the router hosting the Cisco UE module. You can use virtual private network (VPN) technology to protect the segment between the client PC and the nearest router where IPSec is available. Alternatively, you can use VPN technology all the way from the client PC to the host router.

Application Environment

Cisco UE is an IP application and therefore communicates with its environment via various TCP and UDP protocols and ports. Open port numbers are typical security attack targets. Therefore, traffic to the open TCP and UDP port numbers should be protected by ACLs as much as possible to allow only desired traffic from known endpoints into the application.

Protocols and Port Numbers

To construct suitable ACLs and other security mechanisms that monitor traffic (and deny undesired traffic), it is important to know which ports are open and used by an application such as Cisco UE. Table 14-1 lists the protocols and port numbers that Cisco UE uses.

Table 14-1. Cisco UE Protocols and Port Numbers

Protocol

Protocol and Port Number

DNS

TCP/UDP 53

TFTP

UDP 69

FTP

TCP 20 (data), TCP 21 (control)

HTTP

TCP 80

NTP

UDP 123

Syslog

TCP 514

SIP

UDP 5060

RTP

UDP 1638432767

SMTP

TCP 25

 

Suggested ACLs

This section provides best-practice suggestions for ACLs to protect the open ports on your Cisco UE system. Use the following IP configuration information as a reference for this section. Substitute your network's configuration for these values when you customize the ACLs for your implementation.

  • Cisco UE service module IP default gateway172.19.153.41
  • Cisco UE service module IP address172.19.153.37
  • FTP server for software backup and download10.10.1.150
  • Admininstration subnet10.10.1.0/24
  • IP phone and PSTN gateway subnet10.10.2.0/24
  • Syslog server10.10.1.160
  • DNS10.10.1.170

The ACLs shown in Example 14-35 are recommended to be used with Cisco UE. You should apply these ACLs on the Cisco UE service-engine interface on the router.

Example 14-35. Recommended ACLs for Cisco UE

router#show running-config
!Inbound: 
access-list 101 remark Filter Outbound Traffic from CUE - Apply Inbound on
 Interface ServiceEngine
access-list 101 remark Restrict DNS to only 10.10.1.170, add additional dns
 servers as required
access-list 101 permit udp host 172.19.153.37 host 10.10.1.170 eq domain
access-list 101 permit tcp host 172.19.153.37 host 10.10.1.170 eq domain
access-list 101 remark Restrict TFTP to only the host router
access-list 101 permit udp host 172.19.153.37 host 172.19.153.41 eq tftp
access-list 101 remark Restrict FTP traffic to only a single server
access-list 101 permit tcp host 172.19.153.37 host 10.10.1.150 eq ftp
access-list 101 permit tcp host 172.19.153.37 host 10.10.1.150 eq ftp-data
access-list 101 remark Restrict NTP traffic to only the host router
access-list 101 permit udp host 172.19.153.37 host 172.19.153.41 eq ntp
access-list 101 remark Restrict Syslog traffic to single server
access-list 101 permit tcp host 172.19.153.37 host 10.10.1.160 eq syslog
access-list 101 remark Restrict SIP signaling to host router
access-list 101 permit tcp host 172.19.153.37 host 172.19.153.41 eq 5060
access-list 101 permit udp host 172.19.153.37 host 172.19.153.41 eq 5060
access-list 101 remark Restrict RTP to IP phone and GW segment plus router
access-list 101 permit udp host 172.19.153.37 10.10.1.0 0.0.0.255 range 16384
 32767
access-list 101 permit udp host 172.19.153.37 host 172.19.153.41 range 16384
 32767
!Outbound: 
access-list 102 remark Filter Traffic to CUE - Apply Outbound on Interface
 ServiceEngine
access-list 102 remark Restrict http access to management and phone segment
access-list 102 permit tcp 10.10.1.0 0.0.0.255 host 172.19.153.37 eq www
access-list 102 permit tcp 10.10.2.0 0.0.0.255 host 172.19.153.37 eq www
access-list 102 remark Restrict SIP signaling to host router
access-list 102 permit tcp host 172.19.153.41 host 172.19.153.37 eq 5060
access-list 102 permit udp host 172.19.153.41 host 172.19.153.37 eq 5060
access-list 102 remark Restrict RTP to IP phone and GW segment plus router
access-list 102 permit udp 10.10.1.0 0.0.0.255 host 172.19.153.37 range16384
 32767
access-list 102 permit udp host 172.19.153.41 host 172.19.153.37 range 16384
 32767

Attach the ACLs to the service-engine interface as shown in Example 14-36.

Example 14-36. Attaching ACLs to the Service-Engine Interface

interface Service-Engine1/0
 ip unnumbered FastEthernet0/0
 ip access-group 101 in 
 ip access-group 102 out 
 service-module ip address 172.19.153.37 255.255.0.0
 service-module ip default-gateway 172.19.153.41

 

Cisco UE Security Best Practices

Follow the recommendations in this section to secure access to your Cisco UE system:

  • Assign an enable password to the Cisco CME router hosting the Cisco UE module.
  • Restrict Telnet access to the Cisco CME router.
  • Enable login and password control on the Cisco CME router tty port connecting to Cisco UE.
  • Configure an inactivity timeout on the Cisco CME router tty port connecting to Cisco UE.
  • Enable SSH on the Cisco CME router to protect Telnet traffic, and use only SSH-capable Telnet client software.
  • Use VPN/IPSec router technology to protect HTTP web access into Cisco UE.
  • Use ACLs to restrict SIP signaling traffic into Cisco UE to be sourced only by the Cisco CME router that hosts Cisco UE. No other source in the network should be able to send SIP traffic to Cisco UE.
  • Protect the FTP server used for software installation with login and password control.
  • Protect the FTP server used for backup and restore with login and password control.
  • During a Cisco UE software install or upgrade, do not provide the FTP password on the install command line. Let the installer prompt for it.
  • Maintain the Cisco UE system with the generate random password/PIN user access policy.
  • Mailbox PINs do not expire in Cisco UE releases before release 2.1. Upgrade to release 2.1 to get the ability to have passwords expire.
  • Set the minimum length of Cisco UE passwords and PINs (this feature requires release 2.1 or later) to the lengths demanded by your security policies.

Configuring and Monitoring Via Network Management Systems Using the Cisco CME AXL SOAP Interface

Part I: Cisco IP Communications Express Overview

Introducing Cisco IPC Express

Building a Cisco IPC Express Network

Cisco IPC Express Architecture Overview

Part II: Feature Operation and Applications

Cisco IP Phone Options

Cisco CME Call Processing Features

Cisco CME PSTN Connectivity Options

Connecting Multiple Cisco CMEs with VoIP

Integrating Cisco CME with Cisco CallManager

Cisco IPC Express Automated Attendant Options

Cisco IPC Express Integrated Voice Mail

Cisco CME External Voice Mail Options

Additional External Applications with Cisco CME

Part III: Administration and Management

Cisco IPC Express General Administration and Initial System Setup

Configuring and Managing Cisco IPC Express Systems

Cisco IPC Express System Configuration Example

Part IV: Maintenance and Troubleshooting

Troubleshooting Basic Cisco IPC Express Features

Troubleshooting Advanced Cisco CME Features

Troubleshooting Cisco CME Network Integration

Troubleshooting Cisco UE System Features

Troubleshooting Cisco UE Automated Attendant

Troubleshooting Cisco UE Integrated Voice Mail Features

Part V: Appendixes

Appendix A. Cisco IPC Express Features, Releases, and Ordering Information

Appendix B. Sample Cisco UE AA Scripts

Appendix C. Cisco Unity Express Database Schema

Index

show all menu



Cisco IP Communications Express(c) CallManager Express with Cisco Unity Express
Cisco IP Communications Express: CallManager Express with Cisco Unity Express
ISBN: 158705180X
EAN: 2147483647
Year: 2006
Pages: 236
Similar book on Amazon

Flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net