Cisco CallManager Release 4.0 and later releases support authentication and encryption in a Cisco CallManager cluster. By using these features, you can secure the following communication methods:
Note
Cisco CallManager-to-Cisco CallManager intercluster communication is not secured. If two Cisco IP Phones are configured to use SRTP and are registered to different Cisco CallManager servers within the cluster, there is a security risk because the SRTP session keys need to be exchanged between the Cisco CallManager nodes (in cleartext). Therefore, if the communication paths between Cisco CallManager nodes within a cluster are not trusted, the recommendation is to use IPsec between the Cisco CallManager nodes.
Note
When using SRTP with an MGCP gateway, the SRTP session keys by default are exchanged in cleartext between Cisco CallManager and the MGCP gateway. Therefore, if the communication path between Cisco CallManager and the MGCP gateway is not trusted, the recommendation is to use IPsec between Cisco CallManager and the MGCP gateway.
Note
The Cisco SRST device can also provide SRTP session keys to the Cisco IP Phones so that the IP Phones that are in fallback mode can still use both signaling message and media exchange protection.
With the current release of Cisco CallManager, authenticated and encrypted calls are not possible in any situation other than those listed, including the following:
To enable authentication and encryption support in your Cisco CallManager cluster, you need to complete these tasks:
Step 1. Enable security services. You need to enable the Cisco Certificate Trust List (CTL) Provider service and the Cisco Certificate Authority Proxy Function (CAPF) service.
Step 2. Use the Cisco CTL client to activate security options. You need to configure mixed mode and create a signed CTL.
Step 3. Configure devices for security. IP Phones need to have certificates (either manufacturing installed certificates [MICs] or locally significant certificates [LSCs]), they have to be configured for a security mode (authenticated or encrypted), and the CAPF parameters have to be set if LSCs are used.
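The notes and the three steps above give a defender two things to verify offline: whether the cluster and phone prerequisites for authentication and encryption are in place, and which links would carry SRTP session keys in cleartext because no IPsec covers them. The following is an added example (not code from the book or from Cisco) that runs those checks over a constructed cluster model; the dictionary layout, the node names (ccm-pub, ccm-sub1, ccm-sub2), the device names and the service keys are assumptions.

```python
# Added example, not the book's own code. The dict layout, node names, device names
# and service keys are assumptions; SAMPLE is constructed data.
from itertools import combinations

def cluster_findings(c):
    """Cluster-wide prerequisites from steps 1 and 2: services, mixed mode, signed CTL."""
    out = [f"service not enabled: {s}" for s in ("CTL Provider", "CAPF")
           if not c["services"].get(s)]
    if c["mode"] != "mixed":
        out.append("cluster is not in mixed mode")
    if not c["ctl_signed"]:
        out.append("CTL is not signed")
    return out

def phone_findings(p):
    """Per-phone prerequisites from step 3: certificate, security mode, CAPF for LSCs."""
    out = []
    if p.get("cert") not in ("MIC", "LSC"):
        out.append(f"{p['name']}: no MIC or LSC")
    if p.get("security_mode") not in ("authenticated", "encrypted"):
        out.append(f"{p['name']}: security mode not set")
    if p.get("cert") == "LSC" and not p.get("capf_configured"):
        out.append(f"{p['name']}: LSC without CAPF parameters")
    return out

def cleartext_key_paths(c):
    """Links that would carry SRTP session keys in cleartext (no IPsec): node-to-node
    links between encrypted phones on different nodes, and node-to-MGCP-gateway links."""
    ipsec = {frozenset(l) for l in c["ipsec_links"]}
    srtp = [p for p in c["phones"] if p.get("security_mode") == "encrypted"]
    links = {frozenset((a["node"], b["node"])) for a, b in combinations(srtp, 2)
             if a["node"] != b["node"]}
    links |= {frozenset((g["node"], g["name"])) for g in c["mgcp_gateways"] if g["srtp"]}
    return sorted(sorted(l) for l in links - ipsec)

# Constructed sample: CAPF service off, one LSC phone without CAPF, one nonsecure phone.
SAMPLE = {
    "services": {"CTL Provider": True, "CAPF": False},
    "mode": "mixed", "ctl_signed": True,
    "ipsec_links": [("ccm-pub", "ccm-sub1")],
    "phones": [
        {"name": "SEP0001", "node": "ccm-pub", "cert": "MIC", "security_mode": "encrypted"},
        {"name": "SEP0002", "node": "ccm-sub1", "cert": "LSC", "security_mode": "encrypted",
         "capf_configured": True},
        {"name": "SEP0003", "node": "ccm-sub2", "cert": "LSC", "security_mode": "encrypted"},
        {"name": "SEP0004", "node": "ccm-pub", "cert": None, "security_mode": "nonsecure"},
    ],
    "mgcp_gateways": [{"name": "gw-1", "node": "ccm-sub2", "srtp": True}],
}
```

Running the three functions over SAMPLE reports the disabled CAPF service, the LSC phone without CAPF parameters, the nonsecure phone, and the two inter-node links plus the MGCP link that would need IPsec.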
Enabling Services Required for Security