Authentication and Encryption Configuration Overview

Cisco CallManager Release 4.0 and later releases support authentication and encryption in a Cisco CallManager cluster. By using these features, you can secure the following communication methods:

  • Signaling messages between a supported Cisco IP Phone and Cisco CallManager: Cisco IP Phone 7970, 7960, and 7940 models can be configured to use Transport Layer Security (TLS) for authenticated and encrypted signaling.
  • Media exchange between two supported IP Phones within a Cisco CallManager cluster: Cisco IP Phone 7970, 7960, and 7940 models can be configured to use Secure Real-Time Transport Protocol (SRTP) for authenticated and encrypted media exchange. Secure media exchange was introduced for the 7970 in Cisco CallManager 4.0. Support for the additional IP Phones was added in Cisco CallManager 4.1.

    Note

    Cisco CallManager-to-Cisco CallManager intercluster communication is not secured. If two Cisco IP Phones are configured to use SRTP and are registered to different Cisco CallManager servers within the cluster, there is a security risk because the SRTP session keys need to be exchanged between the Cisco CallManager nodes (in cleartext). Therefore, if the communication paths between Cisco CallManager nodes within a cluster are not trusted, the recommendation is to use IPsec between the Cisco CallManager nodes.

  • Media exchange between a supported Cisco IP Phone and supported Media Gateway Control Protocol (MGCP) and H.323 gateways: Cisco IP Phone 7970, 7960, and 7940 models and Cisco IOS MGCP gateways (running Cisco IOS Software Release 12.3(11)T2 or later) can be configured to use SRTP for authenticated and encrypted media exchange. H.323 support for SRTP was added in Cisco IOS Software Release 12.4(6T).

    Note

    When using SRTP with an MGCP gateway, the SRTP session keys by default are exchanged in cleartext between Cisco CallManager and the MGCP gateway. Therefore, if the communication path between Cisco CallManager and the MGCP gateway is not trusted, the recommendation is to use IPsec between Cisco CallManager and the MGCP gateway.

  • Signaling messages between a supported IP Phone and a supported Cisco Survivable Remote Site Telephony (SRST) device: Cisco IP Phone 7970, 7960, and 7940 models and Cisco IOS SRST Version 3.3 or later devices (running Cisco IOS Software Release 12.3(14)T or later) can be configured to use TLS for authenticated and encrypted signaling.

    Note

    The Cisco SRST device can also provide SRTP session keys to the Cisco IP Phones so that the IP Phones that are in fallback mode can still use both signaling message and media exchange protection.

With the current release of Cisco CallManager, authenticated and encrypted calls are not possible in any situation other than those listed, including the following:

  • Calls to other Cisco CallManager clusters using intercluster trunks: Secure signaling and media exchange are supported only for calls within a Cisco CallManager cluster; intercluster trunk calls are not supported.
  • Calls that are connected to any media resources, such as conferences, transcoders, or music on hold (MoH): Secure media exchange is supported only between supported endpoints (Cisco IP Phones and Cisco IOS MGCP gateways); conference bridges, transcoders, and MoH servers are not supported endpoints.
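The two lists above amount to a set of rules an administrator has to apply to every call leg: which device pairs can use TLS or SRTP, which minimum IOS releases the gateways and SRST routers must run, and where SRTP session keys still travel in cleartext (between cluster nodes, and to MGCP gateways) so that IPsec is needed on untrusted paths. The following Python script is an added example, not code from the book or from Cisco, that encodes those rules so a call leg can be checked mechanically. The `Endpoint` class, the `kind` names, the node names and the sample devices are constructed for the example; the phone models and IOS release numbers are the ones the page states. The IOS release parser is included because the page's requirements such as `12.3(11)T2` cannot be compared as plain strings.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Phone models the page lists as supporting TLS signaling and SRTP media.
SECURE_PHONE_MODELS = {"7970", "7960", "7940"}

# Minimum Cisco IOS releases the page gives for each secure role.
MIN_IOS = {
    "mgcp_gateway": "12.3(11)T2",  # SRTP with MGCP gateways
    "h323_gateway": "12.4(6T)",    # SRTP with H.323 gateways (page's spelling; parser accepts 12.4(6)T too)
    "srst": "12.3(14)T",           # TLS signaling to SRST (SRST Version 3.3 or later)
}

# Accepts "12.3(11)T2", "12.4(6)T" and "12.4(6T)" forms.
_IOS_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([A-Z]*)\)([A-Z]*)(\d*)$")


def parse_ios_release(text: str) -> Tuple[int, int, int, str, int]:
    """Turn an IOS release string into (major, minor, maintenance, train, rebuild)."""
    m = _IOS_RE.match(text.replace(" ", ""))
    if not m:
        raise ValueError(f"unrecognised IOS release string: {text!r}")
    major, minor, maint, train_in, train_out, rebuild = m.groups()
    return (int(major), int(minor), int(maint), train_in or train_out,
            int(rebuild) if rebuild else 0)


def ios_at_least(have: str, need: str) -> bool:
    """True when `have` meets `need`. A higher major/minor/maintenance number wins
    outright; on a tie the train letter must match and the rebuild number must be at
    least the required one (a mainline and a T-train release are not comparable)."""
    h, n = parse_ios_release(have), parse_ios_release(need)
    if h[:3] != n[:3]:
        return h[:3] > n[:3]
    return h[3] == n[3] and h[4] >= n[4]


@dataclass
class Endpoint:
    # kind: "phone", "callmanager", "mgcp_gateway", "h323_gateway", "srst", or a media
    # resource / trunk such as "conference", "transcoder", "moh", "intercluster_trunk".
    kind: str
    model: Optional[str] = None         # phone model number, e.g. "7970"
    ios: Optional[str] = None           # IOS release of a gateway or SRST router
    node: Optional[str] = None          # CallManager node the endpoint registers to
    srst_version: Optional[str] = None  # SRST feature version, e.g. "3.3"


def supports_srtp(ep: Endpoint) -> bool:
    """Is this endpoint one the page lists as a supported SRTP endpoint?"""
    if ep.kind == "phone":
        return ep.model in SECURE_PHONE_MODELS
    if ep.kind in ("mgcp_gateway", "h323_gateway"):
        return ep.ios is not None and ios_at_least(ep.ios, MIN_IOS[ep.kind])
    return False  # media resources and intercluster trunks are never SRTP endpoints


def assess_media_leg(a: Endpoint, b: Endpoint) -> Tuple[bool, List[str]]:
    """Decide whether the media between a and b can be SRTP, and list the
    key-exchange paths that stay in cleartext and therefore warrant IPsec."""
    findings: List[str] = []
    if not (supports_srtp(a) and supports_srtp(b)):
        findings.append("media stays RTP: at least one endpoint is not a supported SRTP endpoint")
        return False, findings
    if a.kind == b.kind == "phone" and a.node != b.node:
        findings.append("SRTP session keys cross between CallManager nodes in cleartext; "
                        "use IPsec between the nodes if that path is untrusted")
    for ep in (a, b):
        if ep.kind == "mgcp_gateway":
            findings.append("SRTP session keys reach the MGCP gateway in cleartext by default; "
                            "use IPsec between CallManager and the gateway if that path is untrusted")
    return True, findings


def supports_tls_signaling(phone: Endpoint, peer: Endpoint) -> bool:
    """TLS signaling is possible phone-to-CallManager, or phone-to-SRST when the
    SRST router meets the version requirements the page gives."""
    if phone.kind != "phone" or phone.model not in SECURE_PHONE_MODELS:
        return False
    if peer.kind == "callmanager":
        return True
    if peer.kind == "srst":
        ver = tuple(int(x) for x in (peer.srst_version or "0").split("."))
        return ver >= (3, 3) and peer.ios is not None and ios_at_least(peer.ios, MIN_IOS["srst"])
    return False


if __name__ == "__main__":
    # Constructed sample call: two secure phones registered to different nodes.
    ok, notes = assess_media_leg(Endpoint("phone", model="7970", node="cm-a"),
                                 Endpoint("phone", model="7960", node="cm-b"))
    print(ok, notes)
```

Running the sample call at the bottom reports that SRTP is possible but that the session keys pass between the two cluster nodes in cleartext, which is exactly the case the first note above says calls for IPsec between nodes. Feeding a conference bridge or an intercluster trunk as either endpoint makes the leg fall back to plain RTP, matching the second list.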

To enable authentication and encryption support in your Cisco CallManager cluster, you need to complete these tasks:

Step 1. Enable security services: You need to enable the Cisco Certificate Trust List (CTL) Provider service and the Cisco Certificate Authority Proxy Function (CAPF) service.

Step 2. Use the Cisco CTL client to activate security options: You need to configure mixed mode and create a signed CTL.

Step 3. Configure devices for security: IP Phones need to have certificates (either manufacturing installed certificates [MICs] or locally significant certificates [LSCs]), they have to be configured for a security mode (authenticated or encrypted), and the CAPF parameters have to be set if LSCs are used.

Enabling Services Required for Security

Authorized Self-Study Guide Cisco IP Telephony (CIPT)
Cisco IP Telephony (CIPT) (Authorized Self-Study) (2nd Edition)
ISBN: 158705261X
Year: 2004
Pages: 329
