
Secure Collaboration for On-Premise VoIP Deployments (CUCM and CUBE/SBC)

Hikmat El Ajaltouni

Systems Engineer

Jan.26, 2017

Agenda

• Secure Network, Secure Endpoints, Secure Call Control

• Collaboration System Release 11.5 Security Update

• Deploying and Handling Certificates & PKI in CUCM

• Securing the Edge with CUBE/SBC

• Cisco Product Security

Secure Network, Secure Endpoints, Secure Call Control

BRKUCC-2501

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public

Infrastructure Security Measures

Segregation

• Virtual LANs (VLANs) separate voice and data traffic

• VLAN Access Control Lists (VACLs) limit traffic between devices on the voice VLAN

• QoS Packet Marking ensures UC traffic receives appropriate priority over other traffic

Layer 3

• IP Source Guard examines physical port, VLAN, IP, & MAC for inconsistencies

Layer 2

• DHCP Snooping creates binding table

• Dynamic ARP Inspection examines ARP & GARP for violations

• Port Security limits the number of MAC addresses allowed per port

• 802.1x limits network access to authentic devices on assigned VLANs

IP Phone Security Features

• Cryptographically assured device identity

  • Manufacturing Installed Certificate (MIC)

  • Locally Significant Certificates (LSC)

• Signed firmware images

• Signed & encrypted configuration files

• Mutually authenticated & encrypted signaling & media

• Embedded 802.1x Supplicant

• Positive disconnect for handset & speakerphone

• Positive off-hook indicator for speakerphone

• Disable or block access to voice VLAN for downstream port

• Disable web interface

• Disable “settings” button

• Disable SSH access

• FIPS mode (select models)

• Gratuitous ARP rejection

Unified Communications Manager Security – User Credential Policies

• Disallow trivial passwords

• Require minimum length

• Prevent reuse with configurable depth

• Lockout on failed attempts with configurable depth, time span, & duration

• Lockout on inactivity with configurable time span

• Expire after configurable time span

• Expiry warning with configurable time span

• Control frequency of credential modifications with configurable time span

• Force credential modification on next attempt

• Prevent credential modification by user

• Lockout by administrator

• Configurable session timeouts

• SAML Single-Sign-On (SSO)

Unified Communications Manager Security

Encrypted Signaling & Media

• SIP & SCCP Phones

• SIP Video Endpoints

• MGCP, H.323, & SIP Trunks

• TAPI & JTAPI Applications

• Meet-me, ad-hoc, & barge Conferences

• Extension Mobility Cross-Cluster

• Intercluster Lookup Service (ILS)

• Location Bandwidth Manager (LBM)

Secure Interfaces & Protocols

• Web, CLI, CTI, & LDAP

• HTTPS, TLS, SRTP, SSH, SFTP, SLDAP, IPSec, TFTP


UCM Cluster Security Mode

• Non-Secure or Mixed

  • NOT On/Off

• Mixed Mode Requirements:

  • Export Restricted version of UCM

  • CTL File

  • Configured via Windows CTL Client or ‘utils ctl set-cluster’ CLI

Unified Communications Manager Security – Encrypted Signaling & Media (the items listed above) require Mixed Mode

Cluster Security Mode: Feature Tradeoffs (Non Secure Cluster vs Mixed Mode Cluster)

• Auto-registration*

• Signed & Encrypted Phone Configs

• Signed Phone Firmware

• Secure Phone Services (HTTPS)

• CAPF + LSC

• IP VPN Phone

• Secure Endpoints (TLS & SRTP)

* New in 11.5

Hardened Appliance Model – Why is CUCM considered a hardened platform?

• SELinux enforcing mode provides host based intrusion protection

• iptables provides host based firewall

• Third party software installations NOT allowed

• Root account disabled, no other uid=0 accounts

• OS and applications are installed with a single package

• All software updates must be signed packages from Cisco

• Secure Management (HTTPS, SSH, SFTP)

• Audit logging

• Active & Inactive partition architecture – easy to fallback if needed

Balancing Risk

Low – Easy or Default

• Hardened Platform

• SELinux – Host Based Intrusion Protection

• iptables – Integrated Host Firewall

• Signed Firmware & Configuration

• HTTPS

• Separate Voice & Data VLANs

• STP, BPDU Guard, SmartPorts

• Basic Layer 3 ACLs (Stateless)

• Phone Security Settings

Medium – Moderate and Reasonable

• IP VPN Phone

• Secure Directory Integration (SLDAP)

• Encrypted Configuration

• TLS & SRTP for Phones & Gateways

• Trusted Relay Points (TRP)

• QoS Packet Marking

• DHCP Snooping

• Dynamic ARP Inspection

• IP Source Guard, Port Security

High – Advanced or Not Integrated

• UC-Aware Firewall (Inspection)

• Phone Proxy

• IPsec

• Rate Limiting

• Managed VPN (Remote Worker)

• Network Anomaly Detection

• Scavenger Class QoS

• 802.1x & NAC

Axis from Low to High: Cost - Complexity - Resources - Performance - Manpower - Overhead

Eliminate Toll Fraud – How Do Our Customers Prevent Toll Fraud?

• Deny network access to unauthorized users

• Partitions and Calling Search Spaces provide dial plan segmentation and access control

• Device Pool “Calling Search Space for Auto-registration” to limit access to dial plan

• Employ Time of Day routing to deactivate segments of the dial plan after hours

• Require Forced Authorization Codes on route patterns to restrict access on long distance or international calls

• “Drop Ad hoc Conferences” (CallManager Service Parameter)

• “Block OffNet to OffNet transfer” (CallManager Service Parameter)

• Monitor Call Detail Records

• Employ Multilevel Administration

• Voice Gateways: Call Source Authentication (IOS 15.1(2) feature)
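As an added example (not from the deck and not Cisco code), this Python model shows how the dial-plan controls listed above combine: partitions, calling search spaces, time-of-day deactivation of a partition, and forced authorization codes on long-distance and international route patterns. Partition, CSS and pattern names are constructed, and the matching is a simplified approximation of Unified CM's closest-match rule.

```python
import re
from dataclasses import dataclass


@dataclass
class RoutePattern:
    pattern: str                 # Unified CM syntax subset: digits, X, !, [2-9] ranges, '.' discard marker
    partition: str
    requires_fac: bool = False   # Forced Authorization Code demanded before the call is routed


@dataclass
class Partition:
    name: str
    active_hours: tuple = (0, 24)   # time-of-day window [start, end) in hours; (0, 24) = always active


def pattern_to_regex(pattern):
    """Translate a route pattern into a regex; the '.' discard-digit marker does not affect matching."""
    out = "^"
    for ch in pattern:
        if ch == "X":
            out += r"\d"
        elif ch == "!":
            out += r"\d+"
        elif ch in "[]-" or ch.isdigit():
            out += ch
        elif ch in "*#":
            out += re.escape(ch)
        elif ch != ".":
            raise ValueError(f"unsupported pattern character {ch!r}")
    return out + "$"


def specificity(rp):
    """Closest-match approximation: patterns with fewer wildcards are more specific."""
    return ("!" in rp.pattern, rp.pattern.count("X"))


def route(dialed, css, partitions, patterns, hour):
    """Return the route pattern Unified CM would select, or None when the call is blocked.

    Only patterns in partitions listed in the caller's CSS are visible, a partition outside its
    time-of-day window is skipped, the most specific match wins and CSS order breaks ties."""
    candidates = []
    for priority, pname in enumerate(css):
        start, end = partitions[pname].active_hours
        if not start <= hour < end:
            continue                          # segment deactivated after hours
        for rp in patterns:
            if rp.partition == pname and re.match(pattern_to_regex(rp.pattern), dialed):
                candidates.append((specificity(rp), priority, rp))
    if not candidates:
        return None
    return min(candidates, key=lambda c: c[:2])[2]


# Constructed dial plan: long-distance and international segments exist only 08:00-18:00.
PARTITIONS = {p.name: p for p in [
    Partition("PT-Internal"),
    Partition("PT-Local"),
    Partition("PT-LongDistance", (8, 18)),
    Partition("PT-International", (8, 18)),
]}

PATTERNS = [
    RoutePattern("1XXX", "PT-Internal"),
    RoutePattern("9.[2-9]XXXXXX", "PT-Local"),
    RoutePattern("9.1[2-9]XX[2-9]XXXXXX", "PT-LongDistance", requires_fac=True),
    RoutePattern("9.011!", "PT-International", requires_fac=True),
]

CSS = {
    "CSS-AutoReg": ["PT-Internal"],      # device-pool CSS for auto-registration: internal only
    "CSS-Lobby": ["PT-Internal", "PT-Local"],
    "CSS-Staff": ["PT-Internal", "PT-Local", "PT-LongDistance"],
    "CSS-Exec": ["PT-Internal", "PT-Local", "PT-LongDistance", "PT-International"],
}
```

An auto-registered phone can reach internal extensions only, a staff phone reaches long distance during business hours and must supply a FAC, and the same call is blocked after 18:00 because the partition is inactive.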

Collaboration System Release 11.5 Security Update

CSR 11.5 – The Federal Space

Federal Certifications and their Testing Agencies:

• Common Criteria – NIAP (NSA)

• DoD Unified Capability Approved Products List – JITC

• Commercial Solutions for Classified – NSA / CSS

• FedRAMP – 3PAO

Common Criteria Support – CUCM 11.0 Enhancement

• Accepted and supported by 26 Countries Worldwide via Common Criteria Recognition Arrangement (CCRA)

• The following features have been added/modified in CUCM to meet certification requirements for SIP Signaling and Media:

  • Support for ECC (Elliptic Curve Cryptography) for CUCM certificates*. Software features that required modification to support ECC:

    • Self-signed certificates, certificate signing requests (CSR), certificate import and bulk certificate management

    • Certificate Trust List (CTL) and ITL (Initial Trust List)

    • SIP connections

    • CAPF (Certificate Authority Proxy Function)

    • CTI (Computer Telephony Integration)

  • Support configuration download over secure channel – HTTPS

  • New entropy source and entropy management

  • Audit logging as outlined in Network Device Protection Profile

Data Protection

* The certificate manager will support generating ECC certificates that have an EC Key Pair of 256, 384 or 521 bits (https://www.nsa.gov/business/programs/elliptic_curve.shtml)

CSR 11.5 – FIPS 140-2

• FIPS 186-4 Digital Signature Standards: DSA, RSA, ECDSA

• FIPS 180-4 Secure Hash Standards: SHA-1, SHA-256, SHA-384

• FIPS 197 Advanced Encryption Standard: AES-128, AES-256

• NIST SP 800-38 (A-F) AES Block Cipher Modes: CBC, CCM, GCM

• NIST SP 800-52 Selection, Config and Use of TLS Implementations

CSR 11.5 – Encryption Strengths (chart comparing 11.0 and 11.5)

CSR 11.5 – Encryption Strengths (chart comparing 11.0 and 11.5 against the NSA Secret and NSA Top Secret levels)

CSR 11.5 – Robust Security (TOP SECRET)

Enhancements in 11.5

• Auto-registration allowed in mixed mode

• New ECDSA certificates for Tomcat and XMPP

• RSA key sizes increased to 4096 bits

• Configurable SHA2 (512) signed files from TFTP

• Authenticated UDS search

• Configurable form-based authentication for web applications


LSC Enhancements in 11.5

• Certificate Monitoring service monitors LSCs for expiry

• CCMAdmin / BAT “Find & List Phone” page allows search by

  • LSC expiration

  • LSC issued by

  • LSC issuer expires by

• Configurable LSC certificate expiry (CAPF Service Parameter)

• CAPF signs LSCs with SHA2 hash algorithm

For LSCs installed on 11.5 or later only

LSC Expiration Visibility in UCM 11.5 Search & Reporting

Deploying and Handling Certificates & PKI in CUCM

PKI – Public Key Infrastructure

Consists Of…

• Public + Private keypair

  • Private Key remains secret

  • Public Key widely distributed

Allows For…

• Asymmetric key encryption

  • one-way encryption and decryption

• Symmetric key encryption

  • Public Key exchange used to establish shared-secret between two parties

• Message encryption and authentication protocols

Types of Certificates

• Root CA certificate: a self-signed certificate used by a Certificate Authority to sign other certificates.

• Identity certificate: a certificate issued to a specific entity (a device) and signed or issued by a root CA and sometimes also by intermediate CAs.

• Intermediate CA certificate: a certificate signed by a Root CA that in turn can sign other identity certificates.

What’s a Digital Certificate?

X.509 Certificate fields:

• Version

• Serial Number

• Signature Algorithm

• Signature Hash Algorithm

• Issuer

• Valid From

• Valid To

• Subject Name

• Public Key

Sample certificate shown on the slide:

• Serial Number: 63542

• Issued By: Cisco Systems

• Issued To: John Doe (CCIE# 63542)

• Validity: May 4th, 2020 (5/4/20)

Digital Certificates

• Digital passport

• Self-signed or CA-Signed

• Contains the owner’s public key

• Proves the identity of a public key’s owner

Public Key Infrastructure

Certificate File Formats

-----BEGIN CERTIFICATE-----

(Base-64 encoded certificate body omitted)

-----END CERTIFICATE-----

Base-64 encoding

CUCM Certificate Types

• CallManager / CallManager-EC

  • Used for TLS connections to CallManager service (TCP port 5061 for SIP or 2002 for SCCP)

  • Signs TFTP files like configuration files, localization files, etc.

• CAPF

  • Used for TLS connections to CAPF service (TCP port 3804)

  • Signer of the phones’ Locally Significant Certificates (LSC)

• Tomcat

  • Used for HTTPS connections from Web services (TCP port 8443)

• TVS

  • For TLS connections to the TVS service (TCP port 2445)

Certificate Trust Stores

• CallManager Service: CallManager, CallManager-trust

• Tomcat Service: tomcat, tomcat-trust

• CAPF Service: CAPF, CAPF-trust

CUCM Trust Certificate Management

High Level View of a Secure Connection Establishment

Diagram: CUCM and CUBE exchange certificates; each side asks “Do I trust this device?” by checking the peer certificate against its trust-store, and the secure connection proceeds only when the answer is Yes.

Transport Layer Security (TLS)

• Client/Server model: TLS Handshake between Client and Server, application data carried by the TLS Record Protocol

• Application protocol independent

• Uses asymmetric cryptography to authenticate peer identity

• Shared secret negotiation is secure and reliable

TLS connections in Wireshark

• Client: Entity initiating the connection

• Server: Entity receiving the connection

• Wireshark filters:

  • ‘ssl’ – Only packets with SSL data

  • ‘tcp.port == nnn’ – All TCP packets for the connection including SYN, ACK with no data

Certificates in Wireshark

Multi-Server Certificate Support – Simplify Certificate Management In Clustered Environments Of UCM 10.5 And Later

• New option to share a single CA signed certificate across all nodes in a cluster

• Each cluster node’s FQDN included as Subject Alternative Name (SAN) in a single certificate; custom SANs can also be included

• Available for Unified CM (UCM + IM&P) and Unity Connection clusters

• Specifically for Tomcat, CallManager, CallManager-ECDSA, CUP-XMPP & CUP-XMPP-S2S certificate types

Diagram: Unified CM Cluster (UCM nodes and IM&P nodes) with one CA signed Multi-Server Tomcat certificate for the entire cluster
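As an added example (not code from the deck or from Cisco), the following Python checks a cluster certificate the way the X.509 field slide, the LSC expiry-monitoring enhancement and the multi-server SAN slide above describe it: every cluster node FQDN must be present as a DNS Subject Alternative Name, and the Valid To date is turned into a days-to-expiry status. The certificate dict, node FQDNs, serial and dates are constructed; the dict mirrors the layout Python's ssl.SSLSocket.getpeercert() returns, so the same functions apply to a live node.

```python
import ssl
import time

# Constructed sample in the layout ssl.SSLSocket.getpeercert() returns; every value is made up.
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Corp"),),
                (("commonName", "cucm-pub.example.com"),)),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "Example Enterprise CA"),)),
    "version": 3,
    "serialNumber": "0F8A1C",
    "notBefore": "Jan 20 00:00:00 2017 GMT",
    "notAfter": "Jan 20 23:59:59 2019 GMT",
    "subjectAltName": (("DNS", "cucm-pub.example.com"),
                       ("DNS", "cucm-sub1.example.com"),
                       ("DNS", "imp-pub.example.com")),
}

# Hypothetical cluster: UCM publisher, two subscribers and an IM&P node the certificate must cover.
CLUSTER_NODES = ["cucm-pub.example.com", "cucm-sub1.example.com",
                 "cucm-sub2.example.com", "imp-pub.example.com"]

CHECK_TIME = 1541030400  # 2018-11-01 00:00:00 UTC, the constructed "now" for the sample run


def rdn_value(name, key):
    """Pull one attribute (e.g. commonName) out of a getpeercert()-style name tuple."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def missing_sans(cert, nodes):
    """Cluster node FQDNs not covered by a DNS Subject Alternative Name."""
    covered = {value.lower() for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}
    return [node for node in nodes if node.lower() not in covered]


def days_until_expiry(cert, now):
    """Whole days left before notAfter (negative once expired); now is epoch seconds."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((not_after - now) // 86400)


def assess(cert, nodes, now, warn_days=90):
    """What a certificate-monitoring job would report for one cluster certificate."""
    days = days_until_expiry(cert, now)
    if days < 0:
        status = "expired"
    elif days <= warn_days:
        status = "expiring"
    else:
        status = "ok"
    return {
        "subject_cn": rdn_value(cert["subject"], "commonName"),
        "issuer_cn": rdn_value(cert["issuer"], "commonName"),
        "missing_sans": missing_sans(cert, nodes),
        "days_left": days,
        "status": status,
    }


if __name__ == "__main__":
    # Against a live node, replace SAMPLE_CERT with the dict returned by getpeercert() after
    # connecting to TCP 8443 (Tomcat) or 5061 (CallManager) with a verifying SSLContext.
    print(assess(SAMPLE_CERT, CLUSTER_NODES, time.time()))
```

On the sample, the report flags cucm-sub2.example.com as uncovered by the SAN list and the certificate as expiring within 90 days, the two conditions a multi-server certificate rollout and the 11.5 expiry monitoring are meant to catch.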

Endpoint Certificates – Cryptographically assured device identity

• Manufacturing Installed Certificate (MIC)

  • Installed in the factory for Cisco IP Phones

  • Valid for 10 years

  • No certificate revocation support

• Locally Significant Certificates (LSC)

  • Preferred certificate for endpoint identity

  • Endpoint support includes IP Phones, TelePresence, Jabber clients, CIPC

  • LSC signed by CAPF Service running on UCM Publisher

  • LSC supports the same RSA and EC key sizes as Unified CM

  • LSC can be installed, re-issued, deleted in bulk with UCM Bulk Admin Tool

  • LSC signed by CAPF is valid for 5 years, configurable in UCM 11.5

  • Paper process required to track certificate expiration prior to UCM 11.5

(Pictured: Cisco IP Phone 8811, 8841, 8851, 8861)

LSC Revocation Catered for in CUCM 10.X

• Historic Elephant in the room

  • Prior to release 10 what happened if a phone was lost or stolen?

• Offline CA Mode

  • CUCM still can’t revoke LSC but the CA can!

Diagram (Offline CA Mode): (1) CAPF sends the LSC CSR to the external CA; (2) the CA returns the CA Signed LSC (CA LSC:XXXX). When needed, the CA revokes it by serial number (LSC Serial No. XXXX Revoked!); ISE is also shown in the diagram.

Certificate Trust List (CTL) & Initial Trust List (ITL)

Certificate Trust List (CTL) – CTL provides a trust mechanism for Cisco endpoints

• Enabling Mixed Mode to support encrypted signaling and media requires CTL

• Minimum of 2 USB secure tokens required, KEY-CCM-ADMIN-K9= or new KEY-CCM-ADMIN2-K9=

• CTL client produces Certificate Trust List (CTL) file and uploads to CUCM TFTP

• Download the CTL Client from CUCM Admin, install on Windows workstation

• CTL file is downloaded by endpoints and is the basis for endpoint certificate trust

Certificate Trust List (CTL) – New token-less CTL option

• Unified CM 10.0 supports two different methods of building the CTL

  • Classic CTL client, minimum 2 USB tokens required

  • New token-less CTL

• Token-less CTL is activated with admin CLI command (publisher only):

  • utils ctl set-cluster mixed-mode

• CallManager certificate private key is used to sign the CTL, rather than the USB token

  • DRS backup !!!

• Other CTL CLI commands include

  • utils ctl update CTLFile

  • utils ctl set-cluster non-secure-mode

Initial Trust List (ITL) – Security by Default component

• Unlike the CTL file, the ITL file is built automatically when the cluster is installed or upgraded to 8.0+

• Downloaded by phones at boot or reset, after CTL file

• Has the same format as the CTL File

• Does not require eTokens; uses a soft eToken (the CallManager cert private key)

• Static and Dynamic ITL Files are built: ITLFile.tlv (static) and ITLSEPMAC.tlv (dynamic, one per phone MAC address)

Trust Verification Service

• Trust Verification Service (TVS) runs on each CUCM server and authenticates certificates on behalf of the phone

• Provides endpoint trusted certificates scale

• Instead of downloading all the trusted certificates, phones need only to trust TVS

• Up to 3 TVS per phone (primary, secondary and tertiary from CallManager Group)

• No support when failover to SRST by phone

• TVS function relies on SBD enabled and correct TVS certificate in the endpoint’s ITL file

Security by Default Component


Managing Security by Default (SBD) – ITL File Awareness

• ITL file is built by the TFTP service in UCM 8.6+

• TVS service built the ITL file in UCM 8.0 & 8.5

• Each node running TFTP creates a unique ITL

• ITL file is rebuilt when:

  • TFTP Service Restarts

  • Any certificate inside the ITL changes

  • CallManager Group Changes

• IP Phones automatically reset on certificate change (8.6+)

• ITL Signature should always match on endpoint and TFTP server

Securing the Edge with CUBE/SBC

Why does an Enterprise need an SBC?

SESSION CONTROL

• Call Admissions Control

• Trunk Routing

• Ensuring QoS

• Statistics and Billing

• Redundancy/Scalability

INTERWORKING

• SIP - SIP

• H.323 - SIP

• SIP Normalization

• DTMF Interworking

• Transcoding

• Codec Filtering

DEMARCATION

• Fault Isolation

• Topology Hiding

• Network Borders

• L5/L7 Protocol Demarcation

SECURITY

• Encryption

• Authentication

• Registration

• SIP Protection

• Voice Policy

• Firewall Placement

• Toll Fraud

Diagram: Enterprise 1 (IP) – CUBE – SIP – CUBE – Enterprise 2 (IP), carrying Rich Media (real time Voice, Video, Screenshare etc.)

Cisco Unified Border Element – An Integrated Network Infrastructure Service

Session border control features (Note: an SBC appliance would have only these features):

• Address Hiding

• H.323 and SIP interworking

• DTMF interworking

• SIP security

• Transcoding

Additional services integrated on the same router:

• VXML

• SRST

• Unified CM Conferencing and Transcoding

• IP Routing & MPLS

• WAN & LAN Physical Interfaces

• Voice Policy

• TDM Gateway

• PSTN Backup

• FW, IPS, QoS

Note: Some features/components may require additional licensing

CUBE Call Processing

• Actively involved in the call treatment, signaling and media streams

• SIP B2B User Agent: signaling is terminated, interpreted and re-originated

• Provides full inspection of signaling, and protection against malformed and malicious packets

• Media is handled in two different modes: Media Flow-Through and Media Flow-Around

• Digital Signal Processors (DSPs) are required for transcoding (calls with dissimilar codecs)

Media Flow-Around

• Signaling terminated by the Cisco Unified Border Element; media bypasses the Cisco Unified Border Element

Media Flow-Through

• Signaling and media terminated by the Cisco Unified Border Element

• Transcoding and complete IP address hiding require this model

Transitioning to SIP Trunking...

Re-purpose your existing Cisco voice gateways as Session Border Controllers

BEFORE: Enterprise Campus with High-density Dedicated Gateways to the PSTN (SIP/H323/MGCP signaling and media), a TDM PBX, and Enterprise Branch Offices (SRST, CME) reached over MPLS

AFTER: SIP Trunks to the IP PSTN through CUBE with High Availability (Active/Standby CUBE pair); TDM PBX, CME and branch offices (SRST) over MPLS; PSTN is now used only for emergency calls over FXO lines

Steps to transitioning...

• Step 1 – Configure IP PBX to route all calls (HQ and branch offices) to the edge SBC

• Step 2 – Get SIP Trunk details from the provider

• Step 3 – Enable CUBE application on Cisco routers

• Step 4 – Configure call routing on CUBE (Incoming & Outgoing dial-peers)

• Step 5 – Normalize SIP messages to meet SIP Trunk provider’s requirements

• Step 6 – Execute the test plan

Diagram: the AFTER topology (SIP Trunk to IP PSTN via Active/Standby CUBE with High Availability; PSTN used only for emergency calls over FXO lines)

SIP Trunking and Design Deployment Reference Slides

Cisco Session Management & CUBE: Essential Elements for Collaboration

• CUBE provides session border control between IP networks

  • Demarcation

  • Interworking

  • Session control

  • Security

• Cisco SME centralizes network control

  • Centralizes dial plan

  • Centralized applications

  • Aggregates PBXs

Diagram: Video, Mobile, 3rd Party IP PBX, TDM PBX, Cisco B2B and IM, Presence, Voicemail connected through Cisco Session Management, with a SIP TRUNK TO CUBE

CUBE Deployment Scenarios

• SIP Trunks for PSTN Access: SIP, H.323 and TDM on the enterprise side, CUBE to the SP VoIP Services SBC over a SIP Trunk

• Network-based Media Recording Solution: CUBE forks SIP/RTP to MediaSense via the Partner API

• Extending to Video and High Availability for Audio Calls: Active/Standby CUBE pair to the SP IP Network SBC

• IVR Integration for Contact Centers: CUBE with CVP vXML Server and Media Server, SIP to the SP IP Network SBC

• Business to Business Telepresence: CUBE to CUBE/SBC over the SP IP Network (SIP)

Cisco Product Security Awareness

Cisco PSIRT Has Your Back – Product Security Incident Response Team (PSIRT) - www.cisco.com/go/psirt

• Dedicated, global team managing security vulnerability information related to Cisco products and networks

• Responsible for Cisco Security Advisories, Responses and Notices

• Interface with security researchers and hackers

• Assist Cisco product teams in securing products

• Subscribe (RSS or email) to Cisco notification service

Product Security Awareness

• Subscribe/Monitor PSIRT security advisories, responses and notices

• Consult advisory details to understand impact, workarounds, and other details

• Reference linked Cisco Applied Mitigation Bulletins (AMB) when available

• Make preparations to patch systems via upgrade or COP files

• Verify DRS backups available before patching critical systems

Thank you