Securing the Connection between Cisco Unity Connection, Cisco Unified Communications Manager, and IP Phones
Introduction
This chapter provides descriptions of potential security issues related to connections between Cisco Unity Connection, Cisco Unified Communications Manager, and IP phones. It offers information on necessary actions, recommendations for decision-making, discussion of decision ramifications, and best practices.
Security Issues for Connections between Unity Connection, Cisco Unified Communications Manager, and IP Phones
A potential point of vulnerability for a Cisco Unity Connection system lies in the connection between Unity Connection voice messaging ports (for an SCCP integration) or port groups (for a SIP integration), Cisco Unified Communications Manager, and the IP phones.
Possible threats include:
- Man-in-the-middle attacks (when the information flow between Cisco Unified CM and Unity Connection is observed and modified)
- Network traffic sniffing (when software is used to capture phone conversations and signaling information that flow between Cisco Unified CM, Unity Connection, and IP phones managed by Cisco Unified CM)
- Modification of call signaling between Unity Connection and Cisco Unified CM
- Modification of the media stream between Unity Connection and the endpoint (e.g., an IP phone or a gateway)
- Identity theft of Unity Connection (when a non-Unity Connection device presents itself to Cisco Unified CM as a Unity Connection server)
- Identity theft of the Cisco Unified CM server (when a non-Cisco Unified CM server presents itself to Unity Connection as a Cisco Unified CM server)
Cisco Unified Communications Manager Security Features for Unity Connection Voice Messaging Ports
Cisco Unified CM can secure the connection with Unity Connection against the threats listed in the "Security Issues for Connections between Unity Connection, Cisco Unified Communications Manager, and IP Phones" section. The Cisco Unified CM security features that Unity Connection can leverage are detailed in Table 1: Cisco Unified CM Security Features Used by Cisco Unity Connection.
Security Feature | Description |
---|---|
Signaling authentication | The process that uses the Transport Layer Security (TLS) protocol to validate that signaling packets have not been tampered with in transit. Signaling authentication relies on the creation of the Cisco Certificate Trust List (CTL) file. This feature protects against man-in-the-middle attacks that modify the information flow between Cisco Unified CM and Unity Connection, modification of the call signaling, and identity theft of the Unity Connection or Cisco Unified CM server. |
Device authentication | The process that validates the identity of a device and ensures that it is what it claims to be. It takes place between Cisco Unified CM and either Unity Connection voice messaging ports (for an SCCP integration) or Unity Connection port groups (for a SIP integration) when each side accepts the other's certificate; once the certificates are accepted, a secure connection is established. Device authentication relies on the creation of the Cisco Certificate Trust List (CTL) file. This feature protects against man-in-the-middle attacks that modify the information flow between Cisco Unified CM and Unity Connection, identity theft of Unity Connection, and identity theft of the Cisco Unified CM server. |
Signaling encryption | The process that uses cryptographic methods to protect the confidentiality of all SCCP or SIP signaling messages sent between Unity Connection and Cisco Unified CM. Signaling encryption ensures that information about the parties, DTMF digits, call status, media encryption keys, and so on is protected against unintended or unauthorized access. This feature protects against man-in-the-middle attacks, network traffic sniffing of the signaling, and modification of the call signaling. |
Media encryption | The process that protects the confidentiality of the media using the Secure Real-time Transport Protocol (SRTP), as defined in IETF RFC 3711, so that only the intended recipient can interpret the media stream between Unity Connection and the endpoint (for example, a phone or gateway). Only audio streams are supported. Media encryption involves creating a media master key pair for the devices, delivering the keys to Unity Connection and the endpoint, and securing the delivery of the keys while they are in transit. Unity Connection and the endpoint use the keys to encrypt and decrypt the media stream. This feature protects against man-in-the-middle attacks that listen to the media stream and network traffic sniffing of the conversation. |

Authentication and signaling encryption are minimum requirements for media encryption; if the devices do not support them, media encryption cannot occur. Cisco Unified CM security (authentication and encryption) protects only calls to Unity Connection. Messages recorded in the message store are not protected by these features, but they can be protected by the Unity Connection private secure messaging feature. For details, see "Handling Messages Marked Private and Secure."
Self-encrypting drive
Cisco Unity Connection also supports self-encrypting drives (SED), also known as Full Disk Encryption (FDE). FDE is a cryptographic method that encrypts all data on the hard drive, including files, the operating system, and software programs. The drive's own hardware encrypts data as it is written and decrypts it as it is read. When the drive is locked, an encryption key is created and stored internally on the drive, and all stored data is encrypted with this key and kept only in encrypted form. FDE consists of a key ID and a security key.
For more information, see Cisco UCS C-Series GUI Configuration Guide 2.0.
Security Mode Settings for Cisco Unified Communications Manager and Unity Connection
Cisco Unified Communications Manager and Cisco Unity Connection offer the security mode options shown in Table 2: Security Mode Options for voice messaging ports (for SCCP integrations) or port groups (for SIP integrations).
⚠️ The Cluster Security Mode setting for Unity Connection voice messaging ports (for SCCP integrations) or port groups (for SIP integrations) must match the security mode setting for the Cisco Unified CM ports. Otherwise, Cisco Unified CM authentication and encryption fails.
Setting | Effect |
---|---|
Non-secure | Neither the integrity nor the privacy of call-signaling messages is ensured: the messages are sent in clear (unencrypted) text to Cisco Unified CM over a non-authenticated port rather than an authenticated TLS port. In addition, the media stream cannot be encrypted. |
Authenticated | The integrity of call-signaling messages is ensured because they are sent to Cisco Unified CM over an authenticated TLS port. Their privacy is not ensured, however, because the messages themselves are still sent in clear (unencrypted) text. In addition, the media stream is not encrypted. |
Encrypted | Both the integrity and the privacy of call-signaling messages are ensured: the messages are sent to Cisco Unified CM over an authenticated TLS port and are themselves encrypted. In addition, the media stream can be encrypted. Both endpoints must be registered in encrypted mode for the media stream to be encrypted; if one endpoint is in non-secure or authenticated mode and the other is in encrypted mode, the media stream is not encrypted. Likewise, if an intervening device (such as a transcoder or gateway) is not enabled for encryption, the media stream is not encrypted. |
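The security mode table above, and the media-encryption row of Table 1, describe what should be observable on the wire once the modes are configured. The following is an added example (not code from the original page or from Cisco) that audits a SIP integration from a capture: it maps each leg's signaling transport to Non-secure, Authenticated, or Encrypted, parses the SDP offer for the RTP/AVP vs. RTP/SAVP profile and the RFC 4568 `a=crypto` key lines that carry the SRTP master key and salt, and then applies the table's rules (both endpoints encrypted, no non-encrypting device in the path) to decide whether the media is actually encrypted. The sample SDP bodies, TLS cipher names, and the assumption that an authenticated-mode session shows up as a NULL-cipher TLS suite are all constructed for the example; SCCP integrations carry the equivalent key material in Skinny messages rather than SDP and are not handled here.

```python
"""Audit the effective security of a Unity Connection <-> Unified CM <-> phone call
from what is observable on the wire: the SIP signaling transport and the SDP body.
Added example; all sample data below is constructed, not captured from a real system."""
import base64
import re
from dataclasses import dataclass
from typing import Optional

# Standard SIP signaling ports: 5060 (TCP/UDP, clear text) and 5061 (TLS).
SIP_TLS_PORT = 5061


@dataclass
class Leg:
    """One SIP signaling relationship with Unified CM, as seen in a capture."""
    name: str
    signaling_port: int            # destination port of the SIP session
    tls_cipher: Optional[str]      # negotiated suite, None if no TLS handshake seen
    sdp: str                       # SDP body of the offer/answer on this leg
    path_supports_encryption: bool = True  # False if a transcoder/gateway in the path lacks encryption


def signaling_mode(leg: Leg) -> str:
    """Map the observed transport to the Non-secure / Authenticated / Encrypted modes."""
    if leg.tls_cipher is None or leg.signaling_port != SIP_TLS_PORT:
        return "non-secure"
    # Assumption for this example: authenticated mode shows up as TLS with a NULL
    # cipher, i.e. integrity protection but signaling still readable in the capture.
    if "NULL" in leg.tls_cipher.upper():
        return "authenticated"
    return "encrypted"


# RFC 4568 SDES line: a=crypto:<tag> <suite> inline:<base64 key||salt>[|lifetime|MKI]
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:([A-Za-z0-9+/=]+)", re.M)
MEDIA_RE = re.compile(r"^m=audio\s+\d+\s+(RTP/S?AVPF?)\s", re.M)


def parse_sdp_media_security(sdp: str) -> dict:
    """Return the audio transport profile (RTP/AVP = plain RTP, RTP/SAVP = SRTP)
    and the SDES key material the SDP carries."""
    m = MEDIA_RE.search(sdp)
    profile = m.group(1) if m else None
    keys = []
    for tag, suite, b64 in CRYPTO_RE.findall(sdp):
        raw = base64.b64decode(b64)
        # AES_CM_128_HMAC_SHA1_80 concatenates a 16-byte master key and a 14-byte salt.
        keys.append({"tag": int(tag), "suite": suite, "key_salt_len": len(raw)})
    return {"profile": profile, "srtp": profile == "RTP/SAVP", "keys": keys}


def effective_media_security(a: Leg, b: Leg) -> dict:
    """Apply the security mode table's rules to the two legs of one call."""
    modes = {leg.name: signaling_mode(leg) for leg in (a, b)}
    srtp = {leg.name: parse_sdp_media_security(leg.sdp)["srtp"] for leg in (a, b)}
    both_encrypted = all(m == "encrypted" for m in modes.values())
    media_encrypted = (both_encrypted and all(srtp.values())
                       and a.path_supports_encryption and b.path_supports_encryption)
    findings = []
    if modes[a.name] != modes[b.name]:
        findings.append(f"security mode mismatch: {modes}")
    for leg in (a, b):
        if srtp[leg.name] and modes[leg.name] != "encrypted":
            # SDES keys ride inside the signaling; without signaling encryption they are exposed.
            findings.append(f"{leg.name}: SRTP keys offered over {modes[leg.name]} signaling")
        if not leg.path_supports_encryption:
            findings.append(f"{leg.name}: intervening device not enabled for encryption")
    return {"modes": modes, "srtp_offered": srtp,
            "media_encrypted": media_encrypted, "findings": findings}


# --- constructed sample data (dummy key bytes, private addresses) ---
_KEY_SALT_B64 = base64.b64encode(bytes(range(30))).decode()   # 16-byte key + 14-byte salt
SDP_SRTP = ("v=0\r\no=- 1 1 IN IP4 10.0.0.10\r\ns=-\r\nc=IN IP4 10.0.0.10\r\nt=0 0\r\n"
            "m=audio 16384 RTP/SAVP 0 8\r\n"
            f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{_KEY_SALT_B64}\r\n")
SDP_RTP = ("v=0\r\no=- 1 1 IN IP4 10.0.0.20\r\ns=-\r\nc=IN IP4 10.0.0.20\r\nt=0 0\r\n"
           "m=audio 20000 RTP/AVP 0 8\r\n")

UNITY_PORT_GROUP = Leg("unity-port-group", 5061, "ECDHE-RSA-AES256-GCM-SHA384", SDP_SRTP)
PHONE_AUTHENTICATED = Leg("phone-A", 5061, "TLS_RSA_WITH_NULL_SHA", SDP_RTP)
PHONE_ENCRYPTED = Leg("phone-B", 5061, "ECDHE-RSA-AES256-GCM-SHA384", SDP_SRTP)

if __name__ == "__main__":
    for phone in (PHONE_AUTHENTICATED, PHONE_ENCRYPTED):
        print(phone.name, effective_media_security(UNITY_PORT_GROUP, phone))
```

Run against `PHONE_AUTHENTICATED`, the result reports a mode mismatch and `media_encrypted` false even though the Unity Connection port group offered SRTP, which is exactly the one-side-encrypted case the table warns about; against `PHONE_ENCRYPTED` the media is encrypted and there are no findings. The `path_supports_encryption` flag models the transcoder-or-gateway exception in the table.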
Best Practices for Securing the Connection between Unity Connection, Cisco Unified Communications Manager, and IP Phones
To enable authentication and encryption for the voice messaging ports on both Cisco Unity Connection and Cisco Unified Communications Manager, see the Cisco Unified Communications Manager SCCP Integration Guide for Unity Connection Release 14.