ManualsPro Cisco CISCO Unity Connection Unified Communications Manager User Guide

CISCO Unity Connection Unified Communications Manager User Guide

June 15, 2024
Cisco

cisco logo

Securing the Connection between Cisco Unity
Connection, Cisco Unified Communications
Manager, and IP Phones

CISCO Unity Connection Unified Communications Manager

• Securing the Connection between Cisco Unity Connection, Cisco Unified Communications Manager, and IP Phones, on page 1
Securing the Connection between Cisco Unity Connection, Cisco Unified Communications Manager, and IP Phones

Introduction

In this chapter, you would find descriptions of potential security issues related to connections between Cisco Unity Connection, Cisco Unified Communications Manager, and IP phones; information on any actions you need to take; recommendations that helps you make decisions; discussion of the ramifications of the decisions you make; and best practices.

Security Issues for Connections between Unity Connection, Cisco Unified Communications Manager, and IP Phones
A potential point of vulnerability for a Cisco Unity Connection system is the connection between Unity Connection voice messaging ports (for an SCCP integration) or port groups (for a SIP integration), Cisco Unified Communications Manager, and the IP phones.

Possible threats include:

  • Man-in-the-middle attacks (when the information flow between Cisco Unified CM and Unity Connection is observed and modified)
  • Network traffic sniffing (when software is used to capture phone conversations and signaling information that flow between Cisco Unified CM, Unity Connection, and IP phones that are managed by Cisco Unified CM)
  • Modification of call signaling between Unity Connection and Cisco Unified CM
  • Modification of the media stream between Unity Connection and the endpoint (for example, an IP phone or a gateway)
  • Identity theft of Unity Connection (when a non-Unity Connection device presents itself to Cisco Unified CM as a Unity Connection server)
  • Identity theft of the Cisco Unified CM server (when a non-Cisco Unified CM server presents itself to Unity Connection as a Cisco Unified CM server)

CiscoUnifiedCommunicationsManagerSecurityFeaturesforUnity Connection Voice Messaging Ports
Cisco Unified CM can secure the connection with Unity Connection against the threats listed in the Security Issues for Connections between Unity Connection, Cisco Unified Communications Manager, and IP Phones.
The Cisco Unified CM security features that Unity Connection can take advantage of are described in Table 1: Cisco Unified CM Security Features Used by Cisco Unity Connection.

Table 1: Cisco Unified CM Security Features Used by Cisco Unity Connection

Security Feature Description
Signaling authentication The process that uses the Transport Layer Security

(TLS) protocol to validate that no tampering has occurred to signaling packets during transmission.
Signaling authentication relies on the creation of the Cisco Certificate Trust List (CTL) file.
This feature protects against:
• Man-in-the-middle attacks that modify the information flow between Cisco Unified CM and Unity Connection.
• Modification of the call signalling.
• Identity theft of the Unity Connection server.
• Identity theft of the Cisco Unified CM server.
Device authentication| The process that validates the identity of the device and ensures that the entity is what it claims to be. This process occurs between Cisco Unified CM and either Unity Connection voice messaging ports (for an SCCP integration) or Unity Connection port groups (for a SIP integration) when each device accepts the certificate of the other device. When the certificates are accepted, a secure connection between the devices is established. Device authentication relies on the creation of the Cisco Certificate Trust List (CTL) file.
This feature protects against:
• Man-in-the-middle attacks that modify the information flow between Cisco Unified CM and Unity Connection.
• Modification of the media stream.
• Identity theft of the Unity Connection server.
• Identity theft of the Cisco Unified CM server.
Signaling encryption| The process that uses cryptographic methods to protect (through encryption) the confidentiality of all SCCP or SIP signaling messages that are sent between Unity Connection and Cisco Unified CM. Signaling encryption ensures that the information that pertains to the parties, DTMF digits that are entered by the parties, call status, media encryption keys, and so on are protected against unintended or unauthorized access.
This feature protects against:
• Man-in-the-middle attacks that observe the information flow between Cisco Unified CM and Unity Connection.
• Network traffic sniffing that observes the signaling information flow between Cisco Unified CM and Unity Connection.
Media encryption| The process whereby the confidentiality of the media occurs through the use of cryptographic procedures.
This process uses Secure Real Time Protocol (SRTP) as defined in IETF RFC 3711, and ensures that only the intended recipient can interpret the media streams between Unity Connection and the endpoint (for example, a phone or gateway). Support includes audio streams only. Media encryption includes creating a Media Player key pair for the devices, delivering the keys to Unity Connection and the endpoint, and securing the delivery of the keys while the keys are in transport. Unity Connection and the endpoint use the keys to encrypt and decrypt the media stream.
This feature protects against:
• Man-in-the-middle attacks that listen to the media stream between Cisco Unified CM and Unity Connection.
• Network traffic sniffing that eavesdrops on phone conversations that flow between Cisco Unified CM, Unity Connection, and IP phones that are managed by Cisco Unified CM.

Authentication and signaling encryption serve as the minimum requirements for media encryption; that is, if the devices do not support signaling encryption and authentication, media encryption cannot occur.
Cisco Unified CM security (authentication and encryption) only protects calls to Unity Connection. Messages recorded on the message store are not protected by the Cisco Unified CM authentication and encryption features but can be protected by the Unity Connection private secure messaging feature. For details on the Unity Connection secure messaging feature, see the Handling Messages Marked Private and Secure.

Self-encrypting drive

Cisco Unity Connection also supports self-encrypting drives (SED). This is also called Full Disk Encryption (FDE). FDE is a cryptographic method that is used to encrypt all the data that is available on the hard drive.
The data include files, operating system and software programs. The hardware available on the disk encrypts all the incoming data and decrypts all the outgoing data. When the drive is locked, an encryption key is created and stored internally. All data that is stored on this drive is encrypted using that key and stored in the encrypted form. The FDE comprises a key ID and a security key.
For more information, see https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/c/sw/gui/config/guide/2-0 /b_Cisco_UCS_C-series_GUI_Configuration_Guide_201/b_Cisco_UCS_C- series_GUI_Configuration_Guide_201_chapter_010011.html#concept_E8C37FA4A71F4C8F8E1B9B94305AD844.

Security Mode Settings for Cisco Unified Communications Manager and Unity Connection
Cisco Unified Communications Manager and Cisco Unity Connection have the security mode options shown in Table 2: Security Mode Options for voice messaging ports (for SCCP integrations) or port groups (for SIP integrations).

Caution
The Cluster Security Mode setting for Unity Connection voice messaging ports (for SCCP integrations) or port groups (for SIP integrations) must match the security mode setting for the Cisco Unified CM ports.
Otherwise, Cisco Unified CM authentication and encryption fails.

Table 2: Security Mode Options

Setting Effect
Non-secure The integrity and privacy of call-signaling messages are not

ensured because call-signaling messages are sent as clear (unencrypted) text connected to Cisco Unified CM through a non-authenticated port rather than an authenticated TLS port. In addition, the media stream cannot be encrypted.
Authenticated| The integrity of call-signaling messages are ensured because they are connected to Cisco Unified CM through an authenticated TLS port. However, the
privacy of call-signaling messages are not ensured because they are sent as clear (unencrypted) text. In addition, the media stream is not encrypted.
Encrypted| The integrity and privacy of call-signaling messages are ensured because they are connected to Cisco Unified CM through an authenticated TLS port, and the call-signaling messages are encrypted. In addition, the media stream can be encrypted. Both end points must be registered in encrypted mode
for the media stream to be encrypted. However, when one end point is set for non-secure or authenticated mode and the other end point is set for encrypted mode, the media stream are not encrypted. Also, if an intervening device (such as a transcoder or gateway) is not enabled for encryption, the media stream is not encrypted.

Best Practices for Securing the Connection between Unity Connection, Cisco Unified Communications Manager, and IP Phones
If you want to enable authentication and encryption for the voice messaging ports on both Cisco Unity Connection and Cisco Unified Communications Manager, see the Cisco Unified Communications Manager SCCP Integration Guide for Unity Connection Release 12.x, available at
https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/12x/integration/guide/cucm_sccp/b_12xcucintcucmskinny.html

Securing the Connection between Cisco Unity Connection, Cisco Unified Communications Manager, and IP Phones

References

Read User Manual Online (PDF format)

Read User Manual Online (PDF format)  >>

Download This Manual (PDF format)

Download this manual  >>

Cisco User Manuals

cisco Configuring Console Access Instructions
Cisco
cisco HyperFlex HX-Series Data Platform for HCI Instructions
Cisco
CISCO Meraki Cloud Monitoring for Catalyst User Guide
Cisco
CISCO Cloud-Delivered Catalyst SD-WAN Platform User Guide
Cisco
CISCO 60079011 Wi Fi 6 E Access Point User Manual
Cisco
CISCO IP Phone o Through the Normal Startup Process User Guide
Cisco
CISCO Install Enterprise NFVIS Using USB User Guide
Cisco
CISCO NCS 1014 Network Convergence System 1014 Instruction Manual
Cisco
CISCO Set Up Webex User Guide
Cisco
CISCO Webex App User Guide
Cisco
CISCO DNA Center Configure Telemetry User Guide
Cisco
802.11 Parameters for Cisco Access Points User Guide
Cisco
CISCO Nexus 3000 Series NX-OS Verified Scalability Guide Release 9.3 Instruction Manual Product Information
Cisco
CISCO P-LTE-450 Cellular Pluggable Interface Module Configuration User Guide
Cisco
CISCO Nexus 3600 Series NX-OS Verified Scalability Guide Release 9.3 User Guide
Cisco
CISCO Nexus 3000 SeriesNX-OS Verified Scalability Guide Release 9.3 User Guide
Cisco
CISCO Nexus 3000 Series NX-OS Verified Scalability Guide User Guide
Cisco
CISCO Nexus 9804 NX-OS Mode Switch Hardware Installation Guide
Cisco
CISCO Nexus 3548 Series NX-OS Verified Scalability Instructions
Cisco
CISCO 9.0SU Emergency Responder User Guide
Cisco

Related Manuals

ELVITA CTM1612V Front Loading Washing Machine User Guide
ELVITA
Bestway Swimming Pool Steel Pro 305×66 cm Instruction Manual
Bestway
tp-link KS220 Smart WiFi Dimmer Switch User Guide
tp-link
5″ 24V Max Cordless Orbital Sander COS326 User Manual
Empower
dahua L3 Managed PoE Switch User Guide
Dahua
URC LT-3100 Z-Wave Smart Dimmer Owner’s Manual
URC
childcare 036595 Nocto Bassinet Instruction Manual
childcare
Kogan KAWLMCRVLA Lockable Full Motion Caravan TV Mount User Guide
Kogan
HCP Community D22-1528871 HCP Program Assurance Community of Practice User Guide
HCP Community
BRESSER DST-0745 Microscope Instruction Manual
BRESSER
Maestri House EC312 Rechargeable Digital Coffee Scale Instruction Manual
Maestri House
ONFORU LED Smart Strip Lights User Manual
ONFORU
Acrel BM200 Isolated Safety Barrier Instruction Manual
Acrel
TT-BH22 TaoTronics Active Noise Cancelling Wireless Stereo Headphones User Guide
TaoTronics
AQUA OPTIMA AUR001 Instant Hot and Cold Filtered Water Dispenser User Manual
AQUA OPTIMA
DIRTY HAND TOOLS 100983 Counter Rotating Rear Tine Tiller Instruction Manual
DIRTY HAND TOOLS
Logitech MK550 Wireless Wave Combo Keyboard and Mouse Setup Guide
Logitech
Free One FO216 Touch Pen User Guide
Free One
FANATEC QR2 Base Side Type M User Guide
FANATEC
arva Neo BT Pro Avalanche Transceivers User Manual
arva
GE 93986LO Color Choice 300 Count 25 ft Multi Function Color Changing LED Plug In Christmas String Lights Instruction Manual
GE
little tikes 659089C3 Rescue Tales-Year of the OX-Interactive Soft Cuddly Plush Pet Toy User Manual
Little Tikes
Shenzhen Sanerzhi Chuang Technology SE-16S Wireless Earbuds User Manual
Shenzhen Sanerzhi Chuang Technology
ENERLITES 975510-C Stainless Steel Floor Box w TRWR Receptacles Instruction Manual
ENERLITES
Rowenta VR5121 Easy Steam Steam Plant User Guide
Rowenta
TLA CS250 Toasting Paint Speaker User Manual
TLA
GALLAGHER S400 Portable Solar Fence Energizer Instructions
GALLAGHER
BROWIN 340201 Distiller for a Food Processor Cooler Instruction Manual
BROWIN
LENNOX EL072XCSS Heat Pump Air Conditioner Instruction Manual
Lennox
FISHER AND PAYKEL OB60SD9PX2 60cm 9 Function Oven User Guide
FISHER and PAYKEL
Contact Us   Privacy Policy   3.470ms