The Empowered Branch Webinar Deploying Secure Unified Communications in Branch Networks

Presentation Transcript


  1. The Empowered Branch Webinar: Deploying Secure Unified Communications in Branch Networks. Christina Hattingh, Technical Marketing Engineer; Shashi Kiran, Manager, Network Systems Marketing

  2. Agenda
     • Changing Traffic Patterns and Models
     • The Secure UC Framework
     • Securing UC in the Branch or Small Office
     • Security Capabilities on the Cisco Integrated Services Router: Cisco Unified Communications Voice Gateways; Cisco Survivable Remote Site Telephony (SRST); Cisco Unified Communications Manager Express (CME)
     • Summary

  3. Dynamics of Converged Networks
     • 1. Changing Traffic Types: "data" networks now carry Voice, Data and Video (VoIP growth, IP convergence)
     • 2. Changing Traffic Patterns: peer-to-peer traffic, Voice over Wi-Fi
     • 40–60% savings drive VoIP call adoption over traditional phone calls (chart: VoIP calls rising, traditional calls falling over time)
     • Is traditional data security good enough for voice?

  4. Threat Perceptions: threats are similar, attack types vary

  5. Secure Voice Deployment Challenges (Data-Only Network + Voice Network = Converged Voice Network)
     • Disparate security infrastructure (not voice ready)
     • Inadequate knowledge and training
     • Data personnel handling voice threats
     • Protocols, solutions, perceived complexity
     • Multiple voice-capable endpoint types
     • IM + voice + video: media streams, presence information

  6. Secure Unified Communications (diagram: Secure Network, Secure Telephony, Secure Unified Communication)

  7. Building a Secure UC System: the Network as the Platform
     • Infrastructure: secure connectivity and transport
     • Endpoints: authenticated IP phones, soft clients and other devices
     • Call Control: secure protocols for call management features
     • Applications: auto-attendant, messaging, and customer care

  8. Determining Security Policy
     • Don't make security an end in itself: determine the security level needed
     • Rank voice with all data on the network by your business requirements
     • Evaluate whether your existing data security policy is sufficient for voice
     (Diagram: example ranking from high to low: Banking, Oracle, Trading, Billing, POS, Voice/Video, Web Traffic, E-Mail, Directory)

  9. Security Levels and Dimensions (dimensions: Infrastructure, Call Processing, Endpoints, Applications; each level adds cost, complexity, manpower and voice/data integration effort)
     • Base: basic L3 ACLs; VPNs (GET-VPN, DMVPN); separate voice/data VLANs; toll fraud prevention
     • Intermediate: firewall with stateful inspection; Intrusion Protection (IPS); DHCP snooping/rate limiting; phone web access
     • Advanced: firewall with advanced application inspection and encrypted VoIP; encrypted phone configuration files; TLS/SRTP

  10. Cisco Integrated Services Router (ISR) Portfolio for Unified Communications: secure validated designs, lowest TCO, concurrent services and performance
     • Small Office: 2801 (24 phones), 2811 (36 phones); multiple services, extended modular connectivity (EVM, NM, AIM, WIC/VIC)
     • Small Branch: 2821 (48 phones), 2851 (96 phones)
     • Medium to Large Branch: 3825 (336/168 phones), 3845 (720/240 phones); high-density services, modularity with performance optimized for an "all-in-one" solution (HSDM, NM, EVM, AIM, WIC/VIC)
     • Cisco Unity Express: local auto attendant and voice mail system with 12–100 mailboxes, 4–8 sessions, 100 hours of storage

  11. Securing UC in the Branch or Small Office

  12. Integrating Voice Security into a Network (branch office to corporate office)
     • Data Only: Access Lists (ACLs); network access protection; device authentication; firewall; VPN; URL filtering; intrusion protection
     • Unified Communications: expanded ACLs; network access for voice devices; firewall VoIP ALG; toll fraud protection; secure phone downloads; controlled phone web access; digest authentication; secure SRST, CME, voice gateways

  13. Securing the Infrastructure (branch office to campus over PSTN, Internet and WAN)
     • Access: expand ACLs for voice; VoIP firewall ALG
     • Transport: secure LAN transport (VLAN); secure WAN transport (VPN, V3PN, DMVPN, GET VPN)
     • Devices: authenticate voice devices; secure phone downloads

  14. Securing Call Processing
     • PSTN: toll fraud prevention (AA, COR, transfer-patterns, CFW max-length, after-hours exempt, ...); restrict outbound notifications
     • Features: feature access restrictions; digest authentication (Register and Invite)
     • Encryption: Secure SRST; Secure CME; secure voice gateways

  15. Securing the Endpoints
     • Downloads: signed phone firmware images; signed configuration files
     • Authentication: no CME auto-registration; digest authentication (Register)
     • Phone Applications: restrict phone web access; disable Settings button
     • Encryption: phone configuration files; TLS/SRTP

  16. Securing the Applications
     • IP Access: close ports not used by the application; ACLs so access is allowed only from legitimate source IP addresses
     • Administration: secure CME CLI/GUI; secure CUE CLI/GUI
     • Application Access: secure VXML (HTTPS); phone authentication with the application
     • Operational: SFTP for CUE install/upgrade/backup

  17. Secure UC Capabilities on the Cisco Integrated Services Router

  18. Call Processing: Toll Fraud Prevention
     • After-hours exempt blocks all after-hours PSTN calls except where exempt (optional override with PIN per IP phone)
     • Call-forward max-length restricts the maximum number of digits allowed for call-forward destinations on IP phones
     • Transfer-pattern restricts valid transfer destinations to internal extensions
     • Restricting access to the PSTN from the Auto Attendant (AA) and message notification features prevents incoming PSTN calls from being transferred to other PSTN destinations
     (Diagram: an incoming DID call from the PSTN; calls to numbers starting with 91 or 91900, a forward to 19103335555, a transfer to 901191225551234 and an AA transfer back to the PSTN are stopped; a transfer to a valid internal extension is allowed)
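The four controls on this slide are CME `telephony-service`, `ephone-dn` and `ephone` commands. The following is a constructed example added here (not from the webinar); the 2xxx extension range, the schedule, the PIN and the MAC addresses are assumptions.

```cisco
! Constructed CME example (not from the webinar). Extension range 2xxx,
! after-hours schedule, PIN and MAC addresses are assumed values.
telephony-service
 ! Transfers may only land on internal 4-digit extensions beginning with 2
 transfer-pattern 2...
 ! Premium-rate 91900 is blocked at all times (7-24); long-distance 91 is
 ! blocked only during the after-hours window defined below
 after-hours block pattern 1 91900 7-24
 after-hours block pattern 2 91
 after-hours day mon 18:00 08:00
 after-hours day tue 18:00 08:00
 after-hours day wed 18:00 08:00
 after-hours day thu 18:00 08:00
 after-hours day fri 18:00 08:00
 after-hours day sat 00:00 23:59
 after-hours day sun 00:00 23:59
 ! Let a phone with a configured PIN log in to override the block
 after-hours login http
!
ephone-dn 1
 number 2001
 ! Call-forward destinations limited to 4 digits, i.e. internal extensions
 call-forward max-length 4
!
ephone-dn 2
 number 2002
 call-forward max-length 4
!
ephone 1
 mac-address AAAA.BBBB.CCCC
 button 1:1
 ! Reception phone: fully exempt from after-hours blocking
 after-hours exempt
!
ephone 2
 mac-address AAAA.BBBB.CCCD
 button 1:2
 ! Ordinary phone: blocked after hours unless the user logs in with this PIN
 pin 1357
```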

  19. Call Processing and Endpoints: Signaling and Media Encryption (HQ, branches and a gatekeeper across the WAN, each with PSTN access)
     • Signaling authentication and encryption via TLS or IPSec protect voice gateways, endpoints and applications
     • Media encryption using Secure RTP (SRTP)
     • SCCP, MGCP, H.323 and SIP support
     • Voice gateways, CUCM, SRST and Cisco Unity voice mail support

  20. Call Processing and Endpoints: Secure SRST (branch: SRST TLS and SRTP)
     • IP phone calls in SRST mode remain secure
     • Calls are authenticated and encrypted
     • Secure lock icon on the IP phone gives visual confirmation
     • SRST 3.3: Cisco IOS 12.4 with CUCM 4.1(2) or later

  21. Call Processing and Endpoints: Secure CME
     • Call Processing: toll fraud prevention; feature access restrictions; phone authentication and registration
     • Secure Internet Access: firewall; intrusion protection; secure teleworker access via VPN
     • Secure Administration: SSH, HTTPS; SFTP; secure phone downloads
     • Authentication and Encryption (including encrypted wireless AP): phone authentication; signaling and media encryption (TLS/SRTP); X.509 v3 certificates
     • Secure Wireless Devices: phone authentication; signaling and media encryption (TLS/SRTP)

  22. Call Processing and Endpoints: SIP Digest Authentication
     • SIP line-side digest authentication
     • SIP digest authentication between the UA and the SIP server
     • CME 4.0 "no auto-reg-ephone" option rejects registration attempts by IP phones with unknown MAC addresses
     (Diagram: Register (SIP) → 401 with challenge → Register [username, password]; Invite → 401 Unauthorized → Invite [username, password]; a phone with the known MAC AAAA.BBBB.CCCC is admitted, a phone with the unknown MAC BBBB.AAAA.DDDD is rejected)
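Both controls on this slide are a few lines of CME configuration. The following is a constructed example added here (not from the webinar): the MAC addresses are the slide's illustrative values, while the extension, realm and credentials are assumptions.

```cisco
! Constructed CME example (not from the webinar). MAC addresses are the
! slide's illustrative values; extension, realm and credentials are assumed.
telephony-service
 ! CME 4.0: SCCP phones whose MAC is not configured below are refused
 no auto-reg-ephone
!
ephone 1
 mac-address AAAA.BBBB.CCCC
 button 1:1
! A phone with MAC BBBB.AAAA.DDDD has no ephone entry and is rejected
!
! SIP line side: REGISTER is challenged with a 401 and must carry
! digest credentials that match the pool below
voice register global
 mode cme
 authenticate register
 authenticate realm branch.example.com
!
voice register dn 1
 number 2003
!
voice register pool 1
 id mac AAAA.BBBB.CCCE
 number 1 dn 1
 ! Credentials the phone presents in the digest response (assumed values)
 username phone2003 password Ph0ne2003Secret
```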

  23. Infrastructure and Endpoints: Downloads and Secure Web Access (diagram: CME TFTP server and authentication server versus a rogue TFTP server)
     • Downloads: firmware and configurations use TFTP to phones; signed firmware images; signed configuration files; encrypted configuration files
     • Secure Web Access ("Services" button): disable general web access to phones, allowing only authenticated applications; the phone authenticates with the server; the application authenticates with the server

  24. Applications: Securing Administrative Access to CME and CUE (diagram: IOS username/password authenticated against a TACACS/RADIUS server; Telnet/SSH and HTTPS to CME and CUE; Secure FTP to an FTP server)
     • Leverage AAA/RADIUS for router CLI login
     • Secure CLI transport access with SSH
     • Secure GUI transport access with HTTPS (CUE 3.0)
     • CUE user accounts: password/PIN history checking
     • CUE account lockout prevents DoS attacks
     • SFTP for CUE install/upgrade and backup/restore
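The router-side items on this slide (AAA/RADIUS CLI login, SSH, HTTPS) translate to the following IOS configuration, added here as a constructed example that is not from the webinar; the RADIUS server address, shared key, hostname, domain and local fallback account are assumptions.

```cisco
! Constructed IOS example (not from the webinar). Server address, key,
! hostname, domain and the local fallback account are assumed values.
hostname branch-cme
ip domain-name example.com
! Hide locally stored passwords in the running configuration
service password-encryption
!
! CLI logins authenticate against RADIUS, with the local user as fallback
aaa new-model
aaa authentication login default group radius local
radius-server host 10.0.0.5 key RadiusSharedKey
username admin privilege 15 secret LocalFallbackPass
!
! SSH only for CLI access (RSA key generated beforehand with the exec
! command "crypto key generate rsa"); Telnet is not accepted
ip ssh version 2
line vty 0 4
 transport input ssh
 login authentication default
!
! CME GUI over HTTPS only, authenticated through the same AAA method
no ip http server
ip http secure-server
ip http authentication aaa
```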

  25. Cisco ISR Secure Voice Bundles (ladder diagram starting from the Base Router: Voice Bundle, SEC Bundle, VSEC Bundle, HSEC Bundle, V3PN Bundle; increments shown between steps: adds Voice DSP, Cisco IOS SP Services; adds Advanced Security; adds Voice DSP; adds Advanced IP Services; adds Voice DSP, Advanced IP Services; adds Advanced IP Services, VPN AIM; adds VPN AIM)

  26. Summary
     • Align voice and data security policies; secure UC requires incremental voice-specific features
     • Build a layered, tolerant security model; Cisco Secure UC with the Cisco ISR offers multi-layered protection
     • Balance risk avoidance, cost and performance

  27. Resources: Cisco.com/go/ipc, Cisco.com/go/isr, Cisco.com/go/ipcsecurity, Cisco.com/go/cube, Cisco.com/go/netpro

  28. Q&A