#CLUS
Introduction to
Cisco UC Security
Michael Mendoza – Technical Leader Services
Laurent Pham – Technical Marketing Engineer
BRKCOL-2014
Agenda
• UC Security Overview
• PKI and Certificate Fundamentals
• Transport Layer Security and Ciphers
• Certificates in CUCM, Phones and CUBE
• Secure to Non-Secure Interoperability
• Expressway and Mobile and Remote Access
#CLUS
BRKCOL-2014
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
6
Cisco Webex Teams
Questions? Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session.
How:
1. Find this session in the Cisco Events App
2. Click “Join the Discussion”
3. Install Webex Teams or go directly to the team space
4. Enter messages/questions in the team space
Webex Teams will be moderated by the speaker until June 18, 2018.
cs.co/ciscolivebot#BRKCOL-2014
Why UC Security?
Threats specific to UC:
• Toll Fraud
• Denial of Service
• Eavesdropping
• Stealing private and sensitive information
• Impersonation, session replay, media tampering, SPAM…
Organization Security Requirements:
• Compliance and certifications, network access control, encryption policy, password policy, audit logs, vendor security processes…
Cisco Secure Development Lifecycle
www.cisco.com/go/csdl
Multi-Layered Security
Secure Servers
Secure Endpoints
Secure Network
Secure Physical Access
• First line of defense
• Once a user or attacker has physical access to one of the devices in a network, all kinds of problems could occur…
• Action:
  • Secure access to the building
  • Secure access to the Data Center / servers / network devices
Secure VMware access
• Most Cisco Collaboration applications run on top of VMware ESXi.
• A VMware administrator could have elevated permissions over the guest:
  • Mount a CD/DVD image and boot the VM from it to recover/reset the password
  • Access the VMDK (the disk contents) directly
Network Security
• Layer 2/3 Security
  • Separate VLAN for voice and data
  • DHCP Snooping creates a binding table
  • Dynamic ARP Inspection (DAI) examines ARP & GARP for violations (against ARP spoofing)
  • IP Source Guard against spoofed IP addresses
  • Port Security limits the number of MAC addresses allowed per port
  • 802.1x limits network access to authenticated devices on assigned VLANs
  • QoS helps during Denial of Service attacks
• Perimeter Security
  • Firewalls/IPS, ASA with FirePOWER Services
IP Phone Security Features
Security Features
• Signed firmware images (.sbn extension)
• Secure boot (select models)
• Signed config files (<devicename>.cnf.xml.sgn)
• Encrypted config files*
• Endpoint certificates:
  • MIC (Manufacturing Installed Certificate)
  • LSC (Locally Significant Certificate)*
• FIPS mode
* To configure for better security
IP Phone Security Features
Security Features
• Encrypted signaling (mutually authenticated) and media*
• HTTPS web services*
• Hardening. Disable settings if not used: PC port, PC Voice VLAN Access, Gratuitous ARP, Web Access (or at least disable HTTP), Settings button, SSH, console…
• 802.1X supplicant*
• Positive off-hook indicator
• Lock icon
* To configure for better security
Unified Communications Manager Security
Hardened Platform
• Host Based Intrusion Protection (SELinux)
• Host based firewall (IPTables)
• No 3rd party software allowed
• OS and applications are installed with a single package
• Root account disabled
• Signed upgrade software
• Secure management protocols
• FIPS, Enhanced Security, Common Criteria modes available
Unified Communications Manager Security
Security Features
• Certificate Management Features (notification of certificate expiration, multi-SAN certificates)
• TLS version control, cipher strength control for SIP and SRTP
• Passwords not stored in clear
• Encrypted Backups
• Built-in CA (CAPF)
• Audit Logging

Audit log example: Authentication Failure
  16:10:32.908 |LogMessage UserID : administrator ClientAddress : 10.10.10.100 Severity : 4 EventType : UserLogging ResourceAccessed: Cisco CallManager Administration EventStatus : Failure CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : Cisco CCM Application AuditDetails : Failed to Log into Cisco CCM Webpages App ID: Cisco Tomcat Cluster ID: Node ID: cucm-pub

Audit log example: Phone Added
  16:13:48.823 |LogMessage UserID : administrator ClientAddress : 10.10.10.100 Severity : 5 EventType : DeviceUpdate ResourceAccessed: CUCMAdmin EventStatus : Success CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : Cisco CUCM Administration AuditDetails : New Phone added with MAC address=AAAABBBBCCCC , CAL mode=< None > and CAL value=< None > App ID: Cisco Tomcat Cluster ID: Node ID: cucmpub
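The audit records above are flat "Key : Value" sequences whose values contain spaces and colons, so they cannot be split on ':' alone. The following is an added example (not Cisco code and not part of the deck) that parses such records by splitting on the known field names and then counts failed Cisco CallManager Administration logins per source address, the kind of check a SOC would run over this log. The first two records are the slide's own, joined onto one line each; the third is a constructed extra failure so the threshold fires.

```python
"""Parse CUCM audit-log records and flag repeated web-login failures per source.

Added example for this deck, not Cisco code. The first two records are the
ones printed on the slide (joined onto one line each); the third is a
constructed extra failure from the same address to exercise the threshold.
"""
import re
from collections import Counter

# Known field names in a CUCM audit record. Values contain spaces and even
# colons (URLs, "Cisco CallManager Administration"), so the record is split
# on the next known key rather than on every ':'.
FIELDS = [
    "UserID", "ClientAddress", "Severity", "EventType", "ResourceAccessed",
    "EventStatus", "CompulsoryEvent", "AuditCategory", "ComponentID",
    "AuditDetails", "App ID", "Cluster ID", "Node ID",
]
_KEY_RE = re.compile(r"\b(" + "|".join(re.escape(k) for k in FIELDS) + r")\s*:\s*")

SAMPLE_LINES = [
    "16:10:32.908 |LogMessage UserID : administrator ClientAddress : 10.10.10.100 Severity : 4 "
    "EventType : UserLogging ResourceAccessed: Cisco CallManager Administration EventStatus : "
    "Failure CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : Cisco "
    "CCM Application AuditDetails : Failed to Log into Cisco CCM Webpages App ID: Cisco "
    "Tomcat Cluster ID: Node ID: cucm-pub",
    "16:13:48.823 |LogMessage UserID : administrator ClientAddress : 10.10.10.100 Severity : 5 "
    "EventType : DeviceUpdate ResourceAccessed: CUCMAdmin EventStatus : Success "
    "CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : Cisco CUCM "
    "Administration AuditDetails : New Phone added with MAC address=AAAABBBBCCCC , CAL "
    "mode=< None > and CAL value=< None > App ID: Cisco Tomcat Cluster ID: Node ID: cucmpub",
    # constructed: a second failed login from the same workstation
    "16:10:41.117 |LogMessage UserID : administrator ClientAddress : 10.10.10.100 Severity : 4 "
    "EventType : UserLogging ResourceAccessed: Cisco CallManager Administration EventStatus : "
    "Failure CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : Cisco "
    "CCM Application AuditDetails : Failed to Log into Cisco CCM Webpages App ID: Cisco "
    "Tomcat Cluster ID: Node ID: cucm-pub",
]

def parse_record(line: str) -> dict:
    """Return the fields of one LogMessage line as a dict (plus the timestamp)."""
    timestamp, _, body = line.partition("|LogMessage")
    record = {"timestamp": timestamp.strip()}
    parts = _KEY_RE.split(body)            # ['', key1, value1, key2, value2, ...]
    for key, value in zip(parts[1::2], parts[2::2]):
        record[key] = value.strip()
    return record

def failed_logins_by_source(lines, threshold: int = 2) -> dict:
    """Count failed web logins per ClientAddress; return sources at or above threshold."""
    failures = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec.get("EventType") == "UserLogging" and rec.get("EventStatus") == "Failure":
            failures[rec.get("ClientAddress", "unknown")] += 1
    return {src: n for src, n in failures.items() if n >= threshold}

if __name__ == "__main__":
    for src, n in failed_logins_by_source(SAMPLE_LINES).items():
        print(f"{n} failed CUCM Administration logins from {src}")
```

The threshold of two is only a demonstration value; in production the same parser would feed a SIEM rule keyed on ClientAddress and UserID over a time window.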
Unified Communications Manager Security
Secure Protocols (figure)
• SIP Trunks
• SIP & SCCP Registration
• MGCP (with IPsec)
• H.323 (with IPsec)
• SLDAP
• TAPI & JTAPI
• Media Resources
• LBM
• ILS
Cluster Security Modes
Feature                          | Non Secure Cluster | Mixed Mode Cluster
Auto-registration                | Yes                | Yes (new in 11.5)
Signed & Encrypted Phone Configs | Yes                | Yes
Signed Phone Firmware            | Yes                | Yes
Secure Phone Services (HTTPS)    | Yes                | Yes
CAPF + LSC                       | Yes                | Yes
IP VPN Phone                     | Yes                | Yes
Encrypted SIP Trunk              | No                 | Yes
Secure Endpoints (TLS & SRTP)    | No                 | Yes
CUCM Cluster Security Mode
• The cluster is either Non-Secure or Mixed (figure: the two modes)
• Security is NOT an On/Off switch: Non-Secure mode already has Security by Default (signed firmware, ITL), Mixed mode adds TLS/SRTP for endpoints and trunks
Mixed Mode Requirements:
• Export Restricted version of UCM
• 11.5(1)SU3+: Encryption License
• 12.0: Export-controlled Functionality allowed
Expressway Security
Hardened Platform
• Host based firewall (IPTables)
• Host Based Intrusion Protection (disabled by default)
• 3rd party software installation NOT allowed
• OS and applications are installed with a single package
• Secure management protocols
• FIPS mode
• Audit logging
• Hardening: Disable unnecessary protocols, configure host-based firewall rules and host-based Intrusion Protection, monitor events
Expressway Security
Security Features (figure: Expressway-C in the authenticated zone, a Traversal Zone to Expressway-E, and the non-authenticated zone towards the Internet)
• Call Policy (CPL) Rules
• Granular TLS version control and cipher control
• Media encryption policy
• TLS certificate verification policy (TLS verify)
CUBE / IOS Security
voice service voip
 ip address trusted list
  ipv4 10.1.1.10
  ipv4 66.66.66.66
Security Features
• IP Trust List: Don’t respond to any SIP INVITEs not originated from an IP address specified in this trust list
• Call Threshold: Protect against CPU, Memory & Total Call spikes
• Call Spike Protection: Protect against a spike of INVITE messages within a sliding window
• Bandwidth Based CAC: Protect against excessive media
• Media Policing: Protect against negotiated bandwidth overruns and RTP floods
• NBAR policies: Protect against overall SIP and RTP flood attacks from otherwise “trusted” sources
• Voice Policies: Identify patterns of valid phone calls that might suggest potential abuse
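To make the first two protections concrete, here is an added example (not CUBE code, and not from the deck) that models them in Python: INVITEs from sources outside the trusted list are dropped without a response, and accepted INVITEs are rate-limited over a sliding window in the spirit of CUBE's call-spike protection. The trusted addresses are the two from the configuration above; the INVITE stream is constructed sample data, and the window model is a simplification of the real `call spike` counters.

```python
"""Model two CUBE protections from the slide: the SIP IP trust list and
call-spike protection over a stream of INVITEs.

Added example, not CUBE code. The trusted addresses are the two from the
slide's 'ip address trusted list'; the INVITE stream (timestamp in ms,
source IP) is constructed. Real CUBE counts spikes per its 'call spike'
configuration; the sliding window here is a simplified model of that.
"""
import ipaddress
from collections import deque

TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.1.1.10/32", "66.66.66.66/32")]

SAMPLE_INVITES = [   # (ms since start, source IP); constructed
    (0, "10.1.1.10"), (100, "10.1.1.10"), (200, "192.0.2.5"), (300, "66.66.66.66"),
    (400, "10.1.1.10"), (500, "10.1.1.10"), (1300, "10.1.1.10"),
]

def is_trusted(src_ip: str) -> bool:
    """'ip address trusted list': INVITEs from unlisted sources are ignored outright."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in TRUSTED_NETWORKS)

class CallSpikeGuard:
    """Allow at most max_invites INVITEs in any window_ms sliding window."""
    def __init__(self, max_invites: int, window_ms: int):
        self.max_invites, self.window_ms = max_invites, window_ms
        self._accepted = deque()        # timestamps of accepted INVITEs inside the window

    def allow(self, now_ms: int) -> bool:
        # drop timestamps that have aged out of the window, then check the count
        while self._accepted and now_ms - self._accepted[0] >= self.window_ms:
            self._accepted.popleft()
        if len(self._accepted) >= self.max_invites:
            return False
        self._accepted.append(now_ms)
        return True

def process_invites(invites, max_invites: int = 3, window_ms: int = 1000) -> list:
    """Return one verdict per INVITE: accepted, dropped:untrusted or rejected:spike."""
    guard = CallSpikeGuard(max_invites, window_ms)
    verdicts = []
    for ts_ms, src in invites:
        if not is_trusted(src):
            verdicts.append("dropped:untrusted")     # no SIP response at all
        elif not guard.allow(ts_ms):
            verdicts.append("rejected:spike")
        else:
            verdicts.append("accepted")
    return verdicts

if __name__ == "__main__":
    for (ts, src), verdict in zip(SAMPLE_INVITES, process_invites(SAMPLE_INVITES)):
        print(f"t={ts:5d}ms  {src:14s}  {verdict}")
```

Untrusted sources are checked before the spike counter so that a flood from an unlisted address cannot consume the budget of legitimate peers.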
Toll Fraud Prevention - CUCM
• Partitions and Calling Search Spaces provide dial plan segmentation and access control
• “Block offnet to offnet transfer” (CallManager service parameter)
• “Drop Ad hoc Conferences” (CallManager service parameter)
• Device Pool “Calling Search Space for Auto-registration” to limit access to the dial plan
• Employ Time of Day routing to deactivate segments of the dial plan after hours
• Require Forced Authorization Codes on route patterns to restrict access to long distance or international calls
• Monitor Call Detail Records
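Monitoring CDRs is the detective control behind the preventive ones above. As an added example (not Cisco code, not part of the deck), the script below reads a constructed CUCM-style CDR CSV and flags extensions that place several international calls outside business hours, the classic toll-fraud signature. The field names follow the CUCM CDR export (dateTimeOrigination is Unix epoch seconds); the dial-plan prefix 9011 and the 07:00-19:59 UTC working window are assumptions and would be adapted to the site.

```python
"""Flag toll-fraud indicators in CUCM call detail records (CDR).

Added example, not Cisco code. The CDR rows are constructed; field names
follow the CUCM CDR CSV export (dateTimeOrigination is Unix epoch seconds).
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: extension 2001 places three international calls around
# midnight UTC; extension 2002 places one domestic call in the afternoon.
SAMPLE_CDR = """cdrRecordType,callingPartyNumber,finalCalledPartyNumber,dateTimeOrigination,duration
1,2001,9011252123456789,1529280000,420
1,2001,9011252123456790,1529280120,380
1,2001,9011252123456791,1529280240,395
1,2002,4085551212,1529337600,60
"""

INTERNATIONAL_PREFIX = "9011"    # assumed NANP dial plan: 9 for outside line, 011 international
BUSINESS_HOURS = range(7, 20)    # assumed working window, 07:00-19:59 UTC

def parse_cdr(text: str) -> list:
    """Parse the CSV export into dicts with numeric time and duration."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["dateTimeOrigination"] = int(row["dateTimeOrigination"])
        row["duration"] = int(row["duration"])
        rows.append(row)
    return rows

def is_after_hours(epoch_seconds: int) -> bool:
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc).hour not in BUSINESS_HOURS

def suspicious_callers(rows: list, min_calls: int = 2) -> dict:
    """Extensions with at least min_calls after-hours international calls, with the count."""
    counts = defaultdict(int)
    for row in rows:
        international = row["finalCalledPartyNumber"].startswith(INTERNATIONAL_PREFIX)
        if international and is_after_hours(row["dateTimeOrigination"]):
            counts[row["callingPartyNumber"]] += 1
    return {ext: n for ext, n in counts.items() if n >= min_calls}

if __name__ == "__main__":
    for ext, n in suspicious_callers(parse_cdr(SAMPLE_CDR)).items():
        print(f"extension {ext}: {n} after-hours international calls")
```

In practice the same logic would also compare each extension against its own historical volume, since a compromised voicemail box or auto-attendant often shows up first as a change in pattern rather than as a single bad number.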
Toll Fraud Prevention
Unity Connection
• Unity Connection could be used to transfer a call
• Use restriction tables to allow or block call patterns
• Change the Rerouting CSS on the trunk on the CUCM side
CUBE
• Use the IP Trust List:
  voice service voip
   ip address trusted list
    ipv4 10.10.1.10
    ipv4 66.66.66.66
Expressway
• Call Policy Rules (CPL)
• Check Search History
Balancing Risk
Cost - Complexity - Resources - Performance - Manpower - Overhead

Low (Easy or Default)                      | Medium (Moderate and Reasonable)      | High (Advanced or Not Integrated)
Hardened Platform                          | IP VPN Phone                          | UC-Aware Firewall (Inspection)
SELinux – Host Based Intrusion Protection  | Secure Directory Integration (SLDAP)  | TLS Proxy
iptables - Integrated Host Firewall        | Encrypted Configuration               | IPsec
Signed Firmware & Configuration            | TLS & SRTP for Phones & Gateways      | Rate Limiting
HTTPS                                      | Trusted Relay Points (TRP)            | Managed VPN (Remote Worker)
Separate Voice & Data VLANs                | QoS Packet Marking                    | Network Anomaly Detection
STP, BPDU Guard, SmartPorts                | DHCP Snooping                         | Scavenger Class QoS
Basic Layer 3 ACL’s (Stateless)            | Dynamic ARP Inspection                | 802.1x & NAC
Phone Security Settings                    | IP Source Guard, Port Security        |
PKI and Certificate Fundamentals
What’s a Digital Certificate?
(figure: an X.509 certificate compared with an ID card. The card reads Issued To: John Doe, Issued By: Cisco Systems, Serial Number: 63542, Validity: May 4th, 2020. The certificate carries the matching fields: Version, Signature Algorithm, Signature Hash Algorithm, Issuer, Valid From, Valid To, Serial Number, Subject Name, Public Key.)
Public Key Infrastructure
• Provides a uniform way for different organizations to identify people or other entities through X.509 identity certificates containing public keys.
• These certificates and keys can be used through secured connections (TLS/SSL) to positively establish the identity of the entities on the connection.
(figure legend: Private Key, Public Key, Certificate Authority)
Certificate Authority and PKI
(figure: Alice’s plaintext “abcde fghijk lmnop qrstuv” is encrypted with one key of a key pair into ciphertext bits and decrypted by Bob with the other key; the Certificate Authority vouches for which public key belongs to whom.)
Digital Certificates
Certificate properties: the issuer identity & signature, and the subject identity, key & attributes.

  Certificate:
      Data:
          Version: 3 (0x2)
          Serial Number: 6 (0x6)
          Signature Algorithm: sha1WithRSAEncryption
          Issuer: CN=root, OU=ca, O=cisco
          Validity
              Not Before: Mar 25 10:46:17 2013 GMT
              Not After : Mar 25 10:46:17 2014 GMT
          Subject: CN=router, OU=TAC, O=Cisco, C=BE
          Subject Public Key Info:
              Public Key Algorithm: rsaEncryption
                  Public-Key: (1024 bit)
                  Modulus:
                      00:c2:e5:4d:45:50:8b:18:86:45:ca:b6:b2:f0:f1:
                      [...]
                      36:c2:16:ca:a2:df:ac:8e:3d
                  Exponent: 65537 (0x10001)
          X509v3 extensions:
              X509v3 Basic Constraints:
                  CA:FALSE
              X509v3 Key Usage:
                  Digital Signature, Non Repudiation, Key Encipherment
      Signature Algorithm: sha1WithRSAEncryption
          03:65:af:30:c5:8d:e4:45:b1:00:1b:4f:e0:22:8b:ef:3b:d3:
          [...]
          c3:5d:37:ac

Note that this sample (an openssl x509 -text dump) is an older certificate: the SHA-1 signature and 1024-bit RSA key it shows should not be used for new certificates; use SHA-256 and at least 2048-bit RSA (or ECDSA).
Types of Certificates
• Root CA Certificates: Self-signed certificates used by Certificate Authorities to sign other certificates.
• Intermediate CA Certificates: Certificates signed by a Root CA that in turn can sign other identity certificates.
• Identity Certificates: Certificates issued to a specific entity (a device) and signed or issued by a root CA and sometimes also by intermediate CAs.
Certificate Trust Chain
(figure) The Root Certificate signs the Intermediate Certificate(s), which sign the Identity Certificate. The chain from the identity back to the root is the trust chain. Root CA public certificates must be stored in the clients’ trust store(s).
Generating Certificate Signing Request (CSR)
(figure: the CSR is generated on the server and sent to the Certificate Authority)
CA-signed Certificate Trust Chain
(figure: the Certificate Authority returns the signed identity certificate together with its trust chain)
Self-Signed vs. CA-Signed
(figure: with self-signed certificates every peer must hold every other peer’s certificate; what if we add another cluster?)
(figure: with a Certificate Authority, peers only need the CA’s certificate in their trust store)
Multi-Server Certificate Support
Unified CM Cluster: one CA-signed Multi-Server certificate for the entire Unified CM cluster
• To simplify certificate management in clustered environments
• One single CA-signed certificate and private key pushed automatically across all nodes in a cluster
• Each cluster node’s FQDN included as Subject Alternative Name (SAN) in a single certificate; custom SANs can also be included
Recommendation: Use Multi-Server certificates wherever available: Tomcat/Tomcat-ECDSA for Unified CM/IM&P and CUC, CallManager, CUP-XMPP, CUP-XMPPS2S
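A multi-server certificate only works if every node's FQDN really is in the SAN list; a subscriber added after the CSR was generated is not covered until the certificate is regenerated. The following added example (not Cisco code, not part of the deck) implements the DNS-ID matching a TLS client performs (case-insensitive, one wildcard allowed in the leftmost label only) and checks a certificate against a list of cluster nodes. The certificate is a constructed dict in the shape Python's `ssl.SSLSocket.getpeercert()` returns; the node names are hypothetical.

```python
"""Check that a multi-server (multi-SAN) certificate covers each cluster node.

Added example, not Cisco code. The certificate is a constructed dict in the
shape returned by Python's ssl.SSLSocket.getpeercert(); node names are
hypothetical.
"""

def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125-style DNS-ID match: case-insensitive, wildcard only as the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # '*.example.com' matches one label; refuse '*.com' and wildcards inside a label
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]

def san_dns_names(cert: dict) -> list:
    """DNS entries of the subjectAltName extension (the CN is ignored, as modern clients do)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def covered_nodes(cert: dict, nodes) -> dict:
    """Map each node FQDN to whether one of the certificate's SANs matches it."""
    names = san_dns_names(cert)
    return {node: any(_dns_match(name, node) for name in names) for node in nodes}

def missing_nodes(cert: dict, nodes) -> list:
    """Nodes that would fail hostname verification against this certificate."""
    return [node for node, ok in covered_nodes(cert, nodes).items() if not ok]

# Constructed certificate: the multi-server CSR was generated before cucm-sub2 joined.
MULTI_SERVER_CERT = {
    "subject": ((("commonName", "cucm-ms.example.com"),),),
    "subjectAltName": (
        ("DNS", "cucm-ms.example.com"), ("DNS", "cucm-pub.example.com"),
        ("DNS", "cucm-sub1.example.com"), ("DNS", "imp1.example.com"),
    ),
}
CLUSTER_NODES = ["cucm-pub.example.com", "cucm-sub1.example.com", "cucm-sub2.example.com"]

if __name__ == "__main__":
    for node in missing_nodes(MULTI_SERVER_CERT, CLUSTER_NODES):
        print(f"{node}: not in SAN, regenerate the multi-server certificate")
```

Run this before and after adding a node: a node reported as missing will register to TFTP fine (that path does not use Tomcat) but browsers and Jabber will refuse its HTTPS services until the certificate is reissued.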
Public vs Private Certificate Authorities
Private CA
Pros:
• No additional costs involved
• More scalable
• More granular access control to resources
• Easier key usage customization
• Faster to get new certificates
Cons:
• More difficult to install and maintain trust relationships between devices
• May require an expert for large scale environments
• Identity cannot be validated over the Internet

Public CA
Pros:
• Identity can be validated on the Internet
• Easier to maintain for fewer devices
Cons:
• Costs can be very high
• Strict requirements for CSR
• Difficult to scale
• Limited and costly customization
• Some CAs can take days to provide new signed certificates
Certificate Re-used on Multiple Nodes
• Some products allow generating one private key / certificate and importing them manually on several nodes.
• Available with Cisco Meeting Server, Expressway, …
Transport Layer Security and Ciphers
TLS Session Establishment (TLS 1.2 handshake)
Client                        Server
ClientHello            -->
                       <--    ServerHello
                       <--    Certificate
                       <--    ServerKeyExchange
                       <--    ServerHelloDone
ClientKeyExchange      -->
[ChangeCipherSpec]     -->
Finished               -->
                       <--    [ChangeCipherSpec]
                       <--    Finished
TLS Established
TLS Session Establishment - Mutual TLS
Client                        Server
ClientHello            -->
                       <--    ServerHello
                       <--    Certificate
                       <--    ServerKeyExchange
                       <--    CertificateRequest (MTLS)
                       <--    ServerHelloDone
Certificate (MTLS)     -->
ClientKeyExchange      -->
CertificateVerify (MTLS) -->
[ChangeCipherSpec]     -->
Finished               -->
                       <--    [ChangeCipherSpec]
                       <--    Finished
TLS Established
Deconstructing the Cipher Suite
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• Key Exchange: ECDHE, Elliptic Curve Diffie-Hellman Ephemeral (a fresh key pair per session, giving forward secrecy)
• Signature Algorithm: RSA, Rivest-Shamir-Adleman (the server proves possession of the certificate’s private key)
• Bulk Encryption: AES 128 GCM, Advanced Encryption Standard with a 128-bit key in Galois/Counter Mode (an AEAD mode, so the cipher also authenticates each record)
• Hash: SHA256, SHA-2 with a 256-bit digest. The number is the digest size, not a key size; in a GCM suite it is the PRF used for key derivation rather than a separate HMAC
Cipher Suites Support
• CUCM 10.5(2): Added SIP support of
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  and SRTP support of AEAD_AES_256_GCM and AEAD_AES_128_GCM
• CUCM 11.0: Added SIP support on CUCM for
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 and
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
• CUCM 11.5: Added HTTPS support for ECDSA based cipher suites
• 3DES being removed in CUCM 11.5(1)SU4+ and CUCM 12.0(1)SU2+ (for TLS and SSH)
TLS v1.2
• More secure version
• Supports stronger ciphers
• May be required for security or compliance reasons
• Requirements:
  • TLS 1.2 support on both ends of the connection
  • Ability to disable TLS 1.1, 1.0, SSL 3.0 and lower protocols
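The two preceding slides can be turned into a checklist a tool can apply. The added example below (not Cisco code, not from the deck) parses IANA cipher-suite names into the components described under "Deconstructing the Cipher Suite", reports the weaknesses behind the 3DES removal and the move to ECDHE/GCM, and builds a Python `ssl` context that enforces the TLS v1.2 "Requirements" (minimum TLS 1.2, only ECDHE with AES-GCM). The weakness rules are conventional assumptions of mine, not a Cisco policy; the cipher string uses OpenSSL's own list syntax.

```python
"""Deconstruct IANA cipher-suite names and build an ssl context that matches
the deck's recommendations (TLS 1.2 minimum, ECDHE + AES-GCM, no 3DES).

Added example, not Cisco code. Suite names come from the slides; the weak-
component rules are a conventional assumption, not a Cisco policy.
"""
import re
import ssl

# TLS_<kx>[_<auth>]_WITH_<cipher>_<hash>; TLS 1.3 names (TLS_AES_...) have no WITH and are rejected
_SUITE_RE = re.compile(
    r"^TLS_(?P<kx>[A-Z]+)(?:_(?P<auth>RSA|ECDSA|DSS|anon))?_WITH_"
    r"(?P<cipher>.+)_(?P<hash>SHA256|SHA384|SHA|MD5)$"
)

WEAK_BULK = {
    "3DES": "3DES (64-bit block, Sweet32)",
    "RC4": "RC4 (biased keystream)",
    "DES": "single DES (56-bit key)",
    "NULL": "NULL cipher (no encryption)",
}

def parse_suite(name: str) -> dict:
    """Split a TLS 1.2-style suite name into key exchange, auth, bulk cipher and hash."""
    m = _SUITE_RE.match(name)
    if not m:
        raise ValueError(f"not a TLS 1.2-style suite name: {name}")
    kx, auth, cipher, prf = m.group("kx"), m.group("auth"), m.group("cipher"), m.group("hash")
    tokens = cipher.split("_")                        # e.g. ['AES', '128', 'GCM']
    bits = next((int(t) for t in tokens if t.isdigit()), None)
    mode = tokens[-1] if tokens[-1] in ("GCM", "CBC", "CCM") else None
    return {
        "key_exchange": kx,
        "authentication": auth or kx,                  # TLS_RSA_WITH_...: static RSA does both
        "bulk": tokens[0],
        "bits": bits,
        "mode": mode,
        "aead": mode in ("GCM", "CCM") or "POLY1305" in cipher,
        "hash": prf,                                   # PRF for AEAD suites, HMAC hash otherwise
        "forward_secrecy": kx in ("ECDHE", "DHE"),
    }

def weaknesses(name: str) -> list:
    """Human-readable reasons a suite should not be offered; empty list means acceptable."""
    s = parse_suite(name)
    reasons = []
    if s["bulk"] in WEAK_BULK:
        reasons.append(WEAK_BULK[s["bulk"]])
    if s["hash"] == "MD5":
        reasons.append("MD5 HMAC")
    elif s["hash"] == "SHA" and not s["aead"]:
        reasons.append("SHA-1 HMAC over CBC (no AEAD)")
    if not s["forward_secrecy"]:
        reasons.append("no forward secrecy (static key exchange)")
    if s["bits"] is not None and s["bits"] < 128:
        reasons.append(f"{s['bits']}-bit key")
    return reasons

def hardened_client_context() -> ssl.SSLContext:
    """Context meeting the slide's requirements: TLS 1.2 minimum, ECDHE + AES-GCM only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # refuses SSL 3.0, TLS 1.0 and TLS 1.1
    ctx.set_ciphers("ECDHE+AESGCM:!3DES:!RC4:!aNULL:!MD5")
    return ctx

def negotiable_tls12_ciphers(ctx: ssl.SSLContext) -> list:
    """OpenSSL names of the pre-TLS 1.3 suites the context will offer."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

if __name__ == "__main__":
    for suite in ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"):
        print(suite, "->", weaknesses(suite) or "OK")
    print(negotiable_tls12_ciphers(hardened_client_context()))
```

Note that OpenSSL names differ from IANA names (ECDHE-RSA-AES128-GCM-SHA256 versus TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256); the parser works on the IANA form that CUCM and Expressway show in their cipher configuration pages.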
TLS v1.2 Support
(The slide rates each product on three columns, Supports TLS 1.2, Disable TLS 1.0 and Disable TLS 1.1, and gives the release or status in a Notes column.)
Product | Notes
CUCM/IM&P, UCxn, CER, PLM*, PCD, TMS, secure CUBE (G2/G3) | System Release 12 and earlier (e.g. backport to 11.5)
Other infrastructure (CMS, Conductor, TP Server, Expressway, Contact Center, PCP, secure SIP PSTN GW/CUBE/MTP/CFB G2/G3, secure SRST G3, secure analog VG) | System Release 12
CE Endpoints (DX70/80, MX 200/300 G2, MX 700/800, SX, IX 5000) | 9.1.3
78xx/88xx | 12.1(1)
Newer TC endpoints (can run CE) (MX 200/300 G2, MX 700/800, SX) | Can SW upgrade to CE
Legacy TC endpoints (C-series, EX, MX 200/300 G1, Profile) | End of Sale
Legacy Immersive (TX 9000 series, CTS) | End of Sale
Older IP phones (e.g., 79xx series, 69xx, 99xx, 89xx, DX on Android, IP Communicator) | No support or partial support
CUCM Certificates and Trust Stores
CUCM Certificate Trust Stores
• Identity Certificate: one per certificate type (e.g. tomcat)
• Trusted Certificates: one trust store per type, named <type>-trust (e.g. tomcat-trust)
CUCM Certificate Types
Identity Certificates for different services and functions:
• CallManager
• Tomcat
• CAPF
• IPSec
• TVS
• ITLRECOVERY
CUCM Certificate Truststores
Truststores for services and functions:
• CallManager-Trust
• Tomcat-Trust
• CAPF-Trust
• IPSec-Trust
• TVS-Trust
• Phone-VPN-Trust
CUCM Certificate Truststores
Identity certificate            | Trust store
CallManager, CallManager-ECDSA  | CallManager-Trust
Tomcat                          | Tomcat-Trust
CAPF                            | CAPF-Trust
TVS                             | TVS-Trust
IPSec                           | IPSec-Trust
authz (12.0+)                   |
ITLRecovery                     |
Trust stores without a matching identity certificate: Phone-Trust, Phone-VPN-Trust, Phone-CTL-Trust, Phone-CTL-ASA-Trust (12.0+), Phone-SAST-Trust, Userlicensing-Trust
Phone Certificates and Trust Lists
Phone Certificate Types
Manufacturing-Installed Certificate (MIC)
• Signed by the Cisco Manufacturing CA
• Automatically installed in supported phone models
• Used to authenticate with CAPF for LSC installation or to download an encrypted configuration file
• Cannot be overwritten, deleted or revoked
Locally Significant Certificate (LSC)
• Used for authentication and encryption
• Signed by the CAPF certificate
• Takes precedence over the MIC
Phone Certificate Trust Chains
(figure: the MIC chains to the Cisco Manufacturing CA; the LSC chains to the CAPF certificate)
How Do Endpoints Trust Servers?
CTL / ITL
• CTL and ITL are signed files that contain a list of certificates that the endpoint can trust
• When an endpoint boots/resets, it requests:
  1. Certificate Trust List (CTL) file
  2. Initial Trust List (ITL) file (no support on Jabber)
Signature
• Endpoints verify the signature of the CTL/ITL
CUCM Non-Secure Mode
Security by Default (figure: ITLFile.tlv and the Trust Verification Service)
ITLRecovery Trust Anchor change in 12.0
Benefits for the following scenarios:
• Renewing the CallManager certificate no longer leads to issues.
• No need to connect to TVS when renewing the CallManager certificate.
• Easier certificate exchange for EMCC when migrating a phone from one CUCM cluster to another (fewer certificates to exchange, and no need to exchange certificates when renewing the CallManager certificate).
UCM non-secure
Endpoint not supporting ITL (e.g. older phone or Jabber), talking to the TFTP server:
1. Unsigned config (.xml) is downloaded
2. Signed firmware (.sbn) is downloaded and validated with the existing firmware
UCM non-secure
Endpoint supporting ITL, talking to the TFTP server:
1. CTLFile.tlv: CTL not found on the server and none on file on the phone
2. ITLFile.tlv: trust the ITL if none is on file; otherwise validate the ITL signature
3. Signed config (.xml.sgn): validate with the ITL
4. Signed firmware (.sbn): validate with the existing firmware
Contents of the ITL and Trust Anchor
ITLFile.tlv
Certificate                                             | Role
Publisher CallManager Certificate                       | System Administrator Security Token (ITL signer before 12.0)
Publisher and Subscriber(s) CallManager Certificates    | CCM+TFTP
Publisher and Subscriber(s) CallManager EC Certificates | CCM+TFTP
Publisher and Subscriber(s) TVS Certificates            | TVS
Publisher CAPF Certificate                              | CAPF
ITLRECOVERY Certificate                                 | System Administrator Security Token (ITL signer as of 12.0)
Loss of Trust
Before CUCM version 12.0:
1. TFTP: the phone downloads the ITLFile and checks the ITL signature, which it cannot verify with the certificates it holds
2. TVS: the phone falls back to TVS but is unable to establish a TLS connection with TVS
3. Signed config: the phone is unable to verify the config file signature
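The bootstrap and loss-of-trust sequences above reduce to a small set of rules: trust the first ITL seen, accept a later ITL only if a certificate already on file signed it, otherwise ask TVS, otherwise keep the stale ITL. The added example below (not Cisco code, not part of the deck) models those rules so the two outcomes can be compared: before 12.0 the ITL is signed by the CallManager certificate, so regenerating CallManager and TVS together strands the phone; in 12.0 the long-lived ITLRecovery certificate signs, so the same regeneration is harmless. Random keys with HMAC-SHA256 stand in for the RSA certificates and signatures of the real files; the cluster, phone and config are constructed.

```python
"""Model a phone's ITL trust decisions: first ITL is trusted as-is, later ITLs
must be signed by a certificate the phone already holds, with TVS as the
fallback, and why the 12.0 move to ITLRecovery as signer avoids loss of trust.

Added example, not Cisco code. Random 32-byte keys with HMAC-SHA256 stand in
for the RSA certificates and signatures of the real ITL; the trust rules are
the ones on the preceding slides. The cluster and phone are constructed.
"""
import hashlib
import hmac
import json
import os

ROLES = ("CallManager", "TVS", "CAPF", "ITLRecovery")

def _canonical(entries: dict) -> bytes:
    """Stable byte encoding of the ITL entries that gets signed."""
    return json.dumps({role: key.hex() for role, key in entries.items()}, sort_keys=True).encode()

def _signature_ok(itl: dict, key: bytes) -> bool:
    expected = hmac.new(key, _canonical(itl["entries"]), hashlib.sha256).digest()
    return hmac.compare_digest(expected, itl["signature"])

class Cluster:
    """Publisher with one key per role. sign_with: 'CallManager' (before 12.0) or 'ITLRecovery' (12.0+)."""
    def __init__(self, sign_with: str):
        self.sign_with = sign_with
        self.keys = {role: os.urandom(32) for role in ROLES}

    def regenerate(self, *roles: str) -> None:
        """Regenerate certificates, e.g. after a hostname or domain change."""
        for role in roles:
            self.keys[role] = os.urandom(32)

    def build_itl(self) -> dict:
        entries = dict(self.keys)
        sig = hmac.new(self.keys[self.sign_with], _canonical(entries), hashlib.sha256).digest()
        return {"entries": entries, "signer": self.sign_with, "signature": sig}

    def sign_config(self, config: bytes) -> bytes:
        """Config files (.cnf.xml.sgn) are signed by the CallManager/TFTP certificate."""
        return hmac.new(self.keys["CallManager"], config, hashlib.sha256).digest()

class Phone:
    def __init__(self):
        self.itl = None                             # nothing on file: factory-reset phone

    def load_itl(self, itl: dict, cluster: "Cluster") -> str:
        if self.itl is None:
            self.itl = itl                          # trust on first use
            return "trusted-first-itl"
        trusted_key = self.itl["entries"][itl["signer"]]   # signer certificate already on file
        if _signature_ok(itl, trusted_key):
            self.itl = itl
            return "trusted"
        # Signature check failed. TVS is reachable only if the TVS certificate the
        # phone holds still matches the cluster's; if so TVS vouches for the new signer.
        if self.itl["entries"]["TVS"] == cluster.keys["TVS"] and \
                _signature_ok(itl, itl["entries"][itl["signer"]]):
            self.itl = itl
            return "trusted-via-tvs"
        return "lost-trust"                         # phone keeps the stale ITL

    def verify_config(self, config: bytes, signature: bytes) -> bool:
        expected = hmac.new(self.itl["entries"]["CallManager"], config, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)

def simulate(sign_with: str, regenerate: tuple) -> tuple:
    """Bootstrap a phone, regenerate the given certificates, then reload the ITL and a signed config."""
    cluster, phone = Cluster(sign_with), Phone()
    phone.load_itl(cluster.build_itl(), cluster)
    cluster.regenerate(*regenerate)
    status = phone.load_itl(cluster.build_itl(), cluster)
    config = b"<device><devicePool>Default</devicePool></device>"   # constructed stand-in for SEP<mac>.cnf.xml
    return status, phone.verify_config(config, cluster.sign_config(config))

if __name__ == "__main__":
    for signer in ("CallManager", "ITLRecovery"):
        print(signer, "signs, CallManager+TVS regenerated ->", simulate(signer, ("CallManager", "TVS")))
```

The "lost-trust" case is what the slide's step 3 shows: the phone still runs, but it cannot verify the new signed config and will stay on the old one (or have to be reset) until the ITL is recovered.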
CUCM Mixed Mode
CUCM Mixed Mode and Generating CTL
• CTL Client with USB eTokens
OR
• utils ctl set-cluster mixed-mode (tokenless, from the CLI)
USB Security Tokens vs. Tokenless
USB Security Tokens
Pros:
• Fewer situations where endpoints lose the trust relationship with Unified CM, and easier to recover from this scenario
• Can be used across multiple Unified CM clusters and facilitates migration between clusters
Cons:
• Must purchase 2+ USB Security tokens
• Not manufactured in the US
• Requires CTL Client installation on a desktop

Tokenless CTL
Pros:
• Easier to manage: No need to purchase USB security tokens, no need to install the CTL client, easier to update the CTL file
• No need to worry about losing your USB tokens or where to store them without compromising them
• Easier to update the CTL records
• Easy to migrate from eTokens to Tokenless
Cons:
• Easier for endpoints to lose the trust relationship, and complex to recover for versions earlier than 12.0
• Requires more steps when migrating clusters
Phone Trust List and Verification
(figure: CTLFile.tlv, ITLFile.tlv and the Trust Verification Service)
UCM in mixed mode
Initial bootstrap, phone talking to the TFTP server:
1. CTLFile.tlv: trust the CTL if none is present on the phone; otherwise check the CTL signature
2. ITLFile.tlv: validate with the CTL
3. Signed config: validate with the CTL
4. Signed firmware: validate with the existing firmware
Contents of the CTL if using USB eTokens
CTLFile.tlv
Certificates                                         | Roles
System Administrator Security Token(s) (eTokens)     | System Administrator Security Token (CTL signer)
Publisher and Subscriber(s) CallManager Certificate  | CCM+TFTP
Publisher CAPF Certificate                           | CAPF
ITLRECOVERY Certificate (as of 12.0)                 | System Administrator Security Token
Contents of the CTL if using Tokenless
CTLFile.tlv
Certificates                                         | Roles
Publisher CallManager Certificate                    | System Administrator Security Token (CTL signer before 12.0)
Publisher and Subscriber(s) CallManager Certificate  | CCM+TFTP
Publisher CAPF Certificate                           | CAPF
ITLRECOVERY Certificate                              | System Administrator Security Token (CTL signer as of 12.0; held in Phone-SAST-trust)
Phone Security Modes
(figure)
High Level View of a Secure Phone Registration
Phone with security profile set to Authenticated or Encrypted mode:
1. The phone sends a Client Hello to CUCM
2. CUCM checks its truststore: “Do I trust this device?” -> Yes
3. The phone checks the server certificate against its ITLFile.tlv / CTLFile.tlv: “Do I trust it?” -> Yes
4. TLS is established
End-to-End Phone Signaling Encryption
Phones with security profile set to Encrypted mode (figure: both phones hold an ITLFile/CTLFile, signaling to CUCM is TLS, and the media between them is SRTP)
Signaling Secure to Non-Secure Interworking
(figure: an encrypted phone calling a non-secure phone; the media between them is plain RTP)
Phone Security Status Icons
Media and Device Types In the Call                     | Phones That Display Both Shield and Lock Icons | Phones That Display Only the Lock Icon
Secure audio only                                      | Lock   | Lock
Secure audio with non-secure video                     | Shield | None
Secure audio with secure video                         | Lock   | Lock
Authenticated device with non-secure audio only        | Shield | None
Authenticated device with non-secure audio and video   | Shield | None
Unauthenticated device with non-secure audio only      | None   | None
Unauthenticated device with non-secure audio and video | None   | None
Monitoring Certificate Expiration
Handled by the Cisco Certificate Expiry Monitor service
CUBE Certificates and Trustpoints
Trustpoint and Generating CSR (figure: CUBE sends the CSR to the Certificate Authority)
crypto pki trustpoint <trustpoint_name>
crypto pki enroll <trustpoint_name>
Importing Trustchain and Identity Certificate
(figure: the Certificate Authority returns the trust chain and the identity certificate to CUBE)
crypto pki authenticate <trustpoint_name>
crypto pki import <trustpoint_name> certificate
Associating Trustpoint to SIP Trunk
sip-ua
 crypto signaling remote-addr 10.1.1.100 255.255.255.255 trustpoint <trustpoint_name>
(figure: the trustpoint is bound to the SIP trunk between CUBE and the remote address)
High Level View of a Secure Connection
1. CUCM sends a Client Hello to CUBE
2. CUBE checks its trustpoint(s): “Do I trust this device?” -> Yes
3. CUCM checks CUBE’s certificate against its truststore: “Do I trust it?” -> Yes
4. TLS is established
Secure to Non-Secure Interoperability
TLS to TCP/UDP Interworking
(figure: ITSP --SIP Unsecure-- CUBE --SIP TLS-- CUCM in Mixed-Mode)
What’s Secure RTP?
• As per RFC 3711: “SRTP is a profile of the Real-time Transport Protocol (RTP), which can provide confidentiality, message authentication, and replay protection to the RTP traffic”
• It uses AES (Advanced Encryption Standard) as the default cipher for stream encryption
• HMAC (Hash-based Message Authentication Code) is used to authenticate the message and protect its integrity
• Keys are exchanged in the SDP (SDES, RFC 4568): a=crypto:<tag> <crypto-suite> <key-params> [<session-params>]

SDP for RTP                     SDP for SRTP
m=audio 8256 RTP/AVP 0          m=audio 8264 RTP/SAVP 0
c=IN IP4 14.50.248.31           c=IN IP4 14.50.248.31
a=rtpmap:0 PCMU/8000            a=rtpmap:0 PCMU/8000
                                a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:L5+zq2AXJxLk+058lu/XRQWJZiK0c0D0
CUBE-based SRTP-RTP Interworking
(figure: SIP signaling and media paths through CUBE)
ISR 4000 - 4400/4300-series routers
• Uses built-in crypto-engine
• No additional configuration required
ISR G2 - 2900/3900-series routers
• DSP required
• Leverages DSPfarm configuration
SRTP Fallback
Enables a SIP device to fall back from SRTP to RTP: it accepts or sends an RTP/AVP (Audio-Video Profile) answer in response to an RTP/SAVP (Secure Audio-Video Profile) offer, provided the peers advertise support for the Cisco-proprietary x-cisco-srtp-fallback option tag.
SRTP to RTP offer without Fallback
INVITE with SDP: RTP/SAVP  -->  488 Not Acceptable Media
SRTP Fallback
INVITE with SDP: RTP/SAVP and Supported: x-cisco-srtp-fallback  -->  200 OK with SDP: RTP/AVP  -->  media flows as RTP
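The three preceding slides describe one decision: given an RTP/SAVP offer, answer with SRTP if possible, otherwise 488, unless the offer carried x-cisco-srtp-fallback, in which case answer RTP/AVP. The added example below (not Cisco code, not part of the deck) parses the m= line and a=crypto attributes of an SDP offer, validates the inline key length against the crypto suite (RFC 4568 and RFC 7714 sizes), and returns that answer. The offers are built from the SDP on the "What's Secure RTP?" slide; the inline key is a constructed 30-byte master key plus salt, because the key string printed on the slide is abbreviated and fails the length check, which the example also shows.

```python
"""Parse the m= line and a=crypto attributes of an SDP offer and work out the
answer a gateway gives: SRTP when it can, otherwise 488 Not Acceptable Media,
unless the offer advertised x-cisco-srtp-fallback, in which case plain RTP.

Added example, not Cisco code. The offers are built from the SDP on the
slide; the inline key is a constructed 30-byte master key plus salt (the
key printed on the slide is abbreviated and would fail the length check).
"""
import base64

# master key + master salt length in bytes (RFC 4568 for AES_CM, RFC 7714 for AEAD)
SUITE_KEY_BYTES = {
    "AES_CM_128_HMAC_SHA1_80": 30, "AES_CM_128_HMAC_SHA1_32": 30,
    "AEAD_AES_128_GCM": 28, "AEAD_AES_256_GCM": 44,
}

KEY_B64 = base64.b64encode(bytes(range(30))).decode()   # constructed, not a real key

OFFER_SAVP = (
    "v=0\r\no=- 1 1 IN IP4 14.50.248.31\r\ns=-\r\nt=0 0\r\n"
    "m=audio 8264 RTP/SAVP 0\r\nc=IN IP4 14.50.248.31\r\na=rtpmap:0 PCMU/8000\r\n"
    f"a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:{KEY_B64}\r\n"
)
OFFER_AVP = (
    "v=0\r\no=- 1 1 IN IP4 14.50.248.31\r\ns=-\r\nt=0 0\r\n"
    "m=audio 8256 RTP/AVP 0\r\nc=IN IP4 14.50.248.31\r\na=rtpmap:0 PCMU/8000\r\n"
)

def parse_sdp(sdp: str) -> dict:
    """Return the audio profile, port and the parsed a=crypto offers."""
    info = {"profile": None, "port": None, "crypto": []}
    for line in sdp.splitlines():
        if line.startswith("m=audio "):
            _, port, profile, *_ = line.split()
            info["port"], info["profile"] = int(port), profile
        elif line.startswith("a=crypto:"):
            tag, suite, key_params, *session_params = line[len("a=crypto:"):].split()
            method, _, key = key_params.partition(":")    # "inline:<base64 key||salt>[|lifetime|MKI]"
            info["crypto"].append({"tag": int(tag), "suite": suite, "method": method,
                                   "key": key.split("|")[0], "session_params": session_params})
    return info

def crypto_key_ok(attr: dict) -> bool:
    """Known suite, inline keying, and base64 that decodes to exactly key+salt length."""
    if attr["method"] != "inline" or attr["suite"] not in SUITE_KEY_BYTES:
        return False
    try:
        raw = base64.b64decode(attr["key"], validate=True)
    except ValueError:
        return False
    return len(raw) == SUITE_KEY_BYTES[attr["suite"]]

def answer_offer(offer_sdp: str, supported_header: str, can_do_srtp: bool) -> dict:
    """Decide the SIP answer; supported_header is the value of the offer's Supported: header."""
    offer = parse_sdp(offer_sdp)
    if offer["profile"] == "RTP/AVP":
        return {"status": 200, "profile": "RTP/AVP"}
    usable = [c for c in offer["crypto"] if crypto_key_ok(c)]
    if offer["profile"] == "RTP/SAVP" and can_do_srtp and usable:
        return {"status": 200, "profile": "RTP/SAVP", "crypto_tag": usable[0]["tag"]}
    options = {o.strip() for o in supported_header.split(",")}
    if "x-cisco-srtp-fallback" in options:
        return {"status": 200, "profile": "RTP/AVP"}          # fall back to clear RTP
    return {"status": 488, "reason": "Not Acceptable Media"}

if __name__ == "__main__":
    print(answer_offer(OFFER_SAVP, "", can_do_srtp=False))
    print(answer_offer(OFFER_SAVP, "timer, x-cisco-srtp-fallback", can_do_srtp=False))
```

Whether a fallback to RTP is acceptable is a policy question: it keeps calls up through a non-secure ITSP, but it also means an encrypted phone can end up with clear media, which is why the lock icon behaviour on the next slides matters.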
Expressway and Mobile and Remote Access (MRA)
MRA Media and Signaling Encryption
• SIP TLS always enforced between MRA clients & Exp-E, and between Exp-C & Exp-E
• Voice/Video streams always SRTP encrypted between Exp-C and the MRA client
• * UCM mixed mode required to achieve SRTP on the internal network and SIP TLS between Exp-C and UCM
Media and Signaling always encrypted
(figure: MRA client --SIP TLS / SRTP-- External Firewall -- Expressway-E -- DMZ Firewall -- Expressway-C --SIP TLS* or SIP TCP-- UCM)
MRA Authentication
• MRA endpoints verify the Expressway-E server certificate
  • Jabber clients rely on the underlying platform’s trusted CA list
  • Hardware endpoints rely on a trusted CA list included in the firmware
  => One reason why a public CA must be used with Expressway-E
• Expressway-E does not verify the MRA endpoint certificate
(figure: MRA client --SIP TLS / SRTP-- External Firewall -- Expressway-E -- DMZ Firewall -- Expressway-C --SIP TLS* or SIP TCP-- UCM)
MRA Encrypted Endpoints
• Endpoints/Jabber that connect only via MRA (not directly to CUCM) can achieve SIP TLS and SRTP without a MIC/LSC
(figure: MRA client --SIP TLS / SRTP-- External Firewall -- Expressway-E -- DMZ Firewall -- Expressway-C --SIP TLS*-- UCM)
Conclusion
Addressing UC Security Requirements
Threats specific to UC:
• Toll Fraud
• Denial of Service
• Eavesdropping
• Stealing private and sensitive information
• Impersonation, session replay, media tampering, SPAM…
Countermeasures:
• Network security, endpoint security, server security, certificates, encryption (IP Phone Services, signaling, media), mutual TLS, signed software, signed and encrypted config file, secure boot, encrypted backups, QoS…
Organization Security Requirements:
• Compliance and certifications, network access control, encryption policy, password policy, audit logs, vendor security processes…
Meeting the requirements:
• FIPS/CC modes, 802.1x supplicant, complex password policy, audit logs, CSDL, Encryption, NGE, TLS 1.2…
Call to Action
Secure Network, Secure Endpoints, Secure Servers
• Further harden the platform
• Configure Toll-Fraud protection
• Manage your certificates carefully and simplify their management
• Embrace security by default (especially with 12.0)
• Configure encryption for critical services (IP Phone services)
• Consider enabling CUCM mixed-mode
• Consider starting to configure endpoints in encrypted mode
• Establish a good security policy: keep software updated, monitor
  logs/audit logs/CDR, back up your system, etc.
Security is a Journey, Not a Destination
• Stay up-to-date on the latest security news and upgrade / install
  security updates when applicable
• Product Security Incident Response Team (PSIRT)
  www.cisco.com/go/psirt
  • Latest threats
  • Security advisories and responses
  • Get notifications
Additional UC Security Sessions
• BRKCOL-3224: Implementing and Troubleshooting Secure Voice
  on Network Edge Devices
  • Tuesday 12th at 4pm
• BRKCOL-3501: Implementing and Troubleshooting Secure IP
  Phones and Endpoints
  • Wednesday 13th at 1:30pm
Complete your online session evaluation
Give us your feedback to be entered into a Daily Survey Drawing.
Complete your session surveys through the Cisco Live mobile app or on
www.CiscoLive.com/us.
Don’t forget: Cisco Live sessions will be available for viewing
on demand after the event at www.CiscoLive.com/Online.
Thank you
Appendix
Identity Certificates used by Communications Manager
For your reference
CallManager / CallManager-EC
• Used for TLS connections to the CallManager service (TCP port 5061
  for SIP or 2443 for SCCP)
• Signs TFTP files: configuration files, localization files, etc.
CAPF
• Used for TLS connections to the CAPF service (TCP port 3804)
• Signer of the phones' Locally Significant Certificates (LSC)
Tomcat / Tomcat-EC
• Used for HTTPS connections to Web services (TCP port 8443)
• Used to sign SSO SAML Requests (if required by the IdP)
TVS
• Used for TLS connections to the TVS service (TCP port 2445)
Identity Certificates used by Communications Manager
For your reference
IPSec
• Used for IPSec connections and inter-cluster
  communication by DRS during backup operations
ITLRecovery
• Included in the ITL file beginning with 10.0, in the CTL with 11.0
• Used by TFTP to sign TL files in certain scenarios
Certificate Trust Stores used with Client Connections
For your reference
CallManager-trust
• Used to validate certificates when CallManager is the client side
• e.g. outbound SIP TLS connections
CAPF-trust
• Used by the CAPF service to validate the client-side certificate (mutual
  authentication) when authenticating phones using their MIC while
  installing their Locally Significant Certificates (LSC)
Tomcat-trust
• Used to validate certificates for all Web applications' client requests
  as well as LDAPS (DirSync + LDAP authentication)
• e.g. EMCC, CTI Manager LDAPS authentication
TVS-trust
• Used for intermediate and root certificates that are issuers of
  CA-signed TVS certificates
Certificate Trust Stores used with Client Connections
For your reference
Userlicensing-trust
• Used by ELM and PLM
Phone-trust
• Allows TVS to authenticate certificates used by IP Phone Services
Phone-vpn-trust
• Holds server certificates for the Phone VPN feature
Phone-sast-trust
• Allows TVS to authenticate certificates used by TFTP to sign files
Phone-ctl-trust
• Used to include a certificate in a CTL file
• Only works for tokenless CTL after version 11.5
Certificate Verification with TVS
Phone being migrated to a new cluster
1. The phone downloads CTLFile.tlv from the NEW cluster TFTP and checks the
   CTL signature; the signer is not in the ITLFile/CTLFile the phone currently holds
2. The phone starts a secure connection to the OLD cluster TVS, which it still
   trusts through its current ITLFile/CTLFile
3. The old cluster TVS verifies the new CTL signature on the phone's behalf
4. The phone downloads all remaining new files from the new cluster TFTP:
   ITLFile.tlv and the signed config
TLS versioning support, Ciphers
References
• TLS 1.2 Compatibility Matrix
  https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/uc_system/unified/communications/system/Compatibility/TLS/TLS1-2-Compatibility-Matrix.html
• TLS 1.2 White Paper
  https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/uc_system/TLS/TLS-1-2-for-On-Premises-Cisco-Collaboration-Deployments.html
• TLS 1.2 Configuration Overview
  https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/uc_system/TLS/TLS-1-2-Configuration-Overview-Guide.html
IOS Configuration – crypto signaling
Enabling Secure Signaling
Associate the CUBE trustpoint with the voice process:

sip-ua
 crypto signaling remote-addr 14.50.248.100 255.255.255.255 trustpoint caServer

Command breakdown:
• Base command: crypto signaling
• Peer IP address/network association: default (all peers) or
  remote-addr <ip.address> <mask>
• Trustpoint association: trustpoint <name>
• Cipher selection:
  • <enter> (default): all cipher suites
  • ecdsa-cipher: ECDSA-only suites
  • strict-cipher: RSA-only suites
IOS Signaling Cipher Suites
Default cipher (all):
• TLS_RSA_WITH_RC4_128_MD5
• TLS_RSA_WITH_AES_128_CBC_SHA
• TLS_DHE_RSA_WITH_AES_128_CBC_SHA
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Strict cipher (RSA-only):
• TLS_RSA_WITH_AES_128_CBC_SHA
• TLS_DHE_RSA_WITH_AES_128_CBC_SHA
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
ECDSA cipher (ECDSA-only):
• TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Only the ECDHE and DHE suites provide forward secrecy; TLS_RSA_WITH_RC4_128_MD5
(offered only in the default selection) uses two deprecated algorithms and should
not be relied on.
CUCM Cipher Suites for TLS
Before 10.5.2 (TLS 1.0), max certificate key length 1024 (RSA):
• TLS_RSA_WITH_AES_128_CBC_SHA
• TLS_RSA_WITH_AES_256_CBC_SHA
As of 10.5.2 (TLS 1.2), max certificate key length 2048 (RSA), adds:
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
As of 11.0, max certificate key length 2048 (RSA) / 521 (EC), adds:
• TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
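The three cipher selections above differ in what a peer can force the router into, which is easiest to see by evaluating concrete offers against them. The following Python is an added example, not Cisco code: the three suite lists are the ones from the IOS signaling table above, the per-suite properties (forward secrecy, AEAD, RC4/MD5) are derived from the IANA names, and both offers are constructed (the CUCM 11.0 offer uses the suites from the CUCM table in the order listed there; the assumption that the client's preference order is honoured is mine).

```python
"""Evaluate the CUBE 'crypto signaling' cipher selections (default, strict-cipher,
ecdsa-cipher) against what a SIP peer offers.  Added example, not Cisco code: the
three suite lists are copied from the slide tables, the per-suite properties are
derived from the IANA suite names, and both ClientHello offers are constructed."""
import re

# Suite lists per 'crypto signaling' option, as listed on the slide.
POLICY_SUITES = {
    "default": [  # <enter>: all
        "TLS_RSA_WITH_RC4_128_MD5",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    ],
    "strict-cipher": [  # RSA-only
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    ],
    "ecdsa-cipher": [  # ECDSA-only
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    ],
}

SUITE_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE|DHE|RSA)(?:_(?P<auth>RSA|ECDSA))?"
    r"_WITH_(?P<cipher>.+?)_(?P<mac>MD5|SHA|SHA256|SHA384)$"
)

def parse_suite(name):
    """Split an IANA TLS 1.2 suite name into its security-relevant properties."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised suite name: {name}")
    kx, auth, cipher, mac = m["kx"], m["auth"], m["cipher"], m["mac"]
    return {
        "kx": kx,
        "auth": auth or kx,  # TLS_RSA_WITH_*: RSA does both key transport and auth
        "cipher": cipher,
        "mac": mac,
        "forward_secrecy": kx in ("ECDHE", "DHE"),
        "aead": cipher.endswith("_GCM"),
        "weak": cipher.startswith("RC4") or mac == "MD5",  # the reason to leave 'default'
    }

def audit(policy):
    """What a policy guarantees: any weak suite left? forward secrecy always? AEAD only?"""
    props = [parse_suite(s) for s in POLICY_SUITES[policy]]
    return {
        "suites": len(props),
        "allows_weak": any(p["weak"] for p in props),
        "forward_secrecy_guaranteed": all(p["forward_secrecy"] for p in props),
        "aead_only": all(p["aead"] for p in props),
    }

def negotiate(client_offered, policy):
    """Suite the handshake ends on, assuming the client's preference order is
    honoured: the first offered suite the policy allows.  None = handshake fails."""
    allowed = set(POLICY_SUITES[policy])
    return next((s for s in client_offered if s in allowed), None)

# Constructed offers; list order is the assumed client preference.
LEGACY_PEER_OFFER = [  # an old SIP peer that still lists RC4 first
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
]
CUCM_11_OFFER = [  # suites from the CUCM 11.0 table, in the order listed there
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
]

if __name__ == "__main__":
    for policy in POLICY_SUITES:
        print(f"{policy:14} {audit(policy)}")
        print(f"{'':14} legacy peer -> {negotiate(LEGACY_PEER_OFFER, policy)}")
        print(f"{'':14} CUCM 11.0   -> {negotiate(CUCM_11_OFFER, policy)}")
```

With a peer that lists RC4-MD5 first, the default selection ends the handshake on RC4-MD5; strict-cipher moves it to AES-CBC with RSA key transport and therefore no forward secrecy; only ecdsa-cipher guarantees an ECDHE AEAD suite. What the far end really offers is best confirmed with a packet capture of its ClientHello (see the data-collection tables at the end of this appendix).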
Secure Media – IOS Configuration (pre-16.5.1)
Enabling Secure Media
1. Enable SRTP on the dial-peer (or globally, see below)
2. Configure SRTP cipher suite support (srtp-auth). In 15.4(1), support for
   sha1-80 (AES_CM_128_HMAC_SHA1_80) was added.
3. (Optional) Configure NGE cipher suite support with SRTP pass-thru.
   Introduced in 15.6(1), it allows SRTP cipher suites that CUBE does not
   support natively to be negotiated: AEAD_AES_128_GCM, AEAD_AES_256_GCM,
   AEAD_AES_128_CCM, AEAD_AES_256_CCM. CUBE passes the offered cipher suites
   and keys through unchanged from one call-leg to the other call-leg.

Per dial-peer:

dial-peer voice 1 voip
 description to CUCM Sub – Secure Signaling
 preference 1
 destination-pattern 418110....
 session protocol sipv2
 session target ipv4:14.50.248.103
 srtp
 voice-class sip srtp-auth sha1-80 sha1-32
 voice-class sip srtp pass-thru

or globally:

voice service voip
 srtp
 srtp pass-thru
 sip
  srtp-auth sha1-80 sha1-32
Secure Media – IOS-XE Configuration (16.5.1+)
Enabling Secure Media
1. Create a voice class to define the supported SRTP cipher suites, in
   preference order:

voice class srtp-crypto 1
 crypto 1 AEAD_AES_256_GCM
 crypto 2 AEAD_AES_128_GCM
 crypto 3 AES_CM_128_HMAC_SHA1_80
 crypto 4 AES_CM_128_HMAC_SHA1_32

2. Enable SRTP and apply the voice class either under the dial-peer or globally.

Per dial-peer:

dial-peer voice 1 voip
 description to CUCM Sub – Secure Signaling
 preference 1
 destination-pattern 418110....
 session protocol sipv2
 session target ipv4:14.50.248.103
 srtp
 voice-class sip srtp-crypto 1

or globally:

voice service voip
 srtp
 sip
  srtp-crypto 1
IOS Cipher Suite Support for Media
• Prior to 15.4(1)T/S: AES_CM_128_HMAC_SHA1_32 (default)
• Starting with 15.4(1)T/S: AES_CM_128_HMAC_SHA1_80
• Starting with 15.6(1)T/S (with the SRTP pass-thru feature only):
  AEAD_AES_128_GCM, AEAD_AES_256_GCM, AEAD_AES_128_CCM, AEAD_AES_256_CCM
• Starting with 16.5.1 (native support, IOS-XE only):
  AEAD_AES_128_GCM, AEAD_AES_256_GCM
CUCM Cipher Suites for Media
• Before 10.5.2: F8_128_HMAC_SHA1_80, AES_CM_128_HMAC_SHA1_32,
  AES_CM_128_HMAC_SHA1_80
• As of 10.5.2: AEAD AES256 GCM-based ciphers, AEAD AES128 GCM-based ciphers
  (* SHA1 ciphers kept for compatibility with non-SIP devices)
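The preference list in the voice class above is exercised in SDP: each side lists a=crypto lines (RFC 4568 SDES), and the answerer picks one by its own preference, echoing the chosen tag with its own key material. The following Python is an added example, not Cisco or IOS-XE code: the decision logic is my model of the behaviour these slides describe (preference order first, then pass-thru if enabled, otherwise reject), the key and salt sizes are the ones from RFC 4568 and RFC 7714, and the SDP offers and their key bytes are constructed dummies.

```python
"""Pick an SRTP crypto suite from the SDP 'a=crypto' attributes of an offer
(RFC 4568 SDES) the way a B2BUA with a preference list such as 'voice class
srtp-crypto' above would, validate the offered key material, and build the
answer.  Added example, not Cisco code: the decision logic is my model of the
slide text, the key/salt sizes come from RFC 4568 / RFC 7714, and the offers
and key bytes below are constructed dummies."""
import base64
import re
import secrets

# master key + master salt sizes in bytes (RFC 4568 for AES_CM, RFC 7714 for GCM)
KEY_SALT_LEN = {
    "AEAD_AES_256_GCM": (32, 12),
    "AEAD_AES_128_GCM": (16, 12),
    "AES_CM_128_HMAC_SHA1_80": (16, 14),
    "AES_CM_128_HMAC_SHA1_32": (16, 14),
}
# Preference order of 'voice class srtp-crypto 1' on the slide (crypto 1..4).
CUBE_PREFS = ["AEAD_AES_256_GCM", "AEAD_AES_128_GCM",
              "AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32"]

CRYPTO_RE = re.compile(
    r"^a=crypto:(?P<tag>\d+)\s+(?P<suite>\S+)\s+inline:(?P<keysalt>[A-Za-z0-9+/=]+)"
    r"(?P<keyinfo>\S*)(?P<params>.*)$"
)

def b64(raw):
    return base64.b64encode(raw).decode()

def parse_crypto(line):
    """Parse one a=crypto line; reject wrong-length key||salt for suites we know."""
    m = CRYPTO_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an a=crypto line: {line!r}")
    suite, keysalt = m["suite"], base64.b64decode(m["keysalt"], validate=True)
    if suite in KEY_SALT_LEN:
        want = sum(KEY_SALT_LEN[suite])
        if len(keysalt) != want:
            raise ValueError(f"{suite}: expected {want} bytes of key||salt, got {len(keysalt)}")
    return {"tag": int(m["tag"]), "suite": suite, "keysalt": keysalt,
            "lifetime_mki": m["keyinfo"].lstrip("|"),   # e.g. '2^31' or '2^31|1:4'
            "session_params": m["params"].split()}

def rejects(line):
    """True when parse_crypto refuses the line (exposes the length check)."""
    try:
        parse_crypto(line)
    except ValueError:
        return True
    return False

def select_crypto(sdp, prefs=CUBE_PREFS):
    """Offered line the B2BUA accepts, chosen by *its* preference, not the offerer's."""
    offers = [parse_crypto(l) for l in sdp.splitlines() if l.startswith("a=crypto:")]
    first_by_suite = {}
    for o in offers:
        first_by_suite.setdefault(o["suite"], o)   # lowest tag wins per suite
    return next((first_by_suite[s] for s in prefs if s in first_by_suite), None)

def build_answer(offer, keysalt=None):
    """Answer echoes the chosen tag and suite but carries *our* fresh key||salt."""
    keysalt = keysalt or secrets.token_bytes(sum(KEY_SALT_LEN[offer["suite"]]))
    return f"a=crypto:{offer['tag']} {offer['suite']} inline:{b64(keysalt)}"

def handle_offer(sdp, prefs=CUBE_PREFS, pass_thru=False):
    """B2BUA decision: terminate SRTP with a chosen suite, relay the crypto lines
    untouched ('srtp pass-thru' on the slide), or reject when nothing is usable."""
    chosen = select_crypto(sdp, prefs)
    if chosen:
        return ("answer", build_answer(chosen))
    if pass_thru:
        return ("pass-thru", [l for l in sdp.splitlines() if l.startswith("a=crypto:")])
    return ("reject", "488 Not Acceptable Here")

# Constructed offers with dummy key bytes (never reuse fixed keys in real SDP).
SAMPLE_OFFER = "\n".join([
    "v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
    "m=audio 16384 RTP/SAVP 0 8 101",
    f"a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:{b64(bytes(range(30)))}",
    f"a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:{b64(bytes(range(30)))}|2^31",
    f"a=crypto:3 AEAD_AES_256_GCM inline:{b64(bytes(range(44)))}",
])
# A CCM-only offer: CUBE cannot terminate it natively, only pass it through.
CCM_OFFER = f"m=audio 16384 RTP/SAVP 0\na=crypto:1 AEAD_AES_128_CCM inline:{b64(bytes(28))}"

if __name__ == "__main__":
    print(handle_offer(SAMPLE_OFFER))
    print(handle_offer(CCM_OFFER), handle_offer(CCM_OFFER, pass_thru=True))
```

Two points the slide tables imply but a capture makes concrete: the answer must carry the tag the offerer used (tag 3 here), and with pass-thru the offerer's inline keys transit CUBE in signaling untouched, so SIP TLS on both legs is what keeps them confidential.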
Data to Collect
Phone Registration
Type of problem / CUCM / Other
• LSC Installation / CAPF traces / Phone console logs
• Secure Phone Registration / CCM traces, TFTP traces / Phone console logs, Packet capture
• CTL Installation / show ctl / Phone console logs, Packet capture

Media Establishment
Type of problem / IOS debugs / IOS command output / CUCM / Other
• SRTP-RTP Interworking (ISR-G2 only) / debug voip ipipgw, debug voip hpi,
  debug ccsip error, debug ccsip info / show dspfarm profile active,
  show voip rtp connection / CCM traces / Packet capture
• Media / debug ccsip media / show call active|history voice brief,
  show sip-ua call / CCM traces / Packet capture
Data to Collect
Signaling and Call Establishment
Type of problem / IOS debugs / IOS command output / CUCM / Other
• TCP connection failure / debug ip tcp transaction, debug ip tcp packet /
  show tcp brief / CCM traces / Packet capture
• TLS connection failure / debug crypto pki validation|api|callback|messages|transactions,
  debug ssl openssl errors|msg|states / show sip-ua connection tcp tls detail /
  CCM traces / Packet capture
• SIP call establishment / debug ccsip error|message|transport /
  show call active|history voice brief / CCM traces / Packet capture
• Call Routing / debug voip ccapi inout / show dial-peer voice summary /
  CCM traces / Packet capture