Secure Collaboration for On-Premise VoIP Deployments (CUCM and CUBE/SBC)
Hikmat El Ajaltouni
Systems Engineer
Jan 26, 2017
Agenda
• Secure Network, Secure Endpoints, Secure Call Control
• Collaboration System Release 11.5 Security Update
• Deploying and Handling Certificates & PKI in CUCM
• Securing the Edge with CUBE/SBC
• Cisco Product Security
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Infrastructure Security Measures
Segregation
• Virtual LANs (VLANs) separate voice and data traffic
• VLAN Access Control Lists (VACLs) limit traffic between devices on the voice VLAN
• QoS packet marking ensures UC traffic receives appropriate priority over other traffic
Layer 3
• IP Source Guard examines physical port, VLAN, IP, & MAC for inconsistencies
Layer 2
• DHCP Snooping creates the binding table
• Dynamic ARP Inspection examines ARP & GARP for violations
• Port Security limits the number of MAC addresses allowed per port
• 802.1x limits network access to authenticated devices on assigned VLANs
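The Layer 2 protections above work together: DHCP snooping builds the binding table, and Dynamic ARP Inspection and IP Source Guard consult it before letting a frame through. The following Python model is an added illustration, not Cisco IOS code and not from the session; it reproduces those checks, plus a Port Security MAC limit, over a constructed binding table and constructed frames. The MAC addresses, IP addresses, port names and the two-MAC port limit are assumptions.

```python
"""Model of the Layer 2 protections listed above: the DHCP snooping binding
table, Dynamic ARP Inspection (DAI), IP Source Guard (IPSG) and Port
Security. Added illustration, not Cisco IOS code; all bindings and frames
are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingTable:
    """Bindings learned by snooping DHCP ACKs on untrusted ports."""

    def __init__(self):
        self._by_mac = {}

    def learn_dhcp_ack(self, mac, ip, vlan, port):
        self._by_mac[(mac, vlan)] = Binding(mac, ip, vlan, port)

    def lookup(self, mac, vlan):
        return self._by_mac.get((mac, vlan))


def dai_check(table, vlan, port, eth_src, sender_mac, sender_ip, trusted=()):
    """Dynamic ARP Inspection. Trusted (uplink) ports are not inspected. On
    untrusted ports the Ethernet source must equal the ARP sender MAC, and the
    sender MAC/IP pair must match a binding on that VLAN and port. A GARP that
    claims an address the sender was never leased (e.g. the gateway) fails here."""
    if port in trusted:
        return "permit"
    if eth_src != sender_mac:
        return "drop: ethernet source differs from ARP sender MAC"
    b = table.lookup(sender_mac, vlan)
    if b is None or b.ip != sender_ip or b.port != port:
        return "drop: no DHCP snooping binding for sender MAC/IP on this port"
    return "permit"


def ipsg_check(table, vlan, port, eth_src, ip_src):
    """IP Source Guard: an IP packet passes only if its source MAC and IP
    match a binding learned on the same VLAN and port."""
    b = table.lookup(eth_src, vlan)
    return "permit" if b and b.ip == ip_src and b.port == port else "drop"


class PortSecurity:
    """Limit the number of source MACs seen per port; extra MACs are a violation."""

    def __init__(self, max_macs=2):  # assumed limit: the phone plus the PC behind it
        self.max_macs = max_macs
        self.seen = {}

    def frame(self, port, mac):
        macs = self.seen.setdefault(port, set())
        if mac in macs:
            return "permit"
        if len(macs) >= self.max_macs:
            return "violation"
        macs.add(mac)
        return "permit"


def build_sample_table():
    # Constructed bindings, as DHCP snooping would learn them from two phones.
    t = SnoopingTable()
    t.learn_dhcp_ack("00:1b:54:aa:bb:01", "10.10.10.21", 10, "Gi1/0/1")  # phone 1
    t.learn_dhcp_ack("00:1b:54:aa:bb:02", "10.10.10.22", 10, "Gi1/0/2")  # phone 2
    return t


def demo():
    """Run constructed frames through each check and return the verdicts."""
    t = build_sample_table()
    ps = PortSecurity(max_macs=2)
    gw = "00:00:0c:9f:f0:01"  # assumed gateway MAC, reachable via the trusted uplink
    return {
        "arp_ok": dai_check(t, 10, "Gi1/0/1", "00:1b:54:aa:bb:01", "00:1b:54:aa:bb:01", "10.10.10.21"),
        "garp_claims_gateway": dai_check(t, 10, "Gi1/0/2", "00:1b:54:aa:bb:02", "00:1b:54:aa:bb:02", "10.10.10.1"),
        "forged_sender_mac": dai_check(t, 10, "Gi1/0/2", "00:1b:54:aa:bb:02", gw, "10.10.10.1"),
        "uplink_trusted": dai_check(t, 10, "Gi1/0/24", gw, gw, "10.10.10.1", trusted=("Gi1/0/24",)),
        "ipsg_ok": ipsg_check(t, 10, "Gi1/0/1", "00:1b:54:aa:bb:01", "10.10.10.21"),
        "ipsg_wrong_ip": ipsg_check(t, 10, "Gi1/0/1", "00:1b:54:aa:bb:01", "10.10.10.22"),
        "portsec": [ps.frame("Gi1/0/1", m) for m in
                    ("00:1b:54:aa:bb:01", "00:50:56:11:22:33", "00:50:56:44:55:66")],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

The point the model makes is the dependency order: without the snooping binding table, DAI and IPSG have nothing to compare against, which is why the binding table (and its persistence across switch reloads) comes first in a voice VLAN rollout.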
BRKUCC-2501 5
IP Phone Security Features
• Cryptographically assured device identity
  • Manufacturing Installed Certificate (MIC)
  • Locally Significant Certificate (LSC)
• Signed firmware images
• Signed & encrypted configuration files
• Mutually authenticated & encrypted signaling & media
• Embedded 802.1x supplicant
• Positive disconnect for handset & speakerphone
• Positive off-hook indicator for speakerphone
• Disable or block access to the voice VLAN for the downstream port
• Disable web interface
• Disable “settings” button
• Disable SSH access
• FIPS mode (select models)
• Gratuitous ARP rejection
Unified Communications Manager Security: User Credential Policies
• Disallow trivial passwords
• Require minimum length
• Prevent reuse with configurable depth
• Lockout on failed attempts with configurable depth, time span, & duration
• Lockout on inactivity with configurable time span
• Expire after configurable time span
• Expiry warning with configurable time span
• Control frequency of credential modifications with configurable time span
• Force credential modification on next attempt
• Prevent credential modification by user
• Lockout by administrator
• Configurable session timeouts
• SAML Single Sign-On (SSO)
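The credential policy controls above interact: the failed-attempt counter only counts attempts inside the configured time span, a lockout has its own duration, and reuse is checked against a bounded history. The following Python model is an added example, not CUCM's implementation and not from the session; every default (minimum length 8, reuse depth 5, five failures in five minutes, 30-minute lockout, 90-day inactivity, 180-day expiry with 14-day warning, one day between changes) is a placeholder, and the salted PBKDF2 hashing is an assumption about how such a history might be stored.

```python
"""Model of the credential-policy controls listed above: minimum length,
trivial-password rejection, reuse depth, failed-attempt lockout with a time
window and duration, inactivity lockout, expiry with warning, a minimum
interval between changes, forced change, admin-only change and admin lockout.
Added example, not CUCM's implementation; all defaults are placeholders."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta


def _hash(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


class CredentialPolicy:
    def __init__(self, min_length=8, reuse_depth=5, max_failed=5,
                 failed_window=timedelta(minutes=5), lockout_duration=timedelta(minutes=30),
                 inactivity=timedelta(days=90), expiry=timedelta(days=180),
                 expiry_warning=timedelta(days=14), min_change_interval=timedelta(days=1),
                 user_may_change=True):
        self.min_length, self.reuse_depth = min_length, reuse_depth
        self.max_failed, self.failed_window = max_failed, failed_window
        self.lockout_duration, self.inactivity = lockout_duration, inactivity
        self.expiry, self.expiry_warning = expiry, expiry_warning
        self.min_change_interval, self.user_may_change = min_change_interval, user_may_change


class UserCredential:
    def __init__(self, user_id, policy, now):
        self.user_id, self.policy = user_id, policy
        self.history = []          # (salt, hash) pairs, newest last
        self.changed_at = None
        self.last_success = now
        self.failed = []           # timestamps of recent failed attempts
        self.locked_until = None
        self.admin_locked = False  # "Lockout by administrator"
        self.must_change = False   # "Force credential modification on next attempt"

    def is_trivial(self, secret):
        """Same as the user ID, one repeated character, or a straight run (abcdefgh, 87654321)."""
        s = secret.lower()
        if s == self.user_id.lower() or len(set(s)) == 1:
            return True
        steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
        return steps in ({1}, {-1})

    def set_secret(self, secret, now, by_admin=False):
        if not by_admin:
            if not self.policy.user_may_change:
                raise PermissionError("credential modification by user is disabled")
            if self.changed_at and now - self.changed_at < self.policy.min_change_interval:
                raise ValueError("changed too recently")
        if len(secret) < self.policy.min_length:
            raise ValueError("below minimum length")
        if self.is_trivial(secret):
            raise ValueError("trivial credential")
        for salt, digest in self.history[-self.policy.reuse_depth:]:
            if hmac.compare_digest(_hash(secret, salt), digest):
                raise ValueError("reuse within configured depth")
        salt = os.urandom(16)
        self.history.append((salt, _hash(secret, salt)))
        self.changed_at, self.must_change = now, False

    def authenticate(self, secret, now):
        if self.admin_locked:
            return "locked_by_admin"
        if self.locked_until and now < self.locked_until:
            return "locked"
        if now - self.last_success > self.policy.inactivity:
            return "locked_inactive"
        salt, digest = self.history[-1]
        if not hmac.compare_digest(_hash(secret, salt), digest):
            # Only failures inside the configured window count toward the lockout.
            self.failed = [t for t in self.failed if now - t <= self.policy.failed_window] + [now]
            if len(self.failed) >= self.policy.max_failed:
                self.locked_until, self.failed = now + self.policy.lockout_duration, []
                return "locked"
            return "denied"
        self.failed, self.last_success = [], now
        if self.must_change:
            return "change_required"
        age = now - self.changed_at
        if age > self.policy.expiry:
            return "expired"
        if age > self.policy.expiry - self.policy.expiry_warning:
            return "ok_expiring_soon"
        return "ok"


def rejected(user, secret, now):
    """True when the policy refuses the proposed credential."""
    try:
        user.set_secret(secret, now)
    except (ValueError, PermissionError):
        return True
    return False
```

A detail worth noticing in the model: the lockout decision is taken before the password is even checked, so a correct password presented during a lockout is still refused, which is what makes the failed-attempt limit effective against guessing.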
Unified Communications Manager Security
Encrypted Signaling & Media
• SIP & SCCP Phones
• SIP Video Endpoints
• MGCP, H.323, & SIP Trunks
• TAPI & JTAPI Applications
• Meet-me, ad-hoc, & barge Conferences
• Extension Mobility Cross-Cluster
• Intercluster Lookup Service (ILS)
• Location Bandwidth Manager (LBM)
Secure Interfaces & Protocols
• Web, CLI, CTI, & LDAP
• HTTPS, TLS, SRTP, SSH, SFTP, SLDAP, IPSec, TFTP
UCM Cluster Security Mode
• Non-Secure or Mixed
  • NOT On/Off
• Mixed Mode requirements:
  • Export Restricted version of UCM
  • CTL file
  • Configured via the Windows CTL Client or the ‘utils ctl set-cluster’ CLI
Unified Communications Manager Security: Require Mixed Mode
(The slide repeats the Encrypted Signaling & Media and Secure Interfaces & Protocols lists above and marks which of those features require Mixed Mode; the marks themselves are not recoverable from the extracted text.)
Cluster Security Mode: Feature Tradeoffs
Features compared between a Non-Secure Cluster and a Mixed Mode Cluster (the per-mode check marks are not recoverable from the extracted slide):
• Auto-registration* (new in 11.5: allowed in Mixed Mode)
• Signed & encrypted phone configs
• Signed phone firmware
• Secure phone services (HTTPS)
• CAPF + LSC
• IP VPN Phone
• Secure endpoints (TLS & SRTP)
Hardened Appliance Model
Why is CUCM considered a hardened platform?
• SELinux enforcing mode provides host-based intrusion protection
• iptables provides a host-based firewall
• Third-party software installations NOT allowed
• Root account disabled, no other uid=0 accounts
• OS and applications are installed from a single package
• All software updates must be signed packages from Cisco
• Secure management (HTTPS, SSH, SFTP)
• Audit logging
• Active & inactive partition architecture – easy to fall back if needed
Balancing Risk
Security measures grouped by cost, complexity, resources, performance, manpower and overhead:

Low (Easy or Default)                     | Medium (Moderate and Reasonable)       | High (Advanced or Not Integrated)
Hardened Platform                         | IP VPN Phone                           | UC-Aware Firewall (Inspection)
SELinux – Host Based Intrusion Protection | Secure Directory Integration (SLDAP)   | Phone Proxy
iptables – Integrated Host Firewall       | Encrypted Configuration                | IPsec
Signed Firmware & Configuration           | TLS & SRTP for Phones & Gateways       | Rate Limiting
HTTPS                                     | Trusted Relay Points (TRP)             | Managed VPN (Remote Worker)
Separate Voice & Data VLANs               | QoS Packet Marking                     | Network Anomaly Detection
STP, BPDU Guard, SmartPorts               | DHCP Snooping                          | Scavenger Class QoS
Basic Layer 3 ACLs (Stateless)            | Dynamic ARP Inspection                 | 802.1x & NAC
Phone Security Settings                   | IP Source Guard, Port Security         |
Eliminate Toll Fraud
How Do Our Customers Prevent Toll Fraud?
• Deny network access to unauthorized users
• Partitions and Calling Search Spaces provide dial plan segmentation and access control
• Device Pool “Calling Search Space for Auto-registration” limits access to the dial plan
• Employ time-of-day routing to deactivate segments of the dial plan after hours
• Require Forced Authentication Codes on route patterns to restrict access to long distance or internal calls
• “Drop Ad Hoc Conferences” (CallManager service parameter)
• “Block OffNet to OffNet Transfer” (CallManager service parameter)
• Monitor Call Detail Records
• Employ multilevel administration
• Voice gateways: Call Source Authentication (IOS 15.1(2) feature)
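Monitoring Call Detail Records is the control on this list that lets you verify the others after the fact. The following Python script is an added example, not Cisco code and not from the session; it scores a constructed CDR excerpt for the usual toll-fraud indicators: international calls after hours, bursts of international calls from one device, long international calls, and off-net callers reaching off-net international destinations (the hairpin that “Block OffNet to OffNet Transfer” prevents). The column names follow CUCM CDR field naming as assumed here; the outside-line access code, international prefix, extension length, business hours and thresholds are assumptions to tune per dial plan.

```python
"""Toll-fraud indicators over Unified CM Call Detail Records (CDRs).
Added example, not Cisco code: the CDR excerpt is constructed, the column
names follow CUCM CDR field names as assumed here, and every threshold
(business hours, prefixes, burst size) is a placeholder to tune per site."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed CDR excerpt. CUCM writes CDRs as CSV with epoch-second timestamps;
# the clock is taken as UTC here for simplicity.
SAMPLE_CDR = """\
callingPartyNumber,originalCalledPartyNumber,finalCalledPartyNumber,dateTimeOrigination,duration,origDeviceName
2001,92125550100,92125550100,1485442800,120,SEP001B54AABB01
2002,90114420790000,90114420790000,1485475200,30,SEP001B54AABB02
2002,90114420790001,90114420790001,1485475300,1900,SEP001B54AABB02
2002,90114420790002,90114420790002,1485475400,1750,SEP001B54AABB02
2002,90114420790003,90114420790003,1485475500,1800,SEP001B54AABB02
4155550123,90118860930000,90118860930000,1485478800,600,SIP-TRUNK-PSTN
2003,3004,3004,1485450000,45,SEP001B54AABB03
"""

OUTSIDE_ACCESS = "9"      # assumed outside-line access code
INTL_PREFIX = "011"       # NANP international access, after the access code (assumed)
EXTENSION_LEN = 4         # assumed internal extension length


def dialed_digits(number):
    """Strip the outside-line access code from an off-net dialed number."""
    if number.startswith(OUTSIDE_ACCESS) and len(number) > EXTENSION_LEN:
        return number[len(OUTSIDE_ACCESS):]
    return number


def is_international(number):
    return dialed_digits(number).startswith(INTL_PREFIX)


def is_internal(number):
    return number.isdigit() and len(number) == EXTENSION_LEN


def analyze(cdr_text, business_hours=(8, 18), burst_size=3, burst_window_s=600, long_call_s=1800):
    """Return findings as (rule, origDeviceName, callingPartyNumber, finalCalledPartyNumber)."""
    findings = []
    intl_times = defaultdict(list)
    for row in csv.DictReader(io.StringIO(cdr_text)):
        called = row["finalCalledPartyNumber"]
        if not is_international(called):
            continue
        device, caller = row["origDeviceName"], row["callingPartyNumber"]
        started = datetime.fromtimestamp(int(row["dateTimeOrigination"]), tz=timezone.utc)
        intl_times[device].append(started.timestamp())
        if not business_hours[0] <= started.hour < business_hours[1]:
            findings.append(("international_after_hours", device, caller, called))
        if int(row["duration"]) >= long_call_s:
            findings.append(("long_international_call", device, caller, called))
        if not is_internal(caller):
            # An off-net caller reaching an off-net international number: the hairpin
            # that the "Block OffNet to OffNet Transfer" service parameter stops.
            findings.append(("offnet_to_offnet", device, caller, called))
    # Burst: burst_size international calls from one device inside burst_window_s.
    for device, times in intl_times.items():
        times.sort()
        for i in range(len(times) - burst_size + 1):
            if times[i + burst_size - 1] - times[i] <= burst_window_s:
                findings.append(("international_burst", device, "*", "*"))
                break
    return findings


def summarize(findings):
    """Count findings per rule, the view a daily report would start from."""
    counts = defaultdict(int)
    for rule, *_ in findings:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_CDR):
        print(*finding)
    print(summarize(analyze(SAMPLE_CDR)))
```

Run against a real export, the same rules would be fed from the CDR Analysis and Reporting export or the CDR repository, and the thresholds tuned to the site's normal traffic before alerts go to anyone.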
Collaboration System Release 11.5 Security Update
CSR 11.5 – The Federal Space
Federal Certifications                         | Testing Agencies
Common Criteria                                | NIAP (NSA)
DoD Unified Capability Approved Products List  | JITC
Commercial Solutions for Classified            | NSA / CSS
FedRAMP                                        | 3PAO
Common Criteria Support – CUCM 11.0 Enhancement
• Accepted and supported by 26 countries worldwide via the Common Criteria Recognition Arrangement (CCRA)
• The following features have been added/modified in CUCM to meet certification requirements for SIP signaling and media:
  • Support for ECC (Elliptic Curve Cryptography) for CUCM certificates*. Software features that required modification to support ECC:
    • Self-signed certificates, certificate signing requests (CSR), certificate import and bulk certificate management
    • Certificate Trust List (CTL) and Initial Trust List (ITL)
    • SIP connections
    • CAPF (Certificate Authority Proxy Function)
    • CTI (Computer Telephony Integration)
  • Support for configuration download over a secure channel (HTTPS)
  • New entropy source and entropy management
  • Audit logging as outlined in the Network Device Protection Profile
  • Data Protection
* https://www.nsa.gov/business/programs/elliptic_curve.shtml – The certificate manager will support generating ECC certificates that have an EC key pair of 256, 384 or 521 bits.
CSR 11.5 – FIPS 140-2
• FIPS 186-4 Digital Signature Standards: DSA, RSA, ECDSA
• FIPS 180-4 Secure Hash Standards: SHA-1, SHA-256, SHA-384
• FIPS 197 Advanced Encryption Standard: AES-128, AES-256
• NIST SP 800-38 (A–F) AES Block Cipher Modes: CBC, CCM, GCM
• NIST SP 800-52 Selection, Configuration and Use of TLS Implementations
CSR 11.5 – Encryption Strengths
(Chart comparing the encryption strengths available in 11.0 and 11.5 against the NSA Secret and NSA Top Secret levels; the chart itself is not recoverable from the extracted text.)
CSR 11.5 – Robust Security
(Slide headed TOP SECRET; its content is not recoverable from the extracted text.)
Enhancements in 11.5
• Auto-registration allowed in mixed mode
• New ECDSA certificates for Tomcat and XMPP
• RSA key sizes increased to 4096 bits
• Configurable SHA2 (512) signed files from TFTP
• Authenticated UDS search
• Configurable form-based authentication for web applications
LSC Enhancements in 11.5
• Certificate Monitoring service monitors LSCs for expiry
• CCMAdmin / BAT “Find & List Phones” page allows search by
  • LSC expiration
  • LSC issued by
  • LSC issuer expires by
• Configurable LSC certificate expiry (CAPF service parameter)
• CAPF signs LSCs with the SHA2 hash algorithm
(For LSCs installed on 11.5 or later only)
LSC Expiration Visibility in UCM 11.5 Search & Reporting
Deploying and Handling Certificates & PKI in CUCM
PKI – Public Key Infrastructure
Consists of…
• Public + private keypair
  • Private key remains secret
  • Public key widely distributed
Allows for…
• Asymmetric key encryption
  • One-way encryption and decryption
• Symmetric key encryption
  • Public key exchange used to establish a shared secret between two parties
• Message encryption and authentication protocols
Types of Certificates
• Root CA certificate: a self-signed certificate used by a Certificate Authority to sign other certificates.
• Identity certificate: issued to a specific entity (a device) and signed or issued by a root CA and sometimes also by intermediate CAs.
• Intermediate CA certificate: signed by a Root CA and in turn able to sign other identity certificates.
What’s a Digital Certificate?
The slide draws the certificate as an ID card for “John Doe”; an X.509 certificate carries these fields:
• Version
• Serial Number
• Signature Algorithm
• Signature Hash Algorithm
• Issuer
• Valid From
• Valid To
• Subject Name
• Public Key
Example values from the slide: Serial Number 63542, Issued By Cisco Systems, Issued To John Doe, Validity May 4th, 2020.
Digital Certificates
• Digital passport
• Self-signed or CA-Signed
• Contains the owner’s public key
• Proves the identity of a public key’s owner
Certificate File Formats
Base-64 encoding (the PEM text form of a certificate):
-----BEGIN CERTIFICATE-----
MIIE2TCCA8GgAwIBAgIKamlnswAAAAAAAzANBgkqhkiG9w0BAQUFADA1MRYwFAYD…
-----END CERTIFICATE-----
CUCM Certificate Types
• CallManager / CallManager-EC
  • Used for TLS connections to the CallManager service (TCP port 5061 for SIP or 2002 for SCCP)
  • Signs TFTP files like configuration files, localization files, etc.
• CAPF
  • Used for TLS connections to the CAPF service (TCP port 3804)
  • Signer of the phones’ Locally Significant Certificates (LSC)
• Tomcat
  • Used for HTTPS connections from web services (TCP port 8443)
• TVS
  • Used for TLS connections to the TVS service (TCP port 2445)
Certificate Trust Stores
• CallManager service: CallManager, CallManager-trust
• Tomcat service: tomcat, tomcat-trust
• CAPF service: CAPF, CAPF-trust
CUCM Trust Certificate Management
High Level View of a Secure Connection Establishment
(Figure: CUCM and CUBE each ask “Do I trust this device?” and answer by checking the peer’s certificate against their own trust-store before the connection is established.)
Transport Layer Security (TLS)
• Client/server model: TLS Handshake and TLS Record Protocol
• Application protocol independent
• Uses asymmetric cryptography to authenticate peer identity
• Shared secret negotiation is secure and reliable
TLS connections in Wireshark
• Client: Entity initiating the connection
• Server: Entity receiving the connection
• Wireshark filters:
• ‘ssl’ – Only packets with SSL data
• ‘tcp.port == nnn’ – All TCP packets for the connection including SYN, ACK with no data
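Wireshark's ‘ssl’ filter matches on the TLS record header, and the Info column it shows (Client Hello, Server Hello, Certificate, Alert) comes from the handshake message types inside those records. The following Python decoder is an added example, not from the session and not Cisco code; it parses a TCP payload into TLS records the way the dissector labels them, pulls the SNI and offered cipher suites out of a ClientHello, and decodes alerts. The payload it reads is constructed in-line (a ClientHello for the assumed host name cucm-pub.example.com followed by a fatal alert) so it runs offline; the cipher-suite and handshake-type names are the IANA-registered ones.

```python
"""Decode the TLS records in a captured TCP payload the way Wireshark's
'ssl' dissector labels them: record type and version, handshake message
types, the SNI and cipher suites offered in a ClientHello, and alerts.
Added example, not from the session; the payload below is constructed
(a ClientHello followed by a fatal alert) so it runs offline."""
import struct

CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
                   13: "CertificateRequest", 14: "ServerHelloDone", 16: "ClientKeyExchange",
                   20: "Finished"}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
CIPHER_SUITES = {0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                 0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA"}


def parse_records(payload):
    """Split a TCP payload into TLS records (5-byte header: type, version, length)."""
    records, off = [], 0
    while off < len(payload):
        if len(payload) - off < 5:
            raise ValueError("truncated record header")
        ctype, ver, length = struct.unpack("!BHH", payload[off:off + 5])
        body = payload[off + 5:off + 5 + length]
        if len(body) < length:
            raise ValueError("truncated record body (reassemble the TCP stream first)")
        rec = {"type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"), "version": VERSIONS.get(ver, hex(ver))}
        if ctype == 22:
            rec["handshake"] = parse_handshake(body)
        elif ctype == 21 and length == 2:
            rec["alert"] = {"level": "fatal" if body[0] == 2 else "warning", "description": body[1]}
        records.append(rec)
        off += 5 + length
    return records


def parse_handshake(body):
    """One record may carry several handshake messages (4-byte header: type, 24-bit length)."""
    msgs, off = [], 0
    while off + 4 <= len(body):
        htype, hlen = body[off], int.from_bytes(body[off + 1:off + 4], "big")
        hbody = body[off + 4:off + 4 + hlen]
        msg = {"type": HANDSHAKE_TYPES.get(htype, f"unknown({htype})")}
        if htype == 1:
            msg.update(parse_client_hello(hbody))
        elif htype == 11:
            msg["certificates"] = parse_certificate_list(hbody)
        msgs.append(msg)
        off += 4 + hlen
    return msgs


def parse_client_hello(b):
    ver = struct.unpack("!H", b[:2])[0]
    off = 34                                   # client_version + 32-byte random
    off += 1 + b[off]                          # session_id
    cs_len = struct.unpack("!H", b[off:off + 2])[0]
    off += 2
    suites = [struct.unpack("!H", b[off + i:off + i + 2])[0] for i in range(0, cs_len, 2)]
    off += cs_len
    off += 1 + b[off]                          # compression methods
    sni = None
    if off + 2 <= len(b):                      # extensions are optional
        ext_len = struct.unpack("!H", b[off:off + 2])[0]
        off, end = off + 2, off + 2 + ext_len
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", b[off:off + 4])
            edata = b[off + 4:off + 4 + elen]
            off += 4 + elen
            if etype == 0 and len(edata) >= 5:   # server_name: list len, name type, name len, name
                name_len = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode("ascii", "replace")
    return {"client_version": VERSIONS.get(ver, hex(ver)),
            "cipher_suites": [CIPHER_SUITES.get(s, hex(s)) for s in suites], "sni": sni}


def parse_certificate_list(b):
    """Certificate message: 24-bit total length, then 24-bit-length-prefixed DER certs."""
    total, off, certs = int.from_bytes(b[:3], "big"), 3, []
    while off < 3 + total:
        clen = int.from_bytes(b[off:off + 3], "big")
        certs.append(b[off + 3:off + 3 + clen])
        off += 3 + clen
    return certs


def build_client_hello(server_name, suites):
    """Constructed ClientHello: record version TLS 1.0 carrying client_version TLS 1.2,
    the combination commonly seen in captures. The 32-byte random is zeroed here."""
    name = server_name.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list
    body = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"
            + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, 0x0301, len(hs)) + hs


def sample_payload():
    """Constructed capture: a ClientHello, then a fatal handshake_failure (40) alert."""
    alert = struct.pack("!BHH", 21, 0x0303, 2) + b"\x02\x28"
    return build_client_hello("cucm-pub.example.com", [0xC02F, 0xC030, 0x002F]) + alert


if __name__ == "__main__":
    for rec in parse_records(sample_payload()):
        print(rec)
```

Two things the decoder makes visible that matter when reading a CUCM or CUBE capture: the side that sends the ClientHello is the client regardless of which device you think of as the server, and a fatal alert right after the Certificate message is the usual symptom of a trust-store mismatch rather than a network problem. The decoder expects a reassembled stream, which is what the ‘tcp.port == nnn’ filter lets you follow.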
Certificates in Wireshark
Multi-Server Certificate Support: Simplify Certificate Management in Clustered Environments of UCM 10.5 and Later
• New option to share a single CA-signed certificate across all nodes in a cluster
• Each cluster node’s FQDN included as a Subject Alternative Name (SAN) in a single certificate; custom SANs can also be included
• Available for Unified CM (UCM + IM&P) and Unity Connection clusters
• Specifically for Tomcat, CallManager, CallManager-ECDSA, CUP-XMPP & CUP-XMPP-S2S certificate types
(Figure: one CA-signed multi-server Tomcat certificate covers the UCM nodes and IM&P nodes of the entire Unified CM cluster.)
Endpoint Certificates: Cryptographically Assured Device Identity
• Manufacturing Installed Certificate (MIC)
  • Installed in the factory for Cisco IP Phones
  • Valid for 10 years
  • No certificate revocation support
• Locally Significant Certificate (LSC)
  • Preferred certificate for endpoint identity
  • Endpoint support includes IP Phones, TelePresence, Jabber clients, CIPC
  • LSC signed by the CAPF service running on the UCM Publisher
  • LSC supports the same RSA and EC key sizes as Unified CM
  • LSCs can be installed, re-issued and deleted in bulk with the UCM Bulk Admin Tool
  • LSC signed by CAPF is valid for 5 years, configurable in UCM 11.5
  • Paper process required to track certificate expiration prior to UCM 11.5
(Illustrated with the 8811, 8841, 8851 and 8861 phone models.)
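The “paper process” for LSC expiry noted above is exactly what the 11.5 Find & List Phones searches (LSC expiration, LSC issued by, LSC issuer expires by) replace. The following Python example is added here and is not Cisco code or from the session; it implements those three searches over a constructed LSC inventory and derives an LSC's expiry from its issue date using the 5-year default. Device names, issuer names and dates are constructed, and the inventory layout is an assumption about how such an export would be kept.

```python
"""LSC expiry reporting, covering the three searches UCM 11.5 adds (LSC
expiration, LSC issued by, LSC issuer expires by) over a constructed
inventory, which is the tracking earlier releases left to a spreadsheet.
Added example, not Cisco code; all rows are constructed."""
from datetime import date, timedelta

# Constructed inventory: one row per endpoint LSC. The issuer's own expiry
# matters because once the CAPF certificate that signed an LSC expires, the
# LSC no longer chains to a valid issuer and the phone needs a new one.
INVENTORY = [
    {"device": "SEP001B54AABB01", "issuer": "CAPF-abc123", "lsc_not_after": "2017-03-01", "issuer_not_after": "2021-06-30"},
    {"device": "SEP001B54AABB02", "issuer": "CAPF-abc123", "lsc_not_after": "2016-12-31", "issuer_not_after": "2021-06-30"},
    {"device": "SEP001B54AABB03", "issuer": "CAPF-abc123", "lsc_not_after": "2021-01-26", "issuer_not_after": "2021-06-30"},
    {"device": "SEP001B54AABB04", "issuer": "CAPF-old999", "lsc_not_after": "2019-05-01", "issuer_not_after": "2017-06-30"},
    {"device": "CSFJDOE",         "issuer": "CAPF-abc123", "lsc_not_after": "2017-04-20", "issuer_not_after": "2021-06-30"},
]


def _d(iso):
    return date.fromisoformat(iso)


def lsc_not_after(issued_on, validity_years=5):
    """Expiry of an LSC from its issue date: 5 years by default, configurable in 11.5."""
    try:
        return issued_on.replace(year=issued_on.year + validity_years)
    except ValueError:  # issued on 29 February
        return issued_on.replace(year=issued_on.year + validity_years, day=28)


def lsc_expired(inventory, as_of):
    return sorted(r["device"] for r in inventory if _d(r["lsc_not_after"]) < as_of)


def lsc_expiring_within(inventory, as_of, days):
    """Search by LSC expiration: certificates that expire in the next `days` days."""
    cutoff = as_of + timedelta(days=days)
    return sorted(r["device"] for r in inventory if as_of <= _d(r["lsc_not_after"]) <= cutoff)


def lsc_issued_by(inventory, issuer):
    """Search by LSC issued by: every phone whose LSC was signed by the given CAPF certificate."""
    return sorted(r["device"] for r in inventory if r["issuer"] == issuer)


def lsc_issuer_expires_by(inventory, by_date):
    """Search by LSC issuer expires by: phones whose issuing certificate expires on or before by_date."""
    return sorted(r["device"] for r in inventory if _d(r["issuer_not_after"]) <= by_date)


def report(inventory, as_of, warn_days=90):
    """The daily view: already expired, expiring soon, and issuer rolling within a year."""
    return {
        "expired": lsc_expired(inventory, as_of),
        f"expiring_within_{warn_days}_days": lsc_expiring_within(inventory, as_of, warn_days),
        "issuer_expiring_within_year": lsc_issuer_expires_by(inventory, as_of + timedelta(days=365)),
    }


if __name__ == "__main__":
    for key, devices in report(INVENTORY, date(2017, 1, 26)).items():
        print(f"{key}: {devices}")
```

The issuer search is the one most often skipped in a manual process: a phone whose LSC is years from expiry still needs re-enrollment before its CAPF certificate rolls, so the two dates have to be tracked together.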
LSC Revocation Catered for in CUCM 10.X
• Historic elephant in the room: prior to release 10, what happened if a phone was lost or stolen?
• Offline CA Mode
  • CUCM still can’t revoke an LSC, but the CA can!
(Figure: in Offline CA Mode CAPF sends (1) the LSC CSR to the external CA and receives (2) the CA-signed LSC; the CA can later mark LSC serial no. XXXX as revoked. ISE is also shown in the figure.)
Certificate Trust List (CTL)
CTL provides a trust mechanism for Cisco endpoints
• Enabling Mixed Mode to support encrypted signaling and media requires a CTL
• Minimum of 2 USB secure tokens required, KEY-CCM-ADMIN-K9= or the newer KEY-CCM-ADMIN2-K9=
• The CTL client produces the Certificate Trust List (CTL) file and uploads it to CUCM TFTP
• Download the CTL Client from CUCM Admin and install it on a Windows workstation
• The CTL file is downloaded by endpoints and is the basis for endpoint certificate trust
Certificate Trust List (CTL): New Token-less CTL Option
• Unified CM 10.0 supports two different methods of building the CTL
  • Classic CTL client, minimum 2 USB tokens required
  • New token-less CTL
• Token-less CTL is activated with an admin CLI command (publisher only):
  • utils ctl set-cluster mixed-mode
• The CallManager certificate private key is used to sign the CTL, rather than the USB token
  • DRS backup !!!
• Other CTL CLI commands include
  • utils ctl update CTLFile
  • utils ctl set-cluster non-secure-mode
Initial Trust List (ITL): Security by Default Component
• Unlike the CTL file, the ITL file is built automatically when the cluster is installed or upgraded to 8.0+
• Downloaded by phones at boot or reset, after the CTL file
• Has the same format as the CTL file
• Does not require eTokens; uses a soft eToken (the CallManager certificate private key)
• Static and dynamic ITL files are built: ITLFile.tlv and ITLSEP<MAC>.tlv
Trust Verification Service: Security by Default Component
• Trust Verification Service (TVS) runs on each CUCM server and authenticates certificates on behalf of the phone
• Provides scale for endpoint trusted certificates
• Instead of downloading all the trusted certificates, phones need only trust TVS
• Up to 3 TVS per phone (primary, secondary and tertiary, from the CallManager Group)
• Not supported when the phone fails over to SRST
• TVS relies on SBD being enabled and the correct TVS certificate being in the endpoint’s ITL file
Managing Security by Default (SBD): ITL File Awareness
• ITL file is built by the TFTP service in UCM 8.6+
• TVS service built the ITL file in UCM 8.0 & 8.5
• Each node running TFTP creates a unique ITL
• ITL file is rebuilt when:
  • TFTP service restarts
  • Any certificate inside the ITL changes
  • CallManager Group changes
• IP Phones automatically reset on certificate change (8.6+)
• ITL signature should always match on endpoint and TFTP server
Securing the Edge with CUBE/SBC
Why does an Enterprise need an SBC?
• Session Control: Call Admission Control, trunk routing, ensuring QoS, statistics and billing, redundancy/scalability
• Interworking: SIP–SIP, H.323–SIP, SIP normalization, DTMF interworking, transcoding, codec filtering
• Demarcation: fault isolation, topology hiding, network borders, L5/L7 protocol demarcation
• Security: encryption, authentication, registration, SIP protection, voice policy, firewall placement, toll fraud
(Figure: Enterprise 1 and Enterprise 2 each place a CUBE at their IP border and exchange SIP and rich media (real-time voice, video, screen share, etc.) across the IP network.)
Cisco Unified Border Element: An Integrated Network Infrastructure Service
• CUBE (SBC functions): address hiding, H.323 and SIP interworking, DTMF interworking, SIP security, transcoding
  Note: An SBC appliance would have only these features
• Other services integrated on the same router: VXML, SRST, Unified CM conferencing and transcoding, IP routing & MPLS, WAN & LAN physical interfaces, voice policy, TDM gateway, PSTN backup, FW, IPS, QoS
  Note: Some features/components may require additional licensing
CUBE Call Processing
• Actively involved in the call treatment, signaling and media streams
• SIP B2B User Agent: signaling is terminated, interpreted and re-originated
• Provides full inspection of signaling, and protection against malformed and malicious packets
• Media is handled in two different modes:
  • Media Flow-Through: signaling and media terminated by the Cisco Unified Border Element; transcoding and complete IP address hiding require this model
  • Media Flow-Around: signaling terminated by the Cisco Unified Border Element, media bypasses it
• Digital Signal Processors (DSPs) are required for transcoding (calls with dissimilar codecs)
Transitioning to SIP Trunking...
Re-purpose your existing Cisco voice gateways as Session Border Controllers
• BEFORE: high-density dedicated gateways at the enterprise campus connect the TDM PBX to the PSTN; branch offices (SRST, CME) reach the campus over MPLS; signaling is SIP/H.323/MGCP
• AFTER: SIP trunks to the IP PSTN terminate on a CUBE pair with high availability (active/standby) at the campus; the PSTN is now used only for emergency calls over FXO lines
Steps to transitioning...
• Step 1 – Configure the IP PBX to route all calls (HQ and branch offices) to the edge SBC
• Step 2 – Get SIP trunk details from the provider
• Step 3 – Enable the CUBE application on Cisco routers
• Step 4 – Configure call routing on CUBE (incoming & outgoing dial-peers)
• Step 5 – Normalize SIP messages to meet the SIP trunk provider’s requirements
• Step 6 – Execute the test plan
(Figure: the target topology: a SIP trunk to the IP PSTN on an active/standby CUBE pair at the campus, branch offices (SRST, CME) over MPLS, and the PSTN retained only for emergency calls over FXO lines.)
Cisco Session Management & CUBE: Essential Elements for Collaboration
• CUBE provides session border control between IP networks
  • Demarcation
  • Interworking
  • Session control
  • Security
• Cisco SME centralizes network control
  • Centralizes dial plan
  • Centralized applications
  • Aggregates PBXs
(Figure: Cisco Session Management at the center aggregates video, mobile, 3rd-party IP PBX, TDM PBX, and IM, Presence and voicemail; CUBE sits between it and the SIP trunk and Cisco B2B.)
CUBE Deployment Scenarios
• SIP Trunks for PSTN Access: SIP or H.323 from the enterprise, a SIP trunk to the SP VoIP services SBC, TDM alongside
• Network-based Media Recording Solution: CUBE sends SIP and RTP to MediaSense or a partner API recording platform
• Extending to Video and High Availability for Audio Calls: active/standby CUBE pair toward the SP IP network SBC
• IVR Integration for Contact Centers: CUBE with CVP vXML Server and Media Server toward the SP IP network SBC
• Business to Business Telepresence: CUBE to the SP IP network SBC over SIP
Cisco Product Security
Cisco PSIRT Has Your Back
Product Security Incident Response Team (PSIRT) – www.cisco.com/go/psirt
• Dedicated, global team managing security vulnerability information related to Cisco products and networks
• Responsible for Cisco Security Advisories, Responses and Notices
• Interfaces with security researchers and hackers
• Assists Cisco product teams in securing products
• Subscribe (RSS or email) to the Cisco notification service
Product Security Awareness
• Subscribe/Monitor PSIRT security advisories, responses and notices
• Consult advisory details to understand impact, workarounds, and other details
• Reference linked Cisco Applied Mitigation Bulletins (AMB) when available
• Make preparations to patch systems via upgrade or COP files
• Verify DRS backups available before patching critical systems