Security Best Practices for Cisco CME
Cisco IPC Express provides integrated IP communications on Cisco IOS routers. Therefore, the same security best practices recommended for all Cisco IOS voice-enabled routers also apply to Cisco CME. In addition, you should implement Cisco CME-specific security practices to provide additional security protection.
This section explains how you can set up the Cisco CME using the CLI to prevent users from intentionally or accidentally gaining system-level control from the GUI as well as local or remote CLI access.
Securing GUI Access
A Cisco IOS router authenticates an administrator CLI login against the enable password only, and the default setting for HTTP access is ip http authentication enable. If the system administrator, customer administrator, or phone user has the same password as the router's enable password, he or she can gain level 15 EXEC privilege access to Cisco IOS via HTTP. A normal IP phone user can then accidentally change the Cisco CME configuration, erase Flash, or reload the router when logging on to this URL:
http://cme-ip-address/
You should configure the following commands for Cisco CME to use AAA or local authentication to prevent a normal user from gaining access to the enable password and therefore having access to the system administrator page:
ip http authentication aaa or ip http authentication local
Note
Note that AAA authentication is applied only to the system administrator login. Local authentication, which is clear-text-based, is applied to both the customer administrator and phone user logins.
Using HTTPS for Cisco CME GUI Management
HTTP over SSL (HTTPS) provides Secure Socket Layer (SSL) version 3.0 support for the HTTP 1.1 server and HTTP 1.1 client within Cisco IOS software. SSL provides server authentication, encryption, and message integrity to allow secure HTTP communications. SSL also provides HTTP client authentication. This feature is supported only in Cisco IOS software images that include the SSL feature. Specifically, SSL is supported in the Advanced Security, Advanced IP Services, and Advanced Enterprise Services images. Use the Advanced IP Services or Advanced Enterprise Services Cisco IOS images to get both the Cisco CME and SSL features.
Currently IP phones do not serve as HTTPS clients. If HTTPS is enabled on the Cisco CME router, IP phones still attempt to connect to HTTP using port 80. Because the SSL default port is 443, the phones cannot display local directory and system speed dials. IP phones using HTTP can work with a system configured for SSL by enabling both HTTP and HTTPS, as shown in Example 14-19.
Example 14-19. Enabling HTTP Secure Server Sample Configuration
router#show running-config
ip http server
ip http secure-server
ip http secure-port port_number    !if https port is changed from default 443
ip http authentication {aaa | tacacs | local}
Use the following command to generate an RSA usage key pair with a length of 1024 bits or greater:
crypto key generate rsa usage 1024
If you do not generate an RSA usage key pair manually, an RSA usage key pair with a length of 768 bits is generated automatically when you connect to the HTTPS server for the first time. These auto-generated RSA keys are not saved to the startup configuration; therefore, they are lost when the device is rebooted unless you save the configuration manually. For more information on RSA, refer to Cisco IOS documentation on Cisco.com.
You should obtain an X.509 digital certificate with digital signature capabilities for the device from a certification authority (CA). If you do not obtain a digital certificate in advance, the device creates a self-signed digital certificate to authenticate itself.
If you change the device host name after obtaining a device digital certificate, HTTPS connections to the device fail because the host name does not match the host name specified in the digital certificate. Obtain a new device digital certificate using the new host name to fix this problem.
The ip http secure-server command prevents clear-text passwords from traveling across the network when a Cisco CME administrator logs into the Cisco CME GUI. However, communications between the phone and router remain in clear text.
The following are the suggested best practices for using HTTP interactive access to the Cisco CME router:
- Use the ip http access-class command to allow only specified IP addresses to access the Cisco CME GUI, thus restricting unwanted IP packets from connecting to Cisco CME.
- Use the ip http authentication command with a central TACACS+ or RADIUS server for authentication purposes. Configuring authentication for the HTTP and HTTPS servers adds security to communication between clients and the HTTP and HTTPS servers on the device.
- Do not use the router enable password as a Cisco CME login password (to prevent a regular user from gaining administrator privileges).
Setting Local and Remote System Access
When in EXEC mode, the configure terminal and telephony-service commands take a user into Cisco CME configuration mode. The show running-config and show telephony-service commands show all registered phones and users, extension numbers, usernames, and passwords for Cisco CME GUI access. So the first step to security control is at the system access level. Password encryption, user authentication, and command auditing are all critical to prevent security breaches.
Using the enable secret Command
The enable password is shown in clear text by default. To provide access control to EXEC mode on the router, use the enable secret command to encrypt the enable password, as shown in Example 14-20.
Example 14-20. Enable Secret
router#show running-config
service password-encryption
enable secret
no enable password
Restricting Access to tty
You can restrict which users and locations can Telnet to the router through its terminal (tty) or virtual terminal (vty) lines. Define and apply an access list that permits or denies remote Telnet sessions to your Cisco CME router, as shown in Example 14-21.
Example 14-21. Restricting Access to vty
router#show running-config
line vty 0 4
 access-class 10 in
access-list 10 permit 10.1.1.0 0.0.0.255
Using AAA to Secure Access
Example 14-22 shows how to use AAA for login and command auditing.
Example 14-22. Using AAA for Login and Command Auditing
router#show running-config
aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication enable default tacacs+ enable
aaa accounting exec start-stop tacacs+
aaa accounting exec start-stop tacacs+
!
ip tacacs source-interface Loopback0
tacacs-server host 215.17.1.2
tacacs-server host 215.17.34.10
tacacs-server key CKr3t#

Sample command log:
Wed Jun 25 03:46:47 1997 172.16.25.15 fgeorge tty3 5622329430/4327528 stop task_id=3 service=shell priv-lvl=1 cmd=show version
Wed Jun 25 03:46:58 1997 172.16.25.15 fgeorge tty3 5622329430/4327528 stop task_id=4 service=shell priv-lvl=1 cmd=show interfaces Ethernet 0
Wed Jun 25 03:47:03 1997 172.16.25.15 fgeorge tty3 5622329430/4327528 stop task_id=5 service=shell priv-lvl=1 cmd=show ip route
When the AAA server cannot be reached in the network, the router should always require login, as shown in Example 14-23.
Example 14-23. Using a User Account on the Router
router#show running-config
username joe password 7 045802150C2E
username jim password 7 0317B21895FE
!
line vty 0 4
 login local
Configuring SSH Access
Example 14-24 shows you how to configure secure shell (SSH) access on your Cisco CME router.
Example 14-24. Configuring SSH
router(config)#crypto key generate rsa
router(config)#line vty 0 4
router(config-line)#transport input telnet ssh
Using ACLs for SNMP Access
You might use access control lists (ACLs) to permit or deny SNMP access, as shown in Example 14-25.
Example 14-25. Using ACLs for SNMP Access
router#show running-config
access-list 10 remark SNMP filter
access-list 10 permit 10.1.1.0 0.0.0.255
snmp-server community changeme-rw RW 10
snmp-server community changeme-ro RO 10
Change the community strings to words different from read and write, because these are two common community strings for read and write access, respectively.
Disabling CDP
Cisco Discovery Protocol (CDP) automatically discovers the neighboring network devices that also support CDP. In an untrusted domain, disable CDP so that Cisco CME routers do not automatically show up in the CDP tables of other devices. This is shown in Example 14-26.
Example 14-26. Disabling CDP
router#show running-config
no cdp run
!If cdp is needed then consider disabling cdp on a per interface basis.
interface FastEthernet0/0
 no cdp enable
Configuring COR for Incoming and Outgoing Calls
One of the ways to restrict unauthorized incoming and outgoing calls is to use the class of restriction (COR) commands. The configuration shown in Example 14-27 defines two groups of users: user and superuser. Superuser is allowed to make any calls, including local, long-distance, 411 directory lookup, and 911 calls. User is restricted from making 900, 411, and international calls.
Example 14-27. Configuring COR for Toll Fraud
router#show running-config
dial-peer cor custom
 name 911
 name 1800
 name local-call
 name ld-call
 name 411
 name int-call
 name 1900
!
dial-peer cor list call911
 member 911
!
dial-peer cor list call1800
 member 1800
!
dial-peer cor list calllocal
 member local-call
!
dial-peer cor list callint
 member int-call
!
dial-peer cor list callld
 member ld-call
!
dial-peer cor list call411
 member 411
!
dial-peer cor list call1900
 member 1900
!
dial-peer cor list user
 member 911
 member 1800
 member local-call
 member ld-call
!
dial-peer cor list superuser
 member 911
 member 1800
 member local-call
 member ld-call
 member 411
 member int-call
 member 1900
!
dial-peer voice 9 pots
 corlist outgoing callld
 destination-pattern 91..........
 port 1/0
 prefix 1
!
dial-peer voice 911 pots
 corlist outgoing call911
 destination-pattern 9911
 port 1/0
 prefix 911
!
dial-peer voice 11 pots
 corlist outgoing callint
 destination-pattern 9011T
 port 2/0
 prefix 011
!
dial-peer voice 732 pots
 corlist outgoing calllocal
 destination-pattern 9732.......
 port 1/0
 prefix 732
!
dial-peer voice 800 pots
 corlist outgoing call1800
 destination-pattern 91800.......
 port 1/0
 prefix 1800
!
dial-peer voice 802 pots
 corlist outgoing call1800
 destination-pattern 91877.......
 port 1/0
 prefix 1877
!
dial-peer voice 805 pots
 corlist outgoing call1800
 destination-pattern 91888.......
 port 1/0
 prefix 1888
!
dial-peer voice 411 pots
 corlist outgoing call411
 destination-pattern 9411
 port 1/0
 prefix 411
!
dial-peer voice 806 pots
 corlist outgoing call1800
 destination-pattern 91866.......
 port 1/0
 prefix 1866
!
ephone-dn 1
 number 2000
 cor incoming user
!
ephone-dn 2
 number 2001
 cor incoming superuser
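To make the COR rule in Example 14-27 concrete, the following Python script (an added example, not code from the book or from Cisco IOS) parses a shortened, constructed copy of the example's COR lists, outbound dial-peers and ephone-dns, selects the dial-peer for a dialed string, and applies the rule that a call passes only when every member of the outgoing dial-peer's COR list is also in the caller's incoming COR list (no list on either side means no restriction). The dial-peer selection is a simplification of IOS matching: "." is one digit, a trailing "T" is any further digits, and the candidate with the most explicit digits wins.

```python
import re

# Constructed, shortened excerpt of Example 14-27 in IOS running-config syntax
# (the 911, 1800 and local-call dial-peers are left out for brevity).
COR_CONFIG = """\
dial-peer cor list user
 member 911
 member 1800
 member local-call
 member ld-call
!
dial-peer cor list superuser
 member 911
 member 1800
 member local-call
 member ld-call
 member 411
 member int-call
 member 1900
!
dial-peer cor list callld
 member ld-call
!
dial-peer cor list callint
 member int-call
!
dial-peer voice 9 pots
 corlist outgoing callld
 destination-pattern 91..........
!
dial-peer voice 11 pots
 corlist outgoing callint
 destination-pattern 9011T
!
ephone-dn 1
 number 2000
 cor incoming user
!
ephone-dn 2
 number 2001
 cor incoming superuser
"""


def sections(config):
    """Yield (header_words, [subcommand_words]) per column-0 block; '!' separators are skipped."""
    header, body = None, []
    for line in config.splitlines():
        if not line.strip() or line.startswith('!'):
            continue
        if line.startswith(' '):
            body.append(line.split())
            continue
        if header:
            yield header, body
        header, body = line.split(), []
    if header:
        yield header, body


def load(config):
    """Build {cor_list: members}, [(peer_tag, pattern, outgoing_cor)], {extension: incoming_cor}."""
    cor_lists, peers, dns = {}, [], {}
    for h, body in sections(config):
        if h[:3] == ['dial-peer', 'cor', 'list']:
            cor_lists[h[3]] = {w[1] for w in body if w[0] == 'member'}
        elif h[:2] == ['dial-peer', 'voice']:
            sub = {w[0]: w[-1] for w in body}  # 'corlist' -> list name, 'destination-pattern' -> pattern
            peers.append((h[2], sub.get('destination-pattern'), sub.get('corlist')))
        elif h[0] == 'ephone-dn':
            sub = {w[0]: w[-1] for w in body}  # 'number' -> extension, 'cor' -> incoming list name
            dns[sub['number']] = sub.get('cor')
    return cor_lists, peers, dns


def best_peer(peers, digits):
    """Dial-peer whose destination-pattern matches with the most explicit digits (simplified IOS rule)."""
    def rx(p):
        return ''.join(r'\d' if c == '.' else r'\d*' if c == 'T' else re.escape(c) for c in p) + '$'
    hits = [p for p in peers if re.match(rx(p[1]), digits)]
    return max(hits, key=lambda p: sum(c.isdigit() for c in p[1]), default=None)


def call_permitted(cfg, caller, digits):
    """Return (allowed, reason) for extension `caller` dialing `digits` under COR."""
    cor_lists, peers, dns = cfg
    peer = best_peer(peers, digits)
    if peer is None:
        return False, 'no dial-peer matches the dialed digits'
    tag, _, outgoing = peer
    incoming = dns.get(caller)
    # COR rule: no list on either side means no restriction; otherwise every
    # member of the outgoing dial-peer's list must appear in the caller's list.
    if incoming is None or outgoing is None:
        return True, f'dial-peer {tag} (no COR restriction)'
    missing = cor_lists[outgoing] - cor_lists[incoming]
    if missing:
        return False, f'dial-peer {tag} needs COR {sorted(missing)}'
    return True, f'dial-peer {tag}'


CFG = load(COR_CONFIG)

if __name__ == '__main__':
    for caller, digits in [('2000', '912125551212'), ('2000', '901144207946000'), ('2001', '901144207946000')]:
        print(caller, '->', digits, call_permitted(CFG, caller, digits))
```

Running it shows extension 2000 (COR list user) completing a long-distance call but failing the 9011 international peer because int-call is missing from its list, while 2001 (superuser) passes both.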
Restricting Outgoing Calling Patterns
You might use the after-hours block command to restrict incoming or outgoing calls after certain hours. You can also use after-hours blocking to restrict calls to numbers or area codes known to be fraudulent calling patterns. The commands shown in Example 14-28 block all calls at all times for patterns 2 to 6. Pattern 7 is blocked only during the configured after-hours period.
Example 14-28. Using After-Hours Blocking to Restrict Outgoing Calling Patterns
router#show running-config
telephony-service
 after-hours block pattern 2 .1264 7-24
 after-hours block pattern 3 .1268 7-24
 after-hours block pattern 4 .1246 7-24
 after-hours block pattern 5 .1441 7-24
 after-hours block pattern 6 .1284 7-24
 after-hours block pattern 7 9011
 after-hours day Sun 19:00 07:00
 after-hours day Mon 19:00 07:00
 after-hours day Tue 19:00 07:00
 after-hours day Wed 19:00 07:00
 after-hours day Thu 19:00 07:00
 after-hours day Fri 19:00 07:00
 after-hours day Sat 19:00 07:00
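The following Python script is an added example (not code from the book or from Cisco IOS) that evaluates Example 14-28 the way the text describes it: patterns marked 7-24 block at all times, pattern 7 blocks only inside the configured after-hours windows, and a window whose stop time is earlier than its start (19:00 07:00) is taken to wrap past midnight into the next day. It assumes that a block pattern is matched as a prefix of the dialed digits with "." standing for any single digit; the config text is a constructed copy of the example.

```python
import re
from datetime import datetime

# Constructed copy of the telephony-service block from Example 14-28.
AFTER_HOURS_CONFIG = """\
telephony-service
 after-hours block pattern 2 .1264 7-24
 after-hours block pattern 3 .1268 7-24
 after-hours block pattern 4 .1246 7-24
 after-hours block pattern 5 .1441 7-24
 after-hours block pattern 6 .1284 7-24
 after-hours block pattern 7 9011
 after-hours day Sun 19:00 07:00
 after-hours day Mon 19:00 07:00
 after-hours day Tue 19:00 07:00
 after-hours day Wed 19:00 07:00
 after-hours day Thu 19:00 07:00
 after-hours day Fri 19:00 07:00
 after-hours day Sat 19:00 07:00
"""

DAYS = ['Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat', 'Sun']  # datetime.weekday() order


def parse_after_hours(config):
    """Return ([(tag, pattern, always)], {day: (start_min, stop_min)}) from the config text."""
    patterns, windows = [], {}
    for line in config.splitlines():
        w = line.split()
        if w[:3] == ['after-hours', 'block', 'pattern']:
            patterns.append((int(w[3]), w[4], '7-24' in w[5:]))
        elif w[:2] == ['after-hours', 'day']:
            start, stop = (int(t[:2]) * 60 + int(t[3:]) for t in w[3:5])  # HH:MM -> minutes
            windows[w[2]] = (start, stop)
    return patterns, windows


def in_after_hours(windows, when):
    """True when `when` lies inside a window; stop < start wraps into the next day."""
    now = when.hour * 60 + when.minute
    today, yesterday = DAYS[when.weekday()], DAYS[when.weekday() - 1]
    if today in windows:
        start, stop = windows[today]
        if (start <= stop and start <= now < stop) or (start > stop and now >= start):
            return True
    if yesterday in windows:  # tail of yesterday's wrapped window
        start, stop = windows[yesterday]
        if start > stop and now < stop:
            return True
    return False


def blocked_by(patterns, windows, digits, when):
    """Tag of the first pattern that blocks `digits` at `when`, or None if the call is allowed."""
    after_hours = in_after_hours(windows, when)
    for tag, pattern, always in patterns:
        regex = ''.join(r'\d' if c == '.' else re.escape(c) for c in pattern)
        if re.match(regex, digits) and (always or after_hours):  # prefix match (assumed)
            return tag
    return None


PATTERNS, WINDOWS = parse_after_hours(AFTER_HOURS_CONFIG)


def check_call(digits, when_iso):
    """Convenience wrapper: ISO timestamp in, blocking pattern tag (or None) out."""
    return blocked_by(PATTERNS, WINDOWS, digits, datetime.fromisoformat(when_iso))


if __name__ == '__main__':
    for digits, when in [('912645551234', '2024-01-02T12:00'),   # 7-24 pattern, blocked at noon
                         ('901144207946000', '2024-01-02T12:00'),  # international, business hours
                         ('901144207946000', '2024-01-03T03:00')]:  # 03:00 Wed, inside Tue's window
        tag = check_call(digits, when)
        print(digits, when, f'blocked by pattern {tag}' if tag else 'allowed')
```

The 03:00 Wednesday case is the one worth checking by hand: it is not inside Wednesday's own 19:00 start, so the code has to look back at Tuesday's window that wrapped past midnight.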
Configuring IP Phone Registration Control
You should configure Cisco CME to allow only IP phones in a trusted domain to register. Assuming that the local LAN segment is a trusted domain, use the strict-match option on the ip source-address command so that only locally attached IP phones can register to the Cisco CME router and receive IP telephony services:
router(config-telephony)#ip source-address 1.1.1.1 port 2000 strict-match
Block port TCP 2000 access from the WAN or Internet side to prevent external SCCP phones from registering with the Cisco CME system. Use the following ACL to block TCP port 2000 access from WAN or Internet interfaces:
router(config)#access-list 101 deny tcp any any eq 2000
Note
Unknown phones or phones that are not configured in Cisco CME are allowed to register with Cisco CME by default for ease of management, but they do not get dial tone until you configure them by associating the buttons with ephone-dns or by configuring auto assign dns under telephony-service.
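The CLI settings recommended from "Securing GUI Access" through "Configuring IP Phone Registration Control" can be verified from a saved copy of show running-config. The Python script below is an added example (not code from the book or from Cisco) that audits a configuration text for those settings: HTTP authentication that is aaa or local rather than enable, ip http secure-server and ip http access-class, enable secret with no enable password, service password-encryption, vty access-class, login and SSH transport, SNMP communities that carry an ACL and are not well-known strings, no cdp run, strict-match on ip source-address, and an ACL denying TCP 2000. Both configurations in the block are constructed samples, the hash in the enable secret line is a placeholder, and public/private are included alongside the read/write strings named in the text as well-known SNMP defaults.

```python
import re

# Constructed sample that follows the best practices on this page (placeholder secret hash).
HARDENED = """\
service password-encryption
enable secret 5 $1$PLACEHOLDER$notarealhash
aaa new-model
aaa authentication login default tacacs+ enable
ip http server
ip http secure-server
ip http access-class 20
ip http authentication aaa
no cdp run
access-list 10 remark SNMP filter
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 101 deny tcp any any eq 2000
snmp-server community s3cr3t-ro RO 10
telephony-service
 ip source-address 1.1.1.1 port 2000 strict-match
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
"""

# Constructed sample that violates most of them.
WEAK = """\
enable password cisco
ip http server
ip http authentication enable
snmp-server community read RO
snmp-server community write RW
telephony-service
 ip source-address 1.1.1.1 port 2000
line vty 0 4
 transport input telnet
"""

WELL_KNOWN_COMMUNITIES = {'read', 'write', 'public', 'private'}


def block(config, header):
    """Indented sub-commands of the first block whose header line starts with `header`."""
    m = re.search(r'^' + re.escape(header) + r'.*\n((?: .*\n?)*)', config, re.M)
    return [l.strip() for l in m.group(1).splitlines()] if m else []


def audit(config):
    """Return a list of findings; an empty list means every check on this page passed."""
    findings = []
    top = [l for l in config.splitlines() if l and not l.startswith(' ')]  # global commands only

    def has(prefix):
        return any(l.startswith(prefix) for l in top)

    if has('ip http server') or has('ip http secure-server'):  # Securing GUI Access
        if not (has('ip http authentication aaa') or has('ip http authentication local')):
            findings.append('HTTP authentication is not aaa/local; enable password exposed to GUI users')
        if not has('ip http secure-server'):
            findings.append('ip http secure-server not enabled; GUI logins travel in clear text')
        if not has('ip http access-class'):
            findings.append('no ip http access-class restricting GUI clients')
    if not has('enable secret'):                     # Using the enable secret Command
        findings.append('enable secret not configured')
    if has('enable password'):
        findings.append('enable password present; remove it (no enable password)')
    if not has('service password-encryption'):
        findings.append('service password-encryption not enabled')
    vty = block(config, 'line vty')                  # Restricting Access to tty / SSH
    if not any(l.startswith('access-class') for l in vty):
        findings.append('vty lines have no access-class')
    if not any(l.startswith('login') for l in vty) and not has('aaa new-model'):
        findings.append('vty lines do not require login (no login local / AAA)')
    transport = [l for l in vty if l.startswith('transport input')]
    if not transport or 'ssh' not in transport[0].split():
        findings.append('SSH not enabled on vty transport input')
    for l in top:                                    # Using ACLs for SNMP Access
        m = re.match(r'snmp-server community (\S+) (RO|RW)(?: (\d+))?', l)
        if m:
            name, mode, acl = m.groups()
            if name.lower() in WELL_KNOWN_COMMUNITIES:
                findings.append(f'SNMP community "{name}" is a well-known string')
            if acl is None:
                findings.append(f'SNMP community "{name}" ({mode}) has no ACL')
    if not has('no cdp run'):                        # Disabling CDP
        findings.append('CDP running globally')
    src = [l for l in block(config, 'telephony-service') if l.startswith('ip source-address')]
    if not src or 'strict-match' not in src[0]:      # IP Phone Registration Control
        findings.append('ip source-address lacks strict-match')
    if not any(re.search(r'deny tcp .* eq 2000', l) for l in top):
        findings.append('no ACL denying TCP 2000 (SCCP registration) from untrusted interfaces')
    return findings


if __name__ == '__main__':
    for name, cfg in [('hardened', HARDENED), ('weak', WEAK)]:
        print(f'{name}: {len(audit(cfg))} finding(s)')
        for f in audit(cfg):
            print('  -', f)
```

Feed it the output of show running-config saved to a file and read into a string; the check for the TCP 2000 ACL only confirms that such an entry exists, so whether it is applied inbound on the WAN interfaces, as the text requires, still has to be confirmed by looking at the interface configuration.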
Security Best Practices for Cisco UE