Security Best Practices for Cisco UE
You should consider various additional aspects of network security to protect against unauthorized access to Cisco UE. This section covers Cisco UE security best practices related to system access, remote access, and other security parameters applicable to the application environment.
System and Remote Access
Cisco UE hardware has no usable external interfaces (physically there is a Fast Ethernet port, but it is disabled in software). All Cisco UE system access must pass through the host Cisco CME router. The Cisco UE CLI has no login or password control of its own beyond that of the router that houses it. Therefore, it is imperative that the router's configuration for local access (the console port) and remote access (Telnet) is set according to your security needs.
Local Access
The only local access to a Cisco UE system is via the host Cisco CME router's console interface into the router CLI. You then open a session to the Cisco UE CLI by using the following command:
router#service-module service-Engine x/y session
Entering this command on the router requires enable mode and, therefore, is protected by the router's enable login and password settings. Although the Cisco UE CLI also has an enable mode, it has no user ID or password capability. Any network administrator who has access to enable mode on the router also has access to the Cisco UE CLI. Access is controlled via the router, so if logging is required, set up the router with AAA/RADIUS monitoring of login access.
GUI access via a browser to Cisco UE is considered remote access, because it is across an IP segment from the router.
Remote Access: Telnet
Routers typically are geographically dispersed in your network and are seldom accessed locally via the console port. Remote access via Telnet across the IP network is much more typical. Use the IP configuration shown in Example 14-29 as a reference for the discussion in this section.
Example 14-29. IP Reference Configuration
router#show running-config
interface FastEthernet0/0
 ip address 172.19.153.41 255.255.255.0
 no ip mroute-cache
 duplex auto
 speed auto
!
interface Service-Engine1/0
 ip unnumbered FastEthernet0/0
 service-module ip address 172.19.153.37 255.255.255.0
 service-module ip default-gateway 172.19.153.41
Direct Telnet access to the Cisco UE IP address is disabled, as shown in Example 14-30.
Example 14-30. Cisco UE Telnet Access Disabled
pc>telnet 172.19.153.37
Trying 172.19.153.37...
telnet: Unable to connect to remote host: Connection refused
Remote CLI access to Cisco UE is possible only by using Telnet to the router (172.19.153.41) and then using the session command to get access to the Cisco UE CLI. That way, all the security protections built into Telnet access on your router automatically also protect access to Cisco UE. Example 14-31 shows a Telnet session to the router followed by a session into Cisco UE.
Example 14-31. Telnet Access to Cisco UE
pc>telnet 172.19.153.41
Trying 172.19.153.41...
Connected to 172.19.153.41.
Escape character is '^]'.

User Access Verification

Password:
lab-2691>en
Password:
lab-2691#service-module service-Engine 1/0 session
Trying 172.19.153.41, 2033 ... Open
Although direct Telnet access to the Cisco UE IP address is blocked, you can Telnet to the router's IP address followed by the explicit tty port number allocated to Cisco UE, as shown in Example 14-32. This indirect type of Telnet access is not blocked and can provide undesirable access to Cisco UE.
Example 14-32. Telnet Access with an Explicit Port Number
pc>telnet 172.19.153.41 2033
Trying 172.19.153.41...
Connected to 172.19.153.41.
Escape character is '^]'.
To protect against this kind of access, insert a login/password configuration on the tty port (in this example, the port number is 2033) leading to Cisco UE, as shown in Example 14-33.
Example 14-33. Login/Password on Telnet Access
router#show running-config
line 33
 password 7 02050D480809
 login
 no exec
Cisco UE CLI access via the router tty port does not time out by default. The connection stays up until it is disconnected by the user who initiated it. If an inactivity timeout on remote access to Cisco UE CLI is required, you can use the session-timeout command on the router tty configuration to disconnect the session after a configured number of minutes of inactivity. This is shown in Example 14-34.
Example 14-34. Inactivity Timeout on Cisco UE CLI Access
router#show running-config
line 33
 session-timeout 5
 password 7 02050D480809
 login
Remote Access: SSH
For secure CLI access to Cisco UE, enable SSH on the router and use an SSH-enabled remote-access application, such as the SSH Windows application. Cisco UE itself does not support SSH (but neither does it support Telnet access). However, communication between the router and Cisco UE is via the router backplane and, therefore, is not exposed to any external interfaces or IP segments. SSH access to the router is sufficient to protect remote access to Cisco UE.
Remote Access: HTTPS
Cisco UE does not yet support HTTPS for browser access. Although login to the GUI is password-protected, the login ID and password currently travel in clear text across the IP network.
You can protect GUI access to Cisco UE with IPSec tunnels between the router nearest the browser and the router hosting the Cisco UE module. Virtual private network (VPN) technology can then protect the remaining segment between the client PC and the nearest router where IPSec is available. Alternatively, you can run a VPN all the way from the client PC to the host router.
Application Environment
Cisco UE is an IP application and therefore communicates with its environment via various TCP and UDP protocols and ports. Open port numbers are typical security attack targets. Therefore, traffic to the open TCP and UDP port numbers should be protected by ACLs as much as possible to allow only desired traffic from known endpoints into the application.
Protocols and Port Numbers
To construct suitable ACLs and other security mechanisms that monitor traffic (and deny undesired traffic), it is important to know which ports are open and used by an application such as Cisco UE. Table 14-1 lists the protocols and port numbers that Cisco UE uses.
Table 14-1. Protocols and Port Numbers Used by Cisco UE

Protocol | Protocol and Port Number
---|---
DNS | TCP/UDP 53
TFTP | UDP 69
FTP | TCP 20 (data), TCP 21 (control)
HTTP | TCP 80
NTP | UDP 123
Syslog | TCP 514
SIP | UDP 5060
RTP | UDP 16384-32767
SMTP | TCP 25
Suggested ACLs
This section provides best-practice suggestions for ACLs to protect the open ports on your Cisco UE system. Use the following IP configuration information as a reference for this section. Substitute your network's configuration for these values when you customize the ACLs for your implementation.
- Cisco UE service module IP default gateway: 172.19.153.41
- Cisco UE service module IP address: 172.19.153.37
- FTP server for software backup and download: 10.10.1.150
- Administration subnet: 10.10.1.0/24
- IP phone and PSTN gateway subnet: 10.10.2.0/24
- Syslog server: 10.10.1.160
- DNS: 10.10.1.170
The ACLs shown in Example 14-35 are recommended to be used with Cisco UE. You should apply these ACLs on the Cisco UE service-engine interface on the router.
Example 14-35. Recommended ACLs for Cisco UE
router#show running-config
!Inbound:
access-list 101 remark Filter Outbound Traffic from CUE - Apply Inbound on Interface ServiceEngine
access-list 101 remark Restrict DNS to only 10.10.1.170, add additional dns servers as required
access-list 101 permit udp host 172.19.153.37 host 10.10.1.170 eq domain
access-list 101 permit tcp host 172.19.153.37 host 10.10.1.170 eq domain
access-list 101 remark Restrict TFTP to only the host router
access-list 101 permit udp host 172.19.153.37 host 172.19.153.41 eq tftp
access-list 101 remark Restrict FTP traffic to only a single server
access-list 101 permit tcp host 172.19.153.37 host 10.10.1.150 eq ftp
access-list 101 permit tcp host 172.19.153.37 host 10.10.1.150 eq ftp-data
access-list 101 remark Restrict NTP traffic to only the host router
access-list 101 permit udp host 172.19.153.37 host 172.19.153.41 eq ntp
access-list 101 remark Restrict Syslog traffic to single server
access-list 101 permit tcp host 172.19.153.37 host 10.10.1.160 eq syslog
access-list 101 remark Restrict SIP signaling to host router
access-list 101 permit tcp host 172.19.153.37 host 172.19.153.41 eq 5060
access-list 101 permit udp host 172.19.153.37 host 172.19.153.41 eq 5060
access-list 101 remark Restrict RTP to IP phone and GW segment plus router
access-list 101 permit udp host 172.19.153.37 10.10.2.0 0.0.0.255 range 16384 32767
access-list 101 permit udp host 172.19.153.37 host 172.19.153.41 range 16384 32767
!Outbound:
access-list 102 remark Filter Traffic to CUE - Apply Outbound on Interface ServiceEngine
access-list 102 remark Restrict http access to management and phone segment
access-list 102 permit tcp 10.10.1.0 0.0.0.255 host 172.19.153.37 eq www
access-list 102 permit tcp 10.10.2.0 0.0.0.255 host 172.19.153.37 eq www
access-list 102 remark Restrict SIP signaling to host router
access-list 102 permit tcp host 172.19.153.41 host 172.19.153.37 eq 5060
access-list 102 permit udp host 172.19.153.41 host 172.19.153.37 eq 5060
access-list 102 remark Restrict RTP to IP phone and GW segment plus router
access-list 102 permit udp 10.10.2.0 0.0.0.255 host 172.19.153.37 range 16384 32767
access-list 102 permit udp host 172.19.153.41 host 172.19.153.37 range 16384 32767
Attach the ACLs to the service-engine interface as shown in Example 14-36.
Example 14-36. Attaching ACLs to the Service-Engine Interface
interface Service-Engine1/0
 ip unnumbered FastEthernet0/0
 ip access-group 101 in
 ip access-group 102 out
 service-module ip address 172.19.153.37 255.255.255.0
 service-module ip default-gateway 172.19.153.41
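As an added example (not from the book), the following Python evaluator reads the extended-ACL syntax used in Example 14-35 and applies IOS first-match semantics with the implicit deny at the end, so you can confirm that the "to CUE" list admits HTTP from the administration and phone subnets and SIP only from the host router. The embedded config is a constructed excerpt of ACL 102; its RTP entry uses the IP phone and gateway subnet 10.10.2.0/24 from the reference list.

```python
import ipaddress

# IOS service keywords used in Example 14-35, mapped to port numbers
PORT_NAMES = {"domain": 53, "tftp": 69, "ftp": 21, "ftp-data": 20, "ntp": 123, "syslog": 514, "www": 80}

def _addr(t, i):
    """Parse 'host A' or 'A WILDCARD' at t[i]; return (network, next index)."""
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2  # ipaddress accepts a wildcard (host) mask

def parse_acl(config, number):
    """Entries of access-list <number> as (permit, proto, src, dst, lo_port, hi_port)."""
    entries = []
    for line in config.splitlines():
        t = line.split()
        if t[:2] != ["access-list", str(number)] or t[2] == "remark":
            continue
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        lo = hi = None  # None: any destination port
        if i < len(t) and t[i] == "eq":
            lo = hi = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        elif i < len(t) and t[i] == "range":
            lo, hi = int(t[i + 1]), int(t[i + 2])
        entries.append((t[2] == "permit", t[3], src, dst, lo, hi))
    return entries

def acl_permits(entries, proto, src_ip, dst_ip, dst_port):
    """First matching entry decides; no match is the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for permit, p, src, dst, lo, hi in entries:
        if p == proto and s in src and d in dst and (lo is None or lo <= dst_port <= hi):
            return permit
    return False

# Constructed excerpt of ACL 102 (traffic toward CUE)
SAMPLE_CONFIG = """
access-list 102 remark Filter Traffic to CUE - Apply Outbound on Interface ServiceEngine
access-list 102 permit tcp 10.10.1.0 0.0.0.255 host 172.19.153.37 eq www
access-list 102 permit tcp 10.10.2.0 0.0.0.255 host 172.19.153.37 eq www
access-list 102 permit tcp host 172.19.153.41 host 172.19.153.37 eq 5060
access-list 102 permit udp host 172.19.153.41 host 172.19.153.37 eq 5060
access-list 102 permit udp 10.10.2.0 0.0.0.255 host 172.19.153.37 range 16384 32767
access-list 102 permit udp host 172.19.153.41 host 172.19.153.37 range 16384 32767
"""
ACL_102 = parse_acl(SAMPLE_CONFIG, 102)

def check_to_cue(proto, src_ip, dst_port):
    """Would ACL 102 let this flow reach the Cisco UE address 172.19.153.37?"""
    return acl_permits(ACL_102, proto, src_ip, "172.19.153.37", dst_port)
```

Running `check_to_cue("udp", "10.10.1.25", 5060)` returns False, which is the behaviour the SIP recommendation in the best-practices list calls for.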
Cisco UE Security Best Practices
Follow the recommendations in this section to secure access to your Cisco UE system:
- Assign an enable password to the Cisco CME router hosting the Cisco UE module.
- Restrict Telnet access to the Cisco CME router.
- Enable login and password control on the Cisco CME router tty port connecting to Cisco UE.
- Configure an inactivity timeout on the Cisco CME router tty port connecting to Cisco UE.
- Enable SSH on the Cisco CME router to protect Telnet traffic, and use only SSH-capable Telnet client software.
- Use VPN/IPSec router technology to protect HTTP web access into Cisco UE.
- Use ACLs to restrict SIP signaling traffic into Cisco UE to be sourced only by the Cisco CME router that hosts Cisco UE. No other source in the network should be able to send SIP traffic to Cisco UE.
- Protect the FTP server used for software installation with login and password control.
- Protect the FTP server used for backup and restore with login and password control.
- During a Cisco UE software install or upgrade, do not provide the FTP password on the install command line. Let the installer prompt for it.
- Maintain the Cisco UE system with the generate random password/PIN user access policy.
- Mailbox PINs do not expire in Cisco UE releases before release 2.1. Upgrade to release 2.1 to get the ability to have passwords expire.
- Set the minimum length of Cisco UE passwords and PINs (this feature requires release 2.1 or later) to the lengths demanded by your security policies.