Security Best Practices for Cisco UE

You should consider various additional aspects of network security to protect against unauthorized access to Cisco UE. This section covers Cisco UE security best practices related to system access, remote access, and other security parameters applicable to the application environment.

System and Remote Access

Cisco UE hardware does not have external interfaces (physically, there is a Fast Ethernet interface port, but it is disabled in software and unusable). All Cisco UE system access must pass through the host Cisco CME router. Cisco UE CLI access has no login or password control of its own beyond that of the router that houses Cisco UE. Therefore, it is imperative that the router's configuration parameters for local access (the console port) and remote access (Telnet) are set according to your security needs.

Local Access

The only local access to a Cisco UE system is via the host Cisco CME router's console interface into the router CLI. You then open a session to the Cisco UE CLI by using the following command:

router#service-module service-Engine x/y session

Entering this command on the router requires enable mode and, therefore, is protected by the router's enable login and password settings. Although the Cisco UE CLI also has an enable mode, it has no user ID or password capability. Any network administrator who has access to enable mode on the router also has access to the Cisco UE CLI. Access is controlled via the router, so if logging is required, set up the router with AAA/RADIUS monitoring of login access.

GUI access via a browser to Cisco UE is considered remote access, because it is across an IP segment from the router.

Remote Access: Telnet

Routers typically are geographically dispersed in your network and are seldom accessed locally via the console port. Remote access via Telnet across the IP network is much more typical. Use the IP configuration shown in Example 14-29 as a reference for the discussion in this section.

Example 14-29. IP Reference Configuration

router#show running-config
interface FastEthernet0/0
 ip address 172.19.153.41 255.255.255.0
 no ip mroute-cache
 duplex auto
 speed auto
!
interface Service-Engine1/0
 ip unnumbered FastEthernet0/0
 service-module ip address 172.19.153.37 255.255.255.0
 service-module ip default-gateway 172.19.153.41

Direct Telnet access to the Cisco UE IP address is disabled, as shown in Example 14-30.

Example 14-30. Cisco UE Telnet Access Disabled

pc>telnet 172.19.153.37
Trying 172.19.153.37...
telnet: Unable to connect to remote host: Connection refused

Remote CLI access to Cisco UE is possible only by using Telnet to the router (172.19.153.41) and then using the session command to get access to the Cisco UE CLI. That way, all the security protections built into Telnet access on your router automatically also protect access to Cisco UE. Example 14-31 shows a Telnet session to the router followed by a session into Cisco UE.

Example 14-31. Telnet Access to Cisco UE

pc>telnet 172.19.153.41
Trying 172.19.153.41...
Connected to 172.19.153.41.
Escape character is '^]'.

User Access Verification

Password:
lab-2691>en
Password:
lab-2691#service-module service-Engine 1/0 session
Trying 172.19.153.41, 2033 ... Open

Although direct Telnet access to the Cisco UE IP address is blocked, you can Telnet to the router's IP address followed by the explicit tty port number allocated to Cisco UE, as shown in Example 14-32. This indirect type of Telnet access is not blocked and can provide undesirable access to Cisco UE.

Example 14-32. Telnet Access with an Explicit Port Number

pc>telnet 172.19.153.41 2033
Trying 172.19.153.41...
Connected to 172.19.153.41.
Escape character is '^]'.

To protect against this kind of access, insert a login/password configuration on the tty port (in this example, the port number is 2033) leading to Cisco UE, as shown in Example 14-33.

Example 14-33. Login/Password on Telnet Access

router#show running-config
line 33
 password 7 02050D480809
 login
 no exec

Cisco UE CLI access via the router tty port does not time out by default. The connection stays up until it is disconnected by the user who initiated it. If an inactivity timeout on remote access to Cisco UE CLI is required, you can use the session-timeout command on the router tty configuration to disconnect the session after a configured number of minutes of inactivity. This is shown in Example 14-34.

Example 14-34. Inactivity Timeout on Cisco UE CLI Access

router#show running-config
line 33
 session-timeout 5
 password 7 02050D480809
 login
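As an added example (not from the chapter or from Cisco), a small audit that reads the router's line stanza for the tty fronting the Cisco UE session out of a running-config excerpt and reports whether the protections from Examples 14-33 and 14-34 (login with a password, and a session-timeout) are present. The two config excerpts are constructed from those examples, and the audit assumes local line login rather than AAA.

```python
# Constructed running-config excerpts for the tty line that fronts the Cisco UE
# session: the unprotected state, and the hardened state from Example 14-34.
CONFIG_BEFORE = """
line 33
 no exec
!
"""
CONFIG_AFTER = """
line 33
 session-timeout 5
 password 7 02050D480809
 login
 no exec
!
"""

def line_stanzas(config):
    # Map each 'line N' stanza to the set of command keywords configured under it.
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.split()[1]
            stanzas[current] = set()
        elif raw.startswith(" ") and current is not None:
            stanzas[current].add(raw.split()[0])   # keyword only, e.g. 'login'
        else:
            current = None   # '!' or any other top-level line ends the stanza
    return stanzas

def audit_tty_line(config, tty):
    # Findings for the given tty line, assuming local line login as in Example 14-33
    # (a router using AAA would need its 'login authentication' checked instead).
    cmds = line_stanzas(config).get(tty, set())
    findings = []
    if not {"login", "password"} <= cmds:
        findings.append(f"line {tty}: no login/password, the tty port accepts unauthenticated sessions")
    if "session-timeout" not in cmds:
        findings.append(f"line {tty}: no session-timeout, idle sessions are never disconnected")
    return findings
```

Run it against the output of show running-config on the host router; an empty list means the tty line carries both protections.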


Remote Access: SSH

For secure CLI access to Cisco UE, enable SSH on the router and use an SSH-enabled remote-access application, such as the SSH Windows application. Cisco UE itself does not support SSH (but neither does it support Telnet access). However, communication between the router and Cisco UE is via the router backplane and, therefore, is not exposed to any external interfaces or IP segments. SSH access to the router is sufficient to protect remote access to Cisco UE.

Remote Access: HTTPS

Cisco UE does not yet support HTTPS for browser access. Although login to the GUI is password-protected, the login ID and password currently travel in clear text across the IP network.

You can protect GUI access in Cisco UE by using IPSec tunnels on the routers between the nearest router to where the browser is located and the router hosting the Cisco UE module. You can use virtual private network (VPN) technology to protect the segment between the client PC and the nearest router where IPSec is available. Alternatively, you can use VPN technology all the way from the client PC to the host router.

Application Environment

Cisco UE is an IP application and therefore communicates with its environment via various TCP and UDP protocols and ports. Open port numbers are typical security attack targets. Therefore, traffic to the open TCP and UDP port numbers should be protected by ACLs as much as possible to allow only desired traffic from known endpoints into the application.

Protocols and Port Numbers

To construct suitable ACLs and other security mechanisms that monitor traffic (and deny undesired traffic), it is important to know which ports are open and used by an application such as Cisco UE. Table 14-1 lists the protocols and port numbers that Cisco UE uses.

Table 14-1. Cisco UE Protocols and Port Numbers

Protocol   Protocol and Port Number
DNS        TCP/UDP 53
TFTP       UDP 69
FTP        TCP 20 (data), TCP 21 (control)
HTTP       TCP 80
NTP        UDP 123
Syslog     TCP 514
SIP        UDP 5060
RTP        UDP 16384-32767
SMTP       TCP 25

Suggested ACLs

This section provides best-practice suggestions for ACLs to protect the open ports on your Cisco UE system. Use the following IP configuration information as a reference for this section. Substitute your network's configuration for these values when you customize the ACLs for your implementation.

Example 14-35 shows the ACLs recommended for use with Cisco UE. Apply these ACLs on the Cisco UE service-engine interface on the router.

Example 14-35. Recommended ACLs for Cisco UE

router#show running-config
!Inbound:
access-list 101 remark Filter Outbound Traffic from CUE - Apply Inbound on Interface ServiceEngine
access-list 101 remark Restrict DNS to only 10.10.1.170, add additional dns servers as required
access-list 101 permit udp host 172.19.153.37 host 10.10.1.170 eq domain
access-list 101 permit tcp host 172.19.153.37 host 10.10.1.170 eq domain
access-list 101 remark Restrict TFTP to only the host router
access-list 101 permit udp host 172.19.153.37 host 172.19.153.41 eq tftp
access-list 101 remark Restrict FTP traffic to only a single server
access-list 101 permit tcp host 172.19.153.37 host 10.10.1.150 eq ftp
access-list 101 permit tcp host 172.19.153.37 host 10.10.1.150 eq ftp-data
access-list 101 remark Restrict NTP traffic to only the host router
access-list 101 permit udp host 172.19.153.37 host 172.19.153.41 eq ntp
access-list 101 remark Restrict Syslog traffic to single server
access-list 101 permit tcp host 172.19.153.37 host 10.10.1.160 eq syslog
access-list 101 remark Restrict SIP signaling to host router
access-list 101 permit tcp host 172.19.153.37 host 172.19.153.41 eq 5060
access-list 101 permit udp host 172.19.153.37 host 172.19.153.41 eq 5060
access-list 101 remark Restrict RTP to IP phone and GW segment plus router
access-list 101 permit udp host 172.19.153.37 10.10.1.0 0.0.0.255 range 16384 32767
access-list 101 permit udp host 172.19.153.37 host 172.19.153.41 range 16384 32767
!Outbound:
access-list 102 remark Filter Traffic to CUE - Apply Outbound on Interface ServiceEngine
access-list 102 remark Restrict http access to management and phone segment
access-list 102 permit tcp 10.10.1.0 0.0.0.255 host 172.19.153.37 eq www
access-list 102 permit tcp 10.10.2.0 0.0.0.255 host 172.19.153.37 eq www
access-list 102 remark Restrict SIP signaling to host router
access-list 102 permit tcp host 172.19.153.41 host 172.19.153.37 eq 5060
access-list 102 permit udp host 172.19.153.41 host 172.19.153.37 eq 5060
access-list 102 remark Restrict RTP to IP phone and GW segment plus router
access-list 102 permit udp 10.10.1.0 0.0.0.255 host 172.19.153.37 range 16384 32767
access-list 102 permit udp host 172.19.153.41 host 172.19.153.37 range 16384 32767

Attach the ACLs to the service-engine interface as shown in Example 14-36.

Example 14-36. Attaching ACLs to the Service-Engine Interface

interface Service-Engine1/0
 ip unnumbered FastEthernet0/0
 ip access-group 101 in
 ip access-group 102 out
 service-module ip address 172.19.153.37 255.255.0.0
 service-module ip default-gateway 172.19.153.41
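To check what the recommended ACL actually allows before attaching it, here is an added example (not from the chapter or from Cisco): a small evaluator that parses a subset of access-list 101 from Example 14-35 with IOS first-match and implicit-deny semantics and answers whether a given flow leaving the Cisco UE module would be permitted. The ACL entries are copied from the example; the evaluator, the port-name table and the flows checked against it are this example's own assumptions.

```python
import ipaddress
# Constructed: a subset of access-list 101 from Example 14-35 (applied inbound on
# Service-Engine1/0, so it filters the traffic the Cisco UE module sends out).
ACL_101 = """
access-list 101 permit udp host 172.19.153.37 host 10.10.1.170 eq domain
access-list 101 permit udp host 172.19.153.37 host 172.19.153.41 eq tftp
access-list 101 permit tcp host 172.19.153.37 host 10.10.1.160 eq syslog
access-list 101 permit udp host 172.19.153.37 host 172.19.153.41 eq 5060
access-list 101 permit udp host 172.19.153.37 10.10.1.0 0.0.0.255 range 16384 32767
"""
# IOS service keywords that appear in the example, mapped to port numbers.
PORT_NAMES = {"domain": 53, "tftp": 69, "ftp": 21, "ftp-data": 20, "ntp": 123, "syslog": 514, "www": 80}

def _addr(tokens):
    # Consume 'host A', 'any' or 'A WILDCARD'; return (match function, remaining tokens).
    if tokens[0] == "host":
        base, wild, rest = tokens[1], "0.0.0.0", tokens[2:]
    elif tokens[0] == "any":
        base, wild, rest = "0.0.0.0", "255.255.255.255", tokens[1:]
    else:
        base, wild, rest = tokens[0], tokens[1], tokens[2:]
    b, w = int(ipaddress.ip_address(base)), int(ipaddress.ip_address(wild))
    # A 0 bit in a wildcard mask means "must match", so OR the wildcard into both sides.
    return (lambda ip: (int(ipaddress.ip_address(ip)) | w) == (b | w)), rest

def _port(tokens):
    # Optional destination port spec: 'eq X' (service name or number) or 'range LO HI'.
    if not tokens: return 0, 65535
    if tokens[0] == "eq":
        p = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        return p, p
    return int(tokens[1]), int(tokens[2])

def parse_acl(text):
    # Each entry becomes (action, protocol, src_match, dst_match, (lo, hi)); remarks are skipped.
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark": continue
        src, rest = _addr(t[4:])
        dst, rest = _addr(rest)
        rules.append((t[2], t[3], src, dst, _port(rest)))
    return rules

def acl_permits(rules, proto, src, dst, dport):
    # First matching entry decides; every IOS ACL ends with an implicit deny.
    for action, p, s, d, (lo, hi) in rules:
        if p in (proto, "ip") and s(src) and d(dst) and lo <= dport <= hi:
            return action == "permit"
    return False
```

Feeding it the full Example 14-35 text works the same way, since remarks and the show command line are skipped; a flow to any host or port the ACL does not name falls through to the implicit deny.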


Cisco UE Security Best Practices

Follow the recommendations in this section to secure access to your Cisco UE system:
