Cisco Unified CallManager and IP Phone Security [Webcast]

Captions
welcome everyone to save programs see you cm in IP phone security we're glad to have you with us few housekeeping notes to begin as you entered the WebEx console either joined us by audio broadcast or by phone which is automatically muted because of our large audience in attendance today you will main you throughout the event when you have a question please feel free to enter it into the WebEx Q&A panel as you think of them you can find the Q&A panel in the bottom right hand corner of the console please leave the WebEx chat window for communication to our WebEx facilitator for any problems or issues you may be experiencing today we would also appreciate your input regarding today's webcast the short survey will appear when you close your browser at the end of the event at this time I'd like to pass it over to our moderator Satish Chandra Satish Thank You RIA hello everyone and welcome to the Cisco Support Committee today represent the live cisco support community expertise webcast during our even today our topic will be cisco unified call manager and IP phone security my name is Satish Gendron and I am the business operations manager for the cisco support committee here at cisco our experts joining me today is Amit Singh and Ray shake both customer support engineers based in India with broad experience in voice technologies welcome Amit and Ray's thanks addition Thank You Satish our exposure to be on this sell webcast and we also have with us our technical panel Chirag and he's a walk out of our software engineer working with the security team great thank you and I'd like to briefly outline the format for today's expert series webcast Amit and race we'll start with a short presentation on Cisco Unified called manager and IP phone security for the first 60 minutes of the program and then we will dive into the live question submissions for the remainder of the event during our live presentation you may submit a question to be answered by Amit and raised and the 
technical panelists using the Q&A panel on the right hand side of the console the team of technical experts is well versed with voice technologies so please begin posting your questions now to give us the best chance of answering them and if you experience any technical issues please post your question in the chat window that is also on the right hand side of the window so we'll be asking polling question during this webcast and we encourage you to participate by answering them you may download a PDF copy of today's presentation using the link in the chat window so now let's get started with today's event let's get started with a polling question for the audience so the question is what is your level of experience with Cu cm or phone security the options are a I know basic security but no idea of a Cu cm security B I theoretically know Cu cm security but no practical experience and see I'm playing with it in the lab and option D I am running it in the production so please take a moment to answer the poll is open on the right hand side of the console thank you all right well you answer that we'll be reading the results of it later so make sure you submit your questions as we will be answering them later in the webcast now I'd like to hand over the mic to Amit and rays so we'll give you an expert look into the topic hi everyone so today's agenda is going to be a brief overview of us you see and security recently what we have seen is in recently the amount of cases which we get around are majorly being your safe phones not registering after we have greater the cluster or other phone or 30 figure issues so that's a reason we decided that we should try to give a brief overview of CUC and security and how we incorporate or how we implement into on today's UCM or the phones to make everyone aware of the basic terminology what is the CTL what is a CPF to get familiar with all these jargons or the words or the keywords which we use so that we have a basic familiarity we 
know that we have is using security guard being available which is like a good source and most of the information which we are going to present into the presentation comes from there that's like the Bible for you see and security for IP phones and for the CCM itself so we will just continue without terminology first so here's a brief agenda water and cover so first of all we will cover some basic terminology followed by a sneak preview of security fundamental what like what is a PKI structure then we will go to some new feature which is being introduced security by default we are going to cover it a bit in detail then we don't discuss few of the scenarios or the best practices of what we have done here is we have taken some common scenarios which we usually face or as attack we get cases upon then we will cover a bit of troubleshoot it's not going to be a troubleshooting in detail for this particular session it's going to be an overview of what all information we can collect or can be looked at while troubleshooting a security issue finally we are going to wrap it up with a summary of all the key points being covered so now I'll handle what to race and the race will start with the terminology description hello everyone so in terminology as a missing said I will discuss a few keywords that we will be using later on or in the slides to discuss the concepts so we will build upon these keywords and then try and understand the key concepts of the new features that we have in communication manager 8.6 starting with public key infrastructure what is a PKI I'm sure many people must have heard about PGI so PGI is actually a framework that is used for encryption decryption and authentication by means of a certificate which binds the public key with respective identities next we have CTL file now CTL file is actually created using a CTL client this file consists of certificates from all the nodes that is signed using the private key from the e token phones in seven dot X and 
six dot X cluster use the CTL file for all sorts of security needs in communication manager a six dot X and seven dot X and even in eight dot X for some reasons which we will be discussing later in the slides identity trust list idea files were introduced in common Communication Manager a dot X onwards it consists of a minimum list of certificates that are required by the phone for authentication decryption of the phone configuration file that was encrypted by the TFTP server and authentication against the PDS service now unlike the idea CTS file which consists of certificates for all the nodes it needs to talk to the ITF v only consist of certain certificates which it can accommodate in its small memory or the screenshot that we have is the CTL ideal file from my phone which you can check even our you know on a 79 this screenshot is from a 7975 phone but the procedure is mainly the same you can go to settings security configuration and Trust list to check the CTL file fingerprint in IPL five finger print next we have the CTL client a CTL client is a plugin which you can download from your communication manager and install it onto your Windows desktop the CTL funds the CTL client is used to create a CTL file which it does by contacting the CTL server and it will download all the certificates from all the nodes in the cluster and sign it using the private key which is it obtains from the Edo c'n alright so next comes the C APF that's the Cisco certificate authority proxy function CA ps4 server primarily runs only on the publisher in the cluster and its main job is to provide or act as a certificate authority for endpoint and it issues the locally significant certificates to the endpoint coming on to a token so as we know the e tokens are if we have to order these eat oaken's we use the keyword or the product code key - CCM - admin - canine and these eat oaken's usually contain the public like the x.509 certificate from the cisco certificate authority and these are 
the ones which we use while along with the plugin to encrypt it or create a CTL file now one thing I would like to add is we should be keeping them like really in a safe place or at least have a backup eat Oken the reason we say we should have to eat oaken's as just in case if one is lost you still have one more and at any one of time even if we have one CTL token available or Ito canned available you can always use the CTL client by a new CTO client and you can add it to the list so that you have a backup being available to add on to work anything has just said we require this our Ito can need to be kept in a safe place because even if you want to move from a mixed mode or a secure mode to a non secure mode you will still need the e token but next comes they be make or what we known as manufacture install certificates so what we have seen is before a bit of I want the confusion but like a lack of clarity between make and the lscs so Mick or the manufacturer install certificates are the one which got installed on the phone when they were being manufactured or and they are being like signed by Cisco see a main function of these manufacturer installed certificates is to authenticate itself to see a PF service so that once the authentication is being done once the phone is being authenticated to the cATF CA PF is going to issue a LS see what is it local significant certificate to the phone coming down to locally significant certificate self this particular certificate is being required for a secured connection between Communication Manager and the phone now this certificate will get downloaded only after a successful authentication between make and the LLC and that makes other one which you can't remove or delete from the phone so here we come to the security fundamentals which race is going to continue and explain the PKI further yeah so this presentation is actually under the assumption that the engineers who join know a bit of security but for the benefit of a few 
individuals who might not have come across the security basics with us just have an overview of how things work when it comes to security and how authentication and encryption is done so the first method was symmetric encryption now the user a on the left hand side wants to transfer data which is the small briefcase that you see the user B on the right hand side now this data has to travel over public network now you know anybody in the public network can sniff the data and see what is being transferred so what user a does is it generates a secret key and this secret key is it will transfer it to user B or the public network now user a will encrypt its data using the secret key and send it on to user B so since user B has a secret key it will be able to decrypt the information that was sent by user a likewise when a user B wants to send data it will use the same secret key to and keep encrypted data and it's incentives sends it across the user a so now the data is being encrypted and it is being transferred over the public networks since it is encrypted nobody can actually sniff the data and see what is being transferred but there is a limitation to it what is the secret key which is being sent across to the other remote user where public network is being snipped then that user then the man in the middle can actually use that secret key to decrypt all the data and check what information was being communicated across to overcome this limitation we came up with the concept of a symmetric encryption an asymmetric encryption each user will generate a pair of private key and public key so the private key is something that it will keep it with itself whereas the public key will be communicated across the public network to the remote user one point to note here is that anything that is encrypted using the private key can only be decrypted using the public key what it means is if you are able to decrypt information using the public key then that must have encrypted using 
the private key so user in generates a pair of private and public key likewise the user we will also generate a pair of its own private and public key and they will keep the private key with secret with themselves and exchange the public key over the public network now using the public key of the remote user each user will encrypt its data and send it across the public network since the user has its own private key since the user has a public key of the remote user it will be able to decrypt this information and as the data is travel traveling the public network in an encrypted format nobody will actually be able to sneak the data and extract the information that is being communicated however there is a limitation even to a symmetric encryption how do you know that the public key are you received and the communication that you are doing is from a valid user with whom you wanted to establish communication with to overcome this asymmetric encryption limitation we came up with something called public key infrastructure in public-key infrastructure we have a certificate authority which will issue certificate but even before certificate authority issues certificate the user has to contact the certificate authority and provide its details like its identity is public key and all the other parameters that is required in its certificate the certificate authority will verify and authenticate if the public key belongs to the proper user and after the authentication is successful it will sign the certificate with its own private key and put a signature on the certificate and issue that certificate to the users now both the users have their have the certificate as authorized by a central certificate authority and they will are the certificate consists of its identity and the public key they will exchange the certificate over the public network now since they have the public key of the remote user they will encrypt their data with the public key of that particular user with whom 
they want to establish communication and exchange the encrypted data or public network the user will use its private key which it kept with itself to decrypt the data and you know generate the information and extract all the information that was communicated from the remote user so this is a small summary of how PGI and security actually works in today's environment Thanks rates for setting up that base for our further discussion so right now we will discuss about phone security in 38.0 CCM service which essentially are like 4 X 5 X 6 or X + 7 X or cesium clusters so before if we have to secure a cluster we have other than the authentication and the encryption purpose we have to run the CTL files and the older cluster certificates as we as a race explained before we use the serial client to bundle all the certificates in a CTL file and that senior fellow has been downloaded by the phones but I think we have really progressed a lot further in our technology as well as the the way our phones can operate now you can run a lot of midlet on our phone you can do internet browsing on your phone you can run a lot many applications over the phone now most of these applications they may they may be on internet so what brings along a que is the need of security and when security comes in ok there are certificates but our phones they are limited by the amount of memory or the resources they can have so say for example I have to trust a lot of applications or a lot of certificates then my CTL file size is going to grow big because my phone has to trust a lot of certificates now so in this case my phone will be limited by the limited memory it has so that's what that was one of the a scalability issue with the CTL which we had then coming down to the flexible part every time we help generate a new certificate we have to remove a certificate the file that we helped to read under CTL client every time the CTO client needs to be run because it's going to you know like after we 
rebuild the file then see to try needs to be run we need to restart the FTP services so that the FTP server is aware of the CTL file then we have to reset the phone's so that the cetyl file is being downloaded so those were the two major issues we we encountered and we try to fix it in our coming or future releases so here we have something which are a she is going to talk about the newer security by default so coming down to the security by default first I would like to discuss why security because this why question is always more important than how and walk why we need security when we are communicating using IP phones and call manager for example enterprises like you know bank or Stock Exchange or even military organization they want your signaling and the media and whatever authentication they have they want to make sure that there is there are no attack or vulnerabilities left in their environment of communication they want secure communication occurring between the our endpoints their servers and between two IP phones as well so why we came up with this security by default the reason of Cisco came up with this feature is because we believe that apart even from the bigger enterprises to even smaller enterprises in today's world they need secure communication they need some sort of security in their enterprise so that is why we have come up with this concept which is called security by default which means security is by default available in your once you install or upgrade your call manager to a dot X version and above what is what this feature allows is default authentication of TFTP downloaded configuration files so whatever configuration file an IP phone receive from the TFTP server the phone will check whether it received it from a valid TFTP server or not optional encryption of T FTP configuration file now this feature is optional and what it does is it will encrypt the configuration file so that nobody can sniff the configuration file and see the contents 
of that file also we have a new feature called draft verification service and the phone will have the certificate installed in its file called ITIL file to communicate with the TVA service now these are the phone models that support security by default and older models like the 79 oh 579 12 do not support security by default but then the communication manager will provide them with a configuration file which is not signed so that these phones will still work with government with Communication Manager version a dot X and above right and end to add what we can do is the best way or if you would like to say ok what phones are supported the column and diversions which have unified reporting in them you can always run a unified report for the phone feature and that will show you a list of phones which supports security or any kind of feature thanks Amit so coming down to IDL file why IPL file now compared to CTL there were some limitations which and challenges which I will discuss so compared to a CTL file IDL file is leaner and smaller which means that it only consists of a minimum list of certificates like the TFTP or call manager certificate the TV is certificate to authenticate against the TVA service of Col Manager and the cap of certificate in case it needs to download the LSC certificates unlike the CPL the ITIL file is automatically generated once you install the call manager and start the TFTP service there is no need for hardware tokens because it because it uses a sake token which is already present in the call manager the new members of the phone will actually ask for a CTL as well as it will ask for an IPL file which we will see in the next slide so this is a sniffer output from one of my phones I upgraded my Communication Manager from 7.6 to a dot X the first thing that the phone will do is upgrade its firmware because on 7 dot X maybe it was running for example a dot 5.2 once the Communication Manager got upgraded to a dot X it delivers the phone with a 
higher version firmware Mika's it was 9.2 dot 3s load so the first thing one will do is upgrade its firmware and it will reset itself after it boots up with the new firmware based on the fur based on the logic in that form there it will first ask for a CTL file right but my communication manager seven dot X was not running any sort of security so there was no CTA limit so the TFTP returned a file not found error next yeah phones will request for an IPL file the ITL file was automatically generated when we move to communication manager version eight dot X and perform the reboot of the server so the TFTP server will deliver the phone with its IDL file it will consist of the Communication Manager certificate the cap a certificate and the TV a certificate to attenti gate and once the phone receives the IPS file it will request for a signed configuration file in Communication Manager seven dot X if you would request for SCP MAC address dot CNF dot XML whereas in communication manager eight objects it will request for SCP MAC address dot C and F dot XML dot s TN which will be delivered by the TFTP server now how does the TFTP actually should read the signed configuration file what it does is it will take the configuration file SCP dot C n F dot XML and it will run through a hash algorithm either md5 or sha-1 and it will generate a hash output for that configuration file this hash output will be signed using the TFTP private key to form the signature and it will attach the signature to the configuration file and deliver it to the form once the phone receives the configuration file it has to now verify the signature is from the property FTP server it wants to communicate with in the IDL file it will already have the certificate of the TFTP server and its public key so once the phone receives its this file it will separate the configuration file and the signature so the signature are since the phone already has the public key it will use the public key to decrypt the 
signature and get the hash output also simultaneously it will put that configuration file so the same hash algorithm and generate the hash output and now if both the hash output match each other which means that the verification is a success and it will install the configuration file and move on with contacting the communication manager for its registration we have a question from their phones we get the new father before me the port will get a new firmware from the TFTP server itself so first the phones will boot up as a CP the one cell phone boots up and contact the communication manager and the TFTP server the TFTP server will give it a non signed confession file which is dot C and F dot XML which has information about the new phone where the phone will come type is phone where in the under forward that it received in the configuration file since the one in the configuration file is of a you know higher version it will contact the TFTP server to receive that higher version firmware and install it thanks race I think that was like it really explained pretty well how the phone verifies the configuration file and how exactly the IDL file works now now we'll cover the T vs so this is the new service which is being introduced in the call manager 8rx and above so that we can take the load off from the phone or the resources being consumed on the phone so the TVA service ok it gets installed and the CCTV certificate gets generated automatically when we install this UCM cluster coming on to the scalability part at this point of time forms resources are not impacted by the number of certificates to trust reason being we are downloading the IDL files now in IDL files never so whenever phone is being presented with a certificate that it has to trust it will check in its ideal file okay do I have it in my certificate or not in my list or not if it doesn't have their certificate it will contact the the tedious server and the tedious server is going to look up into the trust 
store I'll explain a bit later on the interest or part so at this point of time T vs L will look at look up okay is this certificate present in my trust or not if it is there it will say to the phone okay go ahead and trust this application or the certificate which is being presented to you now the flexibility part unlike a CTL where we always had to rerun the CTL client every time we did an addition or deletion of the certificate that's not the case here so every time we do any kind of certificate upload or removal that is automatically reflected in the system so whenever we have a service called or change notifications of certificate change notification so whenever we face any change being done to the certificate or being added or removed uploaded TVs will be notified and then later on it will notify the TFTP like say in CCM 8.6 and above TFTP server is the one responsible to build and sign the ITIL files right and one thing to note here is that we still need the CTL file or the CTL client in case you want to encrypt your communication like signaling and media now using IDL we can authenticate but if you if you want to go a step ahead in terms of features and encrypt your signaling and media or the RTP stream you will still need CTL in Communication Manager a dot X right now the question comes okay how do I know or the how the phone knows okay like who is my TV a server and like contact or talk to so as we know the TBS server names or the IP addresses will be same as of your cm group which is being assigned to the phone so the way we have like a primary secondary and tertiary call manager same way we are going to have a primary secondary and tertiary TV as a service also so what happens like if one of the TVs goes down one of the servo goes down phone will try to contact it if it's not able to set up a connection with the TV s it will try the second server and afterwards the third server if the second not available given the condition okay the IDL file is same on 
all the servers so any of the TVA server at any point can authenticate a certificate for the phone one thing to note here is again the key vs runs on four two four four five so you need to have this port open in your security firewall and in your setup basically so instead of downloading all the certificates and forming a huge CTL file what the ideas will do is for any certificate that it does not have in its ITL file it will contact the PBS service on four two four four five now that certificate needs to be initially installed in the trust store of Cole manager and PDS is every time you start the call manager service like you have a fresh install and you activate call manager the TVA service is also activated so the phone will contact the previous service and it will authenticate and move on and tell us the phone to trust that and move on with the rest of the things right so here we comes to a bigger picture and this diagram is just to elaborate how do we go about or the how do how does the phone things okay so it's such more of a visual representation of what we just explained before so for example we have a CTL file in the IDL file on the on the phone now phone tries to contact a midlet server so midlet server applications always going to present the phone with a certificate now phone is going to look into which CTL NIT and file case I have this certificate or not so as you can see here at this point of time signaling ok uses the CTL file and if you look at the third yellow box that says HTTP so that will use the ITM file so in this case phone is going to request phone looks up ok I don't have this certificate so it will send out a request to the see you cm or we can say in our case our CVS server in the background TV a server is going to look into the trust store and see ok if I have this certificate in my repository or not and do I trust it or not devious looks up finds paquius you're good for authentication go ahead and talk for them so the TVA server will 
respond back you're okay to communicate with this application who has presented you with this particular certificate and that's how we and that's how we reduce the load on the phone by not keeping the bigger ideal file there one thing I would like to mention is you just have to upload the third party certificate that you want to trust on on the publisher or on one node of your of your cluster right and that certificate will be replicated based on DVD application to all the other servers in the cluster and there is a change notification mechanism once we receive the new service no certificate in the repository it is going to in it is what the change notification is going to inform the TVA service about it right so I think one one one quick question Kay is usually don't need to have a internet connection available in you in your system so once you have the certificates being installed what I mean is say I want to go for a specific application it can be in-house or it can be something hosted on the Internet now I'm going to have a certificate from that particular fixed again thority given to me I'm going to install that certificate in my trust her on the call manager that way I don't have to go out all the way back to the certificate authority to identify that certificate because I already have a root CA or a root certificate on my call manager to identify okay so before we get back to the presentation I'd like to take a moment to ask another polling question the question is what advanced the UCM topic are you interested in future webcast option a follow-up session having live demo of co CM security and troubleshooting option b cisco action extension mobility cross cluster option c co CM troubleshooting and trace reading please take a moment the poll is open on the right hand side of the window thank you you now coming down to the troubleshooting section in this section we're going to discuss about what information is required you know to troubleshoot any TBS issues 
or you know phones not trusting a particular certificate so what logs that the customer needs to provide that or what you can do to resolve this issue mainly we need a you know if the for example the phone is not trusting a particular certificate right and some services are not working in your phone which uses HTTP connectivity so in that case you need to set the previous service log details mode and restart the tedious service reproduce this issue and collect the TBS loss from our TMT the show ideals and show CDL output and the phone control logs you can gather the phone control logs from you know typing in the IP address of the phone into your web browser and going to console log to the left hand side of the web page the show idea and show CTL output will be given in the CLI you can go to the CLI of your communication manager and I give the command show ideal and show CTL noted down copied down in a notepad files and send it across also we need all the console logs from the phone right and just to add show ITIL and show CTL file commands they're like really useful command and you can always run on your SSH access to the server to verify if it's a valid file or not because at the bottom of the output of show I tell or show CTL it does give you an output ok if this file is valid or not so if you see that it is output is not valid or it says the certificate or the file is not valid then definitely you know like okay we have an issue so that's one quick way to identify moving on we will also along with the information that we discuss in the previous slide we will also need the configuration file which you can download either using or services like free FTP D or the TFTP so a service from your desktop also if the issue is with a specific certificate for example many services are running but you have added another certificate to the cross store but the phones are unable to attend ticketed so in that case along with the CTL logs we will also need the TDS loss who will 
also need the certificate management logs, which you can set to detailed from the Communications Manager serviceability page, and the change notification logs. As we discussed before, once we add a new certificate to the server, DB replication will replicate the certificate to all the other nodes in the cluster, and the change notification will inform the TVS service about the new certificate that needs to be trusted. So if that is not working, we definitely need the certificate management logs and the change notification logs.

I would like to add one thing here, and I think most probably it might be a misconception, or maybe we're not aware of it: how the configuration files are stored on the server. Most of the time the conception is that the configuration files will be stored on the TFTP server and you can get them from there, but actually these configuration files are generated on the fly. What I mean is, whenever a phone, or even you yourself, executes a TFTP command saying I want to request SEP<MAC address>.cnf.xml, the TFTP server is going to generate that file on the fly. It's going to look into the database for what parameters or settings are configured for this phone, and then it will put all this information in an XML file and send it across to the phone.

So right now we're going to cover some of the common issues and the most probable remedies we can use to overcome these issues. One thing which we might have seen is: I moved my phones to another cluster and they don't register. There are a few steps which we have to take before, and there are some steps which we can take later on as well. The most popular parameter, and the most useful in the newer scenario, is the rollback enterprise parameter. If you go to your System menu,
then you can have this enterprise parameter, Prepare Cluster for Rollback to pre 8.0. By default it's set to false, and once you enable this feature what you have to do is reset the service and reset the phones. In the background what it will do is create an ITL file in which the TVS and the TFTP certificate sections will be empty. So even though the certificates are there, those sections will be empty; they will not have any signature, which will make the phone accept any unsigned configuration file. This needs to be done before you are moving your cluster, or your phones, to a different cluster which will have a different set of ITL files. So the moment you set this parameter on cluster A, the phones download the empty ITL files with empty TVS and TFTP certificate sections; the moment you point those phones to cluster B, which has a different set of certificates or ITL files, the phone will simply download the new ITL file, believe it, trust it, and for further or future changes it's going to keep using that same ITL file.

The second method which we have is when we have connectivity between the two clusters. In this case we have bulk certificate management, so we can migrate the certificates from one cluster to the other cluster, and then the ITL file will be regenerated on the second, the migrated, cluster. As the ITL file will have the entries of the new certificates from the old cluster, the phone will trust it and believe that it is a cluster or a server to which I can talk and which I can trust, and the phones will register.

Now, the most popular method, which works without fail unless we lose the security tokens or the eTokens get corrupted: the simplest way, if we had a cluster which was secured by running a CTL client, the only thing you have to do is
move the phones and run the CTL client again; the phones will download the CTL file and we are good to go.

Now here comes the most horrible part, we can say, or the most difficult part: if things go bad, or we make drastic changes, say for example we deleted both the CUCM and the TFTP certificates in this cluster so that the ITL files can be regenerated and downloaded again. In that case we will have to go for a manual deletion of the ITL files. One thing I would like to mention here is: never regenerate or delete your CCM or TFTP certificate, which is the CUCM and the TFTP certificate (they are the same certificate, CallManager.pem or CallManager.der), and your TVS certificate at the same time. What will happen is, once the phone receives the new ITL file, it will look into the ITL file and try to authenticate it; if the certificate does not exist, it will try to authenticate against the TVS service first, to check with the TVS service whether it will be able to authenticate, but since it's a new TVS certificate as well, the TVS connectivity between the phone and the Communications Manager will be refused. So the only option left at that point in time is to manually delete the ITL file, which I'm sure most of you don't want to go ahead with.

We have a question: is it possible to SSH into a phone and check for security problems? Well, it depends on the problem. If the problem is with the phone, then the phone will actually give us a set of debug commands that we can run on the phone and see why it is not able to download the ITL file, or why it is not able to trust the certificate even though the TVS service is asking the phone to authenticate, I'm sorry, to trust the certificate. So in some scenarios we can definitely SSH into the phones and run some
debug and see what is happening, but that is not a normal condition.

Again, we have certain issues we hear about a lot of the time: you moved to 8.x, and for some reason you have to go back to 7.x or 6.x of Communications Manager, and once you move from 8.x to 7.x or 6.x the phones are not able to register. This is a common problem that we have received, and the reason is that the phones have an ITL file. Once you move back to Communications Manager 7.x, for example, the phones will not be able to authenticate the configuration file that they receive from the TFTP server in the 7.x cluster, so they will not accept any new configuration file and will not register to CallManager. In order to overcome this, what you need to do first, before you move from 8.x to 7.x, is use the option Prepare Cluster for Rollback to pre 8.0 from Enterprise Parameters and set it to true, so that the phones download the empty ITL file, and then restart the TVS, TFTP and CallManager services. The reason is that once you restart the TFTP service it will generate a new ITL file, and the restart of the CallManager service is required so that the phones reset and are able to download the new ITL files. You can then go ahead with the downgrade of the server once the phones have the empty ITL file with them.

Going forward, what we have seen is: I have regenerated my CAPF, TVS or CUCM certificate and now my phones don't register. At this point in time, if any of the CAPF, TFTP or TVS certificates is regenerated, the ITL file needs to be updated on the phones, and you can see the procedure here. Restart the CAPF service only if the CAPF certificate was regenerated; in ideal scenarios, if we are not regenerating the CAPF certificate, there is no need to restart the CAPF service. Definitely restart the TFTP service, the reason being it has to refresh its cache with the new ITL file. For the phones to download it we can do a
reset of the phones, or a restart of the CUCM service on all the nodes, to force the phones to download the new ITL file. I'm sure we will be carrying out these procedures in a maintenance window, because these are changes which you don't do on the fly, and we definitely know that this is the time frame, this is my maintenance window, when I am going to regenerate my certificates. So proper care, like arranging a maintenance or downtime window, is very much required. Then again, as we said, TVS does not need to be restarted, and no user intervention is required to rebuild the ITL file, due to the certificate change notification service: whenever there are any changes done to the certificates, TVS is automatically notified and the ITL is regenerated.

We have a question: which two certificates shouldn't we regenerate at the same time? It's the CallManager, or the TFTP, certificate and the TVS certificate; never delete or regenerate both certificates at the same time. So the CUCM certificate is the same as the TFTP certificate, and the same private key is being used to sign any kind of authentication or signature file; that's why the CUCM and TFTP certificate is the same. So as Rais mentioned, we should not try to regenerate both the CUCM, or the TFTP, plus the TVS certificate at the same time.

Now, as a precaution, if you plan to regenerate multiple certificates: first, definitely you need to have a downtime or maintenance window, just in case there is something unexpected; second, regenerate the TFTP certificate in the end, that should be the last certificate you regenerate; and definitely, by rule of thumb, whenever the TFTP certificate gets regenerated you should take a new system backup. Going forward, with CUCM 8.x and above, the TFTP certificates and the private keys
are also being backed up, and not to worry, it's all secured. You might be thinking that my certificate is going out or my keys are going out; it's all secured, it's all encrypted and it's not available outside.

So now you have a CallManager 7.x in secure mode and you want to upgrade it to 8.x, and once you upgrade your Communications Manager to 8.x and restart your CallManager the phones are unable to register. This is one of the most common issues that we face, or have heard about from customers. What you need to do is just rerun the CTL client, update the CTL file and restart the TFTP service. Once you move to 8.x and run the CTL client, it will download the latest CallManager certificate and the TFTP certificate, form a CTL file, and after restarting the TFTP and CallManager services it will push that CTL file onto the phones so that they can trust them.

Will auto registration work with security by default in CallManager 8.x? Yes, auto registration will work with security by default, but the default configuration file that will be given is a signed file, because the phones first request an ITL file and then a configuration file. A few phone models, the older phone models that do not support security by default, will be given a non-signed default configuration file. However, please note that auto registration will not be supported in mixed mode. What I mean by mixed mode is that you have a CallManager 7.x which is in secure mode by running the CTL client, but even after running the CTL client you have the option of having some phones in secure mode and other phones in non-secure communication. For example, you want the communication between the CTO and the CEO to be secure, so you can assign these phones a security profile that has security enabled, but if you don't want a lobby phone to be secured, you
can assign a non-secure security profile to that particular phone. So right now in your cluster you have both secure communication with some phones and non-secure communication used by the other phones; that is why we call it mixed mode. So the only two modes which we have are non-secure and mixed mode.

What happens if you have to reimage your server? One thing you can do, even before you actually go ahead and reimage your server, is to use the Prepare for Rollback parameter and deliver the empty ITL file to the phones by restarting the TFTP and CallManager services, and then go ahead with the reimage of the server. That way, any new ITL file that is downloaded by the phone, it will accept and install. However, if this parameter was not set, then the only option left once you reimage, since it has a new CallManager and a new TVS certificate, will be to manually delete the ITL files from every phone.

So you might ask the question: if I have a DRS backup, why can't I just simply restore my DRS backup when I'm going to reimage my server? That's very true; you can, if you have to rebuild the server, if you have a latest backup and you haven't regenerated your certificates after taking the backup. That means if you have a valid backup with all the new servers, with all the new keys, the TFTP key, the latest backup after you regenerated your certificates, then definitely you can go ahead and restore your backup. But in the real world we can be in some situations, or what we have seen from experience, that sometimes we don't have a readily available DRS backup and we run into situations where we have to reimage the server. So what we can do is have a last attempt at setting this parameter and see if the phones can download the empty ITL files. I think this will be more of a peculiar situation where, say, you have only one
server in the cluster, because if we had multiple servers, even if you reimage one of the servers, or one of the TVS servers, the phones can always go to the remaining servers for authentication purposes. So this will be a peculiar situation which you want to recover from: you have a single server in the cluster and you have to go for a rebuild. This is where Prepare Cluster for Rollback is something which you can try, so that you don't have to delete the ITL on every phone manually.

So here we come to the summary of our presentation. We'll go over a few points and again reiterate a few of them. CUCM 8.x and above have security by default enabled; that is, whenever you upgrade or install a new version, be it a new install or an upgrade, it is going to have security by default enabled. If you want to have secure media and encryption, then you need to run the CTL client. TVS, or the Trust Verification Service, is something which is new, and I think most of us may not be aware of it, so this session was mainly designed to give us a new perspective on what we are coming up with. TVS is a new service introduced, and it is going to continue in our future releases as well. Whenever we plan to move our cluster to 8.x, install or upgrade, please make sure we have the TVS port 2445 and the TLS protocol allowed in your network, just in case you have a highly secure network, because if these ports are blocked phones will not be able to contact the TVS servers, and as a result they will fail to download the ITL files and won't be able to register. As mentioned previously, auto registration will still not be supported in mixed mode; auto registration is only supported when we are running in non-secure mode. And, as I discussed before, auto registration is also supported with the security by default feature, which means that if you move to CallManager 8.x and prior to moving you
were not in a secure or mixed mode, you don't have to worry; auto registration will still work with security by default.

Next is the mystery of the rollback enterprise parameter: what exactly is it doing in the background? By default it's set to false in any cluster. The moment you set it to true, an empty ITL file will be generated, which will have empty TVS and TFTP sections, and the phone firmware is designed in such a way that if these sections are empty it's going to download, or it's going to trust, the ITL file which is given to it. Again, the most important part, or a very important part: any time we regenerate TFTP certificates, do take a DRS backup, because that saves you a lot of trouble, a lot of time and a lot of effort later. Anyway, a DRS backup is always recommended, and in 8.x and above the TFTP certificates and, as we mentioned, the TFTP keys are being backed up as well. For the supported Cisco Unified IP phones, not only the security features which are supported, you can just go to Cisco Unified Reporting and select the phone feature option; it will give you a list of what phone model supports what feature.

So right now we're going to discuss the future release enhancements which are on the roadmap, most of which have already been released. One famous one, which is being deployed by some huge enterprises, is single sign-on. I'll give you a brief introduction; you can read more about it on our CCO website. Single sign-on is, say for example, you have multiple applications running in your environment, say you use IMAP connections or Unity Connection, the CCM User page and many more applications which connect via a different API to the CallManager or Unity Connection or unified
applications: the moment you log in to your desktop or laptop using an RSA token or your Windows sign-on, you will not have to log in again at all to any of those applications. So that's seamless access.

The second point is the PKCS7 chain upload. Most of the CAs nowadays give you a chain certificate, or a certificate chain. In previous scenarios what we had to do was request the individual root certificate, or the CSR-signed certificate, to be given separately so that we could upload them using the OS Administration GUI page and the certificate page. But with the enhancement we are going to come up with, you can upload a chain directly to the CUCM GUI page on the OS admin page, and the certificate service in the background will do the work by itself to separate the root certificate and your actual signed certificate which we got from the certificate authority.

The other feature that we have in an upcoming Communications Manager, which is Communications Manager version 9.5, is that there will be an option available on the CallManager web page that can be used to delete ITL files from all the phones. Right now the only way is to manually delete it, but we are coming up with an option so that you can delete it from the Communications Manager web page.

These are some of the reference documents that you can refer to for more information on this topic. We have very good documents written by Cisco TAC engineers, which give you very precise information about the detailed process. So we decided not to indulge in a lot of details in this particular session; we wanted to give a brief overview of what Cisco is doing from the security perspective on the CUCM and the phones. Please do refer to the CUCM security guide; that's like a Bible, and whatever information we have in the slides comes from our security guide. You
can get all the information there, and do refer to the documents which we have mentioned here.

We have a question here in which the CallManager customer has a problem with CTL and ITL files. Without jumping too much into the problem: if the CallManager had been upgraded to 8.x and then moved down to 7.1, I'm not sure if CTL was running in that cluster; under the assumption that CTL was not running, he moved to 8.x and then he wants to move to 7.x. All he has to do is set that parameter for rollback so that the phones download the empty ITL files, and once you move to 7.x they will accept the configuration file that the 7.x server is going to provide.

We have one more interesting question: what other ports need to be open? For TVS to work we need port 2445 to be open, and if you have any other applications you can always look up the CUCM documentation guide, which talks about the important ports which need to be open for different protocols and functionality.

There's one more question which says: are there any drawbacks to using the rollback parameter? I would say no. The only time that you would want to use it is when you are moving from one version to another, or from one cluster to another, so that the phones download the empty ITL files and are able to register. Once they register you need to change this parameter to false and restart your TFTP and CallManager services so that they download ITL files with the exact certificates. So it's kind of a trade-off: if you wish, the phones will register even if it's an empty ITL file; the only thing it's not doing is the authentication part, it's just believing everyone by default, because if the phone is told not to trust, it doesn't have any certificates. So you can continue to run it, but again we suggest, once your purpose with the rollback
feature is done, you can always set this parameter back to false so that the phones can download a fully loaded, or populated, TVS or ITL file, and then in that case your environment or the phones are authenticating and encrypting as you desire.

All right, so before we start with the Q&A, let's go to our last polling question. The question is: how useful was this presentation? Option A, this was a very informative presentation and will help me in understanding security in CUCM 8.0+; option B, this presentation needed more in-depth details; option C, I wanted to see some more information on configuration; option D, this presentation was somewhat useful. Please take a moment to answer; the poll is open on the right-hand side. Thank you, Amit and Rais, for a great presentation, and also thank you everyone for participating in the event polling. We'll wait for one more minute to see the polling results. Now it's time to answer some of the questions our viewers have submitted today; some of them have already been answered by Rais and Amit. If you can't stay for the Q&A session, please be sure to click on the evaluation link provided in the chat to let us know how this session met your business needs and expectations. So let's wait for the polling results here, and while we wait, the first five listeners to complete the evaluation survey will receive a $20 gift card. To complete the evaluation please click on the link provided in the chat window on the right-hand side.

We have a question here. It says: upgrading a Communications Manager 7.1.5 from physical, which is already in mixed mode, to 8.6, and also replacing the server. What we would suggest is to have the current physical server upgraded to 8.6 and run the CTL client using the same eTokens; once the upgrade is successful and the phones are able to register, take a backup of this and then move to the
virtual environment. Then you won't have to rerun the CTL client, because the DRS backup will already include the TFTP certificate. That's right, and one thing: make sure that we keep the same number of nodes, ideally, as desired, so when you rerun the CTL client after the upgrade, when you're in 7.x, make sure that when you move to 8.x you have the same or a similar number of nodes at that time.

There's one question which I'm not sure was answered: do applications such as Cisco Jabber for iPhone use the ITL file? I'm sure every endpoint which is built by Cisco supports the ITL file, but we can check that and answer it on our Ask the Expert forum later on.

OK, there's one more question: are the security features available for third-party phones? No. Right now it is only supported on Cisco phones, not on third-party phones; this feature is only available for Cisco phones.

There's one more question; I think that's more related to the PDF download from Support Forums, the slides that can be downloaded. Just to let the users know, if you open document 23637 there is an attachment, and that's a PDF copy of the presentation, so you just have to download that.

I see one more question. It says: is the CTL file size limited, and how many nodes can I implement within the CTL file? Well, the CTL file needs to have the certificate from all the nodes in the cluster. The file size is not limited, but the memory of the phone is limited, so that is why we have to be careful about which certificates it needs to have in the CTL file.

OK, thank you. There's another question: what is a mixed mode cluster? As I answered before, you run the CTL client and you get your cluster into mixed mode, and you have the CTL already on the TFTP server, but to have secure communication you can decide, for example, you have your CEO and your CTO
talking over the phone and you want these phones to have encryption on their RTP stream and talk securely; nobody should be able to sniff the data. But on the other end you don't want so much high security on your lobby phones. So using a security profile you can enable security on the phones for your CEO and your CTO, and when they speak they will speak securely, that is, their RTP stream will be encrypted, whereas for the lobby phone you can use a non-secure security profile and that phone will just work like any other normal phone would. So right now you have a few phones which have security enabled and a few phones which are non-secure, and that is why we call it mixed mode. Thank you, Rais.

There's another question: what is phone hardening? I'll take that one. Phone hardening is essentially disabling some of the features on the phone. What I mean by that is, say for example, disabling the web access. If it's enabled, you are able to access most of the scripts; so you won't be able to connect to the phone using HTTP or HTTPS in that case, and in some cases I would like to disable those web pages. Disabling the PC Voice VLAN Access setting; disabling the Settings Access setting, which means I don't want my end users to change any parameter on the phone, or make any kind of changes at all to the phone, because sometimes it can be a nightmare, or you might get some unwanted tickets or calls, where the users have access to the phone settings and they did something which definitely won't come to your notice unless you go and look at the phone or investigate further. Another point is disabling the PC Port setting; if you're not using the daisy chain mechanism, you're not connecting a PC at the back of your phone, and there is no need for it, then let's go ahead and disable it. All these things you can do by just going to the device
for which you want to do it, going to the phone, and making all the changes. If you have to do it for a number of phones, like more than five, six, ten phones, definitely you can use the Bulk Administration Tool, or BAT, to do that.

OK, thank you, Amit. Let me take one more question here: how do we know what certificate is about to expire? In our CallManager, if you go to the OS Admin page, we have a feature called Certificate Monitor where you can define when to start giving the alarm whenever a certificate is about to reach its expiry, and you can also define the frequency of the alarms, how many times you want to generate the alarm. By default the certificate monitor will send out the alarms to RTMT, so you can always monitor your RTMT for the alerts; for a one-month period before it's going to expire it's going to generate the alerts. If you want them to be sent out to a specific email alias or email address, you need to configure the SMTP address, and again this feature is available on the same OS Administration page, under Security options, Certificate Monitor.

OK, so we have time to take one last question: what if I want to migrate only a set of phones to a new cluster? You can still go ahead with the option of rollback and download empty ITL files onto your phones. Once you move those few phones to a different cluster, you can then set the rollback parameter back to false and restart your TFTP and CallManager services so that the phones download the ITL files with the certificates of CallManager, TFTP, TVS and CAPF.

Please do fill out the evaluation survey, because at Cisco we definitely look forward to listening to our customers, so any feedback, or anything that you need or are interested in in the future, please do let us know. We are listening to you guys. Yes, it
definitely is going to help us design, say, what to record. If you really want to have a continuing session with more troubleshooting involved, we can have a session where we show you RTMT, how to check those alerts, how to collect those traces, and maybe we can go one more level where we can actually show these are the key points you can always look for in the certificate. Sometimes, out of curiosity, you might want to check those logs to see what exactly is happening; it's not only the TAC engineer looking into those logs. So we can have that kind of session as well, as a continuation of this particular session.

OK, so we have two more questions that came up. How do we obtain the eTokens? I think you need to contact the account manager, who will be able to provide you with more information on how you get the eToken. One of the key points which we mentioned before: we mentioned the product ID of the KEY-CCM-ADMIN, and it's there in the slides; if you refer to the slides after the session, you can contact your account manager with that key ID and they should be able to help you get the eTokens.

All right, so that concludes the Q&A portion for today's event. Amit and Rais will be hosting an Ask the Expert event starting today, that is April 3rd, until April 13th, Friday. If you have additional questions, log on to the Cisco Support Community and click on the Expert Corner tab at the top. Amit and Rais will continue answering your questions through the community site over the next two weeks. If you haven't explored the Cisco Support Community yet, take a moment to check out this excellent resource at supportforums.cisco.com. We invite you to attend our next CSC expert series webcast, with a CCIE from RTP; the topic will be Cisco smart call collector and new mobile clients. It will happen on Tuesday, May 8th, at 8 a.m. San Francisco time, which is 5 p.m.
Brussels time. The registration URL will be available soon on the CSC homepage. We would like to also inform you about our first webcast in Russian, with CCIE in R&S and Service Provider Igor; the topic will be troubleshooting common problems of Layer 3 VPN multiprotocol label switching networks, and it will take place on Tuesday, April 17th, at 12:00 p.m. Moscow time, which is 10 a.m. Brussels time. The registration URL will be pasted in the chat window. We'd like to also inform you about our upcoming Ask the Expert event with Pete and Jim starting April 9th; the topic will be Cisco Prime Network Registrar. You may join the discussion at the Expert Corner community, which is in the Cisco Support Community. Another upcoming Ask the Expert event, in English, starts April 9th; the topic will be Cisco Hosted Collaboration Solution, and for that also you can visit the Expert Corner community in the Cisco Support Community. So we invite you to ask questions and collaborate in the Cisco Support Community. We have various social media channels like Facebook, YouTube and Twitter, so feel free to check those out, and if you speak Polish, Russian, Japanese, Portuguese or Spanish, we invite you to ask your questions and collaborate in your language; the links are provided in the chat and also on the slide. Before signing off, please take a few minutes to complete your evaluation of today's session; this will help us address your business needs and interests in the future. Thank you very much, Amit and Rais, and the technical panelist Chirag, for sharing your expertise with us today. Thank you, and have a great day. Bye.
Info
Channel: Cisco Community
Views: 8,008
Keywords: cucm security implementation, cucm security, security by default, cucm 8.x, cisco unified call manager, upgrading cucm 7.x, rollback from cucm 8.x to 7.x, cisco unified callmanager, IP phone security, cisco, webcast
Id: LEiRzuoJ1wo
Length: 81min 34sec (4894 seconds)
Published: Wed Apr 25 2012