Telematics Engineer

Only available on BuenasTareas
  • Pages: 38 (9391 words)
  • Downloads: 0
  • Published: 20 August 2012
Chapter 10

Cisco Unified CallManager Express Security Best Practices
Revised date: August 12, 2009

Cisco Unified CallManager Express (Cisco Unified CME) provides integrated IP communications on Cisco IOS routers, so the security best practices recommended for all Cisco IOS voice-enabled routers also apply to Cisco Unified CME. In addition, you should implement Cisco Unified CME system-specific security practices for additional protection. This chapter describes how to set up Cisco Unified CME from the CLI so that users cannot, intentionally or accidentally, gain system-level control through the GUI or through local or remote CLI access. The sections in this chapter address the following Cisco Unified CME security considerations:
• Securing GUI Access, page 10-1
• Using HTTPS for Cisco Unified CME GUI Management, page 10-2
• Configuring Basic Cisco Unified CME Access Security, page 10-3
• Cisco Unified CME Security for IP Telephony, page 10-8
• Cisco Unified CME with NAT and Firewall, page 10-14
• Secure SCCP Signaling via TLS, page 10-20
• Cisco Unified CME Commonly Used Ports, page 10-25

Note

For additional information, see the “Related Documents and References” section on page xii.

Securing GUI Access
A Cisco IOS router authenticates an administrator CLI login against the enable password only, and the default setting for HTTP access is ip http authentication enable, which checks HTTP logins against that same enable password. If the system administrator, customer administrator, or phone user has the same password as the router’s enable password, he or she can gain level 15 EXEC privilege access to Cisco IOS software over HTTP. A normal IP phone user can then accidentally change the Cisco Unified CME configuration, erase Flash, or reload the router after logging on at this URL: http://cme-ip-address/

Cisco Unified CallManager Express Solution Reference Network Design Guide OL-10621-01

To prevent a normal user from reaching the system administrator page by knowing (or sharing) the enable password, configure Cisco Unified CME to authenticate HTTP logins with AAA or against the local user database instead, using one of the following commands:

  ip http authentication aaa

or

  ip http authentication local

System Administrator Account Authentication via AAA
Cisco Unified CME allows the system administrator username and password to be authenticated by AAA. Use the following configuration to authenticate the system administrator login with AAA; in this example the router queries a TACACS+ server at 10.1.2.3 and falls back to the local user database only if the server does not respond:

  ip http authentication aaa
  aaa new-model
  aaa authentication login default group tacacs+ local
  tacacs-server host 10.1.2.3

Note

Only the system administrator login is authenticated by AAA. Normal (non-system-administrator) usernames and passwords are not authenticated by AAA.

Using HTTPS for Cisco Unified CME GUI Management
HTTP over SSL (HTTPS) provides Secure Socket Layer (SSL) version 3.0 support for the HTTP 1.1 server and HTTP 1.1 client in Cisco IOS software. SSL provides server authentication, encryption, and message integrity for HTTP communications, and can also authenticate the HTTP client. This feature is supported only in Cisco IOS software images that include the SSL feature, specifically the Advanced Security, Advanced IP Services, and Advanced Enterprise Services images. Use the Advanced IP Services or Advanced Enterprise Services Cisco IOS image to get both the Cisco Unified CME and SSL features. Note that SSL 3.0 itself has since been deprecated (RFC 7568); on current Cisco IOS releases the secure HTTP server negotiates TLS instead.

IP phones do not act as HTTPS clients. If only HTTPS is enabled on the Cisco Unified CME router, the phones still try to connect over HTTP on port 80; because the SSL default port is 443, they cannot display the local directory and system speed dials. IP phones using HTTP can coexist with a system configured for SSL by enabling both HTTP and HTTPS, as shown in the following example:

  ip http server
  ip http secure-server
  ip http secure-port port_number    ! only if the HTTPS port is changed from the default 443
  ip http authentication AAA | ...
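The checks from the three sections above (the HTTP authentication method, the AAA prerequisites for the system administrator login, and HTTP/HTTPS coexistence for the phones) can be applied mechanically to a saved running-config. The following Python audit is an added example and is not part of the Cisco document; the three sample configurations are constructed, and the finding codes, helper names, and the `username` and `tacacs-server` lines they reference are this example's own assumptions, not anything the chapter prescribes.

```python
"""Audit a Cisco IOS running-config for the Unified CME GUI-access settings
described in this chapter: HTTP authentication method, AAA prerequisites and
HTTP/HTTPS coexistence.  Added example; not part of the Cisco document.
"""
import re

# Constructed sample configs (not captured from a real router).
WEAK_CONFIG = """\
version 12.4
hostname cme-router
!
ip http server
!
telephony-service
 web admin system name admin password cisco
!
"""

HARDENED_CONFIG = """\
version 12.4
hostname cme-router
!
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 10.1.2.3
username cme-admin privilege 15 secret ExamplePassw0rd
!
ip http server
ip http secure-server
ip http authentication aaa
!
"""

# AAA selected but never enabled, no TACACS+ server, HTTPS-only on a non-default port.
PARTIAL_CONFIG = """\
hostname cme-router
aaa authentication login default group tacacs+ local
ip http secure-server
ip http secure-port 8443
ip http authentication aaa
"""


def parse_config(text):
    """Return global-mode lines only: comments, blanks and indented sub-mode lines dropped."""
    return [ln.rstrip() for ln in text.splitlines()
            if ln.strip() and not ln.startswith("!") and not ln.startswith(" ")]


def http_auth_method(lines):
    """'ip http authentication <method>'; IOS defaults to 'enable' when the line is absent."""
    for ln in lines:
        m = re.match(r"ip http authentication (\S+)", ln)
        if m:
            return m.group(1).lower()
    return "enable"


def login_methods(lines):
    """Method tokens from every 'aaa authentication login <list> ...' line."""
    methods = []
    for ln in lines:
        m = re.match(r"aaa authentication login \S+ (.+)", ln)
        if m:
            methods.extend(m.group(1).split())
    return methods


def audit(text):
    """Return finding codes, in a fixed order, for one running-config."""
    lines = parse_config(text)
    findings = []
    http_on = "ip http server" in lines
    https_on = "ip http secure-server" in lines
    method = http_auth_method(lines)

    # Default 'enable': anyone whose CME password equals the enable password
    # gets privilege 15 over HTTP (the problem described under Securing GUI Access).
    if (http_on or https_on) and method == "enable":
        findings.append("HTTP_AUTH_ENABLE_PASSWORD")

    if method == "aaa":
        methods = login_methods(lines)
        if "aaa new-model" not in lines:
            findings.append("AAA_NOT_ENABLED")
        if not methods:
            findings.append("AAA_LOGIN_METHOD_MISSING")
        if "tacacs+" in methods and not any(
                ln.startswith(("tacacs-server host ", "tacacs server ")) for ln in lines):
            findings.append("TACACS_SERVER_MISSING")
        # 'local' fallback only works if at least one local username exists.
        if "local" in methods and not any(ln.startswith("username ") for ln in lines):
            findings.append("LOCAL_FALLBACK_NO_USERS")

    if http_on and not https_on:
        findings.append("HTTPS_NOT_ENABLED")
    # Phones are HTTP-only on port 80: HTTPS without HTTP breaks directory and speed dials.
    if https_on and not http_on:
        findings.append("HTTP_DISABLED_PHONES_BREAK")
    for ln in lines:
        m = re.match(r"ip http secure-port (\d+)", ln)
        if m and m.group(1) != "443":
            findings.append("HTTPS_NONDEFAULT_PORT_" + m.group(1))
    return findings


if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("partial", PARTIAL_CONFIG)]:
        print(name, audit(cfg) or ["OK"])
```

Feed `audit()` the text of `show running-config` from the router. The weak sample trips the enable-password and missing-HTTPS findings, the hardened sample is clean, and the partial sample shows the cases that are easy to miss when only the `ip http` lines are reviewed: `ip http authentication aaa` without `aaa new-model`, a method list naming `tacacs+` with no server defined, a `local` fallback with no local user to fall back to, and HTTPS enabled on its own, which the phones cannot use.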