[cisco-voip] Hardware Tokens/Secure Cluster

ROZA, Ariel Ariel.ROZA at LA.LOGICALIS.COM
Tue Aug 29 17:25:47 EDT 2017


I have done some secure clusters before (with the tokens) and I can tell you this:

While you can secure the basic cluster (CUCM and IP Phones) with ease, you have to take into account several things if you need to do a more extensive encryption:

- Conference usage: software bridges like CUCM may not support encryption, so you have to use more hardware bridges on routers if you want encrypted conferences (some planning and more resources)
- Non CUCM applications require some additional work (CUACA, UCCX, Unity Connection, PhoneProxy, etc.). This usually involves interchanging certificates between servers.
- If you want to encrypt traffic to H.323 gateways you'll have to create VPNs
- SIP Trunks with TLS will also require you to deal with certificates.
- If you have a large quantity of devices to handle certificates for (<10 servers+gateways), you had better have a PKI infrastructure put in place and well oiled before doing anything. You will deal with certificate renewal every 2 to 5 years

You will find the info to encrypt traffic to CUACA or UCCX in the CUCM Security Guide (basically, you'll have to encrypt CTI Ports).

And, at last, take into account that encryption adds an additional layer of complexity when troubleshooting everything.

Hope this helps. Anything else, just ask.


From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On behalf of Matthew Loraditch
Sent: Tuesday, August 29, 2017 11:03 a.m.
To: Brian Meade <bmeade90 at vt.edu>
CC: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] Hardware Tokens/Secure Cluster

Ok yes, I’m starting to understand this.

I’m also looking for guidance re CUACA and UCCX.
I’m struggling trying to find where the instructions are for either of them.

Matthew G. Loraditch – CCNP-Voice, CCNA-R&S, CCDA
Network Engineer
Direct Voice: 443.541.1518
Facebook<https://www.facebook.com/heliontech?ref=hl> | Twitter<https://twitter.com/HelionTech> | LinkedIn<https://www.linkedin.com/company/helion-technologies?trk=top_nav_home> | G+<https://plus.google.com/+Heliontechnologies/posts>

From: bmeade90 at gmail.com [mailto:bmeade90 at gmail.com] On Behalf Of Brian Meade
Sent: Tuesday, August 29, 2017 9:19 AM
To: Matthew Loraditch <MLoraditch at heliontechnologies.com>
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] Hardware Tokens/Secure Cluster

You can use self-signed certificates now instead with the command-line tools.  There's still some hardware tokens if you'd rather have something physical rather than worrying about backing up the certificates.

You can just run "utils ctl set-cluster mixed-mode" and then restart CallManager/TFTP on all nodes if you want to use self-signed certs.

Here's the 10.x security guide- https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/10_0_1/secugd/CUCM_BK_C68276B4_00_cucm-security-guide-100/CUCM_BK_C68276B4_00_cucm-security-guide-100_chapter_0100.html

On Mon, Aug 28, 2017 at 8:25 PM, Matthew Loraditch <MLoraditch at heliontechnologies.com> wrote:
We have a client who is requesting a secure cluster. Never done it before. Do those hardware tokens still exist? It appears not and it’s all software based now?
Any fantastic blogs or step by step guides that folks have used? The documentation is refreshingly mind numbing.

Thanks!
-Matthew

_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
