MCS Operating System Hardening
Cisco CallManager version 4.x runs on the Windows 2000 Server OS. For this reason, it is important to ensure that the underlying
MCS operating system (Windows 2000 Server) is properly hardened so that it cannot easily be attacked and compromised.
One of the first things to ensure is that Cisco patches and updates are installed to protect against security threats. It is also important to
ensure that Cisco CallManager servers are not used for any services other than those provided by CallManager. So, for example,
a Cisco CallManager should not be used for web browsing and should not be configured to provide file and print services.
It is important to ensure that file access is restricted, the number of Windows 2000 user accounts is kept to a minimum, accounts used
by CallManager are not deleted or modified, and a secure password policy is implemented. Furthermore, it is a good idea to disable
any services that are not required on the CallManager server.
Finally, it is recommended that only approved antivirus software and security software, such as Cisco Security Agent, is installed on a
CallManager server.
Note that CallManager/CUCM 5.x and above run on security-hardened Linux appliances. It is possible to install Cisco Security Agent
(CSA) on CUCM 4.x, 5.x, 6.x, and 7.x. CSA provides intrusion detection and prevention.
Phone Authentication and Encryption
Although mechanisms such as DHCP snooping can help prevent certain types of DoS attacks, IP telephony systems are also
vulnerable to other types of attack, such as interception and eavesdropping, as well as malicious insertion of packets into a voice
signaling or media stream. Therefore, it is important to secure IP telephony networks, and Cisco CUCM and other devices can be
configured to use encryption and authentication to protect against attacks.
Cisco CUCM, Cisco IP phones, and voice gateways can be configured to authenticate and encrypt voice signaling and media traffic,
and Cisco IP phones can be configured to authenticate phone images and configuration files. These functions rely on a public key
infrastructure (PKI) and the issuance of certificates.
 