
Cisco Systems. Implementing Cisco Unified CallManager Part 2. Volume 1. Student Guide PDF

322 Pages·28.889 MB·English

Preview Cisco Systems. Implementing Cisco Unified CallManager Part 2. Volume 1. Student Guide

CIPT2
Implementing Cisco Unified CallManager Part 2
Volume 1
Version 5.0
Student Guide

Editorial, Production, and Graphic Services: 10.04.06

The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100

European Headquarters
Cisco Systems International BV
Haarlerbergpark
Haarlerbergweg 13-19
1101 CH Amsterdam
The Netherlands
www-europe.cisco.com
Tel: 31 0 20 357 1000
Fax: 31 0 20 357 1100

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
www.cisco.com
Tel: 408 526-7660
Fax: 408 527-0883

Asia Pacific Headquarters
Cisco Systems, Inc.
168 Robinson Road
#28-01 Capital Tower
Singapore 068912
www.cisco.com
Tel: +65 6317 7777
Fax: +65 6317 7799

Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed on the Cisco.com Website at www.cisco.com/go/offices.
Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China PRC • Colombia • Costa Rica • Croatia • Cyprus • Czech Republic • Denmark • Dubai, UAE • Finland • France • Germany • Greece • Hong Kong SAR • Hungary • India • Indonesia • Ireland • Israel • Italy • Japan • Korea • Luxembourg • Malaysia • Mexico • The Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal • Puerto Rico • Romania • Russia • Saudi Arabia • Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain • Sweden • Switzerland • Taiwan • Thailand • Turkey • Ukraine • United Kingdom • United States • Venezuela • Vietnam • Zimbabwe

© 2006 Cisco Systems, Inc. All rights reserved. CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.
(0601R)

DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED “AS IS.” CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.

Students, this letter describes important course evaluation access information!

Welcome to Cisco Systems Learning. Through the Cisco Learning Partner Program, Cisco Systems is committed to bringing you the highest-quality training in the industry. Cisco learning products are designed to advance your professional goals and give you the expertise you need to build and maintain strategic networks.

Cisco relies on customer feedback to guide business decisions; therefore, your valuable input will help shape future Cisco course curricula, products, and training offerings. We would appreciate a few minutes of your time to complete a brief Cisco online course evaluation of your instructor and the course materials in this student kit. On the final day of class, your instructor will provide you with a URL directing you to a short post-course evaluation. If there is no Internet access in the classroom, please complete the evaluation within the next 48 hours or as soon as you can access the web.
On behalf of Cisco, thank you for choosing Cisco Learning Partners for your Internet technology training.

Sincerely,
Cisco Systems Learning

Table of Contents

Volume 1

Course Introduction
  Overview
  Learner Skills and Knowledge
  Course Goal and Objectives
  Course Flow
  Additional References
  Cisco Glossary of Terms
  Your Training Curriculum

Secure IP Telephony
  Overview
  Module Objectives

  Preventing Toll Fraud
    Overview
    Objectives
    Toll Fraud
    Types of Toll Fraud
    Restricting CFA and Voice Mail Using Calling Search Spaces
    Voice-Mail Forwarding Exploits
    Steps to Restrict Forwarding
    CFA Restriction Example
    CFA Restriction Example—Permitted Call
    CFA Restriction Example—Denied Call
    Voice-Mail Port Restrictions—Example
    Blocking Common Fraudulent Area Codes
    Examples of Commonly Exploited Area Codes
    Example
    Using Time-of-Day Routing
    Time-of-Day Routing
    Steps to Configure Time-of-Day Routing
    Time Period Configuration
    Time Schedule Configuration
    Examples
    Partition Configuration
    Time-of-Day Routing Example
    Example
    Using FAC
    Configure FAC
    FAC Configuration
    Configure Route Patterns to Use FAC
    FAC Example
    Understanding Call Classification
    Gateways and Trunks
    Route Patterns
    On-Net and Off-Net Classification
    Device Override Examples
    Example 1
    Example 2
    Example 3
    Restricting External Transfers
    Restricting External Transfers
    Configure Cisco Unified CallManager to Block Off-Net-to-Off-Net Transfers
    Dropping Conference Calls
    Service Parameter Set to When No On-Net Parties Remain in the Conference Example
    Configuration of the Drop Ad Hoc Conference Parameter
    Summary

  Hardening the IP Phone
    Overview
    Objectives
    Threats Targeting Endpoints
    Endpoint Infiltration and Attack
    Possible Attack Paths
    Stopping Rogue Images from Entering Phones
    IP Phones Validate Signed Firmware Image
    Phone Security Settings Overview
    Disabling PC Port, Settings Button, and Web Access to the Phone
    IP Phone Web Service
    Ignoring GARP
    GARP Attack
    Block PC Access to the Voice VLAN
    Disable PC Voice VLAN Access
    Authentication and Encryption on Cisco Unified CallManager Administration and IP Phones
    Summary

  Understanding Cryptographic Fundamentals
    Overview
    Objectives
    What Is Cryptography?
    Services of Cryptography
    Encryption Overview
    Authentication Overview
    Symmetric Encryption
    Symmetric Encryption Considerations
    Symmetric Encryption Example: AES
    AES History
    AES versus 3DES
    AES in IP Telephony
    Asymmetric Encryption
    Asymmetric Encryption Considerations
    Asymmetric Encryption Example: RSA
    RSA History
    RSA Applications
    RSA in IP Telephony
    Hash Functions
    The SHA-1 Algorithm
    Lack of Security in Pure Hashing
    Hash-Based Message Authentication Code
    Digital Signatures
    Digital Signatures and RSA
    Digital Signatures Using RSA in Detail
    Summary

  Understanding PKI
    Overview
    Objectives
    The Need for a PKI
    Key Exchange in Symmetric Cryptography
    Manual Key Exchange
    Automated Key Exchange
    Key Exchange Protected by Asymmetric Encryption
    Key Exchange in Asymmetric Cryptography
    PKI as a Trusted Third-Party Protocol
    Trusted Introducing in PKIs—Locally Generated Key Pairs
    Distribution of the Public Key of the Trusted Introducer
    Request for Signature of Public Keys of Entities
    Signing of Public Keys
    Providing Entities with Their Signed Public Keys
    Public Key Exchange Between Entities Using Their Signed Public Keys
    PKI Entities
    CA Examples
    X.509v3 Certificates
    Self-Signed Certificates
    End Entities and Self-Signed Certificates
    PKI Enrollment
    Man-in-the-Middle Attack During PKI Enrollment
    Secure PKI Enrollment
    Authentication of PKI Enrollment
    PKI Revocation and Key Storage
    PKI Revocation Methods
    Key Storage
    Smart Cards and Smart Tokens
    Example
    PKI Examples
    PKIs and SSL or TLS
    Browser-Embedded CA Certificates
    Web Server Certificate Verification
    Web Server Authentication
    Exchange of Session Keys
    Session Encryption
    PKI and IPsec
    Mutual Certificate Verification
    Mutual Authentication
    Protected DH Exchange and Session Key Generation
    Session Encryption
    Summary

  Understanding Cisco IP Telephony Authentication and Encryption Fundamentals
    Overview
    Objectives
    Threats Targeting the IP Telephony System
    Examples of Threats Targeting the IP Telephony System
    How a Cisco IP Telephony Network Protects Against Threats
    Secure Signaling
    Secure Signaling Using TLS
    Secure Media Transfer
    Secure Media Transfer Using SRTP
    Authentication of IP Phone Images
    Phone Image Verification
    Authentication of IP Phone Configuration Files
    Encryption of IP Phone Configuration Files
    PKI Topologies in Cisco IP Telephony
    Cisco IP Telephony Self-Signed Certificate PKI Topologies
    Cisco IP Telephony MIC PKI Topology
    Cisco IP Telephony LSC PKI Topology
    Independent, Separated PKI Topologies
    PKI Enrollment in Cisco IP Telephony
    CTL Download
    Cisco CTL Client Application
    CTL Verification on the IP Phone
    Initial Deployment Issue
    PKI Enrollment in Cisco IP Telephony
    CAPF Acting as a CA
    CAPF Acting as a Proxy to an External CA
    Keys and Certificate Storage in Cisco IP Telephony
    Authentication, Integrity, and Authorization
    Certificate Exchange in TLS
    Server-to-Phone Authentication
    Phone-to-Server Authentication
    TLS SHA-1 Session Key Exchange
    Authenticated Signaling Using TLS
    Encryption
    TLS AES Encryption
    SRTP Media Encryption
    SRTP Packet Format
    SRTP Encryption
    SRTP Authentication
    Secure Call Flow Summary
    Summary

  Configuring Cisco IP Telephony Authentication and Encryption
    Overview
    Objectives
    Authentication and Encryption Configuration Overview
    Authentication and Encryption Configuration Checklist
    Enabling Services Required for Cisco PKI
    Installing the Cisco CTL Client
    When to Use the Cisco CTL Client
    Using the Cisco CTL Client
    Updating the CTL
    Working with LSCs
    CAPF Service Configuration Parameter
    CAPF—Configuration Options
    Security Profiles
    Default SCCP Phone Security Profiles
    Configuring CAPF Authentication Mode Using Phone Security Profiles
    Example: First-Time Installation of a Certificate with Manually Entered Authentication String
    Example: Certificate Upgrade Using an Existing LSC
    Enabling Authentication and Encryption
    Actual Security Mode Depends on Configuration of Both Phones
    Finding Phones with Security Features and Generating CAPF Reports
    Generating a CAPF Report
    CAPF Report Example
    Configuring Digest Authentication for SIP Phones and Trunks
    Digest Authentication versus TLS
    Configuring Digest Authentication
    Enabling Encrypted Phone Configuration Files
    How Phones Get Encrypted Configuration Files
    Configuring Encrypted Configuration Files
    Configuring Secure SRST
    SIP Trunk Encryption and SRTP for MGCP and H.323
    Configuring SIP Trunk Encryption
    SRTP to MGCP Gateways
    SRTP to H323 Trunks or Gateways
    H.323 SRTP Cisco Unified CallManager Configuration
    H.323 SRTP Gateway Configuration
    Configuring Authentication and Encryption for CTI, JTAPI, and TAPI
    Authentication and Encryption for CTI, JTAPI, and TAPI
    Configuring Authentication and Encryption for CTI, JTAPI, and TAPI
    Security User Groups
    Configuring CAPF Profiles
    Configuring IPsec Options
    Sample IPsec Applications
    IPsec Configuration
    Set Up an IPsec Association
    Summary

  Module Summary
  References
  Module Self-Check
  Module Self-Check Answer Key

Enable IP Video Telephony
  Overview
  Module Objectives

  Introducing IP Video Telephony
    Overview
    Objectives
    IP Video Telephony Solution Components
    IP Video Telephony Solution Components
    Video-Enabled IP Telephony: The Big Picture
    Video Calls
    Cisco Unified CallManager Video Calls
    Cisco Unified CallManager Video Call Flow
    Example
    Cisco Unified CallManager Supported Video Codecs
    Video Protocols Supported in Cisco Unified CallManager
    SCCP and H.323 Endpoint Characteristics
    SCCP Video Call Characteristics
    H.323 Video Call Characteristics
    SCCP vs. H.323 in Cisco Unified CallManager
    Bandwidth Management
    Video Call Bandwidth Requirement
    Media Channels of a Video Call
    Example
    Calculating the Total Bandwidth
    Actual Bandwidth Used per Video Call
    CAC Settings in Cisco Unified CallManager
    CAC Within a Cluster
    Regions
    Locations
    Video Call Bandwidth Example: Locations
    Retry Video Call as Audio
    Video Call Bandwidth Example: Retry Video Call as Audio
    CAC Between Clusters
    Gatekeeper Call Admission Control Options
    Gatekeeper CAC Example
    Summary

Implementing Cisco Unified CallManager Part 2 (CIPT2) v5.0 © 2006 Cisco Systems, Inc.
