The Essentials of Endpoint Security & Compliance

• Session 1: The Impact of Security by Default
• Session 2: Understanding and Managing ITL & CTL Files
• Session 3: Leading Practices for Endpoint Security & Compliance

Copyright UnifiedFX Limited 2013

The Essentials of Endpoint Security & Compliance: The Impact of Security by Default
http://www.unifiedfx.com

House Rules
• This session IS being recorded
• Email [email protected] for details
• Submit questions to “All Panellists” during the session using the WebEx interface
• A review of questions and answers will be covered at the end of the session

Speakers
• Akhil Behl
  • Solutions Architect with Cisco Advanced Services
  • Leading Cisco Unified Communications security expert
  • Author of “Securing Cisco IP Telephony Networks”
• Stephen Welsh
  • UnifiedFX CTO
  • Original author of PhoneView

Agenda
• Security by Default
  • Overview
  • Signed Configuration Files
  • Secure Phone URLs
  • Secure Phone Web Server
• Common Issues
• Recommendations
• Useful Resources
• Endpoint Security & Health Check Report
• Demo
• Question & Answer Session

Overview of Security by Default
• Introduced with UCM 8
• Increases the security level of UCM clusters
• Cannot be disabled/removed
• Revert/downgrade:
  • Prepare Cluster for Rollback to pre 8.0
• What it doesn’t include:
  • Media and signalling security is only by virtue of CTL
  • Only applicable to Cisco Unified IP Phones

Signed Configuration Files
• Signed configuration was optional; it is now mandatory with ITL
• Prevents unauthorised software from being loaded onto the phone (i.e. the recent hack demo by Ang Cui)
• The TFTP server’s certificate (callmanager.pem) is used to sign configurations
• The phone’s ITL file is used to verify the configuration file
Note: If the ITL file does not match the TFTP certificate, then changing the phone configuration is not possible

Phone URLs
• Introduction of HTTPS versions of the Phone URLs:
  • Used by default for secure phone models
  • Authentication, Directories, Idle, Information, Messages, Services
• Trust Verification Service (TVS)
  • Verifies HTTPS certificates on behalf of the phone (certificate proxy)
  • The Initial Trust List (ITL) is used to trust the TVS service (TVS.pem)
• Considerations:
  • Make sure the hostname in the URL matches the certificate used on the target
  • Temporary workaround: replace the HTTPS URLs with the HTTP versions in Enterprise Parameters (port 8443 => 8080)

Phone URLs: Trust Verification Service Operation

Phone Web Server
• Disabled by default
• Typically used for gathering phone-local information:
  • Serial, switch port, QoS stats
• May affect some applications:
  • Remote control, paging & inventory applications
• Can it be re-enabled easily?
  • Enterprise Phone Configuration
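The hostname consideration above is easy to get wrong when the Enterprise Parameter URLs use a short name or an IP address. The following added example (not UnifiedFX or Cisco code) checks a constructed set of phone URLs against a constructed certificate identity and rewrites a failing URL to the HTTP/8080 fallback the slides mention; it assumes the phone/TVS applies ordinary RFC 6125 hostname matching (SAN dNSName first, subject CN only if no SANs, one left-most wildcard label), which is an assumption, not something the slides state.

```python
"""Check Cisco UCM phone-URL hostnames against the web server certificate.

Added example, not the presenters' or Cisco's code. Assumes RFC 6125-style
host matching is what the phone/TVS applies (assumption, not from the slides).
"""
from urllib.parse import urlparse, urlunparse

# Constructed Enterprise Parameter style URLs; hostnames are examples only.
PHONE_URLS = {
    "Authentication": "https://ucm-pub.example.internal:8443/ccmcip/authenticate.jsp",
    "Directories": "https://ucm-pub.example.internal:8443/ccmcip/xmldirectory.jsp",
    "Services": "https://10.0.0.5:8443/ccmcip/getservicesmenu.jsp",
    "Idle": "https://ucm-pub:8443/ccmcip/idle.jsp",
}
# Constructed certificate identity presented by the UCM web server.
CERT_CN = "ucm-pub.example.internal"
CERT_SANS = ["ucm-pub.example.internal", "*.voice.example.internal"]


def host_matches(host: str, pattern: str) -> bool:
    """Case-insensitive comparison allowing one left-most wildcard label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if "*" not in pattern:
        return host == pattern
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_phone_urls(urls, cert_cn, cert_sans):
    """Return {parameter: reason} for HTTPS URLs whose host the cert does not cover."""
    names = list(cert_sans) or [cert_cn]  # SANs take precedence over the CN
    problems = {}
    for param, url in urls.items():
        parsed = urlparse(url)
        if parsed.scheme != "https":
            continue  # plain HTTP URLs are not certificate-verified by TVS
        host = parsed.hostname or ""
        if not any(host_matches(host, n) for n in names):
            problems[param] = f"hostname {host!r} not covered by {names}"
    return problems


def http_fallback(url: str) -> str:
    """Temporary workaround from the slides: HTTPS on 8443 -> HTTP on 8080."""
    p = urlparse(url)
    if p.scheme != "https":
        return url
    return urlunparse(p._replace(scheme="http", netloc=f"{p.hostname}:8080"))
```

Run `check_phone_urls(PHONE_URLS, CERT_CN, CERT_SANS)` to list the parameters to correct; the proper fix is a certificate and URL hostname that agree, with `http_fallback` only as the stop-gap the slides describe.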