VoIP Phone Hardening - Part 2

Abstract

Cisco Unified Communications Manager (CUCM, formally CallManager) is based on Internet Protocol (IP) and is inherently unsecure by definition. Phone hardening is only one aspect of a complete security plan. However, CUCM supports many native security features that help protect the IP-based phone system. Cryptography is used to transform readable messages into unintelligible messages, which are sent across an un-trusted network. The messages are transformed in the reverse process to make the them readable again when they reach their destination. Cryptography provides four main services within the IP network. A reliable and complete plan should include securing the data network as well as the communications the phones use to interact with other devices on the network. By using Secure Real-Time Transport Protocol (SRTP), encrypted phone loads, configurations, and signaling, the IP phone and communications manager are a significant part of the complete security picture for hardening the IP Phones.

Sample

Introduction

Cisco Unified Communications Manager (CUCM, formally CallManager) is based on Internet Protocol (IP) and is inherently unsecure by definition. However, CUCM supports many native security features that help protect the IP-based phone system. Cryptography is used to transform readable messages into unintelligible messages, which are sent across an untrusted network. These same messages are transformed in the reverse process to make the message readable again when they reach their destination. Cryptography provides four main services within the IP network.

Data Authenticity - Guarantees that the message comes from the source that it claims to come from.
Data Confidentiality - Provides privacy by ensuring that messages can be read only by the receiver.
Data Integrity - Ensures that the messages were not altered in transit.
Data Non-Repudiation - Uniquely identifies the sender in order that they cannot deny being the source of the message.

The services identified above are based on encryption and authentication methods. There are different applications that CUCM uses to enable these services such as Public Key Infrastructure (PKI) that will be discussed in this paper.

Assumptions

This paper presumes that your enterprise already has a security policy in place for the data network. In this white paper, the many different settings that are available to help secure the Cisco IP Phones from potential hacker attacks will be examined. This paper is based on Cisco Unified Communication Manager 5.x, 6.x, 7.x.

Cryptography Fundamentals

Symmetric Encryption

Symmetric Encryption is a form of encryption that is extremely fast where both the sender and receiver have the same encryption key. Confidentiality is obtained as only the sender and receiver have a copy of the encryption key; therefore, to maintain confidentiality, the keys should be changed frequently. Because of the short key lifetime and each pair of devices uses a different pair of keys, key management can be difficult.

Advanced Encryption Standard (AES) is the algorithm that provides signaling encryption between the IP phones and the CUCM, making use of Transport Layer Security (TLS) connection. AES is also used to protect media exchange with Secure Real-Time Transport Protocol (SRTP).

Asymmetric Encryption

Unlike symmetric encryption, asymmetric encryption is relatively slow. The difference in speed is due to the complexity of the algorithms used to compute asymmetric encryption. This encryption type uses one key for encryption and another key for decryption. The encryption key is often called the public key, and the decryption key is often called the private key. The public key is usually published freely and is downloaded by anyone that wishes to communicate with the publisher of the key. The private keys are private and only known by the entity that is authorized to decrypt the data encrypted by the encryption key. Public Key Infrastructure (PKI) keys are usually used for a longer period of time, as everyone has the same public key, and only the provider knows the private key. Consequently, key management is much simpler with asymmetric encryption.

Rivest, Shamir, and Adleman (RSA) is the best-known asymmetric encryption algorithm because of its resistance to attacks and its maturity in the industry.

Asymmetric Encryption can be used for the following two purposes:

Confidentiality - Sender encrypts the data with the receiver's public key, the receiver uses the private key to decrypt the data. Since the receiver is the only one with the private key the data is considered confidential.
Digital signatures - In reverse to confidentiality, the private key is used to encrypt the data, creating a signature that no one else can create. The receiver uses the sender's public key to decrypt the data to verify the signature of each sender.

Hash-Based Message Authentication Codes (HMAC)

Hash functions can be used for secure password verification as well as a base component for data authentication. Hashing is a one-way function of input data that produces a fixed-length output data called the digest (sometimes called the fingerprint). The digest uniquely identifies the input data. It is impossible to derive the input data from its digest. If the input data changes just a little, the digest changes substantially.

Pure hashing uses the message as the input of the hashing algorithm and computes a fixed-length digest. The message and the digest are sent to the receiving side in cleartext format. The receiver uses the message with the same hashing algorithm. If the hashes match, then the message has not been altered. Pure hashing does not include any kind of security or encryption on the message or the key, they are both sent cleartext. A potential attacker could intercept the message, change it, recalculate the hash and append the new hash to the new message. Hashing helps accidental changes to the data while traversing the network.