The Need For VoIP Encryption

So what is that may be the most commonly sought after yet elusive security control which plays an indispensable role in securing a VoIP network? Your guess is as good as mine, it is encryption! Now, you are well within your rights to ask why elusive? The simple answer is – where encryption can help you succeed and protect the privacy of communications, it can also be detrimental for various functions / organizations e.g. monitoring secure calls is not a trivial task and encrypting all endpoints has an impact on platform sizing and performance.

In this article we discuss about the security of Cisco Unified Communications Manager Express (CUCME) which is an integral part of Cisco UC; and more so of Cisco Express Call processing regime.

The use of authentication and encryption helps protect confidentiality and makes it harder for malicious insiders or outsiders from tampering with the signaling and media streams, the CUCME router, and IP phones. When the CUCME security features are enabled i.e. the media streams (SRTP) and call signaling (TLS), the communication between Cisco Unified IP phones and CUCME as well as Phones is encrypted as shown in figure 1:

Figure 1 - CUCME to Cisco IP Phone SRTP and TLS

Let’s go over some of the assumptions, requirements and caveats before we dwell further into CUCME security configuration.

Assumptions for CUCME Encryption

• It is assumed that CUCME is configured and operational (without security in place); this article only serves to elucidate the process of implementing authentication and encryption on the CUCME
• It must also be understood that authentication is an integral part of overall security construct when the discussion is around encryption since; authentication provides integrity whereas encryption provides privacy. For more information on Authentication and Encryption and cryptography rudiments, refer to Appendix A of Securing Cisco IP Telephony Networks.

Requirements for CUCME Encryption

• Enabling CUCME encryption requires Cisco IOS feature set Advanced Enterprise Services (adventerprisek9) or Advanced IP Services (advipservicesk9)

• CUCME version 4.2 or later is require to provide media encryption

• Supported platforms include 2800, 2900, 3200, 3800, and 3900 series routers

• Network Time Protocol (NTP) must be enabled to ensure the certificate dates are correct and to check validity of certificates

• IOS CA to sign various certificates (on same router as that of CUCME or different router)

Caveats for CUCME Encryption

• Secure three-way software conference is not supported therefore, while in conference, the call falls back to plain RTP. However, if a party drops from a three-party conference, the call between the remaining two parties returns to a secure state (if the two endpoints are configured for encryption)

• Media and signaling encryption requires the Cisco CTL client service

• Calls to Cisco Unity Express (CUE) do not support SRTP or TLS for media and signaling respectively

• Music on Hold (MOH) does not support encryption

• Modem relay and T.3 fax relay calls not support encryption

• Secure CUCME does not support Session Initiation Protocol (SIP) trunks and only H.323 trunks are supported (with IPSec for signaling protection)

With above in mind, let’s take a deep dive into the enablement of security (Encryption, Authentication) for Cisco Unified IP Phones on CUCME.

Enabling SRTP and TLS on CUCME for Endpoints

Alike any PKI hierarchy, enabling encryption (and authentication) on CUCME requires the use of a Certificate Authority (CA) server/process. CA can be configured on the same router on which CUCME application is running or it can be a different IOS router (dedicated to CA function in an organization). The major function of CA for CUCME security is to provide certificates, duration for which certificates are valid, and trust-relationship between different entities by virtue of certificates.

Save 60% on featured video training titles with discount code SUCCEED60. Prepare for your Cisco and CompTIA exams with expert video training from LiveLessons. Explore our growing library of video training titles, and discover which videos you need to achieve your learning and career goals.

* Discount code SUCCEED60 is valid for a 60% discount off the list price of eligible titles purchased on pearsonITcertification.com. Eligible titles include featured full-course video products only. Coupon not valid on individual video lessons or book/eBook + video bundles. Discount code may not be combined with any other offer and is not redeemable for cash. Discount offer expires 11:59 p.m. EST May 10, 2013. Offer subject to change.

Why Should I Upgrade my Cisco Supervisor Engine IOS?

The Supervisor Engine is the heart of the Cisco Catalyst 4500 and 6500 series switches. It is the equivalent of an engine in a car. Every packet that enters or exits your switch passes through the Supervisor Engine and, naturally, the Cisco IOS is the software that brings this beast to life.

Cisco makes an enormous effort to bring new features to its products through new versions of its popular IOS software, especially for the enterprise-class series switches such as the 4500 and 6500 Catalyst switches. Unlike other vendor operating systems, it is always advisable to keep your Cisco Catalyst operating system up to date by fitting it with the latest IOS image.

To be eligible to download an IOS image from Cisco’s website, one must have a valid contract support with Cisco Systems. This contract not only makes you eligible for all software upgrades for the duration of your contract, but also binds Cisco in delivering Top-Class support for your covered device(s).

Note: Information on installing the Cisco 4507R-E/4507R+E Catalyst Switch, Supervisor Engines, Line cards and power supplies can be found in our following articles which, combined, contain over 30 pictures of all switch components, including the passive backplane, fantray and more:

• Cisco 4507R+E Layer 3 Installation: Redundant WS-X45-SUP7L-E Supervisor Engines & WS-X4648-RJ45V+E Line Card
  

• Installation of a Cisco Catalyst 4507R-E Layer 3 Switch
  

Are Network Services Affected During or After the Catalyst Supervisor Engine(s) Upgrade?

This is perhaps one of the most frequently asked question that troubles engineers, administrators and IT Managers who have not dealt with the Supervisor Engine upgrade process before.  Who wouldn’t be? This is, after all, the network backbone switch and when it comes to large campus, Enterprise networks or networks that operate around the clock, downtime is not an option.

At this point, we should note that when upgrading a Supervisor Engine the engine must be reloaded (rebooted) in order for the system to load the new IOS image. For the Cisco Catalyst 4503 and 4506 series, which can only accept a single Supervisor Engine, this means network service interruption is unavoidable as the single Supervisor Engine must reboot. On the other hand, the Cisco Catalyst 4507R and 4510R series are capable of accepting up to two Supervisor Engines (hence the ‘R’ – Redundancy), therefore in case of a 4507R/4510R with two Supervisor Engines installed, IOS upgrades can be performed with guaranteed Zero-Service-Interruption. 

Note: The process we are about to describe was performed on a live 4507R+E with two Supervisor Engines 7L-E, on a network of 120+ users and 11 servers connected to our 4507R+E via dual 10Gbps fiber optic links (one 10Gbps link on each Supervisor Engine).

Quick Overview of the Supervisor Engine Upgrade Process

Before we dive into the upgrade process, let’s take a quick look at the steps to be followed. This will help understand the process and caveats of each step.

When upgrading a system with redundant Supervisor Engines the upgrade process has to be performed in a specific way as each Supervisor Engine is upgraded in turn.  

Following is a brief overview of the upgrade steps:

• Load the new IOS image on to the Active Supervisor Engine (SE1)
• Copy IOS image to Standby Supervisor Engine (SE2)
• Configure Supervisor Engines to load the new image upon reboot
• Set Configuration-Register variable to ensure newest image is loaded upon bootup
• Force reload of Standby Supervisor Engine (SE2) & Switchover to Standby Supervisor Engine (SE2). This now becomes the new Active Supervisor Engine
• Force reload of previously Active Supervisor Engine (SE1).

Step 1: Loading the New IOS Image on to the Active Supervisor Engine (SE1)

The first step is to copy the new IOS image on to the active Supervisor Engine (SE1). For this, a TFTP server is required for the file transfer. Users can download a selection of Free TFTP Servers from our FTP/TFTP Servers & Clients download section.

Once the TFTP server is ready, we issue the necessary command to initiate the file transfer:

The Cisco Catalyst 4507R+E Switch

It's no news that we here at Firewall.cx enjoy writing about our installations of Cisco equipment and especially devices that we don’t get to see and play with every day. Today we cover the installation of a new Cisco 4507R+E Catalyst switch populated with two 7L-E Supervisor engines, three WS-X4648-RJ45V+E 48 Gigabit PoE line cards and two 4200Watt power supplies with the ability to cover full future PoE requirements of the switch, when fully populated with PoE line cards.

Many might be aware of our first 4507R article that covered the installation of a Cisco Catalyst 4507R-E switch.  Since then, Cisco has replaced the 4507R-E with the newer 4507R+E chassis and introduced new Supervisor Engines. The difference between the two chassis is that the 4507R-E supports up to 24Gbps bandwidth per slot, whereas the newer 4507R+E supports up to 48Gbps per slot, bringing the chassis up to date with the new market trends and high-connectivity speed requirements of enterprise companies.

To make things more interesting, we ensured we captured as many pictures as possible from our 4507R+E switch installation so that our readers can familiarise themselves with it as much as possible.

After unpacking and looking at the back of the switch chassis we noticed that not much has changed except that its label now mentions 4500+E Series, indicating that it is the newer +E series. On the front side, the fan tray manages to give away that this is the newer series as it too is labelled Catalyst 4507R+E.  Apart from these minor cosmetic changes the switch looks exactly the same as its predecessor.

The picture below shows the back of the Cisco 4507R+E chassis. The dual power supplies are positioned at the top part of the switch and the specially designed grid allows adequate air to be pumped through the power supplies and out the back, with the help of the massive power supply fans.  The fans used are extremely high quality with very little friction – when during our test run, we switched off the power supplies, the fans continued to spin for at least another 20 seconds before coming to a complete stop:

Mounting a Catalyst 4500 into a rack can be a daunting experience, mainly due to its weight. When fully populated, the switch can weigh up to 55 Kgs and requires at least two people to safely pick up and place the switch into the rack, then you’d need one more person to tighten the necessary screws to keep it inside the rack!

We also found it necessary for the rack to have adequate spacing above and below the area where the switch is to be placed, because it’s very difficult to keep the switch steady during installation because of its weight. In addition, it is imperative the rack’s side covers can be removed so the two handles on the switch (one on each side) are accessible.

To overcome the problem of installing the heavy switch, we decided to remove both power supplies and all cards from the chassis. The empty chassis made things much easier.

Revealing The Magnificent Cisco 4507R+E Backplane

As we begun to slowly remove the switch’s power supplies, line cards and Supervisor Engines, we had a clear view of the spectacular 4507R backplane! The backplane is the switch’s ‘spine’, responsible of interconnecting all components together. Naturally, we had to capture this moment and here it is in all its glory:

Today, Cisco announced major changes to their associate-level certifications aligning with the evolving job market and the latest Cisco technology.

News Facts

• The certification formerly known as CCNA is now CCNA Routing & Switching, and the only prerequisite certification is CCENT.
• CCENT is also the only prerequisite certification for CCNA Voice, CCNA Wireless, CCNA Security, and CCDA certifications.
• Updates include IOS v15, IPv6 Support, IOS licensing, and a simplified 802.1x security implementation.
• Cisco also announced that the existing ICND1 (640-822), ICND2 (640-816) and CCNA (640-802) exams will have an end-of-life date of September 30, 2013. You can mix and match old and new exams until September 30th—ICND1 (640-822 or 100-101) and ICND2 (640-816 or 200-101).
• Cisco Press has the only authorized self-study products and resources to help you prepare for and pass the new exams.

Vivek Tiwari Double CCIE #18616 (CCIE Routing and Switching and Service Provider)

Vivek Tiwari holds a Bachelor’s degree in Physics, MBA and many certifications from multiple vendors including Cisco’s CCIE.  With a double CCIE on R&S and SP track under his belt he mentors and coaches other engineers. 

Vivek has been working in the Inter-networking industry for more than fifteen years, consulting for many Fortune 100 organizations. These include service providers, as well as multinational conglomerate corporations and the public sector. His five plus years of service with Cisco’s Advanced Services has gained him the respect and admiration of colleagues and customers alike.

His experience includes, but is not limited to, network architecture, training, operations, management and customer relations, which made him a sought after coach and mentor, as well as a recognized leader. 

He is also the author of the following titles:

 “Your CCIE Lab Success Strategy the non-Technical guidebook”

“Stratégie pour réussir votre Laboratoire de CCIE”

“Your CCNA Success Strategy Learning by Immersing – Sink or Swim”

“Your CCNA Success Strategy the non-technical guidebook for Routing and Switching”

Q1.  Hello Vivek and thanks for accepting Firewall.cx’s invitation for this interview.   Can you let us know a bit more about your double CCIE area of expertise and how difficult the journey to achieve it was?

I have my CCIE in Routing and Switching and Service Provider technologies. The first CCIE journey was absolutely difficult. I was extremely disappointed when I failed my lab the first time. This is the only exam in my life that I had not passed the first time. However, that failure made me realize that CCIE is difficult but within my reach. I realized the mistakes I was making, persevered and eventually passed Routing and Switching CCIE in about a year’s time.

After the first CCIE I promised myself never to go through this again but my co-author Dean Bahizad convinced me to try a second CCIE and surprisingly it was much easier this time and I passed my Service Provider lab in less than a year’s time.

We have chronicled our story and documented the huge number of lessons learned in our book “Your CCIE Lab Success Strategy the non-technical guidebook”. This book has been reviewed by your website and I am proud to state has been helping engineers all over the globe.

Q2. As a globally recognised and respected Cisco professional, what do you believe is the true value of Firewall.cx toward its readers?

Firewall.cx is a gem for its readers globally. Any article that I have read to date on Firewall.cx is well thought of and has great detailed information. The accompanying diagrams are fantastic. The articles get your attention and are well written because I have always read the full article and have never left it halfway.

The reviews for books are also very objective and give you a feel for it.

Overall this is a great service to the network engineer community.

Thanks for making this happen.

Q3. Could you describe your daily routine as a Cisco double CCIE?

My daily routine as a CCIE depends on the consulting role that I am playing at that time. I will describe a few of them:

Operations: being in operations you will always be on the lookout for what outages happened in the last 24 hours or in the last week. Find the detailed root cause for it and suggest improvements. These could range from a change in design of the network to putting in new processes or more training at the appropriate levels.

Architecture: As an architect you are always looking into the future and trying to interpret the current and future requirements of your customer. Then you have to extrapolate these to make the network future proof for at least 5 to 7 years. Once that is done then you have to start working with network performance expected within the budget and see what part of the network needs enhancement and what needs to be cut.

This involves lots of meetings and whiteboard sessions.

Mix of the Above: After the network is designed you have to be involved at a pilot site where you make your design work with selected operations engineers to implement the new network. This ensures knowledge transfer and also proves that the design that looked good on the board is also working as promised.

All of the above does need documentation so working with Visio, writing white papers, implementation procedures and training documents are also a part of the job. Many engineers don’t like this but it is essential.

Q4. There are thousands of engineers out there working on their CCNA, CCNP and CCVP certifications.  Which certification do you believe presents the biggest challenge to its candidates?

Virtual Private Networks constitute a hot topic in networking because they provide low cost and secure communications between sites (site-to-site VPNs) while improving productivity by extending corporate networks to remote users (remote access VPNs).

Cisco must be proud of its VPN solutions. It’s one of the few vendors that support such a wide range of VPN technologies with so many features and flexibility. Cisco Routers and Cisco ASA Firewalls are the two types of devices that are used most often to build Cisco Virtual Private Networks.  

In this article we will discuss and compare two general Cisco VPN categories that are utilized by network engineers to build the majority of VPN networks in today’s enterprise environments. These categories are “Policy Based VPNs” (or IPSEC VPNs) and “Route Based VPNs”. Of course Cisco supports additional VPN technologies such as SSL VPNs (Anyconnect SSL VPN, Clientless SSL VPN), Dynamic Multipoint VPN (DMVPN), Easy VPN, Group Encrypted Transport (GET) VPN etc. Many of these VPN technologies are already covered on Firewall.cx and are beyond the scope of this article.  

Below is a selection of Cisco VPN articles to which interested users can refer:

• Understanding Cisco Dynamic Multipoint VPN (DMVPN)
• Dynamic Multipoint VPN (DMVPN) Deployment Models & Architectures
• Configuring Cisco Dynamic Multipoint VPN (DMVPN)
• Configuring Site to Site IPSec VPN Tunnel Between Cisco Routers
• Configuring Cisco Site to Site IPSec VPN with Dynamic IP Endpoint Cisco Routers
• Configuring Point-to-Point GRE VPN Tunnels on Cisco Routers
• Cisco GRE and IPSec - GRE over IPSec - Selecting and Configuring GRE IPSec Tunnel or Transport Mode
• Configuring Cisco SSL VPN AnyConnect (WebVPN) on Cisco IOS Routers

Overview of Policy-Based and Route-Based Cisco VPNs

The diagram below shows a quick overview of the two VPN Categories we are going to discuss and their Practical Applications in actual networks:

For a Network Engineer or Designer it’s important to know the main differences between these two VPN categories and their practical applications. Knowing these will help professionals choose the right VPN type for their company and customers.

As shown in the diagram above, Policy-Based VPNs are used to build Site-to-Site and Hub-and-Spoke VPN and also remote access VPNs using an IPSEC Client. On the other hand, Route-Based VPNs are used to build only Site-to-Site or Hub-and-Spoke VPN topologies.

Now let’s see a brief description of each VPN Type.

Policy-Based IPSEC VPN

This is the traditional IPSEC VPN type which is still widely used today. This VPN category is supported on both Cisco ASA Firewalls and Cisco IOS Routers. With this VPN type the device encrypts and encapsulates a subset of traffic flowing through an interface according to a defined policy (using an Access Control List). The IPSEC protocol is used for tunneling and for securing the communication flow. Since the traditional IPSEC VPN is standardized by IETF, it is supported by all networking vendors so you can use it to build VPNs between different vendor devices as well. 

Sample Configuration on Cisco ASA Firewalls

To illustrate the reason why this VPN type is called Policy-Based VPN, we will see a sample configuration code on a Cisco ASA firewall based on the diagram below.

Full step-by-step configuration instructions for Policy-Based VPN on IOS Routers can be found at our Configuring Site to Site IPSec VPN Tunnel Between Cisco Routers article.

ASA-1:

ASA-2:

From the configuration sample above, the access control list VPN-ACL defines the traffic flow that will pass through the VPN tunnel. Although there is other traffic flowing through the outside ASA interface, only traffic between LAN1 and LAN2 will pass through the VPN tunnel according to the traffic policy dictated by VPN-ACL. That’s exactly the reason why this VPN type is called Policy-Based VPN.

Understanding Route-Based VPNs

A route-based VPN configuration uses Layer3 routed tunnel interfaces as the endpoints of the VPN. Instead of selecting a subset of traffic to pass through the VPN tunnel using an Access List, all traffic passing through the special Layer3 tunnel interface is placed into the VPN. Therefore you need to configure routing accordingly. Either a dynamic routing protocol (such as EIGRP or OSPF) or static routing must be configured to divert VPN traffic through the special Layer3 tunnel interface.

This VPN Type is supported only on Cisco Routers and is based on GRE or VTI Tunnel Interfaces. For secure communication, Route-Based VPNs use also the IPSEC protocol on top of the GRE or VTI tunnel to encrypt everything.

Sample Configuration on Cisco Routers

What is Unified Communications (UC)?

Unified communications is a very popular term these days and we see it appearing on almost every vendor as they rename their platforms and products to include this term. The definition of unified communications changes slightly depending on the vendor you are looking at, but its foundation remains the same. Breaking unified communications into components makes it a lot easier to analyze and put things into the correct perspective.

Unified Communications Foundational Components

These are, in essence, the main-core services a unified communications product should offer:

• Network Infrastructure. Almost all unified communications services require a rock-solid network infrastructure. Without this foundation component we are unable to use all the features an advanced unified communications solution can offer.
• IP telephony. Also known as Voice over IP (VoIP). This is a critical part of UC.
• Presence. Being able to monitor the availability and state of another user. Check if the user's phone line is occupied, is in a conference or away from his desk/office.

Unified Communications Basic Components

These are your everyday applications and services helping to unify your communications needs:

• Email. The ability to send messages and attachments between colleagues and customers.
• Messaging. Includes faxing, instant messaging services and voicemail.
• Conferencing. Includes audio conferencing and Web conferencing services that tightly integrate with the UC infrastructure.

Unified Communications Emerging Components

These unified communications components are pretty much the most popular ones around today:

• Mobility. Perhaps unified communications' greatest driving force. This component gives mobile workers corporate communications no matter where they are located.
• Social Media. Many companies are using social media to help them reach out to millions of consumers at a fraction of the traditional marketing cost.
• Videoconferencing. Mainly used by companies to reduce travel expenses and organize meetings.

Understanding your True Unified Communications Needs

There is no doubt unified communications is not one product but a combination of complex technologies working together to meet your needs. A very common problem IT Managers and engineers are faced with is to understand the needs of their company when considering a unified communications solution.

This process unfortunately can be harder than it sounds as there are a lot of parameters often not taken in consideration during the planning and decision-making process.

To help this process, we've outlined a number of points that require consideration and will help you reveal your true unified communications needs:

• Return on investment (ROI). ROI is a key point to help you understand how your investment will help you save money. ROI can be difficult to measure. ROI must be calculated based on the unified communications solution being examined, the features it offers and how necessary they are for your organization. Don't focus entirely on the product's features but your real needs today and tomorrow.
• Unified communications is an evolving trend. Are you ready for the cloud? Many organizations are already migrating their unified communications services to the cloud, relieving them from the administration burden and management cost while providing a solid platform that has the ability to deliver true 100% uptime and ease of administration.
• Future proof / Adapt to changes. This is where most unified communications solutions fall short. A unified communications solution should be able to adapt to company-wide changes and provide room for future growth. Examine your company's future plans and ensure the unified communications solution selected has the ability to support your growth plan and adapt to rapid changes.
• Roll-out plan. Most unified communication solutions consist of core services that affect everyone in the organization during the rollout (installation) phase. In some cases, these installations can disrupt the company's normal workflow and therefore cannot be made during working hours. Rollout of these services must be planned with your integrator so that your workflow is not affected. Any serious integrator will have this in mind and present an accepted rollout plan that will have minimum impact on the company's operation.