Introduction to Security
Achieving contact center enterprise solution security requires a security policy that accurately defines access, connection requirements, and systems management. A good security policy enables you to use the available Cisco technologies to protect your data center resources from internal and external threats. Security measures ensure data privacy, integrity, and system availability.
The security considerations for contact center enterprise solutions are similar to those for the other applications in a Cisco Unified Communications solution. Contact center enterprise solutions vary greatly and often call for complex network designs. These deployments require competence in Layer 2 and Layer 3 networking as well as voice, VPN, QoS, Microsoft Windows Active Directory, and other networking topics. This chapter provides some guidance in these areas. However, it is not an all-inclusive guide for deploying a secure contact center.
Along with the Unified Communications Security Solution portal, use the design documentation in the Design Zone at http://www.cisco.com/c/en/us/solutions/enterprise/design-zone/index.html. These documents provide information on properly building a network infrastructure for Cisco Unified Communications. In particular, consult the following relevant documents about security and Cisco Unified Communications:
- Cisco Unified Communications SRND Based on Cisco Unified Communications Manager
- Data Center Networking: Server Farm Security SRNDv2
- Site-to-Site IPSec VPN SRND
- Voice and Video Enabled IPSec VPN (V3PN) SRND
- Business Ready Teleworker SRND
Updates and additions to these documents are posted periodically, so visit the Design Zone frequently.
This chapter provides limited guidance on the intricacies of designing and deploying a Windows Active Directory. More information is available from Microsoft on the following topics:
- Designing a new Active Directory logical structure.
- Deploying Active Directory for the first time.
- Upgrading an existing Windows environment to a supported Microsoft Windows Server Active Directory version.
- Restructuring your current environment into a Windows Active Directory environment.
Security Layers
An adequately secure solution requires a multilayered approach to protect it from various threats.
Implement the following security layers and establish policies around them:
- Physical Security—Ensure that the servers hosting the contact center applications are physically secure. Locate the servers in data centers to which only authorized personnel have access. Also control access to the cabling plant, routers, and switches. A strong physical-layer network security plan also includes techniques such as port security on data switches.
- Perimeter Security—The design and deployment of a secure data network is a complex subject. This guide provides references to resources on establishing effective perimeter security for your contact center enterprise solution.
- Data Security—To provide an increased level of protection from eavesdropping on customer-sensitive information, contact center enterprise solutions support Transport Layer Security (TLS) for agent desktops. They also support IPsec to secure communication channels between servers.
  Note: The contact center enterprise solutions use TLS 1.2 by default. For most components, you can enable earlier versions of TLS if necessary.
- Host-Based Firewall—You can use the Windows Firewall to protect servers from malicious users and programs that attack with unsolicited incoming traffic. For more information about the Windows Firewall, see the Microsoft documentation.
- Virus Protection—Run antivirus applications with the latest virus definition files (scheduled for daily updates) on all VMs. See the Compatibility Matrix for your solution for a list of all the tested and supported antivirus applications.
- Patch Management—Do not connect your solution to a live network without applying all security updates. Keep all hosts up to date with Microsoft (Windows, SQL Server, and so forth) and other third-party security patches. See the third-party patch management policy at http://www.cisco.com/c/en/us/products/collateral/customer-collaboration/unified-contact-center-enterprise/product_bulletin_c25-455396.html.
For most of these security layers, contact center enterprise solutions support several capabilities. However, Cisco cannot control or enforce your enterprise's policies and procedures for deploying and maintaining a secure solution.
Secure Signaling and Media Design and Configuration
TLS and SRTP provide encryption for SIP signaling and RTP media in the CallServer. The figure referenced here (not reproduced in this text) shows the comprehensive deployment model.
Deployment Models
- Unsecured: This is the deployment model from earlier releases of CVP and VVB. Operations behave as they did before. This is a zero-impact deployment for existing solutions.
- Secured signaling only: This deployment model adds signaling security on top of the unsecured model. Call setup uses secured SIP (SIP over TLS), so all data exchanged before any audio is heard is protected.
- Secured signaling with media security for the agent call: This deployment model provides signaling security and adds media security between the caller and the agent. The spoken content between the caller and the agent that is carried over the IP network within the enterprise is protected against interception and eavesdropping.
- Signaling with end-to-end media security for the IVR and agent call: This deployment model provides complete protection for a call. Not only is the signaling secured, but the media and audio from the caller to the IVR and to the agent are secured as well.
Call Flow
Media Encryption (SRTP) Considerations
Before enabling SRTP in your deployment, consider the following points:
- To use secure media on the agent leg, ensure that the installed IP phones are compatible with SRTP.
- The Virtualized Voice Browser supports SRTP for the VRU leg.
- The IOS VXML Gateway does not support SRTP.
- Mobile Agents cannot use SRTP.
- The Cisco Outbound Option Dialers do not support SRTP. While calls are connected to the Dialer, the calls cannot use SRTP. But, calls can negotiate SRTP once the call is no longer connected to the Dialer.
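Because the deployment models above differ only in which call legs negotiate SRTP, and the considerations just listed name legs that cannot (IOS VXML Gateway, Mobile Agents, Dialer), a practical verification step is to audit the SDP in captured SIP signaling leg by leg. The following is an added example, not code from the Cisco guide: it parses m= and a=crypto lines and reports which active media legs are not negotiating SRTP; the sample SDP and its inline key are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Transport profiles that signal SRTP on an m= line (SDES per RFC 4568, DTLS-SRTP per RFC 5764).
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

@dataclass
class MediaLeg:
    kind: str                 # "audio", "video", ...
    port: int                 # 0 means the stream was rejected
    profile: str              # transport profile from the m= line
    crypto_suites: list[str] = field(default_factory=list)  # from a=crypto lines

    @property
    def srtp(self) -> bool:
        """True when this leg is actually negotiating SRTP."""
        if self.port == 0:
            return False
        if self.profile.startswith("UDP/TLS/"):
            return True       # DTLS-SRTP: keys come from the DTLS handshake
        # SDES-SRTP needs a secure profile *and* at least one a=crypto line;
        # RTP/SAVP without any key material is not a usable secure leg.
        return self.profile in SECURE_PROFILES and bool(self.crypto_suites)

def parse_sdp(sdp: str) -> list[MediaLeg]:
    """Parse m= and a=crypto lines into MediaLeg records, in order."""
    legs: list[MediaLeg] = []
    for raw in sdp.splitlines():
        line = raw.strip()
        m = re.match(r"m=(\w+) (\d+)(?:/\d+)? (\S+)", line)
        if m:
            legs.append(MediaLeg(m.group(1), int(m.group(2)), m.group(3)))
        elif line.startswith("a=crypto:") and legs:
            parts = line[len("a=crypto:"):].split()   # <tag> <suite> inline:<key>
            if len(parts) >= 2:
                legs[-1].crypto_suites.append(parts[1])
    return legs

def unsecured_legs(sdp: str) -> list[str]:
    # Active media legs that are NOT SRTP, e.g. a Dialer or IOS VXML Gateway leg.
    return [f"{l.kind}/{l.port} {l.profile}"
            for l in parse_sdp(sdp) if l.port and not l.srtp]

# Constructed sample: one SDES-SRTP audio leg, one plain RTP audio leg,
# one rejected video leg. The inline key is a placeholder, not a real key.
SAMPLE_SDP = """v=0
o=- 1 1 IN IP4 192.0.2.10
c=IN IP4 192.0.2.10
m=audio 16384 RTP/SAVP 0 101
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_NOT_A_REAL_KEY
m=audio 16386 RTP/AVP 0
m=video 0 RTP/AVP 96
"""
```

Running `unsecured_legs(SAMPLE_SDP)` on the sample returns only the plain RTP/AVP audio leg; the rejected video leg (port 0) is ignored rather than reported.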
Platform Differences
The contact center enterprise solution consists of several application servers that are managed differently. The primary servers are for the core components. Install these servers only on a standard (default) operating system installation. For components that you install on Windows Server, use only a default retail version of the Windows Server software. Keep the operating system up to date with the latest device drivers, security updates, and so forth.
Some servers, like Unified Communications Manager (Unified CM), run on the Cisco Voice Operating System (VOS). Obtain all relevant patches and updates to this operating system from Cisco. You can find the security hardening specifications for this operating system in the Cisco Collaboration System Solution Reference Network Designs and other Unified CM product documentation at http://www.cisco.com/c/en/us/support/unified-communications/unified-communications-manager-callmanager/tsd-products-support-series-home.html.
Appropriate security varies between the servers. Keep this in mind as you design, deploy, and maintain these servers in your environment. Cisco constantly enhances its Unified Communications products with the eventual goal of having them all support the same customized operating system, antivirus applications, and security patch management techniques.
Security Design Elements
Unified CCE has the Security Guide for Cisco Unified ICM/Contact Center Enterprise at http://www.cisco.com/c/en/us/support/customer-collaboration/unified-contact-center-enterprise/products-configuration-examples-list.html. That guide expands on the information in this chapter. The guide covers details of security implementation along with general guidance for securing a Unified CCE deployment. The security guide includes the following topics:
- Encryption Support
- IPsec and NAT Support
- Windows Firewall Configuration
- Automated Security Hardening
- Updating Microsoft Windows
- SQL Server Hardening
- SSL Encryption
- Microsoft Baseline Security Analysis
- Auditing
- Antivirus Guidelines
- Secure Remote Administration
- Single Sign-On
The guidelines are based in part on hardening guidelines published by Microsoft and other third-party vendors. The guide also serves as a reference point for most of the security functionality in the product. The guide covers installation for the Automated OS and SQL Security Hardening bundled with the various contact center enterprise tools.