Source: cucm/v15/preferred-architecture/preferred-architecture.md
Preferred Architecture for Cisco Collaboration Release 15 On-Premises Deployments, page 42
Security

Recommended Deployment

We recommend the following general security practices for the Cisco Collaboration on-premises Preferred Architecture:

• Secure the infrastructure by restricting physical access to hardware.
• Secure the IP network by using encryption wherever possible and by restricting unnecessary access to other devices on the network.
• Use hardening techniques to secure all devices, including servers and endpoints.
• Protect your deployment against toll fraud.
• Educate users on the Malicious Call Identification (MCID) feature.
• Simplify certificate management by having certificates signed by a certificate authority (CA).
• Do not disable native security features.
• Enable Single Sign-On (SSO) using an IdP configured with secure authentication requirements, including complex passwords and two-factor authentication.
• Regularly audit authentication logs for suspicious activity.
• Encrypt SIP trunks, web server connections, and other server-to-server links.
• Use SIP OAuth on all endpoints that support it to enable encryption for call signaling, media, and IP phone configuration files.
• If SIP OAuth is not an option or is not supported on all endpoints, enable mixed mode on Cisco Unified CM to provide encrypted signaling, media, and configuration files for those endpoints.

Secure Infrastructure Recommendations

• Secure your infrastructure; it is the foundation of your collaboration deployment.
• Protect physical access to your premises, network, endpoints, and servers.
• Protect your network with firewall and Intrusion Prevention System (IPS) devices.
• Implement security features at Layer 2 and Layer 3 of your network. For example, protect access to your network with 802.1X, and use DHCP Snooping and Dynamic ARP Inspection to block rogue DHCP servers and ARP spoofing.
• Implement network segmentation by having a separate voice/video VLAN for hardware endpoints and a data VLAN for multipurpose devices such as mobile phones and laptops running Jabber.
• With Cisco Unified Border Element deployed at the network edge, configure the Unified Border Element protection mechanisms against telephony denial of service (TDoS) and configure access control lists (ACLs).

Device Hardening Recommendations

• Protect network access to devices by using hardening techniques.
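The Layer 2, segmentation and edge items in the Secure Infrastructure list above (802.1X, DHCP Snooping, Dynamic ARP Inspection, a separate voice VLAN, and Unified Border Element ACLs with TDoS protection) expressed as one Cisco IOS configuration fragment. This is an added example and is not configuration from the Preferred Architecture document or from Cisco; the VLAN numbers, interface names, IP addresses, RADIUS server name and shared secret, RTP port range and call-spike thresholds are placeholders chosen for illustration and must be replaced for a real deployment.

```cisco
! ===== Access switch: Layer 2 protection for the voice and data VLANs =====
! VLAN 20 carries hardware phones and video endpoints; VLAN 10 carries PCs,
! laptops and mobile devices running Jabber (VLAN numbers are assumptions).
vlan 10
 name DATA
vlan 20
 name VOICE
!
! 802.1X: phone and PC each authenticate against RADIUS before getting a port.
! The server name, address and shared secret are placeholders.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius server ISE-1
 address ipv4 10.0.0.50 auth-port 1812 acct-port 1813
 key CHANGE-ME
dot1x system-auth-control
!
! DHCP Snooping: only trusted ports may carry DHCP server replies; access ports
! are untrusted by default. Dynamic ARP Inspection checks every ARP packet on
! untrusted ports against the snooping binding table.
ip dhcp snooping
ip dhcp snooping vlan 10,20
no ip dhcp snooping information option
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
!
! Access port: phone in the voice VLAN, PC daisy-chained behind it in the data
! VLAN. multi-domain allows exactly one authenticated host per domain.
interface GigabitEthernet1/0/1
 description Phone + PC
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
 ip arp inspection limit rate 15
!
! Uplink toward the distribution layer and the DHCP server: trusted for both
! DHCP Snooping and DAI so legitimate offers and ARP replies are not dropped.
interface GigabitEthernet1/1/1
 description Uplink
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 ip dhcp snooping trust
 ip arp inspection trust
!
! ===== Cisco Unified Border Element at the network edge =====
! Accept SIP only from the carrier SBC (address is an assumption), discard
! INVITEs from anyone else without answering, and rate-limit call bursts.
ip access-list extended SIP-TRUNK-IN
 remark SIP signaling only from the carrier SBC
 permit udp host 203.0.113.10 any eq 5060
 permit tcp host 203.0.113.10 any eq 5060
 permit tcp host 203.0.113.10 any eq 5061
 remark RTP media only from the carrier media range (range is an assumption)
 permit udp 203.0.113.0 0.0.0.255 any range 16384 32767
 deny ip any any log
!
interface GigabitEthernet0/0/0
 description Outside - toward the ITSP
 ip address 198.51.100.2 255.255.255.252
 ip access-group SIP-TRUNK-IN in
!
voice service voip
 ip address trusted list
  ipv4 203.0.113.10 255.255.255.255
 ip address trusted authenticate
 sip
  silent-discard untrusted
!
! TDoS: reject new calls once more than 10 arrive within a sliding window of
! 5 steps of 200 ms (thresholds are assumptions to tune per trunk capacity).
call spike 10 steps 5 size 200
```

The two halves enforce the same principle at different layers: the switch admits a device only after 802.1X and drops forged DHCP and ARP traffic from untrusted ports, while the Unified Border Element drops SIP from anything but the trusted SBC before the call-processing path sees it. Verify the switch side with `show ip dhcp snooping binding` and `show ip arp inspection statistics`, and the edge side with `show ip access-lists SIP-TRUNK-IN` to confirm that the deny counter grows only for unexpected sources.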