Source: cucm/v15/security-guide/security-guide.md

• All of the above information is subject to the development and test processes of the Cisco Secure Product Lifecycle development approach, as described here: https://www.cisco.com/c/dam/en_us/about/doing_business/trust-center/docs/cisco-secure-development-lifecycle.pdf
• The Unified Communications Manager workload layer does not support insertion of non-Cisco software or software updates/changes outside the above-mentioned controlled Cisco-provided interfaces.
• All software within the workload is provided by Cisco and digitally signed and delivered as a monolithic image (.ISO file).
• The only way to install, upgrade and update software is by using a Cisco-provided .ISO or .COP file.
  • An .ISO file installs or updates one, some, or all of the software elements in the Cisco image.
  • .COP files are used to update single elements, most commonly user locales and phone firmware.
• The following are not enabled or possible:
  • onboard agents such as anti-virus clients, UPS agents, management agents and so on.
  • customer-uploadable or externally-uploadable software.
  • 3rd-party applications.
• “Root access” to the guest OS inside the workload is not enabled:
  • Customers use authentication in the Cisco-provided GUI, CLI, and/or API.
  • All exposed interfaces to the workload are secured (e.g., enforced password complexity rules, SSH instead of telnet, TLS 1.2 with a configurable minimum version, and so on).
  • For emergency issues that cannot be fixed in the field through the normal GUI/CLI/API, customers can set up a temporary "Remote Account" so that a Cisco Technical Assistance Center (TAC) expert can gain root access. The customer maintains control and can turn this account on or off, with auto-expiry. The customer can see what the TAC representative is doing, as all actions performed by TAC are logged.
• Built-in Intrusion Prevention Capabilities:
  • SELinux enforcing mode, providing host-based intrusion protection.
    • SELinux enforcing mode is enabled by default. This mode enforces mandatory access controls that confine applications, daemons, etc. to the “least privilege” required to do their job.
  • IPTables host-based firewall:
    • IPTables is enabled by default.
    • The rules are adjusted by Cisco Service Activation to open the appropriate ports and include the correct rate limiting for the services being used on that server.
    • The IPTables rules can be displayed using the following commands:
      • utils firewall ipv4 list
      • utils firewall ipv6 list

Security Guide for Cisco Unified Communications Manager, Release 15 and SUs, page 296 (Advanced System Security / Security Hardening)
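As an added example (not code from the Cisco guide or from CUCM itself), the following Python parses a firewall listing of the kind `utils firewall ipv4 list` is described as printing and reports three things a reviewer would check against the claim that Service Activation opens the appropriate ports with the correct rate limiting: the default policy of each chain, every accepted inbound port, and any port-specific ACCEPT rule that carries no `limit` match. It assumes the command prints a standard `iptables -L -n` style listing (an assumption to confirm on your own node before trusting the column mapping); the `SAMPLE` text in the block is constructed for illustration, not output captured from a real server.

```python
"""Audit a CUCM host-firewall listing: chain default policies, accepted
inbound ports, and accepted services that lack a rate limit.

Added example, not code from the Cisco guide or from CUCM. Assumption:
`utils firewall ipv4 list` (and the ipv6 variant) prints a standard
`iptables -L -n` style listing; verify the columns against your own node.
SAMPLE below is constructed for illustration, not captured output.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed listing (not real CUCM output). Ports chosen to resemble
# typical UC services: SSH 22, HTTPS admin 8443, SCCP 2000/2443, SIP 5060/5061.
SAMPLE = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  127.0.0.0/8          0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 limit: avg 25/sec burst 50
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8443 limit: avg 100/sec burst 200
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:2000
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060 limit: avg 2000/sec burst 4000
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 2443,5061 limit: avg 2000/sec burst 4000
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 8 limit: avg 10/sec burst 20

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)\)")
RULE_RE = re.compile(
    r"^(?P<target>\S+)\s+(?P<prot>\S+)\s+(?P<opt>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$"
)
PORT_RE = re.compile(r"\bdpts?:(\d+)(?::(\d+))?")       # dpt:22 or dpts:1024:65535
MULTI_RE = re.compile(r"\bmultiport dports (\S+)")         # dports 2443,5061
LIMIT_RE = re.compile(r"\blimit: avg (\S+) burst (\d+)")   # -m limit match


@dataclass(frozen=True)
class Rule:
    chain: str
    target: str
    proto: str
    source: str
    ports: Tuple[Tuple[int, int], ...]  # destination port ranges; () means any port
    limit: Optional[str]                 # e.g. "25/sec burst 50"; None if no rate limit
    raw: str


def chain_policies(text: str) -> Dict[str, str]:
    """Default policy per built-in chain, e.g. {"INPUT": "DROP", ...}."""
    return {m.group(1): m.group(2) for m in map(CHAIN_RE.match, text.splitlines()) if m}


def parse_listing(text: str) -> List[Rule]:
    """Turn an `iptables -L -n` style listing into Rule records."""
    rules: List[Rule] = []
    chain: Optional[str] = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        if line.startswith("target ") or chain is None:   # column header row
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        extra = m.group("extra")
        ports: List[Tuple[int, int]] = []
        pm = PORT_RE.search(extra)
        if pm:
            lo = int(pm.group(1))
            ports.append((lo, int(pm.group(2) or lo)))
        mm = MULTI_RE.search(extra)
        if mm:
            for p in mm.group(1).split(","):
                lo_s, _, hi_s = p.partition(":")       # multiport ranges are lo:hi
                ports.append((int(lo_s), int(hi_s or lo_s)))
        lm = LIMIT_RE.search(extra)
        limit = f"{lm.group(1)} burst {lm.group(2)}" if lm else None
        rules.append(Rule(chain, m.group("target"), m.group("prot"), m.group("src"),
                          tuple(ports), limit, line))
    return rules


def accepted_inbound(rules: List[Rule], chain: str = "INPUT") -> List[Tuple[str, int, int]]:
    """Sorted (proto, lo, hi) for every ACCEPT rule in `chain` that names destination ports."""
    found = {(r.proto, lo, hi) for r in rules if r.chain == chain and r.target == "ACCEPT"
             for lo, hi in r.ports}
    return sorted(found)


def unlimited_accepts(rules: List[Rule], chain: str = "INPUT") -> List[Rule]:
    """Port-specific ACCEPT rules with no `limit` match: the ones to question,
    since the guide says Service Activation is meant to add rate limiting."""
    return [r for r in rules if r.chain == chain and r.target == "ACCEPT"
            and r.ports and r.limit is None]


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    print("policies:", chain_policies(SAMPLE))
    for proto, lo, hi in accepted_inbound(parsed):
        print(f"accepted {proto}/{lo if lo == hi else f'{lo}-{hi}'}")
    for r in unlimited_accepts(parsed):
        print("no rate limit:", r.raw)
```

To use it on a real node, copy the output of `utils firewall ipv4 list` (or the ipv6 variant, if its column layout matches) into a file and pass its contents to `parse_listing` in place of `SAMPLE`. A rule flagged by `unlimited_accepts` is a question for the service owner rather than an automatic finding, since an unlimited rule may be intentional; the useful result is the diff between what the listing actually accepts and the services you believe are activated on that server.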