Page 46
source: cucm/v15/security-guide/security-guide.md
chunk_id: cucm::v15::security-guide::security-guide::34

(Table fragment carried over from the previous page: Negotiated Cipher; Phones Capabilities; Revert to RTP; Other than AES_CM_128_HMAC_SHA1_32 and AES_CM_128_HMAC_SHA1_80.)

SRTP Cipher Mismatch with Media Streaming Devices

When a secure call invokes features such as Hold, IVR, or Annunciator announcements, and the remote caller performs a consult transfer, the new call leg may support a different crypto capability than that of the MOH, IVR, or Annunciator device. This results in a crypto mismatch, and the call either falls back to non-secure mode or is dropped completely, depending on the SRTP fallback option of the endpoint. The secure call is dropped even when the Block Unencrypted Calls service parameter is set to True in the Unified Communications Manager > System > Service Parameters > Service Parameter Configuration window. An enhancement to the Unified Communications Manager platform supports all crypto ciphers when exchanging call capabilities after Cisco IP Voice Media Streaming (IPVMS) devices (MOH, IVR, or Annunciator). The SRTP fallback configuration does not affect active calls, nor is security compromised.

Note: Media devices only support the SHA1_32 and SHA1_80 crypto ciphers.

Self-encrypting Drive

Unified Communications Manager supports self-encrypting drives (SED), also called Full Disk Encryption (FDE). FDE is a cryptographic method that encrypts all data on the hard drive, including files, the operating system, and software programs. Hardware on the disk encrypts all incoming data and decrypts all outgoing data. When the drive is locked, an encryption key is created and stored internally, and all data stored on the drive is encrypted with that key. FDE comprises a key ID and a security key. For more information, see the Cisco UCS C-Series Servers Integrated Management Controller GUI Configuration Guide.
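The cipher negotiation behind the SRTP Cipher Mismatch section above, as an added, simplified model (not code from the Cisco guide or from Unified CM): it parses the RFC 4568 a=crypto: lines of a constructed SDP offer, intersects them with a media device's supported suites, and applies the endpoint's SRTP fallback option to decide whether the leg stays on SRTP, falls back to RTP, or is dropped. The offers, key material and the non-SHA1 suite names on the new leg are constructed for illustration.

```python
import re

# Suites the guide says media devices (MOH, IVR, Annunciator) support.
MEDIA_DEVICE_SUITES = frozenset({"AES_CM_128_HMAC_SHA1_32", "AES_CM_128_HMAC_SHA1_80"})

# a=crypto:<tag> <crypto-suite> inline:<key-params> ...   (RFC 4568 SDES)
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:\S+")


def offered_suites(sdp: str) -> list[str]:
    """Return the crypto suite names in an SDP offer, in tag (preference) order."""
    found = []
    for line in sdp.splitlines():
        m = CRYPTO_RE.match(line.strip())
        if m:
            found.append(m.group(2))
    return found


def negotiate(sdp_offer: str, answerer_suites: frozenset, srtp_fallback: bool) -> dict:
    """Pick the first offered suite the answerer supports. On a mismatch, the
    endpoint's SRTP fallback option decides: fall back to RTP or drop the call."""
    for suite in offered_suites(sdp_offer):
        if suite in answerer_suites:
            return {"outcome": "srtp", "suite": suite}
    if srtp_fallback:
        return {"outcome": "rtp_fallback", "suite": None}  # secure call silently goes clear
    return {"outcome": "dropped", "suite": None}


# Constructed: the new leg after a consult transfer offers only suites the media
# device lacks (hypothetical capability set), so the exchange mismatches.
NEW_LEG_OFFER = """v=0
m=audio 20000 RTP/SAVP 0
a=crypto:1 AEAD_AES_256_GCM inline:EXAMPLEKEYMATERIALNOTREAL
a=crypto:2 AES_256_CM_HMAC_SHA1_80 inline:EXAMPLEKEYMATERIALNOTREAL
"""

# Constructed: the same leg once the full cipher list is exchanged, which now
# includes a suite the media device can accept.
FULL_OFFER = NEW_LEG_OFFER + "a=crypto:3 AES_CM_128_HMAC_SHA1_80 inline:EXAMPLEKEYMATERIALNOTREAL\n"

if __name__ == "__main__":
    for fallback in (True, False):
        print("mismatch, fallback=%s ->" % fallback,
              negotiate(NEW_LEG_OFFER, MEDIA_DEVICE_SUITES, fallback))
    print("full list ->", negotiate(FULL_OFFER, MEDIA_DEVICE_SUITES, False))
```

An "rtp_fallback" result is the case worth alerting on: the leg continues but without SRTP, which is what the Block Unencrypted Calls parameter is meant to prevent.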
Configuration File Encryption

Unified Communications Manager pushes confidential data such as digest credentials and administrator passwords to phones in configuration file downloads from the TFTP server. Unified Communications Manager uses reversible encryption to secure these credentials in the database. To secure this data during the download process, Cisco recommends that you configure encrypted configuration files for all Cisco IP Phones that support this option. When this option is enabled, only the device configuration file is encrypted for download.

Note: In some circumstances, you may choose to download confidential data to phones in the clear; for example, to troubleshoot the phone.

Security Guide for Cisco Unified Communications Manager, Release 15 and SUs · 28 · An Introduction to Unified CM Security · SRTP Cipher Mismatch with Media Streaming Devices