Table of Contents
Perform an installation and initial set up of a CallManager cluster
Configure Call Manager to support a call between any two endpoints on-cluster and off-cluster
Given a list of IP phone features, configure the CallManager to support the given feature set
Secure an IP telephone network
Given a specific set of IP telephony applications and tools, configure CallManager to support the applications
Monitor and manage an IP telephony network using Internal Server Tools
Perform an installation and initial set up of a CallManager cluster
Describe CallManager cluster relationships
Describe CallManager redundancy designs
Configure DHCP, TFTP and NTP
Determine which CallManager services are necessary and make sure the appropriate services are enabled
Configure Call Manager to support a call between any two endpoints on-cluster and off-cluster
Explain the function of a CallManager group
Describe the functions and usage of CSS (calling search spaces) and partitions
Configure a route plan
Explain digit analysis
Describe and configure route patterns to route or block calls
Explain route filters
Explain discard digit instructions, translation patterns, and transformation masks
Describe the functions of CallManager regions
Describe the functions or usage of a device pool
Explain the purpose of locations
Configure CallManager and gatekeeper to support CAC
Describe the purpose and features of SRST and AAR
Configure intercluster communications
Configure voice gateways
Given a list of IP phone features, configure the CallManager to support the given feature set
Configure call forward
Configure MeetMe conferencing and conferencing resources
Configure Music-on-hold
Configure soft-key and IP phone button templates
Configure multiple calls per line appearance
Configure IPMA
Configure Malicious Call ID
Configure hunt groups
Configure IP phone services
Configure extension mobility
Configure MRGs and MRGLs
Configure other CallManager features and services
Secure an IP telephone network
Explain Secure RTP and other components that help protect a CIPT network against threats
Threats
Loss of privacy
Loss of integrity
Impersonation
Denial of Service (DoS)
Secure Signaling - encrypt SCCP using TLS
Secure media transfer - sRTP (key exchange during Secure Signaling)
Secure Signaling and media transfer
Only on 7970, 7960, 7940
Between IP phones and gateways
Not for intercluster calls
Not to media resources, e.g. conferencing, transcoding or MoH
Authentication of phone images - Cisco signed image
Authentication of phone configuration files - TFTP server signed config
The Certificate Trust List (CTL)
Cisco Call Manager certificates
TFTP server certificates
CAPF certificates
Cisco certificates - used to verify the MIC (manufacturing installed certificate)
Cisco CTL certificate - used to verify subsequent CTLs
Certificate Authority Proxy Function (CAPF)
Rules for Cisco CallManager authentication and encryption
Signaling encryption requires signaling authentication
Media encryption requires media authentication and signaling encryption
Media authentication requires media encryption
Signaling encryption requires media encryption
Authentication - TLS with SHA-1 (signaling), SRTP with SHA-1 (media)
Encryption - TLS with AES (signaling), SRTP with AES (media)
Securing the CallManager Server - best practices/recommendations
Describe the Cisco SAFE network design
Configure SSL
Configure IPSec
Configure CallManager to use certificates
Enable Security Services
CTL Provider
Certificate Authority Proxy Function
Use the CTL to activate security options
The Smart Card service must be enabled on the PC with the USB port (for the CTL client's USB tokens)
Mixed Mode - allows calls between two security-enabled devices
Nonsecure Mode (default)
Configure devices for security
Certificate Operation
Install/Upgrade (add or update CTL)
Delete (delete CTL)
Troubleshoot
No Pending Operation (default)
Authentication Mode
By Authentication String (Password)
By Null String (no authentication)
By Existing Certificate (precedence to LSC)
By Existing Certificate (precedence to MIC)
Device Security Mode
Non Secure
Authenticated
Encrypted
Generating a CAPF report (filtered by)
Certificate Operation Status
Device Security Mode
Authentication Mode
Authentication String
Configure MLA (multi-level admin)
Standard MLA Functional Groups
Plugin, User Privilege Management, User Management, Feature, System, Service Management, Service, Serviceability, Gateway, RoutePlan, Phone
Standard MLA User Groups
Phone Administration, ReadOnly, ServerMonitoring, SuperUserGroup, ServerMaintenance, Gateway Administration
Privilege Level
No Access, Read Only, Full
Configure toll-fraud prevention
Different types of toll fraud
Call Forward All, Transfer from voice mail, Social Engineering, Inside facilitators
Call Forward All and Transfer from voice mail are two typical sources of toll fraud
To Prevent Toll Fraud
Calling Search Space
Use Route Patterns to block commonly exploited country codes that look like area codes of the United States
Use Time-of-Day Routing - apply to Partition
Use Forced Authorization Codes (FAC) - call authorization, apply to Route Pattern
Use Client Matter Codes (CMC) - call accounting, apply to Route Pattern
Configuring Call Transfer Restrictions
Apply the OffNet/OnNet classification to:
Route Pattern
Intercluster trunks - intercluster trunk, SIP trunk
Gateways - H.323, MGCP FXO/E1/T1
Drop Ad Hoc Conference Calls
Configured under Service > Service Parameters > Cisco CallManager
Never (default)
When Conference Creator Drops Out
When No OnNet Parties Remain in the Conference
Describe hardening IP phones
Signed phone images
Signed configuration files - 7940, 7960, 7970
Disabling Phone Settings in Cisco CallManager Administration
Speakerphone and Speakerphone Headset
PC Port - not on the 7912
Settings Access - CCM and TFTP IP settings, etc.
Gratuitous ARP - unsolicited ARP responses
PC Voice VLAN access
Web Access - Needed for XML push application
Enabling IP Phone Encryption and Authentication - sRTP and TLS SCCP
Cryptographic
Data Authenticity
Data Confidentiality
Data Integrity
Data nonrepudiation
Authenticity versus nonrepudiation
Encryption - confidentiality
Resistance to cryptographic attacks
Variable key lengths and scalability
Avalanche effect - a small change in the plaintext results in a big change in the ciphertext
Symmetric
DES, 3DES, AES, IDEA, RC series, SEAL, Blowfish
Asymmetric Encryption
RSA
Hash Function
MD5
SHA-1 (more secure than MD5)
Hash-based Message Authentication Code (HMAC)
Authenticity, Integrity
Hash with a secret key as input
Keyed MD5
Keyed SHA-1
Digital Signatures
Authenticity, Integrity, Nonrepudiation
encrypt/sign with the private key and decrypt/verify with the public key
Public Key Infrastructure
Solves the problem of scalable, secure key exchange
Key Exchange in Symmetric Cryptography - out-of-band or PKI
Key Exchange in Asymmetric Encryption - public/private keys, Diffie-Hellman
PKI as Trusted Third-Party Protocol
PKI entities
Certificate Authority (CA)
Certificate (X.509) - identity of the issuer, identity of the owner and the owner's public key
Certificate Revocation List (CRL)
Download CRL
Online Certificate Status Protocol (OCSP)
Self-Signed Certificates
Secure PKI Enrollment
Over a trusted network
Mutual out-of-band authentication between PKI user and CA
PKI user verifies the CA using an out-of-band exchange of the certificate's fingerprint
CA verifies the PKI user using an out-of-band exchange of the fingerprint of the submitted information
PKI Revocation
Private key compromise
Contract termination for that PKI user
Loss of private keys
Given a specific set of IP telephony applications and tools, configure CallManager to support the applications
Configure IP soft phone/IP communicator
Install and configure BAT and TAPS to bulk add/manage phones/users
Describe Call Detail Records and methods to extract
Install and use BARS to backup publisher
Monitor and manage an IP telephony network using Internal Server Tools
Describe the use of Serviceability tool
Describe the use of Real-Time monitoring tool
Describe the tools inherent in the operating system and database, and also provided by Cisco, to monitor CallManager operation