Perform an installation and initial set up of a CallManager cluster
- Describe CallManager cluster relationships
- Describe CallManager redundancy designs
- Configure DHCP, TFTP and NTP
- Determine which CallManager services are necessary and make sure the appropriate services are enabled
Configure Call Manager to support a call between any two endpoints on-cluster and off-cluster
- Explain the function of a CallManager group
- Describe the functions and usage of CSS and partitions
- Configure a route plan
- Explain digit analysis
- Describe and configure route patterns to route or block calls
- Explain route filters
- Explain discard digit instructions, translation patterns, and transformation masks
- Describe the functions of CallManager regions
- Describe the functions or usage of a device pool
- Explain the purpose of locations
- Configure CallManager and gatekeeper to support CAC
- Describe the purpose and features of SRST and AAR
- Configure intercluster communications
- Configure voice gateways
Given a list of IP phone features, configure the CallManager to support the given feature set
- Configure call forward
- Configure MeetMe conferencing and conferencing resources
- Configure Music-on-hold
- Configure soft-key and IP phone button templates
- Configure multiple calls per line appearance
- Configure IPMA
- Configure Malicious Call ID
- Configure hunt groups
- Configure IP phone services
- Configure extension mobility
- Configure MRGs and MRGLs
- Configure other CallManager features and services
Secure an IP telephony network
- Threats
- Loss of privacy
- Loss of integrity
- Impersonation
- Denial of Service (DoS)
- Secure signaling - SCCP carried over TLS (authenticated, and optionally encrypted)
- Secure media - SRTP; the SRTP master key is exchanged inside the TLS-protected SCCP signaling
- Secure signaling and media together
- Only on the 7970, 7960 and 7940 (per these notes)
- Between IP phones, and between an IP phone and a gateway
- Not for intercluster calls
- Not to media resources, e.g. conference bridge, transcoder or MoH
- Authentication of phone images - the firmware image is signed by Cisco
- Authentication of phone configuration files - the configuration file is signed by the TFTP server
- Certificates (the ones the phone must trust, distributed in the CTL)
- Cisco CallManager certificates
- TFTP server certificates
- CAPF certificate
- Cisco Manufacturing CA certificate - used to verify the phone's MIC
- Cisco CTL (security token) certificate - used to verify subsequent CTL files
- Rules for Cisco CallManager authentication and encryption
- Signaling encryption requires signaling authentication
- Media encryption requires media authentication and signaling encryption (the SRTP keys travel in the signaling, so unencrypted signaling would expose them)
- Media authentication requires media encryption
- Signaling encryption requires media encryption
- The last two rules are a consequence of the device security modes: "authenticated" means TLS-authenticated signaling only, "encrypted" means encrypted signaling plus SRTP media; there is no mode in between
- Authentication - TLS with HMAC-SHA-1 (signaling), SRTP with HMAC-SHA-1 (media)
- Encryption - TLS with AES (signaling), SRTP with AES (media)
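What "SRTP SHA-1" media authentication actually computes, as an added example (not code from these notes or from Cisco): the RFC 3711 authentication tag, HMAC-SHA1 over the RTP packet plus the 32-bit rollover counter, truncated to 80 bits. The session key, SSRC and payload are constructed values; a real SRTP sender AES-CM encrypts the payload before the tag is computed, which this example leaves out because the point is the integrity check, and a real receiver derives the key from the master key carried in the TLS-protected signaling.

```python
import hashlib
import hmac
import struct

# Constructed example values, not taken from the page or from any real call:
# a 160-bit SRTP session authentication key and a small RTP packet.
# RFC 3711 defaults: HMAC-SHA1, tag truncated to 80 bits.
SESSION_AUTH_KEY = bytes.fromhex("0b" * 20)
TAG_LEN = 10          # 80-bit authentication tag
RTP_HEADER_LEN = 12   # fixed RTP header, no CSRC list or extension


def build_rtp_packet(seq, timestamp, ssrc, payload, pt=0):
    """Minimal RTP packet: V=2, no padding, no extension, no CSRCs."""
    header = struct.pack("!BBHII", 0x80, pt & 0x7F, seq & 0xFFFF,
                         timestamp & 0xFFFFFFFF, ssrc & 0xFFFFFFFF)
    return header + payload


def srtp_auth_tag(auth_key, packet, roc, tag_len=TAG_LEN):
    """RFC 3711 4.2: tag = HMAC-SHA1(k_a, header || payload || ROC)[:tag_len].

    The rollover counter (ROC) is part of the MAC input but is not sent on the
    wire, so a packet captured in one sequence-number epoch cannot be replayed
    unchanged in the next one.
    """
    mac_input = packet + struct.pack("!I", roc & 0xFFFFFFFF)
    return hmac.new(auth_key, mac_input, hashlib.sha1).digest()[:tag_len]


def protect(auth_key, packet, roc):
    """Append the tag (in real SRTP the payload is already AES-CM encrypted)."""
    return packet + srtp_auth_tag(auth_key, packet, roc)


def verify(auth_key, protected, roc, tag_len=TAG_LEN):
    """Constant-time check of the trailing tag; True only if the packet is intact."""
    if len(protected) < RTP_HEADER_LEN + tag_len:
        return False
    body, tag = protected[:-tag_len], protected[-tag_len:]
    return hmac.compare_digest(tag, srtp_auth_tag(auth_key, body, roc, tag_len))


def demo():
    """Returns (genuine, tampered, replayed_after_rollover, wrong_key)."""
    payload = bytes(range(20))  # constructed stand-in for 20 encrypted G.711 bytes
    pkt = build_rtp_packet(seq=1, timestamp=160, ssrc=0xDEADBEEF, payload=payload)
    roc = 0
    wire = protect(SESSION_AUTH_KEY, pkt, roc)

    genuine = verify(SESSION_AUTH_KEY, wire, roc)

    tampered = bytearray(wire)
    tampered[RTP_HEADER_LEN + 3] ^= 0x01  # flip one bit of the media payload
    tampered_ok = verify(SESSION_AUTH_KEY, bytes(tampered), roc)

    replayed_ok = verify(SESSION_AUTH_KEY, wire, roc + 1)  # same bytes, next ROC epoch
    wrong_key_ok = verify(bytes(20), wire, roc)
    return genuine, tampered_ok, replayed_ok, wrong_key_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```

Only the genuine packet verifies; a one-bit change to the media, a replay under a different rollover counter, or a different session key all fail the tag check, which is why media authentication is the prerequisite for meaningful media encryption.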
- Securing the CallManager Server - best practices/recommendations
- Describe the Cisco SAFE network design
- Configure SSL
- Configure IPSec
- Configure CallManager to use certificates
- Enable security services
- Cisco CTL Provider
- Cisco Certificate Authority Proxy Function (CAPF)
- Use the CTL client to activate security options (set the cluster security mode)
- Smart Card service must be running on the PC with the USB port, because the CTL client signs the CTL with a USB security token
- Mixed mode - secure and nonsecure devices can register; authenticated or encrypted calls are only possible between two security-enabled devices
- Nonsecure mode (default)
- Configure devices for security
- Certificate Operation (CAPF operation on the phone's LSC, the locally significant certificate)
- Install/Upgrade (install or replace the LSC)
- Delete (remove the LSC)
- Troubleshoot
- No Pending Operation (default)
- Authentication Mode (how the phone proves itself to CAPF)
- By Authentication String (password entered on the phone)
- By Null String (no authentication)
- By Existing Certificate (precedence to LSC)
- By Existing Certificate (precedence to MIC)
- Device Security Mode
- Non Secure
- Authenticated
- Encrypted
- Generating a CAPF Report (based on)
- Certificate Operation Status
- Device Security Mode
- Authentication Mode
- Authentication String
- Multilevel Administration (MLA) - role-based access to CallManager Administration
- Standard MLA Functional Groups
- Plugin, User Privilege Management, User Management, Feature, System, Service Management, Service, Serviceability, Gateway, RoutePlan, Phone
- Standard MLA User Groups
- Phone Administration, ReadOnly, ServerMonitoring, SuperUserGroup, ServerMaintenance, Gateway Administration
- Privilege Level
- No Access, Read Only, Full
- Configure toll-fraud prevention
- Different types of toll fraud
- Call Forward All to an outside number, transfer from voice mail to an outside line, social engineering, inside facilitators
- Call Forward All and transfer from voice mail are the two typical sources of toll fraud
- To prevent toll fraud
- Calling search spaces (limit which partitions a device or line can reach)
- Route patterns that block commonly exploited country codes that look like US area codes (Caribbean NANP codes)
- Time-of-Day Routing - applied to a partition
- Forced Authorization Codes (FAC) - call authorization, applied to a route pattern
- Client Matter Codes (CMC) - call accounting, applied to a route pattern
- OnNet/OffNet call classification
- Apply OffNet/OnNet to
- Route patterns
- Trunks - intercluster trunk, SIP trunk
- Gateways - H.323, MGCP (FXO, E1, T1)
- Drop Ad Hoc Conference - stops two OffNet parties from keeping a toll call alive after the internal parties hang up
- Configured under Service > Service Parameters > Cisco CallManager
- Never (default)
- When Conference Creator Drops Out
- When No OnNet Parties Remain in the Conference
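How digit analysis, partitions, calling search spaces and "Block this pattern" fit together, as an added example that is not part of these notes and not CallManager code: a simplified model of the route-pattern matcher. It handles the X wildcard, bracket classes such as [2-9], the ! wildcard and the "." discard-digit separator (the @ macro is not modelled), applies CallManager's closest-match rule (the matching pattern that can match the fewest numbers wins), and only considers partitions in the caller's CSS. The route plan, partition names and the 809/900 block patterns are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RoutePattern:
    pattern: str          # CallManager syntax: digits, X, [2-9], !, '.' discard separator
    partition: str
    block: bool = False   # "Block this pattern" instead of "Route this pattern"


def _expand_class(body: str) -> set:
    """Digits matched by a bracket class such as 2-9, 13579 or ^1."""
    negate = body.startswith("^")
    if negate:
        body = body[1:]
    digits = set()
    i = 0
    while i < len(body):
        if i + 2 < len(body) and body[i + 1] == "-":
            digits.update(str(d) for d in range(int(body[i]), int(body[i + 2]) + 1))
            i += 3
        else:
            digits.add(body[i])
            i += 1
    return set("0123456789") - digits if negate else digits


def pattern_to_regex(pattern: str) -> str:
    """Translate a route pattern into an anchored regular expression."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == ".":                  # discard-digit separator: no effect on matching
            pass
        elif c == "X":
            out.append("[0-9]")
        elif c == "!":
            out.append("[0-9]+")
        elif c == "[":
            j = pattern.index("]", i)
            out.append("[" + "".join(sorted(_expand_class(pattern[i + 1:j]))) + "]")
            i = j
        elif c in "0123456789":
            out.append(c)
        elif c in "*#":
            out.append(re.escape(c))
        else:
            raise ValueError(f"unsupported pattern character {c!r}")
        i += 1
    return "^" + "".join(out) + "$"


def match_count(pattern: str) -> float:
    """How many dialed strings the pattern can match; closest match = smallest."""
    total = 1
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "X":
            total *= 10
        elif c == "!":
            return float("inf")
        elif c == "[":
            j = pattern.index("]", i)
            total *= len(_expand_class(pattern[i + 1:j]))
            i = j
        i += 1
    return total


def analyze(dialed: str, css: List[str], patterns: List[RoutePattern]) -> Tuple[str, Optional[RoutePattern]]:
    """Digit analysis for one dialed string: only partitions in the caller's CSS
    are visible, the closest match wins (CSS order breaks ties), and the
    winner's Route/Block setting decides the outcome."""
    visible = [p for p in patterns if p.partition in css]
    matches = [p for p in visible if re.match(pattern_to_regex(p.pattern), dialed)]
    if not matches:
        return "no_match", None
    best = min(matches, key=lambda p: (match_count(p.pattern), css.index(p.partition)))
    return ("block" if best.block else "route"), best


# Constructed route plan (not from the page). 9 is the outside access code and
# '.' marks where it is discarded. PT-Block holds the toll-fraud patterns.
PATTERNS = [
    RoutePattern("9.[2-9]XXXXXX", "PT-Local"),
    RoutePattern("9.1[2-9]XX[2-9]XXXXXX", "PT-LongDistance"),
    RoutePattern("9.011!", "PT-International"),
    RoutePattern("9.1809XXXXXXX", "PT-Block", block=True),  # NANP 809 (Dominican Republic) looks like a US area code
    RoutePattern("9.1900XXXXXXX", "PT-Block", block=True),  # premium-rate 900 numbers
]


def demo() -> dict:
    full = ["PT-Block", "PT-Local", "PT-LongDistance", "PT-International"]
    lobby = ["PT-Block", "PT-Local"]   # lobby phone CSS: local calls only
    return {
        "long_distance": analyze("912125551234", full, PATTERNS)[0],
        "809_fraud": analyze("918095551234", full, PATTERNS)[0],
        "international": analyze("90114420712345", full, PATTERNS)[0],
        "lobby_long_distance": analyze("912125551234", lobby, PATTERNS)[0],
        "lobby_local": analyze("95551234", lobby, PATTERNS)[0],
    }
```

The 809 call matches both the generic long-distance pattern and the block pattern; the block pattern can match only 10^7 numbers against 6.4x10^8 for the generic one, so it is the closest match and the call is blocked. The lobby phone never sees the long-distance partition at all, which is the CSS control.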
- Describe hardening IP phones
- Signed phone images
- Signed configuration files - 7940, 7960, 7970
- Disabling phone settings in Cisco CallManager Administration (Product Specific Configuration)
- Speakerphone and Speakerphone/Headset
- PC Port - not available on the 7912
- Settings Access - stops the user viewing or changing the CallManager and TFTP server IP addresses etc. from the phone
- Gratuitous ARP - stops the phone accepting unsolicited ARP replies, which is how its ARP cache gets poisoned
- PC Voice VLAN Access - stops the attached PC from seeing or injecting traffic on the voice VLAN
- Web Access - disable unless needed for XML push applications
- Enabling IP phone encryption and authentication - SRTP for media and TLS for SCCP signaling
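Why the Gratuitous ARP setting is on the hardening list, as an added example (not from these notes or from Cisco): detection logic that parses raw Ethernet/ARP frames and flags gratuitous announcements, replies nobody asked for, and a change of the MAC address claiming a protected IP (the CallManager or gateway address a phone must reach). The MAC and IP addresses and the four frames are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


@dataclass
class Arp:
    op: int
    sha: str   # sender MAC
    spa: str   # sender IP
    tha: str   # target MAC
    tpa: str   # target IP


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes) -> Optional[Arp]:
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return Arp(op, _mac(frame[22:28]), _ip(frame[28:32]),
               _mac(frame[32:38]), _ip(frame[38:42]))


def build_arp(op: int, sha: bytes, spa: bytes, tha: bytes, tpa: bytes, dst: bytes = BROADCAST) -> bytes:
    """Build an Ethernet II ARP frame; used here only to construct sample traffic."""
    eth = dst + sha + struct.pack("!H", ETH_P_ARP)
    return eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + tha + tpa


def audit(frames: List[bytes], protected_ips) -> List[Tuple[int, str, str]]:
    """Flag gratuitous ARP, unsolicited replies, and MAC changes for protected IPs."""
    findings = []
    pending = set()    # (requester MAC, IP asked for) with no reply seen yet
    learned = {}       # protected IP -> MAC currently claiming it
    for n, frame in enumerate(frames):
        a = parse_arp(frame)
        if a is None:
            continue
        if a.op == ARP_REQUEST:
            pending.add((a.sha, a.tpa))
        if a.spa == a.tpa:
            findings.append((n, "gratuitous-arp", f"{a.sha} announces {a.spa}"))
        elif a.op == ARP_REPLY:
            if (a.tha, a.spa) in pending:
                pending.discard((a.tha, a.spa))
            else:
                findings.append((n, "unsolicited-reply", f"{a.sha} tells {a.tha} that {a.spa} is at {a.sha}"))
        if a.spa in protected_ips:
            previous = learned.get(a.spa)
            if previous is not None and previous != a.sha:
                findings.append((n, "mac-changed", f"{a.spa} moved from {previous} to {a.sha}"))
            learned[a.spa] = a.sha
    return findings


def demo() -> List[Tuple[int, str, str]]:
    # Constructed addresses: a phone, the CallManager, and an attacker on the voice VLAN.
    phone_mac, phone_ip = bytes.fromhex("001bd4000001"), bytes([10, 1, 1, 50])
    ccm_mac, ccm_ip = bytes.fromhex("000c29aabbcc"), bytes([10, 1, 1, 10])
    evil_mac = bytes.fromhex("00deadbeef01")
    frames = [
        build_arp(ARP_REQUEST, phone_mac, phone_ip, bytes(6), ccm_ip),            # phone asks for CCM
        build_arp(ARP_REPLY, ccm_mac, ccm_ip, phone_mac, phone_ip, dst=phone_mac),  # CCM answers
        build_arp(ARP_REPLY, evil_mac, ccm_ip, phone_mac, phone_ip, dst=phone_mac), # unsolicited reply
        build_arp(ARP_REPLY, evil_mac, ccm_ip, BROADCAST, ccm_ip),                 # gratuitous ARP
    ]
    return audit(frames, {"10.1.1.10"})
```

The legitimate request/reply pair produces no finding; the attacker's unicast reply is flagged as unsolicited and as a MAC change for the CallManager address, and the broadcast announcement is flagged as gratuitous. A phone with Gratuitous ARP disabled ignores frames 3 and 4 entirely, which is the point of the setting; the remaining exposure is on the switch, where DHCP snooping with dynamic ARP inspection does the same check in hardware.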
- Cryptographic services
- Data authenticity
- Data confidentiality
- Data integrity
- Data nonrepudiation
- Encryption - confidentiality
- Resistance to cryptographic attacks
- Variable key lengths and scalability
- Avalanche effect - a small change in the plaintext (or key) produces a large change in the ciphertext
- Symmetric
- DES, 3DES, AES, IDEA, RC series, SEAL, Blowfish
- Asymmetric encryption
- RSA
- Hash function
- MD5
- SHA-1 (more secure than MD5; both are now considered weak against collision attacks, so prefer SHA-2 where there is a choice)
- Hash-based Message Authentication Code (HMAC)
- Authenticity, integrity
- Hash computed with a secret key as part of the input, so only a holder of the key can produce or verify the tag
- HMAC-MD5 (keyed MD5)
- HMAC-SHA-1 (keyed SHA-1)
- Digital signature
- Authenticity, integrity, nonrepudiation
- Sign with the private key and verify with the public key (the reverse of public-key encryption, where the public key encrypts and the private key decrypts)
- Public Key Infrastructure (PKI)
- Solves the problem of scalable, secure key exchange
- Key exchange in symmetric cryptography - out of band, or via PKI
- Key exchange in asymmetric cryptography - public/private key pairs, Diffie-Hellman
- PKI as a trusted third-party protocol
- PKI entities
- Certificate Authority (CA)
- Certificate (X.509) - identity of the issuer, identity of the owner and the owner's public key, signed by the issuer
- Certificate Revocation List (CRL)
- Downloaded CRL
- Online Certificate Status Protocol (OCSP)
- Self-signed certificates
- Secure PKI enrollment
- Over a trusted network, or
- Mutual out-of-band authentication between the PKI user and the CA
- The PKI user verifies the CA by comparing the fingerprint of the CA certificate obtained out of band
- The CA verifies the PKI user by comparing the fingerprint of the submitted information obtained out of band
- PKI revocation (reasons)
- Private key compromise
- Contract termination for that PKI user
- Loss of the private key
Given a specific set of IP telephony applications and tools, configure CallManager to support the applications
- Configure IP soft phone/IP communicator
- Install and configure BAT and TAPS to bulk add/manage phones/users
- Describe Call Detail Records and methods to extract
- Install and use BARS to backup publisher
Monitor and manage an IP telephony network using Internal Server Tools
- Describe the use of Serviceability tool
- Describe the use of Real-Time monitoring tool
- Describe the tools inherent in the operating system and database, and also provided by Cisco, to monitor CallManager operation
eduardo/cisco/cipt/cipt.txt · Last modified: 2024/02/23 08:20 by 127.0.0.1