Secure Voice on Cisco Multiservice and Integrated Services Routers

Media authentication and encryption features on the Cisco Systems® portfolio of multiservice and integrated services routers help ensure that voice conversations are protected from eavesdropping.

The Cisco® Unified Communications system of voice and IP communications products and applications enables organizations to communicate more effectively, enabling them to streamline business processes, reach the right resource the first time, and impact the top and bottom line. The Cisco Unified Communications portfolio is an integral part of the Cisco Business Communications Solution, an integrated solution for organizations of all sizes that also includes network infrastructure, security, and network management products, wireless connectivity, and a lifecycle services approach, along with flexible deployment and outsourced management options, end-user and partner financing packages, and third-party communications applications.

PRODUCT OVERVIEW

Businesses are moving to IP communications to reduce operational expenses, increase productivity, and simplify network administration. The Cisco multiservice and integrated services router portfolio, ranging from the Cisco 1700 Series to the Cisco 3800 Series platforms, delivers powerful and scalable IP communications solutions for the most demanding enterprise environments.
A wide range of voice security features are available on Cisco multiservice and integrated services routers to deliver high levels of security protection for businesses deploying IP communications solutions. The Cisco multilayer offering, based on the self-defending network model, starts with the network itself and extends to the endpoints and applications. The SAFE Blueprint from Cisco presents a detailed framework of best practices and tools to help secure business networks.
Media encryption using Secure Real-Time Transport Protocol (SRTP) delivers protection by encrypting the voice conversation, rendering it unintelligible to internal or external eavesdroppers who have gained access to the voice domain. Designed for voice packets, SRTP supports the AES encryption algorithm and is standardized in IETF RFC 3711.
Media encryption on Cisco routers works together with Cisco Unified CallManager software and the media encryption feature on Cisco Unified IP phones to secure both gateway-to-gateway calls and IP phone-to-gateway calls. This enables secure analog phone calls, secure fax calls, or secure calls between an IP phone and the gateway, depending on the gateway interface type on which the media is terminated. Voice encryption keys derived by Cisco Unified CallManager are distributed over the encrypted signaling path: to Cisco Unified IP phones using Transport Layer Security (TLS), and to gateways over IP Security (IPSec)-protected links.
Media encryption features on Cisco routers are available beginning with Cisco IOS® Software release 12.3(11)T2 and with an upgrade to the Advanced Enterprise Services and Advanced IP Services IOS Software Feature Sets. The features run on the digital signal processor (DSP) modules of the PVDM2, EVM-HD, NM-HD, AIM-VOICE, NM-HDA and NM-HDV2 voice gateway modules.

FEATURES TABLE

Table 1 provides details on the media authentication and encryption solution.

Table 1. Features Table

Authentication and Encryption Features

· Media encryption of voice RTP streams using SRTP
· Exchange of RTP Control Protocol (RTCP) information using secure RTCP
· SRTP to RTP fallback for calls between secure and insecure endpoints
· Secure calls supported in Cisco Unified Survivable Remote Site Telephony (SRST) mode during WAN failover
· Compressed RTP (CRTP) supported with media encrypted calls using SRTP

Authentication and Encryption Algorithm

· Supports the AES-128 encryption algorithm
· Supports the HMAC-SHA-1 secure hash authentication algorithm

Signaling Authentication and Encryption Features

· Gateway to Cisco Unified CallManager signaling authentication and encryption uses IPSec for Media Gateway Control Protocol (MGCP) and H.323 gateways
· IP phone to Cisco Unified Survivable Remote Site Telephony router signaling authentication and encryption uses Transport Layer Security (TLS)

Protocol Support

· MGCP 0.1 (supports MGCP gateways with Cisco Unified CallManager)
· H.323 (supported on H.323 gateways and IPIP gateway; Cisco Unified CallManager interoperability is optional)
· SCCP (Cisco Unified IP Phone) in SRST mode

Module Support

· PVDM modules: PVDM2-8, PVDM2-16, PVDM2-32, PVDM2-48, PVDM2-64
· Analog voice modules: EVM-HD (with PVDMs), NM-HD-1V, NM-HD-2V, NM-HD-2VE, NM-HDA
· Digital voice modules: NM-HDV2, NM-HDV2-1T1/E1, NM-HDV2-2T1/E1, NM-HDV (all versions), AIM-VOICE-30, AIM-ATM-VOICE-30

Codec Support

· G.711, G.729A, and G.729

APPLICATIONS

Media authentication and encryption on Cisco multiservice and integrated services routers, together with media encryption on Cisco Unified IP phones and Cisco Unified CallManager, provides a highly secure environment for IP communications across a WAN or LAN. As illustrated in Figure 1, SRTP is used to encrypt voice calls placed on voice gateway network modules in branch office A. This provides secure calls from analog phone to analog phone, or fax machine to fax machine, within the office. Similarly, secure calls are enabled from time-division multiplexing (TDM) endpoints or analog phones at branch office A to Cisco Unified IP phones at the headquarters. The signaling between the gateway at branch office A and Cisco Unified CallManager is secured using IPSec, and the signaling between the IP phones at headquarters and Cisco Unified CallManager is secured using TLS.

Figure 1. Media Authentication and Encryption

KEY FEATURES AND BENEFITS

Media Authentication and Encryption

Media encryption currently delivers end-to-end encryption for voice calls between Cisco Unified IP phones. The introduction of media encryption on Cisco routers adds the ability to place secure IP phone-to-gateway and gateway-to-gateway calls. Callers can now place encrypted calls to the PSTN gateway using IETF RFC 3711 standards-based SRTP. SRTP encrypts only the payload of a voice packet without adding additional encryption headers. Because of this, an SRTP-encrypted voice packet is almost indistinguishable from an RTP voice packet, allowing features like quality of service (QoS) and compressed RTP to be supported without any additional development or packet manipulation. In addition, SRTP uses the largest practical key size supported by the AES encryption standard for increased security. Voice encryption keys are generated for each call, ensuring a higher level of security protection. Media authentication also validates the identity of the devices encrypting the calls.
Media encryption using SRTP is suitable for voice privacy and confidentiality on the LAN to protect against internal threats. In addition, media encryption can also be delivered across an IP WAN or the Internet, using the same VPN infrastructure deployed for data.
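The following Go program is an added example, not Cisco's code and not part of this datasheet. It shows the RFC 3711 packet format the text describes: the 12-byte RTP header stays in the clear (so QoS and compressed RTP still work), only the payload is encrypted with AES-128 in counter mode, and an 80-bit HMAC-SHA1 tag is appended, so a packet grows by just 10 bytes. It assumes the per-call session key, salt and authentication key have already been delivered to the endpoint (in the deployment above, by Cisco Unified CallManager over IPSec or TLS) and leaves out the RFC 3711 key derivation step.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
)

const hdrLen, tagLen = 12, 10 // fixed RTP header; 80-bit HMAC-SHA1 tag (RFC 3711 default)
// xorPayload applies the AES-128-CM keystream (RFC 3711 sec. 4.1.1) to the payload only; the
// 12-byte RTP header stays in the clear for QoS and CRTP. Encrypt and decrypt are the same step.
func xorPayload(encKey, salt, pkt []byte, roc uint32) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil || len(salt) != 14 || len(pkt) < hdrLen {
		return nil, errors.New("bad key/salt or packet shorter than an RTP header")
	}
	// IV = (k_s * 2^16) XOR (SSRC * 2^64) XOR (i * 2^16), packet index i = 2^16*ROC + SEQ
	i := uint64(roc)<<16 | uint64(binary.BigEndian.Uint16(pkt[2:4]))
	iv := make([]byte, 16)
	copy(iv, salt) // the 112-bit session salt (assumed, constructed in the caller) fills bytes 0..13
	binary.BigEndian.PutUint32(iv[4:8], binary.BigEndian.Uint32(iv[4:8])^binary.BigEndian.Uint32(pkt[8:12]))
	binary.BigEndian.PutUint64(iv[8:], binary.BigEndian.Uint64(iv[8:])^(i<<16))
	out := append(make([]byte, 0, len(pkt)+tagLen), pkt...)
	cipher.NewCTR(block, iv).XORKeyStream(out[hdrLen:], pkt[hdrLen:])
	return out, nil
}
// authTag = HMAC-SHA1(header || encrypted payload || ROC) truncated to 80 bits.
func authTag(authKey, data []byte, roc uint32) []byte {
	mac := hmac.New(sha1.New, authKey)
	mac.Write(append(append([]byte{}, data...), byte(roc>>24), byte(roc>>16), byte(roc>>8), byte(roc)))
	return mac.Sum(nil)[:tagLen]
}
// Protect turns an RTP packet into an SRTP packet (RFC 3711 sec. 3.3); it grows by only 10 bytes.
func Protect(encKey, salt, authKey, rtp []byte, roc uint32) ([]byte, error) {
	out, err := xorPayload(encKey, salt, rtp, roc)
	if err != nil {
		return nil, err
	}
	return append(out, authTag(authKey, out, roc)...), nil
}
// Unprotect verifies the tag first, so a forged or altered packet is dropped before decryption.
func Unprotect(encKey, salt, authKey, srtp []byte, roc uint32) ([]byte, error) {
	n := len(srtp) - tagLen
	if n < hdrLen || !hmac.Equal(srtp[n:], authTag(authKey, srtp[:n], roc)) {
		return nil, errors.New("short packet or SRTP authentication failed")
	}
	return xorPayload(encKey, salt, srtp[:n], roc)
}
```

Feeding a lab-captured RTP packet through Protect shows that the header bytes are unchanged and only the payload differs, which is why a capture of an SRTP call still classifies correctly for QoS but yields no intelligible audio.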

Signaling Authentication and Encryption

Signaling between the gateways and Cisco Unified CallManager is authenticated and encrypted using IPSec. This ensures that signaling information such as dual tone multifrequency (DTMF) digits, passwords, PINs, and voice encryption keys is protected. Both software-based IPSec, available in Cisco IOS Software, and hardware-based IPSec using the AIM-VPN modules are supported.

Scalability of Encrypted Calls

SRTP media encryption is performed on DSP modules and not on the router CPU. This scales efficiently: adding voice gateway interfaces with DSPs, or adding DSPs integrated on the platform (as on the integrated services routers), directly increases the number of DSPs available for secure calls without loading the router CPU.

Efficient Delay Optimization and Channel Capacity Impact

No additional call setup delays are introduced with encrypted calls, as the key exchange is completed as part of the normal MGCP call setup and no extra messages are introduced. Voice media delay is also not introduced because SRTP media encryption is performed in the DSP, and not by the router CPU or a separate encryption engine that processes the completed voice packet.
There is no channel capacity impact for encrypted calls in G.729 and G.729a modes, and minimal impact in G.711 mode (Table 2).

Table 2. Channel Impact per DSP (ex: PVDM2-16)

Codec    Regular Voice Call/DSP    Encrypted Voice Call/DSP
G.711    16 calls                  10 calls
G.729a   8 calls                   8 calls
G.729    6 calls                   6 calls

Management Features

Media authentication and encryption is easily configured on Cisco routers using the command-line interface (CLI). In addition, features such as a lock icon indicator on Cisco IP Phones provide visual confirmation of encryption in calls to supported gateways. If a device within the call flow does not support media encryption or the security is compromised, the lock icon disappears. CLI commands are also available to confirm and provide details about an encrypted call and to debug calls.

Security in Cisco Unified Survivable Remote Site Telephony Mode

Cisco Unified Survivable Remote Site Telephony provides call processing redundancy when connectivity to Cisco Unified CallManager is lost. Media authentication and encryption is supported in Cisco Unified Survivable Remote Site Telephony mode, beginning with Cisco IOS Software release 12.3(14)T, providing the ability to place secure calls within a remote branch office when the WAN link or Cisco Unified CallManager goes down. When the WAN link or Cisco Unified CallManager is restored, Cisco Unified CallManager resumes secure call handling capabilities. The signaling from the Cisco Unified Survivable Remote Site Telephony router to the IP phones is encrypted using TLS.

SRTP AND IPSEC VPNS

SRTP and IPSec are complementary VPN technologies. One of the key differences is that SRTP can deliver encryption from end to end, that is, from IP phone to IP phone, whereas IPSec VPN is a router-to-router tunnel-based encryption. In addition, SRTP encrypts only voice packets, whereas IPSec VPN tunnels can transport data, voice, and video (and thus are called V3PN).
This means that SRTP can add a further layer of protection for voice traffic that is already carried over an IPSec VPN.
For enterprises and small and medium-sized businesses that have a trusted WAN network, SRTP can be used to encrypt voice end to end across this network. However, most of these businesses conduct business across the Internet or across a WAN that is managed by a service provider. Therefore, the WAN may be insecure, and a VPN tunnel is used to transport data securely between branch offices. SRTP can be used to secure voice in the WAN across the same IPSec VPN network that is used for data. This is illustrated in Figure 2.

Figure 2. Secure RTP and V3PN

FEATURE AVAILABILITY

Table 3. Feature Availability

Columns: Protocol/Feature Support; Platform Support (with supported modules in Table 4); Release.

MGCP Gateways (MGCP 0.1)
· Platform Support: Cisco 2600XM, 2691, 3660, 3725, and 3745 multiservice platforms; Cisco 2811, 2821, 2851, 3825, and 3845 integrated services routers; Cisco VG224 Analog Phone Gateway
· Release: Cisco IOS Software Release 12.3(11)T2 and Cisco Unified CallManager 4.1

H.323 Gateways and IPIP Gateway
· Platform Support: Cisco 2600XM, 2691, 3725, and 3745 multiservice platforms; Cisco 2811, 2821, 2851, 3825, and 3845 integrated services routers; Cisco VG224 Analog Phone Gateway; Cisco IAD 2430 Series Integrated Access Device. The IPIP gateway is supported in both flow-through and flow-around modes.
· Release: Cisco IOS Software Release 12.4(6)T1. Interworking with Cisco Unified CallManager 5.0 is supported but optional.

SCCP IP Phones in Cisco Unified SRST Mode
· Platform Support: Cisco 2600XM, 2691, 3660, 3725, and 3745 multiservice platforms; Cisco 2811, 2821, 2851, 3825, and 3845 integrated services routers
· Release: Cisco IOS Software Release 12.3(14)T and Cisco Unified CallManager 4.1

MODULE AVAILABILITY

Table 4. Module Availability

Columns: Module Support; Platform Support; Release.

NM-HD-1V, NM-HD-2V, NM-HD-2VE
· Platform Support: Cisco 2600XM, 2691, 3660, 3725, and 3745 multiservice platforms; Cisco 2811, 2821, 2851, 3825, and 3845 integrated services routers
· Release: Cisco IOS Software Release 12.3(11)T2

NM-HDV2, NM-HDV2-1T1/E1, NM-HDV2-2T1/E1
· Platform Support: Cisco 2600XM, 2691, 3725, and 3745 multiservice platforms; Cisco 2811, 2821, 2851, 3825, and 3845 integrated services routers
· Release: Cisco IOS Software Release 12.3(11)T2

PVDM2-8, PVDM2-16, PVDM2-32, PVDM2-48, PVDM2-64 (1)
· Platform Support: Cisco 2801, 2811, 2821, 2851, 3825, and 3845 integrated services routers
· Release: Cisco IOS Software Release 12.3(11)T2 (all platforms except 2801); Cisco IOS Software Release 12.3(14)T (2801 platform)

EVM-HD
· Platform Support: Cisco 2821, 2851, 3825, and 3845 integrated services routers
· Release: Cisco IOS Software Release 12.3(11)T2 and Cisco Unified CallManager 4.1

NM-HDV (Including All Bundle Variations)
· Platform Support: Cisco 2600XM, 2691, 3725, and 3745 multiservice platforms; Cisco 2811, 2821, 2851, 3825, and 3845 integrated services routers
· Release: Cisco IOS Software Release 12.3(14)T and Cisco Unified CallManager 4.1

AIM-VOICE-30, AIM-ATM-VOICE-30, NM-HDA
· Platform Support: Cisco 2600XM, 2691, 3725, and 3745 multiservice platforms
· Release: Cisco IOS Software Release 12.4(6)T1

(1) The PVDM2 Packet/Voice DSP modules are used with native VICs/VWICs and NM-HDV2s on the Cisco 2801, 2811, 2821, 2851, 3825 and 3845 integrated services routers. They are also used with the High-Density Analog and Digital Extension Module (EVM-HD) supported on the Cisco 2821, 2851, 3825, and 3845 integrated services routers.

Note: The voice gateway modules on the Cisco multiservice and integrated services routers interoperate with Cisco Unified IP Phone 7940G, 7960G, and 7970G that support media encryption. The Cisco Unified IP Phone 7970G supports media encryption with the Cisco Unified CallManager 4.0 release, and the Cisco Unified IP Phone 7960G and 7940G support media encryption with Cisco Unified CallManager 4.1 release.

CISCO UNIFIED COMMUNICATIONS SERVICES AND SUPPORT

Using the Cisco Lifecycle Services approach, Cisco Systems® and its partners offer a broad portfolio of end-to-end services to support the Cisco Unified Communications system. These services are based on proven methodologies for deploying, operating, and optimizing IP communications solutions. Upfront planning and design services, for example, can help you meet aggressive deployment schedules and minimize network disruption during implementation. Operate services reduce the risk of communications downtime with expert technical support. Optimize services enhance solution performance for operational excellence. Cisco and its partners offer a system-level service and support approach that can help you create and maintain a resilient, converged network that meets your business needs.

CONCLUSION

Media authentication and encryption provides an additional layer of security for enterprises and small and medium-sized businesses deploying IP communications. Voice conversations terminated on TDM or analog voice gateway ports or Cisco Unified IP phones are protected from eavesdropping within the LAN and WAN using standards-based encryption.

PRODUCT COMPATIBILITY

Table 5. Product Compatibility

Product Compatibility

· Cisco 2600XM, 2691, 3725, and 3745 multiservice platforms
· Cisco 2811, 2821, 2851, 3825, and 3845 integrated services routers
· Cisco VG224 Analog Phone Gateway
· Cisco IAD 2430 Series Integrated Access Device
· Cisco Unified CallManager 4.1 for MGCP and SCCP (Cisco Unified SRST mode)
· Cisco Unified CallManager 5.0 (H.323)

Software Compatibility

· Advanced IP Services Image
· Advanced Enterprise Services Image

Protocols

· MGCP 0.1, H.323, SCCP (SRST mode)

ORDERING INFORMATION

To place an order, contact your Cisco representative or visit the Cisco Website. See Table 6 for ordering information.

Table 6. Ordering Information

Columns: Product Name; Part Number.

· IP Communications High Density Digital Voice Network Module: NM-HDV2
· IP Communications High Density Digital Voice Network Module with One Built-in T1/E1 Port: NM-HDV2-1T1/E1
· IP Communications High Density Digital Voice Network Module with Two Built-in T1/E1 Ports: NM-HDV2-2T1/E1
· One-Slot IP Communications Voice/Fax Network Module: NM-HD-1V
· Two-Slot IP Communications Voice/Fax Network Module: NM-HD-2V
· Two-Slot IP Communications Enhanced Voice/Fax Network Module: NM-HD-2VE
· Digital T1/E1 Packet Voice/Fax Network Module: NM-HDV (and all bundle variations)
· 30-Channel Voice/Fax DSP Advanced Integration Module: AIM-VOICE-30, AIM-ATM-VOICE-30
· High-Density Analog and Digital Extension Module: EVM-HD
· 8-Channel Packet Fax/Voice DSP Module: PVDM2-8
· 16-Channel Packet Fax/Voice DSP Module: PVDM2-16
· 32-Channel Packet Fax/Voice DSP Module: PVDM2-32
· 48-Channel Packet Fax/Voice DSP Module: PVDM2-48
· 64-Channel Packet Fax/Voice DSP Module: PVDM2-64

2007/05/05 21:12
