Detailed Outlines

Course Outlines

Module 1: Vulnerabilities of Cisco Unified Communications Networks and Security Fundamentals

Identify vulnerabilities in Cisco Unified Communications networks, and describe security implementation strategies, cryptographic services, PKI, and VPN technologies.

Lesson 1: Assessing Vulnerabilities of Cisco Unified Communications Networks

• Identify the threats to a Cisco Unified Communications solution
• Describe types of attackers and attacks
• Identify weaknesses of protocols that are used in Cisco Unified Communications networks
• Describe what needs to be considered regarding end users and administrators when dealing with security
• Describe identity spoofing and the identity types that an attacker can impersonate
• Explain examples of DoS attacks
• Describe an example of unauthorized privilege escalation that is achieved by exploiting a buffer overflow issue
• Describe eavesdropping attacks and the techniques that can be employed to perform them
• Describe data manipulation and discuss how data integrity can be compromised
• Describe attacks against Cisco Unified IP phones

Lesson 2: Describing Security Implementation Strategies

• Describe how risk assessment is performed
• Describe guidelines for security implementation
• Describe the function of a security policy
• Describe the need for auditing and how auditing can be performed
• Describe the need for accountability and how accountability can be implemented

Lesson 3: Describing Cryptographic Services and Functions

• Describe cryptographic services
• Describe the characteristics of symmetric encryption and what it is used for
• Describe the characteristics of asymmetric encryption and what it is used for
• Describe the characteristics of hashes and what they are used for
• Describe the characteristics of HMAC and what they are used for
• Describe the characteristics of digital signatures and what they are used for

Lesson 4: Describing Key Management and PKI

• Describe the issues of key management when using symmetric keys and when using asymmetric keys
• Describe the purpose of a PKI
• Describe how a PKI works
• Describe considerations when implementing a PKI
• Describe how commonly used applications utilize a PKI for secure communication

Lesson 5: Describing IPsec and Cisco AnyConnect SSL VPN

• Describe the purpose of IPsec and Cisco AnyConnect SSL
• Describe the characteristics of IPsec
• Describe the operation of IPsec
• Describe considerations when implementing IPsec
• Describe special implementation models of IPsec
• Describe the characteristics of Cisco AnyConnect SSL
• Describe the operation of Cisco AnyConnect SSL
• Describe considerations when implementing Cisco AnyConnect SSL

Module 2: Network Infrastructure Security

Implement network infrastructure security features such as network separation and firewalls, IEEE 802.1X in phone VLANs, and the IP Phone VPN Client.

Lesson 1: Implementing Network Separation and Packet Filtering

• Describe the function of security domains
• Describe network separation methods
• Implement voice VLANs
• Describe how network access control is implemented between security domains and describe how NAT can be used between security domains
• Describe the most important stateless packet filtering features on Cisco IOS routers, Cisco Catalyst switches, and Cisco ASA adaptive security appliances
• Describe how stateful packet filters can be used to provide network access control
• Describe the need for deep packet inspection and how it interacts with network access control
• Describe the operation of application proxies and the features that they provide
• Describe network separation considerations when implementing softphones

Lesson 2: Implementing Switch Security Features

• Describe the security features available in Cisco Catalyst switches
• Describe the characteristics of 802.1X
• Describe how 802.1X works
• Describe how to implement 802.1X

Lesson 3: Implementing Cisco AnyConnect SSL VPNs in Cisco Unified Communications Networks

• Describe the characteristics of the IP phone VPN Client feature
• Describe the trust requirements of the IP phone VPN Client feature
• Describe considerations when implementing the IP phone VPN Client feature
• Describe how to implement the IP phone VPN Client feature
• Describe how to verify proper operation of the IP phone VPN Client feature

Module 3: Cisco Unified Communications Manager and Endpoint Security Features

Harden Cisco Unified Communications endpoints and implement toll-fraud prevention features and Cisco Unified Communications Manager cryptographic security features.

Lesson 1: Hardening Cisco Unified Communications Endpoints

• Describe general guidelines for device hardening, including Cisco IOS devices
• List IP phone and Cisco Unified Communications Manager hardening options
• Describe how to control access to the Settings button on the IP phone in Cisco Unified Communications Manager
• Describe how to control PC port access at the IP phone in Cisco Unified Communications Manager
• Describe how to process GARP packets at the IP phone in Cisco Unified Communications Manager
• Describe how to control IP phone web server access in Cisco Unified Communications Manager

Describe how to harden Cisco IOS gateways

Lesson 2: Implementing Toll-Fraud Prevention

• List toll-fraud prevention features
• Describe the purpose and the configuration of class classification in Cisco Unified Communications Manager
• Describe how Cisco Unified Communications Manager can be configured to block external-to-external transfers
• Describe how Cisco Unified Communications Manager can be configured to drop ad hoc conferences when no on-net party remains in the conference
• Describe how CoS can be implemented in Cisco Unified Communications Manager in order to avoid toll fraud
• Describe how Cisco Unified Communications Manager can be configured to force an end user to enter a valid FAC before processing calls
• Describe how call monitoring and accounting can be configured in Cisco Unified Communications Manager in order to detect and prevent toll fraud
• Describe how Cisco Unified Communications Manager Express and Cisco IOS gateways can be configured for toll-fraud prevention

Lesson 3: Implementing Native Cisco Unified Communications Manager Security Features

• Describe how Cisco Unified Communications Manager protects IP phones by using firmware that is digitally signed
• Describe SIP digest authentication, what attacks it can mitigate, and how it is implemented for IP phones and SIP trunks
• Describe how SIP trunks can be configured to use TLS for signaling and SRTP for media
• Describe how IPsec is supported in Cisco Unified Communications Manager
• Describe the purpose of the Security by Default feature
• Describe the components of the Security by Default feature
• Describe how an IP phone can validate received certificates using CVS and describe how configuration file protection is provided by Security by Default
• Describe how Security by Default interacts with other security features

Lesson 4: Implementing Cisco Unified Communications Manager Security Features Based on Security Tokens

• Describe the issuers of certificates that are used in a secure Cisco Unified Communications Manager environment
• Describe the purpose of the CTL file
• Describe how a CTL file is created or updated
• Describe how the CTL file interacts with the ITL file
• List the security features that rely on the CTL file
• Describe how Cisco Unified Communications Manager provides secure signaling to IP phones
• Describe how Cisco Unified Communications Manager enables IP phones to use secure media exchange to other IP phones
• Describe how Cisco Unified Communications Manager provides IP phone configuration file encryption
• Describe how Cisco Unified Communications Manager can provide secure conference bridges to IP phones
• Describe the impact of encrypted signaling on intermediate network devices providing NAT or firewall services

Module 4: Secure Cisco Unified Communications Integration and Features

Implement secure Cisco Unified Communications Manager integration with external devices such as gateways, firewalls, and application proxies.

Lesson 1: Implementing SRTP to Gateways and Signaling Protection by IPsec

• Provide an overview of secure Cisco IOS gateway communication
• Describe the signaling and media protection options between the Cisco Unified Communications Manager and a SIP gateway
• Describe the media protection to MGCP gateways
• Describe the media protection to H.323 gateways
• Describe how to configure IPsec for signaling encryption

Lesson 2: Implementing Secure Signaling and SRTP in SRST and Cisco Unified Communications Manager Express

• Describe the trust requirements for secure SRST
• Describe how IP phones can trust their SRST gateway
• Describe how SRST gateways can trust IP phones
• Describe secure SRST operation
• Describe how to implement secure SRST
• List security features provided by Cisco Unified Communications Manager Express
• Describe the PKI topology and trust requirements when implementing secure Cisco Unified Communications Manager Express
• Describe additional Cisco Unified Communications Manager Express security features
• Describe how to implement security features in Cisco Unified Communications Manager Express

Lesson 3: Implementing Trusted Relay Points

• Describe the purpose of trusted relay points
• Describe the characteristics of trusted relay points
• Describe the components of trusted relay points
• Describe how trusted relay points work
• Describe how to implement trusted relay points

Lesson 4: Implementing Proxies for Secure Signaling and SRTP

• Describe the purpose and function of an application layer gateway, also known as a proxy
• Describe the purpose and functions of Cisco Unified Border Element
• Describe Cisco Unified Border Element security features including signaling and media proxy
• Describe how to configure Cisco Unified Border Element as signaling and media proxy
• Describe the purpose and functions of the Cisco ASA adaptive security appliance TLS proxy feature
• Describe how to configure a TLS proxy in the Cisco ASA adaptive security appliance
• Describe the purpose and functions of the Cisco ASA adaptive security appliance phone proxy feature
• Describe how to configure a phone proxy in the Cisco ASA adaptive security appliance
• Describe the differences between Cisco Unified Border Element, TLS proxy, and phone proxy

UCSEC v1.0 Labs

• Lab 1-1: Identifying Security Weaknesses in a Cisco Unified Communications Network
• Lab 2-1: Implementing Firewalls
• Lab 2-2: Implementing 802.1X
• Lab 2-3: Implementing Cisco AnyConnect SSL VPNs
• Lab 3-1: Implementing Cisco Unified Communications Manager Security Features Based on Security Tokens
• Lab 4-1: Implementing SRTP to Gateways and Signaling Protection by IPsec
• Lab 4-2: Implementing Secure SRST and Secure Cisco Unified Communications Manager Express
• Lab 4-3: Implementing Trusted Relay Points
• Lab 4-4: Implementing Proxies for Signaling and RTP