Cisco Unified Communications Manager. Common Criteria Configuration Guide

Transcription

1 Cisco Unified Communications Manager Common Criteria Configuration Guide Version 0.4 EDCS July , Cisco Systems, Inc. All rights reserved. This document can be reproduced in full without any modifications.

2 Table of Contents 1 Introduction... 8 Audience... 8 Purpose... 8 Document References... 8 Supported Hardware and Software... 9 Operational Environment Supported non-toe Hardware/ Software/ Firmware Excluded Functionality Secure Acceptance of the TOE Secure Installation and Configuration Physical Installation Initial Setup of CUCM Enabling FIPS Mode Certificates Administrator Configuration, Credentials and Session Termination Logging Configuration Endpoint Devices and User Association Network Protocols and Cryptographic Settings Remote Administration Protocols SIP Connections and Protocols Clusters and Route Patterns Secure Management User Roles Clock Management Identification and Authentication Login Banners Product Updates Security Relevant Events Reviewing, Downloading and Deleting Audit Records Network Services and Protocols Page 2 of 35

3 7 Modes of Operation Security Measures for the Operational Environment Related Documentation Documentation Feedback Obtaining Technical Assistance Page 3 of 35

4 List of Tables Table 1: Acronyms... 5 Table 2 Terminology... 6 Table 3 Cisco Documentation... 8 Table 4: Operational Environment Components Table 5 Excluded Functionality Table 6 TOE External Identification Table 7 Evaluated Software Images Table 8 Audit Entries Table 10: Protocols and Services Table 11 Operational Environment Security Measures Page 4 of 35

5 List of Acronyms The following acronyms and abbreviations may be used in this document: Table 1: Acronyms Acronyms / Definition Abbreviations AAA Administration, Authorization, and Accounting ACL Access Control Lists AES Advanced Encryption Standard BRI Basic Rate Interface CC Common Criteria for Information Technology Security Evaluation CEM Common Evaluation Methodology for Information Technology Security CM Configuration Management CTI Computer Telephony Integration ports CUCM Cisco Unified Communications Manager DHCP Dynamic Host Configuration Protocol EAL Evaluation Assurance Level EHWIC Ethernet High-Speed WIC ESP Encapsulating Security Payload GE Gigabit Ethernet port HTTP Hyper-Text Transport Protocol HTTPS Hyper-Text Transport Protocol Secure ICMP Internet Control Message Protocol IT Information Technology NDPP Network Device Protection Profile OS Operating System PoE Power over Ethernet PP Protection Profile SBC Session Border Controllers SHS Secure Hash Standard SIP Session Initiation Protocol ST Security Target TCP Transport Control Protocol TLS Transport Layer Security TOE Target of Evaluation TSC TSF Scope of Control TSF TOE Security Function TSP TOE Security Policy UCM Unified Communications Manager UDP User datagram protocol UCS Unified Computing System VoIP Voice over IP WAN Wide Area Network WIC WAN Interface Card Page 5 of 35

6 Terminology Term Authorized Administrator Peer CUCM Security Administrator SIP Server User Table 2 Terminology Definition Any user which has been assigned to a privilege level that is permitted to perform all TSF-related functions. Another CUCM on the network that the TOE interfaces with. Synonymous with Authorized Administrator for the purposes of this evaluation. The SIP Server (the TOE) interacts with a VoIP client (user smartphone) and provides registrar and proxy capabilities required for call-session management as well as establishing, processing, and terminating VoIP calls. Any entity (human user or external IT entity) outside the TOE that interacts with the TOE. Page 6 of 35

7 DOCUMENT INTRODUCTION Prepared By: Cisco Systems, Inc. 170 West Tasman Dr. San Jose, CA This document provides supporting evidence for an evaluation of a specific Target of Evaluation (TOE), the Cisco Unified Communications Manager (CUCM). This Operational User Guidance with Preparative Procedures addresses the administration of the TOE software and hardware and describes how to install, configure, and maintain the TOE in the Common Criteria evaluated configuration. REVISION HISTORY Rev Date Description.01 2 March 2015 Initial Draft April 2015 Updated based on Evaluator findings May 2015 Updated based on Evaluator findings July 2015 Updated based on Evaluator findings Page 7 of 35

8 1 Introduction This Operational User Guidance with Preparative Procedures documents the administration of the Cisco Unified Communications Manager (CUCM), the TOE, as it was certified under Common Criteria. The Cisco Unified Communications Manager (CUCM ) may be referenced below as the Cisco Unified Communications Manager, CUCM, or simply TOE. Audience This document is written for administrators configuring the TOE. This document assumes that you are familiar with Cisco or equivalent call processing and unified communications products. It is also assumed that you have a general understanding and knowledge with the basic concepts and terminologies used in enterprise telephony features and functions to packet telephony network devices such as IP phones, media processing devices, voice-over-ip (VoIP) gateways, and multimedia applications, that you are a trusted individual, and that you are trained to use the operating systems on which you are running your network. Purpose This document is the Operational User Guidance with Preparative Procedures for the Common Criteria evaluation. It was written to highlight the specific TOE configuration and administrator functions and interfaces that are necessary to configure and maintain the TOE in the evaluated configuration. The evaluated configuration is the configuration of the TOE that satisfies the requirements as defined in the Security Target (ST). This document covers all of the security functional requirements specified in the ST and as summarized in Section 3 of this document. This document does not mandate configuration settings for the features of the TOE that are outside the evaluation scope, which should be set according to your organizational security policies. This document is not meant to detail specific actions performed by the administrator but rather is a road map for identifying the appropriate locations within Cisco documentation to get the specific details for configuring and maintaining CUCM operations. It is recommended that you read all instructions in this document and any references before performing steps outlined and entering commands. Section 9 of this document provides information for obtaining assistance. Document References This section lists the Cisco Systems documentation that is also the Common Criteria Configuration Item (CI) List. The documents used are shown below in Table 3. Throughout this document, the guides will be referred to by the #, such as [1]. Table 3 Cisco Documentation # Title Link [1] Cisco Unified Communications Manager (CallManager) Maintain and Operate Guides Page 8 of 35

9 # Title Link [2] Cisco UCS C220 Server Installation and Service Guide /C220/install/C220.html Cisco UCS C210 Installation and Service Guide [3] Administration Guide for Cisco Unified Communications Manager, Release 11.0(1) /C210M1/install/C210M1.html n/11_0_1/administration/cucm_bk_a0a10476_00_administrati on-guide-for-cisco-unified.html [4] Cisco Unified Real-Time Monitoring Tool Administration Guide, Release 11.0(1) [5] System Configuration Guide for Cisco Unified Communications Manager, Release 11.0(1) ce/11_0_1/rtmt/cucm_bk_cc660a6b_00_cisco-unifiedrtmt-administration-1101.html n/11_0_1/sysconfig/cucm_bk_c733e983_00_cucm-systemconfiguration-guide.html [6] Security Guide for Cisco Unified Communications Manager, Release 11.0(1) [7] Cisco Unified Communications Manager FIPS Certificate [8] Cisco Unified Communications Manager Common Criteria Guidance, version 0.1 [9] Cisco Unified Communications Manager Security Target, version.01 [10] Installation Guide for Cisco Unified Communications Manager, Release 11.0(1) [11] Release Notes for Cisco Unified Communications Manager and IM and Presence Service, Release 11.0(1) [12] Cisco Collaboration on Virtual Servers ity/11_0_1/secugd/cucm_bk_c1a78c1d_00_cucm-securityguide-1101.html Refer to FIPS certificate 2100; Cisco FIPS Object Module (Software Version: 4.1) This will be updated with a link to the Cisco certification webpage This will be updated with the link to the NIAP webpage l/11_0_1/cucm_bk_idf93684_00_installing-cucm_1101.html otes/11_0_1/cucm_bk_r30921a8_00_cucm_releasenotes_1101.html l/cucm_bk_cf3d71b4_00_cucm_virtual_servers.html Supported Hardware and Software Only the hardware and software listed in section 1.5 of the Security Target (ST) is compliant with the Common Criteria evaluation. Using hardware not specified in the ST invalidates the secure configuration. Likewise, using any software version other than the evaluated software Page 9 of 35

10 listed in the ST will invalidate the secure configuration. The TOE is a hardware and software solution that makes up the CUCM system as follows: The hardware is comprised of the Cisco Unified Computing System (Cisco UCS) C220 M3 Rack Server or the Cisco Unified Computing System (Cisco UCS) C210 M2 Rack Server The software is comprised of the CUCM software image Release 11.0 The software comes pre-installed on the UCS C220 M3 Server or the UCS C210 M2 Server and is comprised of the Cisco CUCM 11.0 software. Cisco Unified CM Administration is a web-based application that is the main administration and configuration interface for Cisco Unified Communications Manager. The CUCM Administration is used to manage the system, features, server settings, call routing rules, phones and end users. CUCM Administration supports the following operating system browsers: Microsoft Internet Explorer (IE) 7 when running on Microsoft Windows XP SP3 Microsoft Internet Explorer (IE) 8 when running on Microsoft Windows XP SP3 or Microsoft Vista SP2 Firefox 3.x when running on Microsoft Windows XP SP3, Microsoft Vista SP2 or Apple MAC OS X Safari 4.x when running on Apple MAC OS X HTTPS is used to secure the connection between CUCM and the browser. Refer to [6] Hypertext Transfer Protocol Over Secure Sockets Layer (HTTPS) Cisco Unified Communications Manager works as an Appliance on a non-windows-based Operating System. The Cisco Unified Communications Manager appliance refers to the following functions: Works on a specific hardware platform(s) that Cisco specifies and supplies and, in some cases, the customer supplies Works in a carefully controlled software environment that Cisco specifies and installs Includes all software that is required to operate, maintain, secure, and manage servers Cisco Unified Communications Manager servers get preinstalled with software to ease customer and partner deployment and automatically search for updates and notify administrators when key security fixes and software upgrades are available for their system. This process comprises Electronic Software Delivery. Because Cisco Unified Communications Manager is a software application, enhancing its capabilities in production environments requires only upgrading software on the server platform. Page 10 of 35

11 Operational Environment Supported non-toe Hardware/ Software/ Firmware The TOE supports (in some cases optionally) the following hardware, software, and firmware in its environment: Table 4: Operational Environment Components Component Required Usage/Purpose Description for TOE performance Local No This includes any IT Environment Console that is directly Console connected to the TOE via the Serial Console Port and is used by Management Workstation using web browser for HTTPS Yes the TOE administrator to support TOE administration. This includes any IT Environment Management workstation with a web browser installed that is used by the TOE administrator to support TOE administration through HTTPS protected channels. Any web browser that supports TLSv1.0 with the supported ciphersuites may be used. NTP Server Yes The TOE supports communications with an NTP server in order to synchronize the date and time on the TOE with the NTP server s date and time. RADIUS or TACACS+ AAA Server Syslog Server Remote Endpoint No Yes Yes This includes any IT environment RADIUS or TACACS+ AAA server that provides single-use authentication mechanisms. This can be any RADIUS or TACACS+ AAA server that provides single-use authentication. This includes any syslog server to which the TOE would transmit syslog messages. This includes any peer (other SIP servers) or VoIP client with which the TOE communicates with the end points over a protected TLS channel. Excluded Functionality Excluded Functionality Non-FIPS mode of operation on the router. Table 5 Excluded Functionality Exclusion Rationale This mode of operation includes non-fips allowed operations. The exclusion of this functionality does not affect compliance to the U.S. Government Protection Profile for Security Requirements for Network Devices PP or the SIP Server EP. Page 11 of 35

12 2 Secure Acceptance of the TOE In order to ensure the correct TOE is received, the TOE should be examined to ensure that that is has not been tampered with during delivery. Verify that the TOE software and hardware were not tampered with during delivery by performing the following actions: Step 1 Before unpacking the TOE, inspect the physical packaging the equipment was delivered in. Verify that the external cardboard packing is printed with the Cisco Systems logo and motifs. If it is not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner). Step 2 Verify that the packaging has not obviously been opened and resealed by examining the tape that seals the package. If the package appears to have been resealed, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner). Step 3 Verify that the box has a white tamper-resistant, tamper-evident Cisco Systems bar coded label applied to the external cardboard box. If it does not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner). This label will include the Cisco product number, serial number, and other information regarding the contents of the box. Step 4 Note the serial number of the TOE on the shipping documentation. The serial number displayed on the white label affixed to the outer box will be that of the device. Verify the serial number on the shipping documentation matches the serial number on the separately mailed invoice for the equipment. If it does not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner). Step 5 Verify that the box was indeed shipped from the expected supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner). This can be done by verifying with the supplier that they shipped the box with the courier company that delivered the box and that the consignment note number for the shipment matches that used on the delivery. Also verify that the serial numbers of the items shipped match the serial numbers of the items delivered. This verification should be performed by some mechanism that was not involved in the actual equipment delivery, for example, phone/fax or other online tracking service. Step 6 Inspect the TOE according to the instructions in [2] Unpack and Inspect the Cisco Unified Computing System (Cisco UCS) C220 M3 or the Cisco UCS C210 M2. Rack Server installed with CUCM software image Release Verify that the serial number displayed on the unit itself matches the serial number on the shipping documentation and the invoice. If it does not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner). Also verify that the unit has the following external identification as described in Table 6 below. Table 6 TOE External Identification Product Name Model Number External Identification Cisco Unified Computing System (Cisco UCS) C220 M3S UCS C220 M3S Cisco Unified Computing System (Cisco UCS) C210 M2 UCS C210 M2 Page 12 of 35

13 Step 7 As noted above, Cisco Unified Communications Manager servers get preinstalled with software. To verify the software version and to register the license, from a PC in your network that has been installed with one of the supported browsers, browse into a server that is running Cisco Unified Communications Manager Administration and log in with administrative privileges. Follow the instructions in [3] Administration Overview -> Getting Started -> Sign In Step 8 To verify the software version CUCM 11.0 Follow the instructions in [3] Manage the System -> Monitor System Status -> View Installed Software. See Table 7 below for the details that must be checked to ensure the software has not been modified in anyway. Table 7 Evaluated Software Images Software Version Image Name Hash Unified Communications Manager Version 11.0 UCSInstall_UCOS_ sgn.iso File size MB ( bytes) MD5 Checksum: 0fea04be800597d7e414984afed5ae26 SHA512 Checksum: 27f41b24ee75a91a59a18ea857feca48... Page 13 of 35

14 3 Secure Installation and Configuration Physical Installation Follow the instructions in [2] Preparing for Server Installation following with Installing the Server In a Rack and Initial Setup. There are network requirements that must be met before deploying CUCM. Initial Setup of CUCM Follow the instructions in Configure Initial Parameters for the System in [5] for the initial setup configurations. There are network requirements that must be met before deploying CUCM such as IP addressing, DNS requirements, software and supported browsers and their associated certificates. During the initial startup of the Cisco Unified Communications Manager you will be required to reset the Administrator default setting. Refer to the password requirements listed below in Section Administrator Configuration, Credentials and Session Termination. The Initial configuration setup the licensing requirements, the server name and ports, systemwide parameters that are required when you setup a node for the first time and the core settings for server groups, time zone information and regions.. The Post-Installation Tasks for Cisco Unified Communications Manager in [10] will guide you through activating services and installing the license. After the initial setup and activating licenses and services are completed, the remainder of this guide will guide you through setting up enterprise parameters for end users, endpoint devices and call administration control [5]. The default method to administer is CUCM is securely connecting to the CUCM GUI interface using TLS. If local administration is required via directly connected to the UCS appliance, refer to Administration in [12] using vsphere client. Enabling FIPS Mode The TOE must be run in the FIPS mode of operation. Refer to [6] Security for SRST References, Trunks, and Gateways -> FIPS Mode Setup for the configuration settings. The self-tests for the cryptographic functions in the TOE are run automatically during power-on as part of the POST. The same POST self-tests for the cryptographic operations are also run periodically during operational state. If any of the self-tests fail, the TOE transitions into an error state. In the error state, all secure management and data transmission that is affected by the failure is halted and the TOE outputs status information indicating the failure. In an error state the Administrator may be able to log in to troubleshoot the issue. During the POST, all ports are blocked from moving to forwarding state. If all components of all modules pass the POST, the system is placed in FIPS PASS state and ports are allowed to forward management and data traffic. If the POST fails the TOE will continuously reboot in attempts to correct the failure. During this state no one can login, no traffic is passed, the TOE is not operational. If the problem is not corrected by the reboot, Cisco Technical Support provides 24-hour-a-day award-winning technical assistance. The Cisco Technical Support & Page 14 of 35

15 Documentation website on Cisco.com features extensive online support resources. In addition, if you have a valid Cisco service contract, Cisco Technical Assistance Center (TAC) engineers provide telephone support. Contact Cisco TAC as described in 9.2 Obtaining Technical Assistance. In this 11.0 release of CUCM, the TOE provides support to monitor the Entropy Monitoring Daemon. This feature does not require any configuration, though it can be turned off by using the CLI. In the evaluated configuration, this service should not be turned off [6] Default Security Setup -> ECDSA Support for Common Criteria for Certified Solutions -> Entropy. Certificates The CUCM supports self-signed and third party signed certificates. The certificates are used to securely authenticate devices, encrypt data and to hash data to ensure its integrity. The most important part of certificates is that you know and define how your data is encrypted and shared with entities such as the intended website, phone, or FTP server. When your system trusts a certificate, this means that there is a preinstalled certificate on your system which states it is fully confident that it shares information with the correct destination. Otherwise, it terminates the communication between these points. In order to trust a certificate, trust must already be established with a third-party certificate authority (CA). Your devices must know that they can trust both the CA and intermediate certificates first, before they can trust the server certificate presented by the exchange of messages called the secure sockets layer (SSL) handshake. Refer to Manage Certificates in [3] and Security Overview -> Certificates and Security Overview -> Certificate Setup in [6]. The CUCM also supports EDCSA certificates and in the evaluated configuration, it is required to use these certificates [10]. When you install Cisco Unified Communications Manager, the selfsigned certificate is generated. Cisco Unified Communications Manager Release 11.0 always has an ECDSA certificate and uses that certificate in its SIP interface. All SIP connections support the ECDSA ciphers and use ECDSA certificates. For third-party signed certificates or certificate chain, you will need to upload the certificate authority root certificate of the certificate authority that signed an application certificate. If a subordinate certificate authority signs an application certificate, you must upload the certificate authority root certificate of the subordinate certificate authority. You can also upload the PKCS#7 format certificate chain of all certificate authority certificates. You can upload certificate authority root certificates and application certificates by using the Upload Certificate dialog box. When you upload a certificate authority root certificate or certificate chain that contains only certificate authority certificates, choose the certificate name with the format certificate type-trust. When you upload an application certificate or certificate chain that contains an application certificate and certificate authority certificates, choose the certificate name that includes only the certificate type. To download certificates, on the Cisco Unified OS Administration page, choose Security > Certificate Management. Next, specify the search criteria and then click Find, then choose the file name of the certificate or certificate trust list (CTL) and click Download. To upload any new certificates or certificate chains that you want your system to trust, from the Cisco Unified OS Administration, choose Security > Certificate Management, click Upload Certificate/Certificate Chain, choose the certificate name from the Certificate Purpose dropdown list, then choose the file to upload by performing one of the following steps: Page 15 of 35

16 o In the Upload File text box, enter the path to the file. o Click Browse, navigate to the file, and then click Open. To upload the file to the server, click Upload File Note, certificates will also be required for each device that communicates with CUCM. Refer to [3] Manage Certificates. Administrator Configuration, Credentials and Session Termination The CUCM must be configured to use a username and password for each administrator. Once the CUCM has been setup and configured, the Administrator can create additional administrative user accounts, refer to [3] Manage Users -> Manage User Access. Also refer to Manage User Access -> Standard Roles and Access Control Groups. The security policies for administrative users include the settings for: idle timeouts (session termination) is set by default to 30 minutes password criteria o by default, is set to a minimum of six (6) characters. In the evaluated configuration the password must be set to a minimum of at least 15 characters o password complexity include the following settings: password must be a combination of upper and lower case letters (a-z and A-Z), numbers (0-9) and the following special #, $, %, ^, &, *, (, ) pins (personal identification number) needs to be set to at least eight (8) characters The credential policies control the authentication process for resources (users) of the TOE. The defines password requirements and account lockout details such as failed login attempts, expiration periods and lockout durations for end user passwords, end user PINs, and application user passwords. Credential policies can be assigned broadly to all accounts of a specific credential type, such as all end user PINs, or they can be customized for a specific application user, or end user. Refer to [5] Configure Credential Policy. Inactivity settings must trigger termination of the administrator session. The default value for the CUCM Web Interface is 30 minutes. If the TOE detects there is no activity for 30 minutes, the CUCM Web Interface times out and the Administrator will be logged off. These settings are only configurable by using the Command Line Interface. It is recommended to accept the default time in the evaluated configuration as the CLI was not included. Logging Configuration Once the TOE becomes operational, auditing is on by default, though can be configured via the access the Audit Log Configuration window in the serviceability GUI to configure the settings for the audit logs [3] Tools and Reports -> Audit Logs -> Set up audit log. Cisco Unified Serviceability logs the following events: Activation, deactivation, start, or stop of a service. Changes in trace configurations and alarm configurations. Changes in SNMP configurations. Page 16 of 35

17 Changes in CDR management. (Cisco Unified Communications Manager only) Review of any report in the Serviceability Reports Archive. This log gets viewed on the reporter node. (Cisco Unified Communications Manager only) The Cisco Unified Real-Time Monitoring Tool can also be used to monitor system performance, operations and events on the TOE. Refer to [4]. Cisco Unified Real-Time Monitoring Tool logs the following events with an audit event alarm: Alert configuration Alert suspension configuration Set node alert status Alert addition Add alert action Clear alert Enable alert Remove alert action Remove alert By default, the logs are configured to rotate. If the AuditLogAlarmMonitor cannot write an audit event, the AuditLogAlarmMonitor logs this failure as a critical error in the syslog file. The Alert Manager reports this error as part of a SeverityMatchFound alert. The actual operation continues even if the event logging fails. All audit logs get collected, viewed, and deleted from Trace and Log Central in the Cisco Unified Real-Time Monitoring Tool. Audit logging contains the following parts: Audit logging framework - The framework comprises an API that uses an alarm library to write audit events into audit logs. An alarm catalog that is defined as GenericAlarmCatalog.xml applies for these alarms. Different system components provide their own logging. The following example displays an API that a Cisco Unified Communications Manager component can use to send an alarm: User ID: CCMAdministratorClient IP Address: Severity: 3 EventType: ServiceStatusUpdated ResourceAccessed: CCMService EventStatus: Successful Description: CallManager Service status is stopped Audit event logging - An audit event represents any event that is required to be logged. The following example displays a sample audit event: Page 17 of 35

18 CCM_TOMCAT-GENERIC-3-AuditEventGenerated: Audit Event Generated UserID:CCMAdministrator Client IP Address: Severity:3 EventType:ServiceStatusUpdated ResourceAccessed: CCMService EventStatus:Successful Description: Call Manager Service status is stopped App ID:Cisco Tomcat Cluster ID:StandAloneCluster Node ID:sa-cm1-3 For additional information refer to [3] Tools and Reports ->Audit Logs and [4] Traces and Logs Audit Trail Log Entries The following table identifies the elements of the audit record. Heading User ID Client IP Address Severity EventType Table 8 Audit Entries Definition The user that triggered the event IP address of the client device used Level of the event The type of event that was performed ResourceAccessed The resource that was accessed EventStatus Description The status of the event; successful, failed The description of the event; CallManager service status is stopped Audit trail records capture the following activities: Auditable Event Sample Audit Record Rationale All use of the user identification mechanism. 05/04/ :54:01.881, acumenadmin, , Info, UserLogging, Cisco CallManager Administration, Success, No, AdministrativeEvent, Cisco CCM Application, Successfully Logged into Cisco CCM Webpages, Cisco Tomcat,, CUCM1, 0 05/04/ :39:00.331, acumenadmin, , Info, UserLogging, CUCMAdmin, Success, No, CriticalEvent, Cisco CUCM Events will be generated for attempted identification/ authentication, and the username attempting to authenticate and source address or interface will be included in the log record. Page 18 of 35

19 Auditable Event Sample Audit Record Rationale Any use of the authentication mechanism. Administration, Successfully Logged out Cisco CCM Web Pages, Cisco Tomcat,, CUCM1, 15 05/04/ :09:56.498, acumensec, , Warning, UserLogging, Cisco CallManager Administration, Failure, No, AdministrativeEvent, Cisco CCM Application, Failed to Log into Cisco CCM Webpages, Cisco Tomcat,, CUCM1, 16 Events will be generated for attempted identification/ authentication, and the username attempting to authenticate will be included in the log record, along with the origin or source of the attempt. Management functions 05/04/ :08:59.564, acumenadmin, , Notice, UserRoleMembershipUpdate, CUCMAdmin, Success, No, AdministrativeEvent, Cisco CUCM Administration, End user acumensec added to usergroup Standard CCM End Users, Cisco Tomcat,, CUCM1, 12 The use of the security management functions is logged; modifications of the behavior of the functions in the TSF and modifications of default settings. 05/04/ :18:41.070, acumenadmin, , Notice, DeviceUpdate, CUCMAdmin, Success, No, AdministrativeEvent, Cisco CUCM Administration, New Phone added with MAC address=upcdivice, CAL mode=< None > and CAL value=< None >, Cisco Tomcat,, CUCM1, 21 05/04/ :55:44.631, acumenadmin, , Info, GeneralConfigurationUpdate, CUCMServiceability, Success, No, AdministrativeEvent, Cisco CCM Servicability, Cisco Location Bandwidth Manager Was Activated on node CUCM1, Cisco Tomcat,, CUCM1, 35 Changes to the time. Dec 17 16:22:23 ryhooper-cucm-dev Info ntpd : synchronized to , stratum 11 Changes to the time are logged. Failure to establish and/or establishment/termination of a TLS session Dec 18 02:19:53 ryhooper-cucm-dev Notice ntpd : time reset s Dec 18 02:19:53 ryhooper-cucm-dev Notice ntpd : kernel time sync status change 2001 Dec 18 02:20:56 ryhooper-cucm-dev Info ntpd : synchronized to , stratum 11 : 6: dchokshi-cucm1.cisco.com Dec :12:10 UTC : %UC_CALLMANAGER-6- EndPointRegistered: %[DeviceName=SEP001B545235C9][IPAddress= ][Protocol=SIP][DeviceType=119][Per fmonobjtype=2][description=sep001b545235c9 Attempts to establish a TLS session or the failure to establish a TLS session is logged as well as successfully established and Page 19 of 35

20 Auditable Event Sample Audit Record Rationale ][LoadID=SIP S][AssociatedDNs=2002][MACAddress=001B C9][IPAddrAttributes=0][ActiveLoadId=SIP S][ClusterID=StandAloneCluster][NodeID=dchok shi-cucm1]: Endpoint registered terminated sessions. TLS : 7: dchokshi-cucm1.cisco.com Dec :12:10 UTC : %UC_CALLMANAGER-6- DeviceDnInformation: %[DeviceName=SEP001B545235C9][DeviceType =119][StationDesc=SEP001B545235C9][StationDn =2002][ClusterID=StandAloneCluster][NodeID=dc hokshi-cucm1]: List of directory numbers (DN) associated with this device Dec 16 10:34:42 dchokshi-cucm1 local7 3 : 18: dchokshi-cucm1.cisco.com: Dec :34: UTC : %UC_CALLMANAGER-3- ServicePortOnline: %[Protocol=Secure SCCP][PortNumber=2443][ AppID=Cisco CallManager][ClusterID=StandAloneCluster][Node ID=dchokshi-cucm1]: A Cisco CallManager service port is online Failure to establish and/or establishment/termination of a HTTPS session 11:51: LogMessage UserID : appadmin ClientAddress : Severity : 3 EventType : UserLogging ResourceAccessed: Cisco CallManager Serviceability RTMT Servlet EventStatus : Success CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : Cisco CCM Application AuditDetails : Login Authentication Successful App ID: Cisco Tomcat Cluster ID: Node ID: dchokshi-cucm1 Attempts to establish a HTTPS session or the failure to establish a HTTPS session is logged as well as successfully established and terminated HTTPS sessions. 12:11: LogMessage UserID : fakeuser ClientAddress : Severity : 3 EventType : UserLogging ResourceAccessed: Cisco CallManager Serviceability RTMT Servlet EventStatus : Failure CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : Cisco CCM Application AuditDetails : Login Authentication Failed App ID: Cisco Tomcat Cluster ID: Node ID: dchokshicucm1 Session Establishment with 11:51: LogMessage UserID : appadmin ClientAddress : Severity : 3 The establishment of a Page 20 of 35

21 Auditable Event Sample Audit Record Rationale peer (TLS) EventType : UserLogging ResourceAccessed: Cisco CallManager Serviceability RTMT Servlet EventStatus : Success CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : Cisco CCM Application AuditDetails : Login Authentication Successful App ID: Cisco Tomcat Cluster ID: Node ID: dchokshi-cucm1 TLS session is logged Session Establishment with peer (SIP) Establishing session with CA 12:11: LogMessage UserID : fakeuser ClientAddress : Severity : 3 EventType : UserLogging ResourceAccessed: Cisco CallManager Serviceability RTMT Servlet EventStatus : Failure CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : Cisco CCM Application AuditDetails : Login Authentication Failed App ID: Cisco Tomcat Cluster ID: Node ID: dchokshicucm :23: AppInfo SIPTcp - wait_sdlspisignal: Outgoing SIP TCP message to on port index :23: AppInfo SIPTcp - wait_sdlreadrsp: Incoming SIP TCP message from on port index 5 with 1478 bytes: :23: AppInfo //SIP/SIPHandler/ccbId=1677/scbId=0/insertConta ctintocontainer: Outgoing Contact=[<sip:2002@ :5061;transport=tl s>] 05/04/ :55:44.644, acumenadmin, , Info, GeneralConfigurationUpdate, CUCMServiceability, Success, No, AdministrativeEvent, Cisco CCM Servicability, Self Provisioning IVR Was Activated on node CUCM1, Cisco Tomcat,, CUCM1, 43 The establishment of a SIP session is logged The connection to CA s for the purpose of certificate verification is logged. Indication that TSF selftest was completed. 05/04/ :55:44.649, acumenadmin, , Info, GeneralConfigurationUpdate, CUCMServiceability, Success, No, AdministrativeEvent, Cisco CCM Servicability, Cisco Certificate Authority Proxy Function Was Activated on node CUCM1, Cisco Tomcat,, CUCM1, 52 The status of startup operation is currently being audited as syslog entries. Examples are pasted below: During bootup, if the self-test fails, the failure is logged. Page 21 of 35

22 Auditable Event Sample Audit Record Rationale Sep 4 17:56:30 Infy-S64-cucm6 local7 2 : 7: Infy- S64-cucm6.cisco.com: Sep :26: UTC : %UC_SERVICEMANAGER-2- ServiceFailed: %[ServiceName=Cisco CallManager Admin][Reason=Service stopped abruptly][appid=cisco Service Manager][ClusterID=][NodeID=Infy-S64-cucm6]: Service terminated. Sep 4 17:56:30 Infy-S64-cucm6 local7 6 : 8: Infy- S64-cucm6.cisco.com: Sep :26: UTC : %UC_GENERIC-6-ServiceStarted: %[ServiceName=Cisco Trust Verification Service][ProcessID=25112][AppID=Cisco Service Manager][ClusterID=][NodeID=Infy-S64-cucm6]: Service started ,0,CiscoSystemInDemo, Reason : CiscoSystemInDemo AppID : Cisco License Manager ClusterID : NodeID : Infy-S64-cucm6 TimeStamp : Sat Sep 27 01:09:37 IST The alarm is generated on Sat Sep 27 01:09:37 IST 2014.,,4,1,,Infy-S64-cucm6.cisco.com,UCM ,1,AuthenticationFailed, Number of AuthenticationFailed events exceeds configured threshold during configured interval of time 1 within 3 minutes on cluster StandAloneCluster. There are 2 AuthenticationFailed events (up to 30) received during the monitoring interval From Tue Sep 30 00:31:24 IST 2014 to Tue Sep 30 00:34:24 IST 2014: TimeStamp : 9/30/14 12:31 AM LoginFrom : Interface : Cisco RTMT Reporter Servlet UserID : CUCService AppID : Cisco Tomcat ClusterID : NodeID : Infy- S64-cucm6 TimeStamp : Tue Sep 30 00:31:59 IST 2014 TimeStamp : 9/30/14 12:31 AM LoginFrom : Interface : Cisco RTMT Reporter Servlet UserID : CUCService AppID : Cisco Tomcat ClusterID : NodeID : Infy-S64-cucm6 TimeStamp : Tue Sep 30 00:31:28 IST 2014,,2,0,,,System Initiation of update 16:43: LogMessage UserID : admin ClientAddress : Severity : 6 EventType : CLICommand ResourceAccessed: GenericCLI EventStatus : Success CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : CLI Audit event is generated for the initiation of a software update. Page 22 of 35

23 Auditable Event Sample Audit Record Rationale AuditDetails : utils system upgrade status Command status= App ID: Command Line Cluster ID: Node ID: infyvoscm30-lnx Any attempts at unlocking of an interactive session. This requirement is satisfied based on CUCM does not provide the ability to 'lock' the admin s session. The sessions are terminated when the admin logsout or session is terminated due to inactivity. The admin must re-establish the session and log-on to gain access. We will reference the FIA audit logs. Audit event is generated after a user s session is locked and the admin user is required to reauthenticate. Once a remote interactive session is terminated after a Security Administratorconfigurable time interval of session inactivity. The termination of an interactive session. Initiation of the trusted channel/ path. Termination of the trusted channel/ path. Failure of the trusted channel/ path functions. 16:50: LogMessage UserID : admin ClientAddress : Severity : 6 EventType : UserLogging ResourceAccessed: CUCMAdmin EventStatus : Success CompulsoryEvent : No AuditCategory : CriticalEvent ComponentID : Cisco CUCM Administration AuditDetails : Successfully Logged out Cisco CCM Web Pages App ID: Cisco Tomcat Cluster ID: Node ID: infyvoscm28-lnx 15:46: LogMessage UserID : admin ClientAddress : Severity : 6 EventType : UserLogging ResourceAccessed: CUCMAdmin EventStatus : Success CompulsoryEvent : No AuditCategory : CriticalEvent ComponentID : Cisco CUCM Administration AuditDetails : Successfully Logged out Cisco CCM Web Pages App ID: Cisco Tomcat Cluster ID: Node ID: infyvoscm28-lnx 11:51: LogMessage UserID : appadmin ClientAddress : Severity : 3 EventType : UserLogging ResourceAccessed: Cisco CallManager Serviceability RTMT Servlet EventStatus : Success CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : Cisco CCM Application AuditDetails : Login Authentication Successful App ID: Cisco Tomcat Cluster ID: Node ID: dchokshi-cucm1 An audit event is generated by when sessions are terminated after exceeding the inactivity settings. An audit event is generated by an authorized administrator when the exit command is used. Also see the rows for TLS above. 12:11: LogMessage UserID : fakeuser ClientAddress : Severity : 3 EventType : UserLogging ResourceAccessed: Cisco CallManager Serviceability RTMT Servlet EventStatus : Failure CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : Cisco CCM Application AuditDetails : Login Authentication Failed App ID: Page 23 of 35

24 Auditable Event Sample Audit Record Rationale Node ID: dchokshi- Cisco Tomcat Cluster ID: cucm1 Audit Trail Capacities Log Partition Monitoring (LPM), which is installed automatically with the CUCM, uses configurable thresholds to monitor the disk usage of the log partition on a server. The Cisco Log Partition Monitoring Tool service starts automatically after installation of the CUCM. Every 5 minutes, Log Partition Monitoring uses the following configured thresholds to monitor the disk usage of the log partition and the spare log partition on a server: LogPartitionLowWaterMarkExceeded (% disk space): When the disk usage is above the percentage that you specify, LPM sends out an alarm message to syslog and an alert to RTMT Alert central. To save the log files and regain disk space, you can use trace and log central option in RTMT. LogPartitionHighWaterMarkExceeded (% disk space): When the disk usage is above the percentage that you specify, LPM sends an alarm message to syslog and an alert to RTMT Alert central. SparePartitionLowWaterMarkExceeded (% disk space): When the disk usage is above the percentage that you specify, LPM sends out an alarm message to syslog and an alert to RTMT Alert central. To save the log files and regain disk space, you can use trace and log central option in RTMT. SparePartitionHighWaterMarkExceeded (% disk space): When the disk usage is above the percentage that you specify, LPM sends a n alarm message to syslog and an alert to RTMT Alert central. To utilize log partition monitor, verify that the Cisco Log Partitioning Monitoring Tool service, a network service, is running on Cisco Unified Serviceability on the server or on each server in the cluster (if applicable). Warning, stopping the service causes a loss of feature functionality. When the log partition monitoring services starts at system startup, the service checks the current disk space utilization. If the percentage of disk usage is above the low water mark, but less than the high water mark, the service sends an alarm message to syslog and generates a corresponding alert in RTMT Alert central. To configure Log Partitioning Monitoring, set the alert properties for the LogPartitionLowWaterMarkExceeded and LogPartitionHighWaterMarkExceeded alerts in Alert Central. If the percentage of disk usage is above the high water mark that you configured, the system sends an alarm message to syslog, generates a corresponding alert in RTMT Alert Central, and automatically purges log files until the value reaches the low water mark. Refer to [4] Chapter 2, Log Partition Monitoring Tool. Page 24 of 35

25 You can download the audit and trace logs using the Cisco Unified Real-Time Monitoring Tool (RTMT). Before downloading the logs, there are a few configuration options that need to be setup. Also you will need to import the proper security certificates. Refer to [4] Chapter 8 Traces and Logs -> Preparation through View Trace and Log Central Options. To download the trace logs, using the Cisco Unified Real-Time Monitoring Tool (RTMT) refer to [4] Chapter 8, Traces and Logs -> Collect files through Collect Installation Logs. To download the audit logs, using the Cisco Unified Real-Time Monitoring Tool (RTMT) refer to [4] Chapter 8, Traces and Logs -> Collect audit logs through Download Audit Logs. Logging Protection If an authorized administrator wants to backup the logs to a syslog server using the Cisco Unified Real-Time Monitoring Tool (RTMT), then protection must be provided for the syslog server communications. The secure HTTPS/TLS communications protects the audit records while being archived to the storage area/syslog server. Refer to [4] Getting Started for the setup and installation instructions. In the evaluated configuration, the HTTPS connection is using the configured TLSv1.2 that is using TLS_RSA_WITH_AES_128_CBC_SHA ciphersuites. Endpoint Devices and User Association The TOE supports analog telephone adapter that acts as an interface between analog telephones and IP-based telephony networks, Cisco IP Phones and third party SIP endpoints. To configure the profiles and templates that define the services, features, and directory numbers that associate with a particular device refer to [5] Endpoint Devices Overview. o Device Profiles o A device profile defines the services, features, and directory numbers that associate with a particular device. You can configure a device profile and then you can assign the user device profile to a user, so that when the user logs in to a device, those features and services are available on that device. o SIP Profiles for End Points o A SIP profile comprises the set of SIP attributes that are associated with SIP endpoints. SIP profiles include information such as name, description, timing, retry, call pickup URI, and so on. The profiles contain some standard entries that cannot be deleted or changed. o Device Profiles and Templates o Cisco Unified Communications Manager also supports a default device profile. Cisco Unified Communications Manager uses the default device profile whenever a user logs on to a phone model for which no user device profile exists. To associate users to endpoints, first you must configure end users and application users. The end user can control devices that they are associated with, whereas applications that are identified as users can control devices, such as phones and CTI ports. Refer to [5] Associate Users with Endpoints. Page 25 of 35

26 Network Protocols and Cryptographic Settings Remote Administration Protocols The Authorized Administrates manages the TOE by connecting via a web browser. The remote administration sessions are protected by HTTPS/TLS. The evaluated configuration requires that when connecting to the TOE over HTTPS/TLS for administrative management, TLS1.2 is used with the following ciphersuites, TLS_RSA_WITH_AES_128_CBC_SHA and optionally any of the following ciphersuites: TLS_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA After the initial configuration, use the following procedures to into the server and log in to Cisco Unified Communications Manager Administration. Step 1 Start your preferred operating system browser. Step 2 In the address bar of the web browser, enter the following case-sensitive URL: CM-server-name>:{8443}/ccmadmin/showHome.do where: <Unified CM-server-name> equals the name or IP address of the server Note: You can optionally specify a port number. Step 3 A Security Alert dialog box displays. Click the appropriate button. Step 4 At the main Cisco Unified Communications Manager Administration window, enter the username and password that you specified during Cisco Unified Communications Manager installation and click Login. Note: For security purposes, Cisco Unified Communications Manager Administration logs you out after 30 minutes of inactivity, and you must log back in. If the HTTPS/TLS connection fails for an unknown reason, you can attempt to re-establish the connection and/or you will want to check the alert and trace logs for a possible cause. You may also need to use the Cisco Unified Serviceability application to start or restart services on the Cisco Unified Communications Manager nodes. Cisco Unified Serviceability is a web-based troubleshooting tool. Refer to [5] Getting Started. SIP Connections and Protocols The Assured Services SIP (AS-SIP) endpoints are SIP endpoints compliant with MLPP, DSCP, TLS/SRTP, and IPv6 requirements. AS-SIP provides for multiple endpoint interfaces on the TOE. The Third-Party AS-SIP Endpoint device type allows a third-party AS-SIP-compliant generic endpoint to be configured and used with CUCM [2]. In the evaluated configuration, the SIP connections are secured with TLS. For the SIP connections, TLS v1.2 is supported with the following ciphersuites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH _AES_256_GCM_SHA384, Page 26 of 35