Are you ready for PCI compliance changes June 2018?

PCI DSS Article Number 1153, released October 2012, is pretty clear about whether VoIP is in or out of scope for PCI compliance, and a lot of companies have designed the UC solutions that need to be PCI compliant around these guidelines.

However, things are changing once again. PCI DSS 3 comes into effect June 31 2018 and introduces a significant change in security requirements.

In simple terms, to be PCI DSS 3 compliant you must neither offer nor allow the use of any protocol version lower than TLS 1.2 on your network. You must therefore be able to disable TLS 1.0, TLS 1.1, SSL 3.0 and lower protocols on your network and admin portals.
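One practical way to find out what your phones, call control and admin portals actually negotiate before the deadline is to look at the hello messages in a packet capture. The following Python parser is an added example, not code from this post or from Cisco: it reads the TLS record and handshake headers of a ClientHello or ServerHello, takes the highest version a client offers or the version a server selects (honouring the supported_versions extension that TLS 1.3 uses while leaving the legacy version field at TLS 1.2), and flags anything below TLS 1.2. The build_hello helper and the messages it produces are constructed test data, not captured traffic.

```python
"""Classify TLS hello messages against the 'TLS 1.2 or higher' rule.

Added example, not from the blog post: a minimal parser for the TLS record and
handshake headers that extracts the protocol version a ClientHello offers or a
ServerHello negotiates, so legacy SSL/TLS traffic can be spotted in a capture.
"""
import struct

VERSION_NAMES = {
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}
PCI_MINIMUM = 0x0303            # TLS 1.2
HANDSHAKE = 22                  # TLS record content type
CLIENT_HELLO, SERVER_HELLO = 1, 2
EXT_SUPPORTED_VERSIONS = 43     # RFC 8446 supported_versions extension


def _supported_versions(ext_blob: bytes, hs_type: int) -> list:
    """Return versions carried in a supported_versions extension, if present."""
    versions, pos = [], 0
    while pos + 4 <= len(ext_blob):
        ext_type, ext_len = struct.unpack("!HH", ext_blob[pos:pos + 4])
        data = ext_blob[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != EXT_SUPPORTED_VERSIONS:
            continue
        if hs_type == CLIENT_HELLO:
            # client form: 1-byte list length followed by 2-byte versions
            count = data[0]
            versions = [struct.unpack("!H", data[1 + i:3 + i])[0]
                        for i in range(0, count, 2)]
        else:
            # server form: the single selected 2-byte version
            versions = [struct.unpack("!H", data[:2])[0]]
    return versions


def hello_version(record: bytes) -> dict:
    """Parse one TLS record holding a ClientHello or ServerHello.

    Returns the message type, the effective protocol version (highest offered
    for a ClientHello, selected for a ServerHello) and whether it meets the
    TLS 1.2 minimum.
    """
    content_type, _record_version, length = struct.unpack("!BHH", record[:5])
    if content_type != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + length]
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if hs_type not in (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError("not a ClientHello or ServerHello")

    legacy_version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32                        # skip Random
    pos += 1 + hello[pos]               # skip session_id
    if hs_type == CLIENT_HELLO:
        cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2 + cs_len               # skip cipher_suites
        pos += 1 + hello[pos]           # skip compression_methods
    else:
        pos += 2 + 1                    # skip cipher_suite + compression_method

    versions = []
    if pos + 2 <= len(hello):           # extensions block is optional
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        versions = _supported_versions(hello[pos + 2:pos + 2 + ext_len], hs_type)

    # With supported_versions present the legacy field is frozen at 0x0303 and
    # the extension carries the real versions; otherwise the legacy field rules.
    effective = max(versions) if versions else legacy_version
    return {
        "message": "ClientHello" if hs_type == CLIENT_HELLO else "ServerHello",
        "version": VERSION_NAMES.get(effective, hex(effective)),
        "meets_tls12_minimum": effective >= PCI_MINIMUM,
    }


def build_hello(hs_type: int, legacy_version: int, supported: tuple = ()) -> bytes:
    """Constructed sample message (not captured traffic) for exercising the parser."""
    body = struct.pack("!H", legacy_version) + bytes(32) + b"\x00"   # version, Random, empty session_id
    if hs_type == CLIENT_HELLO:
        body += b"\x00\x02\x00\x2f" + b"\x01\x00"   # one cipher suite, null compression
    else:
        body += b"\x00\x2f" + b"\x00"               # selected suite, null compression
    if supported:
        if hs_type == CLIENT_HELLO:
            data = bytes([2 * len(supported)]) + b"".join(struct.pack("!H", v) for v in supported)
        else:
            data = struct.pack("!H", supported[0])
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(handshake)) + handshake


if __name__ == "__main__":
    for sample in (build_hello(SERVER_HELLO, 0x0301),
                   build_hello(SERVER_HELLO, 0x0303, (0x0304,)),
                   build_hello(CLIENT_HELLO, 0x0300)):
        print(hello_version(sample))
```

Run it against the first handshake record in each direction of a phone-to-call-control or browser-to-admin-portal session; a ServerHello reporting TLS 1.0 or 1.1 identifies a component that is still negotiating a protocol the new requirement forbids.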

What is the risk?

SSL/TLS encrypts a channel between two endpoints (for example, between a web browser and web server) to provide privacy and reliability of data transmitted over the communications channel.  Since the release of SSL v3.0, several vulnerabilities have been identified, most recently in late 2014 when researchers published details on a security vulnerability (CVE-2014-3566) that may allow attackers to extract data from secure connections.  More commonly referred to as POODLE (Padding Oracle On Downgraded Legacy Encryption), this vulnerability is a man-in-the-middle attack where it’s possible to decrypt an encrypted message secured by SSL v3.0.

The SSL protocol (all versions) cannot be fixed; there are no known methods to remediate vulnerabilities such as POODLE.  SSL and early TLS no longer meet the security needs of entities implementing strong cryptography to protect payment data over public or untrusted communications channels.  Additionally, modern web browsers will begin prohibiting SSL connections in the very near future, preventing users of these browsers from accessing web servers that have not migrated to a more modern protocol.

Remediation

The best response is to disable SSL entirely and migrate to a more modern encryption protocol, which at the time of publication is a minimum of TLS v1.1, although entities are strongly encouraged to consider TLS v1.2.  Note that not all implementations of TLS v1.1 are considered secure – refer to NIST SP 800-52 rev 1 for guidance on secure TLS configurations.

How does this affect VoIP and IP Telephony?

The image below outlines the TLS relationships between entities in a VoIP solution. This scenario is not restricted to Cisco solutions but applies to all vendors. Phones use TLS to download their load files and configuration information. The call control uses TLS to communicate with the other control elements within the cluster, and the administrator uses TLS to create a secure channel to manage and modify the UC components.

[Image: CollabTLS (TLS relationships between VoIP entities)]

From a Cisco perspective there will be two versions of Cisco Unified Communications Manager and IM&P that support TLS 1.2 only, namely CUCM 12 and CUCM 11.5.1(su3). For pure PCI compliance, i.e. with TLS 1.1 and TLS 1.0 disabled, you must be on one of these versions.

The range of legacy phones (79XX etc) will not be TLS 1.2 compliant and will need to be upgraded to the newer 78XX and 88XX range. IP Communicator and the ISR G2 will also not be TLS 1.2 compliant.

The following table lists the software versions that will be TLS 1.2 (only) compliant and the version you should get to. Note that some products will require a software change while others will require a hardware uplift.

[Table image: TLS 1.2 compliant software versions by product]

Bear in mind that these regulations only affect scenarios where PCI compliance is required for VoIP networks.


Have you room for a Spark Kit !!!

Cisco recently announced two new additions to their in-room conferencing portfolio: the Spark Room Kit, covered first here, and the Spark Room Kit Plus. These systems are designed for scenarios where you are retrofitting an existing room that already has a screen installed.


Common features across both platforms include 4K UHD presentation support and H.265 on the main video channel. These systems are optimised for LG 4K screens but will work perfectly on all others.

Room Kits can be configured to work with on-prem CUCM deployments or Cisco Spark (not both simultaneously), VCS, third-party call control, or as a standalone unit. H.323 is also supported.

On-prem deployments need Cisco Unified Communication Manager ver 9.1(2) or later with a device pack loaded.

The Spark Room Kit is optimised for 7 people in a room up to 6 meters long, and the Room Kit Plus for a slightly larger room with 14 people, up to 9 meters.

Both Room Kit and Room Kit Plus use speaker tracking technology, which includes Best Overview and tracking of the active speaker. The same features exist in SpeakerTrack for the SX80 and MX700/800, but the key difference is that the Room Kit cameras have no moving parts: all pan/tilt/zoom is digital and, as a result, tracking is much faster and more accurate.

The kits come with a Touch 10 unit and both support WiFi. The small remote control is not supported on Room Kits. The Room Kit uses one power supply plus one PoE injector; the Room Kit Plus uses two power supplies, one for the Quad Camera unit and one for the codec, and does not include a PoE injector.


The Spark Room Kit has a single camera with an 83 degree horizontal field of view, the same HFOV as the SX10 and one of the widest in the industry. In practical terms, this means the farthest participant from the camera should be 5 meters or less. Digital zoom is a maximum of 3X.

The Spark Room Kit Plus has four cameras. One, with an 83 degree horizontal field of view, is an overview camera and is the same camera as on the Room Kit. The Plus includes three additional cameras which deliver speaker tracking; people seated as far away as 10 meters will be tracked. Digital zoom is effectively about 6X, and each camera can zoom 2.63X.

The Room Kit and Room Kit Plus implement people count through an exposed API. This is currently on-prem only and needs CE9.1 software loaded.

Integrating Cisco Spark with workflows

Cisco Spark has been designed from the outset with business flow and process integration in mind. It was quickly realised that a standalone business messaging tool would have zero value if it couldn’t be directly integrated with a business flow.

The term business flow refers to the sequence of steps carried out to complete a defined task. For example, an inbound order will trigger a stock check, then a stock pick, then an invoice, and then invoke logistics for delivery. If an issue develops at any stage in the business flow it can impact customer satisfaction and in turn affect sales.

Embedding a collaboration “umbrella” into the flow will greatly increase the speed of resolution at any point within the flow. If there is no stock to fulfil the order, a messaging session between stock management, purchasing and logistics could quickly identify and resolve the issue, as the appropriate people are working the issue together.

Cisco Spark has three levels of integration into business flows, in increasing order of complexity. The basic and easiest level to implement is through application integrations and bots. The second is to leverage one of the many API broker services on the market today. The third is to directly embed the extensive array of Cisco Spark APIs into your application.

The first integration level can be done by pretty much anybody who is mildly IT capable. Step 1 is to visit http://depot.ciscospark.com. Using your Spark account you can directly integrate any of the included applications into a Spark space. You can also add existing Spark bots into any of your Spark spaces. From here you can also begin the development of your own bot.

Examples of API integration or broker services are built.io, zapier.io, API.io, APIANT.com and IFTTT, to name but a few. All of these integrators allow any application that communicates through an API to integrate with Cisco Spark.

The third level, and perhaps the most complex, is to directly embed the Cisco Spark API calls within your application. A full description of the APIs is provided here: http://developer.ciscospark.com. The documentation is very easy to follow and quite comprehensive.
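Whether you build your own bot (the first level above) or embed the Spark APIs directly (the third), your code ends up receiving webhook deliveries from Spark when something happens in a space, and the first thing it should do is check that the delivery really came from Spark. The following Python is an added example, not code from this post or from Cisco. It assumes the scheme Cisco documents for Spark webhooks: a webhook created with a secret has each delivery signed with a hex HMAC-SHA1 of the raw request body under that secret, carried in the X-Spark-Signature header. The JSON payload shape (resource, event and a data object with message and room ids) and all identifiers and secrets below are constructed sample values.

```python
"""Verify a Cisco Spark webhook delivery before a bot acts on it.

Added example, not code from the blog post or from Cisco. Assumed from the
Spark webhook documentation: a delivery carries the hex HMAC-SHA1 of the raw
request body, keyed with the webhook secret, in the X-Spark-Signature header.
"""
import hashlib
import hmac
import json

SIGNATURE_HEADER = "X-Spark-Signature"   # assumed header name (see docstring)


def sign_body(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA1 over the raw body, as the sender is assumed to compute it."""
    return hmac.new(secret, body, hashlib.sha1).hexdigest()


def verify_delivery(secret: bytes, body: bytes, headers: dict) -> bool:
    """Return True only when the signature header matches the raw body.

    The body is hashed exactly as received (before any JSON parsing) and the
    comparison is constant-time, so a forged or tampered delivery is rejected
    without leaking how close the presented value was.
    """
    lowered = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    presented = lowered.get(SIGNATURE_HEADER.lower())
    if not presented:
        return False
    return hmac.compare_digest(presented.lower(), sign_body(secret, body))


def handle_webhook(secret: bytes, body: bytes, headers: dict) -> dict:
    """Parse a verified delivery and return the fields a bot needs next.

    A messages/created delivery carries identifiers only, not the message
    text; the bot must fetch the message by id over the API with its own
    token, which doubles as a second check that the event is genuine.
    """
    if not verify_delivery(secret, body, headers):
        raise PermissionError("webhook signature missing or invalid")
    event = json.loads(body)
    return {
        "resource": event["resource"],
        "event": event["event"],
        "message_id": event["data"]["id"],
        "room_id": event["data"]["roomId"],
        "sender": event["data"]["personEmail"],
    }


# Constructed sample delivery (not a real Spark event, id or secret).
SAMPLE_SECRET = b"example-webhook-secret"
SAMPLE_BODY = json.dumps({
    "id": "example-webhook-id",
    "name": "stock-check bot",
    "resource": "messages",
    "event": "created",
    "data": {
        "id": "example-message-id",
        "roomId": "example-room-id",
        "personEmail": "buyer@example.com",
    },
}).encode()
SAMPLE_HEADERS = {SIGNATURE_HEADER: sign_body(SAMPLE_SECRET, SAMPLE_BODY)}

if __name__ == "__main__":
    print(handle_webhook(SAMPLE_SECRET, SAMPLE_BODY, SAMPLE_HEADERS))
```

In a real bot, the body passed to verify_delivery must be the exact bytes read from the request, not a re-serialised copy of the parsed JSON, since any re-encoding difference changes the HMAC and rejects a genuine delivery.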

Getting to grips with Cisco Spark

In December 2015 Cisco announced its intention to launch a new collaboration tool. This new tool was to be aimed at the enterprise messaging space, in which Cisco does not typically play. Cisco had previously launched Webex Social and Quad with limited success.

The messaging product range today can broadly be divided into two categories: instant messaging and enterprise messaging. The two categories offer quite different user experiences and features.

Classic IM&P tools available today include Lync, WhatsApp, Jabber, Audium etc. These tools include access to contacts and content sharing as well as presence. They are designed for synchronous communication.

Enterprise messaging tools include classic email and a range of new tools such as Slack, Hangouts, 8×8 etc. These are targeted at workgroups, teams and the management of business flows and projects. Within these tools content can be stored, recalled and shared.

Cisco Spark fits comfortably as an enterprise messaging application. Spark, however, has two additional capabilities which make it particularly useful for modern enterprises. The first is that Spark encrypts all content in the local application, in flight and in the data centre. The second is its API capabilities.

Spark is 100% cloud centric. Spark apps are available on Google Play and the App Store, and there is also a web interface at https://web.ciscospark.com.

As Spark uses an encrypted outbound connection, some enterprises may need to open ports. Network connectivity can be verified using the following tool: https://mediatest.ciscospark.com. This tool becomes more relevant when you consider the UC capabilities available within Spark; these include both Spark Calling and Spark Hybrid services, to be covered in another post.


Cisco Spark comes with two subscription models. The first is free which includes the ability to create unlimited rooms, 1:1 messaging, file sharing, and the ability to create a three party call using Spark calling.

There are subscription plans available that cover Message, and Message and Meet. The key differences between the free and subscription versions are administrator portal access and room moderation.

To get started using Spark, download the app here: https://www.ciscospark.com/index.html

Deploying Cisco UC in a VDI environment

More and more customers are looking at deploying hosted virtual desktops as a way to manage security and the escalating costs of standard thick desktops. Running UC in a virtual environment causes challenges in several ways.

Firstly, if the UC client is running in softphone mode on the HVD (Hosted Virtual Desktop), the media will pass between the two HVDs and then down to each local client, embedded in the display protocol. This is what is termed the hairpin problem, shown below.

[Diagram: the hairpin problem]

Some desktop virtualisation vendors have looked at the problem from the perspective of the display protocol and given priority to rich media traffic. This goes some way to solving the issue but does not always succeed, as it tends to ignore video.

Cisco has a solution which allows users with a Citrix or VMware HVD infrastructure to run Cisco Collaboration clients such as Jabber in softphone mode on a local thin client. The thin client can run SUSE Linux, Windows Embedded or Unicon eLux, with more client variants to follow.

When implemented as part of Cisco Virtualization Experience Infrastructure (VXI), you can provide a superior virtual workspace experience that is collaborative, mobile, and highly secure for all users. The solution works with Citrix XenDesktop, Citrix XenApp for published desktops and VMware View. It delivers high-definition audio and video using local media processing, as the media does not traverse the HVD but is passed directly between the two thin clients. Because the media is passed between the clients outside of the display protocol, we can give it improved quality of service (QoS) using QoS marking for voice, video, and data traffic.

The implementation requires three software components:

  • A VXME agent running on the HVD in the data centre
  • A VXME client running on the local thin client
  • Cisco Jabber 10.0 or greater. The versions of VXME agent and client must match the version of Jabber deployed.

Local audio and video can be delivered through USB attached devices such as Logitech or Plantronics devices. Jabber includes the required drivers.

VXME can also run in CTI Deskphone mode allowing Jabber to control a deskphone.

From a licensing perspective, VXME is regarded as an endpoint on Communications Manager. Therefore the minimum license required to enable VXME is a UCL Enhanced license. If the user has VXME running Jabber softphone as well as a deskphone, the license required is a UCL Enhanced Plus.

There is no charge from Cisco for the VXME agent and VXME client software.

New Additions to the 88xx range

There have been two new additions to the Cisco 8800 range in the last few months, namely the 8845 and 8865. Both devices have the same form factor as the existing 8800 series phones, and both support HD video.

The key product features are as follows:

  • Fully featured 720P video solution for daily use
  • USB charging ports
  • High end wideband audio experience 
  • Bluetooth support on 8845 and 8865
  • WiFi support on 8865
  • Full colour WVGA display with an enhanced user experience
  • Gigabit Ethernet switch

A side USB expansion connector allows for additional peripherals such as the Key Expansion Module.

Cisco 8845 and 8865 Camera Resolution and Bit Rate 

720p @ 15fps requires 790 kbps or higher; 720p @ 30fps requires 1360 kbps or higher.

The price point for both falls into the older 8900 range bracket.

Additional information is available here: http://www.cisco.com/c/en/us/products/collaboration-endpoints/ip-phone-8865/index.html#

Cisco 78XX Phone range Battlecard

Cisco’s recent rationalisation of the IP Phone models has seen the introduction of two new ranges into the portfolio. The first is the 88XX range, which will be covered in another post, and the second is the 78XX range. When looking at phone ranges and models it can be difficult to separate the models based on features and capabilities. This may help.

Below is a simple diagram outlining the main difference between the units.

[Diagram: main differences between the 78XX models]


SX10 retrofit those older VC rooms

Cisco recently announced the SX10, a small and neat unit that sits on top of an existing 1080p-capable TV or monitor and is a full UC endpoint. The device registers directly to Cisco Unified Communications Manager (not VCS) and, as it is a Communications Manager endpoint, it requires a TelePresence Endpoint License.


The unit ships with both a standard VESA bracket for easy attachment to an existing flatscreen and a small wall bracket for when a VESA mount is not possible. Of key importance are the power requirements. The unit runs from a PoE-enabled switch and in standby mode will consume 5W; in normal operation it will draw 12W. A power supply unit is also supplied in case PoE is not available. The unit’s optics have a field of view of 83º, which makes it ideal for small to medium rooms.

Installation is simple and only requires an HDMI cable to connect the monitor or screen and an Ethernet cable for network access.


The unit supports Intelligent Proximity and, while it only ships with a small remote control, it can be used with a newer Touch 10 tablet or an app on an iPhone or Android device. This is an inexpensive option where a replacement of ageing VC kit is under consideration and cost is a concern.

Additional information on the SX10 can be found here: http://www.cisco.com/c/en/us/support/collaboration-endpoints/telepresence-sx10-quick-set/model.html

Cisco 88XX phone range battlecard

Cisco’s recent rationalisation of the IP Phone models has seen the introduction of two new ranges into the portfolio. The first is the 78XX range, which will be covered in another post, and the second is the 88XX range. When looking at phone ranges and models it can be difficult to separate the models based on features and capabilities. This may help.

Below is a simple diagram outlining the main difference between the units.

[Diagram: main differences between the 88XX models]


Firstly, all units have 4 lines, unlike the 78XX range. These phones are therefore more suited to the knowledge worker who will have Jabber and perhaps an iPhone or tablet. All units are GigE. The 8851 and 8861 support Intelligent Proximity (covered in Steve Metcalfe’s blog here), Bluetooth, the ability to add a Key Expansion Module, and a powered USB port.

The powered USB outlet on the 8851 enhances the usability of call handling by enabling wired or wireless headsets, and provides up to 500 mA power output at 5V (2.5W) for smartphone charging. The 8861 also has this USB port, and supports a second powered USB port at the back. The back USB port (in yellow) provides 500 mA power output and is upgradeable to support up to 2.1 A power output at 5V (10.5W).

The 8861 is the only model in the range that supports IEEE 802.11a, 802.11b, 802.11g, 802.11n, and 802.11ac WiFi.