Supported Security Features - Cisco 8800 Series Administration Manual

Supported Security Features

Security features protect against several threats, including threats to the identity of the phone and to data.
These features establish and maintain authenticated communication streams between the phone and the Cisco
Unified Communications Manager server, and ensure that the phone uses only digitally signed files.
Cisco Unified Communications Manager Release 8.5(1) and later includes Security by Default, which provides
the following security features for Cisco IP Phones without running the CTL client:
• Signing of the phone configuration files
• Phone configuration file encryption
• HTTPS with Tomcat and other Web services
Note: Secure signaling and media features still require you to run the CTL client and use hardware eTokens.
Implementing security in the Cisco Unified Communications Manager system prevents identity theft of the
phone and Cisco Unified Communications Manager server, prevents data tampering, and prevents call signaling
and media stream tampering.
To alleviate these threats, the Cisco IP telephony network establishes and maintains secure (encrypted)
communication streams between a phone and the server, digitally signs files before they are transferred to a
phone, and encrypts media streams and call signaling between Cisco IP Phones.
A Locally Significant Certificate (LSC) installs on phones after you perform the necessary tasks that are
associated with the Certificate Authority Proxy Function (CAPF). You can use Cisco Unified Communications
Manager Administration to configure an LSC, as described in the Cisco Unified Communications Manager
Security Guide. Alternatively, you can initiate the installation of an LSC from the Security Setup menu on
the phone. This menu also lets you update or remove an LSC.
The phones use the phone security profile, which defines whether the device is nonsecure or secure. For
information about applying the security profile to the phone, see the documentation for your particular Cisco
Unified Communications Manager release.
If you configure security-related settings in Cisco Unified Communications Manager Administration, the
phone configuration file contains sensitive information. To ensure the privacy of a configuration file, you
must configure it for encryption. For detailed information, see the documentation for your particular Cisco
Unified Communications Manager release.
The Cisco IP Phone 8800 Series complies with the Federal Information Processing Standard (FIPS). To function
correctly, FIPS mode requires a key size of 2048 bits or greater. If the certificate is not 2048 bits or greater,
the phone will not register with Cisco Unified Communications Manager and the message "Phone failed to
register. Cert key size is not FIPS compliant" displays on the phone.
If the phone has an LSC, you need to update the LSC key size to 2048 bits or greater before enabling FIPS.
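The key-size requirement above can be checked before FIPS is enabled. The following is an added example, not code from the Cisco guide: a standard-library Python check that reads the RSA modulus size out of an X.509 certificate. It assumes the LSC has been exported as PEM or DER and carries an RSA key; all function names are hypothetical, and sample_cert builds constructed certificate skeletons for testing.

```python
import ssl

FIPS_MIN_BITS = 2048  # minimum key size the guide gives for FIPS mode
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # DER OID rsaEncryption

def tlv(tag, value):  # DER-encode one element; only used to build samples
    n = len(value)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + value

def children(buf, start, end):  # -> [(tag, value_start, value_end), ...]
    out = []
    while start < end:
        tag, length, pos = buf[start], buf[start + 1], start + 2
        if length & 0x80:  # long form: low 7 bits = number of length bytes
            pos += length & 0x7F
            length = int.from_bytes(buf[start + 2:pos], "big")
        if pos + length > end:
            raise ValueError("truncated DER")
        out.append((tag, pos, pos + length))
        start = pos + length
    return out

def rsa_key_bits(der):
    """Return the RSA modulus size in bits of a DER X.509 certificate."""
    (_, s, e), = children(der, 0, len(der))           # Certificate
    tbs = children(der, s, e)[0]                       # tbsCertificate
    fields = children(der, tbs[1], tbs[2])
    fields = fields[1:] if fields[0][0] == 0xA0 else fields  # skip [0] version
    spki = children(der, fields[5][1], fields[5][2])   # follows serial..subject
    if not der[spki[0][1]:spki[0][2]].startswith(RSA_OID):
        raise ValueError("not an RSA key")
    key = children(der, spki[1][1] + 1, spki[1][2])[0]  # skip unused-bits byte
    mod = children(der, key[1], key[2])[0]              # modulus INTEGER
    return int.from_bytes(der[mod[1]:mod[2]], "big").bit_length()

def fips_ready(cert):
    """Accept PEM text or DER bytes; True if the key meets the FIPS minimum."""
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    return rsa_key_bits(der) >= FIPS_MIN_BITS

def sample_cert(bits):
    """Constructed certificate skeleton (empty names, no real signature)."""
    mod = tlv(0x02, b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big"))
    spki = tlv(0x30, tlv(0x30, RSA_OID + tlv(0x05, b"")) +
               tlv(0x03, b"\x00" + tlv(0x30, mod + tlv(0x02, b"\x01\x00\x01"))))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") +
              tlv(0x30, b"") * 4 + spki)
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

For an exported certificate, pass the PEM text or the DER bytes of the file to fips_ready; a ValueError means the certificate is truncated or does not carry an RSA key and needs to be assessed separately.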
The following table provides an overview of the security features that the phones support. For more information,
see the documentation for your particular Cisco Unified Communications Manager release.
To view the current security settings on a phone, including Security mode, Trust list, and 802.1X
Authentication, press Applications and choose Admin Settings > Security setup.
Cisco IP Phone 8800 Series Administration Guide for Cisco Unified Communications Manager
