Cisco 8832 Administration Manual page 79

Cisco IP Conference Phone Administration
Cisco Unified Communications Manager Release 8.5(1) and later includes Security by Default, which provides
the following security features for Cisco IP Phones without running the CTL client:
• Signing of the phone configuration files
• Phone configuration file encryption
• HTTPS with Tomcat and other Web services
Note
Secure signaling and media features still require you to run the CTL client and use hardware eTokens.
Implementing security in the Cisco Unified Communications Manager system prevents identity theft of the
phone and Cisco Unified Communications Manager server, prevents data tampering, and prevents call signaling
and media stream tampering.
To alleviate these threats, the Cisco IP telephony network establishes and maintains secure (encrypted)
communication streams between a phone and the server, digitally signs files before they are transferred to a
phone, and encrypts media streams and call signaling between Cisco IP Phones.
A Locally Significant Certificate (LSC) installs on phones after you perform the necessary tasks that are
associated with the Certificate Authority Proxy Function (CAPF). You can use Cisco Unified Communications
Manager Administration to configure an LSC, as described in the Cisco Unified Communications Manager
Security Guide. Alternatively, you can initiate the installation of an LSC from the Security Setup menu on
the phone. This menu also lets you update or remove an LSC.
A LSC cannot be used as the user certificate for EAP-TLS with WLAN authentication.
The phones use the phone security profile, which defines whether the device is nonsecure or secure. For
information about applying the security profile to the phone, see the documentation for your particular Cisco
Unified Communications Manager release.
If you configure security-related settings in Cisco Unified Communications Manager Administration, the
phone configuration file contains sensitive information. To ensure the privacy of a configuration file, you
must configure it for encryption. For detailed information, see the documentation for your particular Cisco
Unified Communications Manager release.
Implementing security in the Cisco Unified Communications Manager system prevents identity theft of the
phone and Cisco Unified Communications Manager server, prevents data tampering, and prevents call signaling
and media stream tampering.
The following table provides an overview of the security features that the Cisco IP Conference Phone 8832
supports. For more information about these features, Cisco Unified Communications Manager, and Cisco IP
Phone security, see the documentation for your particular Cisco Unified Communications Manager release.
Table 10: Overview of Security Features
Feature
Image authentication
Cisco IP Conference Phone 8832 Administration Guide for Cisco Unified Communications Manager
Supported Security Features
Description
Signed binary files (with the extension .sbn) prevent
tampering with the firmware image before it is loaded
on a phone. Tampering with the image causes a phone
to fail the authentication process and reject the new
image.
69