Understanding Security Features for Cisco IP Phones
Cisco IP Phone Administration Guide for Cisco CallManager, Cisco IP Phone 7961G/7961G-GE and 7941G/7941G-GE
• Secure SRST reference—After you configure an SRST reference for security and then reset the dependent devices in Cisco CallManager Administration, the TFTP server adds the SRST certificate to the phone cnf.xml file and sends the file to the phone. A secure phone then uses a TLS connection to interact with the SRST-enabled router.
• Media encryption—Uses SRTP to ensure that the audio media streams between supported devices prove secure and that only the intended device receives and reads the data. Includes creating a media master key pair for the devices, delivering the keys to the devices, and securing the delivery of the keys while the keys are in transport.
• Signaling encryption—Ensures that all SCCP signaling messages that are sent between the device and the Cisco CallManager server are encrypted.
• CAPF (Certificate Authority Proxy Function)—Implements parts of the certificate generation procedure that are too processing-intensive for the phone, and it interacts with the phone for key generation and certificate installation. The CAPF can be configured to request certificates from customer-specified certificate authorities on behalf of the phone, or it can be configured to generate certificates locally.
• Optional disabling of the web server functionality for a phone—You can prevent access to a phone's web page, which displays a variety of operational statistics for the phone.
• Phone hardening—Additional security options, which you control from Cisco CallManager Administration:
  – Disabling PC port
  – Disabling Gratuitous ARP
  – Disabling PC Voice VLAN access
  – Disabling access to the Setting menus, or providing restricted access that allows access to the User Preferences menu and saving volume changes only
  – Disabling access to web pages for a phone
Note
You can view current settings for the PC Port Disabled, GARP Enabled, and Voice VLAN enabled options by looking at the phone's Device Security Configuration menu. For more information, see the "Device Configuration Menu" section on page 4-15.

Chapter 1
An Overview of the Cisco IP Phone
OL-6966-01
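The three options named in the note use mixed polarity (one is phrased "Disabled", two "Enabled"), which is easy to misread when checking many phones. The following is an added example, not part of the Cisco guide: it audits a constructed inventory of menu readings against a hardening baseline. The device names, the CSV layout, the `allow` exception column, the Yes/No values, and the baseline itself (all three hardening options applied) are assumptions.

```python
import csv
import io

# Assumed baseline, written in the same polarity as the phone menu:
# one option is phrased "Disabled", the other two "Enabled".
BASELINE = {
    "PC Port Disabled": "Yes",
    "GARP Enabled": "No",
    "Voice VLAN enabled": "No",
}

# Constructed sample inventory (hypothetical devices, columns and values).
SAMPLE_CSV = """\
device,PC Port Disabled,GARP Enabled,Voice VLAN enabled,allow
SEP-LOBBY-01,Yes,No,No,
SEP-DESK-17,No,No,No,PC Port Disabled
SEP-DESK-22,No,Yes,No,
SEP-CONF-03,Yes,,No,
"""


def audit(csv_text, baseline=BASELINE):
    """Return {device: [findings]} for phones that deviate from the baseline."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Per-phone documented exceptions, e.g. a desk phone with a PC attached.
        allowed = {a.strip() for a in (row.get("allow") or "").split(";") if a.strip()}
        findings = []
        for option, wanted in baseline.items():
            seen = (row.get(option) or "").strip().capitalize()
            if seen not in ("Yes", "No"):
                # Fail closed: a value nobody recorded is a finding, not a pass.
                findings.append(f"{option}: not recorded")
            elif seen != wanted and option not in allowed:
                findings.append(f"{option}: {seen} (baseline {wanted})")
        if findings:
            report[row["device"]] = findings
    return report


if __name__ == "__main__":
    for device, findings in audit(SAMPLE_CSV).items():
        print(device, "->", "; ".join(findings))
```
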