Cisco CallManager Security Guide, Release 4.1(2)
Configuring the Phones for Security

This chapter contains information on the following topics:

Phone Configuration Overview for Security

Installing, Upgrading, Deleting, or Troubleshooting Locally Significant Certificates in Phones

Configuring the Device Security Mode

Configuring the Security Device System Default for Supported Phone Models

Configuring the Device Security Mode for a Single Device

Using the Cisco Bulk Administration Tool to Configure the Device Security Mode

Device Security Mode Configuration Settings

Finding Phones for Authentication, Encryption, and LSC Status

Phone Hardening

Disabling the Gratuitous ARP Setting

Disabling Web Access Setting

Disabling the PC Voice VLAN Access Setting

Disabling the Setting Access Setting

Disabling the PC Port Setting

Performing Phone Hardening Tasks

Phone Configuration Overview for Security

This section provides an overview of the tasks that you perform to configure security for supported phones:

Installing or upgrading locally significant certificates (LSC) on supported phones; deleting or troubleshooting the certificates

Configuring supported phones for authentication or encryption through the Device Security Mode

Disabling phone settings in Cisco CallManager Administration to harden the phone

Related Topics

Installing, Upgrading, Deleting, or Troubleshooting Locally Significant Certificates in Phones

Configuring the Device Security Mode

Device Security Mode Configuration Settings

Finding Phones for Authentication, Encryption, and LSC Status

Phone Hardening

Performing Phone Hardening Tasks

Installing, Upgrading, Deleting, or Troubleshooting Locally Significant Certificates in Phones

To install, upgrade, delete, or troubleshoot locally significant certificates in phones, you must configure the CAPF settings in the Phone Configuration window of Cisco CallManager Administration. For information on how to configure CAPF settings, see the "Using the Certificate Authority Proxy Function" section.

Related Topics

CAPF Configuration Checklist

CAPF System Interactions and Requirements

Configuring the Device Security Mode

Finding Phones for Authentication, Encryption, and LSC Status

Phone Hardening

Performing Phone Hardening Tasks

Troubleshooting

Configuring the Device Security Mode

To configure the devices for authentication or encryption, perform one of the following tasks:

Configure the default device security mode for supported phone models.

Configure the device security mode for a single device in the Phone Configuration window of Cisco CallManager Administration.

Configure the device security mode for a supported phone model by using the Cisco Bulk Administration Tool.


Tip Before you configure the device security mode, the phone must contain a locally significant certificate (LSC) or a manufacture-installed certificate (MIC).


For information on the device security mode configuration settings, see the "Device Security Mode Configuration Settings" section.

Related Topics

System Requirements

Interactions and Restrictions

Activating the Cisco CTL Provider Service

Configuring the Cisco CTL Client

Updating the CTL File

Configuring the Device Security Mode

Using the Certificate Authority Proxy Function

Troubleshooting

Configuring the Security Device System Default for Supported Phone Models


Note This procedure requires that you reset the devices and restart the Cisco CallManager service for the changes to take effect.


In Cisco CallManager Administration, the security device system default for all phone types is Non-Secure. To set the security device system default to Authenticated or Encrypted, perform the following procedure:

Procedure


Step 1 From Cisco CallManager Administration, choose System > Enterprise Parameters.

Step 2 In the Security Parameters section, locate Device Security Mode.

Step 3 From the drop-down list box, choose Authenticated or Encrypted. For more information, see Table 5-1.

Step 4 At the top of the Enterprise Parameters window, click Update.

Step 5 Reset all devices in the cluster; see "Resetting Devices, Restarting Services, or Rebooting the Server/Cluster" section.

Step 6 Restart the Cisco CallManager service for the changes to take effect.


Related Topics

System Requirements

Interactions and Restrictions

Configuring the Device Security Mode

Using the Certificate Authority Proxy Function

Configuring the Device Security Mode for a Single Device

To configure the device security mode for a single device, perform the following procedure. This procedure assumes that you added the device to the database and, if the phone did not already have one, installed a certificate in the phone.

Configuring the Device Security Mode in the Phone Configuration window of Cisco CallManager Administration triggers a rebuild of the device configuration .xml file. After you configure the device security mode for the first time, or whenever you change it, you must reset the device so that the phone requests the new configuration file.

Procedure


Step 1 In Cisco CallManager Administration, choose Device > Phone.

Step 2 Specify the criteria to find the phone and click Find, or click Find without any criteria to display a list of all phones.

If you have not added the phone to the database, the phone does not display in the list. For information on adding a phone, refer to the Cisco CallManager Administration Guide.

Step 3 To open the Phone Configuration window for the device, click the device name.

Step 4 Locate the Device Security Mode drop-down list box.

If the phone type does not support security, this option does not display. You cannot configure authentication or encryption for the phone type.

Step 5 From the Device Security Mode drop-down list box, choose the option that you want to configure. See Table 5-1 for information on the options.

The Device Security Mode drop-down list box only displays if the phone supports authentication or encryption. For example, if the phone does not support encryption, the encryption option does not display in the drop-down list box.

Step 6 Click Update.

Step 7 Click Reset Phone.


Caution When you reset the phone, the system drops all calls that are occurring through a gateway.


Related Topics

System Requirements

Interactions and Restrictions

Configuring the Device Security Mode

Using the Certificate Authority Proxy Function

Using the Cisco Bulk Administration Tool to Configure the Device Security Mode

You can use the Cisco Bulk Administration Tool that supports Cisco CallManager 4.1(2) to configure the device security mode for specific phone models that support encryption or authentication. For more information on how to perform this task, refer to the Bulk Administration Tool User Guide that supports this version of Cisco CallManager.

Related Topics

System Requirements

Interactions and Restrictions

Configuring the Device Security Mode

Using the Certificate Authority Proxy Function

Bulk Administration Tool User Guide

Device Security Mode Configuration Settings

The options in Table 5-1 exist for the device security mode.

Table 5-1 Device Security Modes

Option: Use System Default
Description: The phone uses the value that you specified for the enterprise parameter, Device Security Mode.

Option: Non-secure
Description: No security features except image authentication exist for the phone. A TCP connection opens to Cisco CallManager.

Option: Authenticated
Description: Cisco CallManager provides integrity and authentication for the phone. A TLS connection that uses the NULL/SHA cipher suite opens (the signaling is integrity-protected but not encrypted).

Option: Encrypted
Description: Cisco CallManager provides integrity, authentication, and encryption for the phone. A TLS connection that uses AES128/SHA opens.


Related Topics

System Requirements

Interactions and Restrictions

Configuring the Device Security Mode

Using the Certificate Authority Proxy Function

Bulk Administration Tool User Guide

Finding Phones for Authentication, Encryption, and LSC Status

To find a phone that is associated with the security features, you can choose one of the following criteria in the Phone Find/List window in Cisco CallManager Administration:

Device Security Mode—Choosing this option returns a list of phones that support authentication or encryption. If you choose this option, you can also specify whether the device is Authenticated or Encrypted. After you click the Find button, the phone model, Device Security Mode, Device Name, Description, Directory Number, Owner User ID, and so on may display (if configured).

LSC Status—Choosing this option returns a list of phones that use CAPF to install, upgrade, delete, or troubleshoot locally significant certificates. If you choose this option, you can also specify the Certification Operation that is currently performed by CAPF; for example, Operation Pending, Success, Upgrade Failed, Delete Failed, or Troubleshoot Failed. After you click the Find button, the phone model, the LSC Status, Device Name, Description, Directory Number, and the Owner User ID display (if configured).

For information on how to find and list phones, refer to the Cisco CallManager Administration Guide.


Tip From the Phone Find/List window in Cisco CallManager Administration, you can also delete and reset devices.


Related Topics

Cisco CallManager Administration Guide

Using the Certificate Authority Proxy Function

Phone Hardening

To tighten security on the phone, you can perform tasks in the Phone Configuration window of Cisco CallManager Administration. This section contains information on the following topics:

Disabling the Gratuitous ARP Setting

Disabling Web Access Setting

Disabling the PC Voice VLAN Access Setting

Disabling the Setting Access Setting

Disabling the PC Port Setting

Disabling the Gratuitous ARP Setting

By default, Cisco IP Phones accept Gratuitous ARP (GARP) packets. Devices send GARPs to announce their presence on the network. However, attackers can use these packets to spoof a valid network device; for example, an attacker could send out a GARP that claims to be the default router. You can disable Gratuitous ARP in the Phone Configuration window of Cisco CallManager Administration.


Note Disabling GARP does not prevent the phone from identifying its default router.


Disabling Web Access Setting

Disabling the web server functionality for the phone blocks access to the phone's internal web pages, which provide statistics and configuration information. Features such as the Cisco Quality Report Tool do not function properly without access to the phone web pages. Disabling the web server also affects any serviceability application, such as CiscoWorks, that relies on web access.

To determine whether the web services are disabled, the phone parses a parameter in its configuration file that indicates whether the services are disabled or enabled. If the web services are disabled, the phone does not open HTTP port 80 for monitoring purposes and blocks access to the phone's internal web pages.

Disabling the PC Voice VLAN Access Setting

By default, Cisco IP Phones forward all packets that are received on the switch port (the one that faces the upstream switch) to the PC port. If you disable the PC Voice VLAN Access setting in the Phone Configuration window of Cisco CallManager Administration, packets received from the PC port that use voice VLAN functionality are dropped. Cisco IP Phone models implement this setting differently:

Cisco IP Phone models 7940 and 7960 drop any packets tagged with the voice VLAN, in or out of the PC port.

Cisco IP Phone model 7970 drops any packet that contains an 802.1Q tag on any VLAN, in or out of the PC port.

Cisco IP Phone model 7912 cannot perform this functionality.

Disabling the Setting Access Setting

By default, pressing the Settings button on a Cisco IP Phone provides access to a variety of information, including phone configuration information. Disabling the Setting Access setting in the Phone Configuration window of Cisco CallManager Administration prohibits access to all options that normally display when you press the Settings button on the phone; for example, the Contrast, Ring Type, Network Configuration, Model Information, and Status settings.

If you disable this setting, these options do not display on the phone, and the phone user cannot save the settings that are associated with the Volume button; for example, the user cannot save a changed volume level.

Disabling this setting automatically saves the current Contrast, Ring Type, Network Configuration, Model Information, Status, and Volume settings that exist on the phone. To change these phone settings, you must enable the Setting Access setting in Cisco CallManager Administration.

Disabling the PC Port Setting

By default, Cisco CallManager enables the PC port on all Cisco IP Phones that have a PC port. You can disable the PC Port setting in the Phone Configuration window of Cisco CallManager Administration. Disabling the PC port is useful for lobby or conference room phones.

Related Topics

Interactions and Restrictions

Performing Phone Hardening Tasks

Cisco IP Phone Administration Guide for Cisco CallManager

Performing Phone Hardening Tasks


Caution The following procedure disables functionality for the phone.

Perform the following procedure:

Procedure


Step 1 In Cisco CallManager Administration, choose Device > Phone.

Step 2 Specify the criteria to find the phone and click Find, or click Find without any criteria to display a list of all phones.

Step 3 To open the Phone Configuration window for the device, click the device name.

Step 4 Locate the following product-specific parameters:

PC Port

Settings Access

Gratuitous ARP

PC Voice VLAN Access

Web Access


Tip To review information on these settings, click the i button that displays next to the parameters in the Phone Configuration window.


Step 5 From the drop-down list box for each parameter that you want to disable, choose Disabled.

Step 6 Click Update.
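As an added example (not from the Cisco guide or any Cisco tool), the following Python audit applies the checks this chapter describes to a constructed phone export: it resolves Use System Default against the enterprise parameter, compares each phone's effective mode from Table 5-1 with the required mode, flags any LSC Status other than Success, and reports the five hardening parameters that are still enabled, skipping PC Voice VLAN Access on the 7912 since that model cannot perform it. The CSV column layout is an assumption for this example, not a Cisco CallManager or BAT file format.

```python
import csv
import io

# Constructed sample export; the column layout is an assumption for this
# example and is not a Cisco CallManager or BAT file format.
SAMPLE_EXPORT = """\
Device Name,Model,Device Security Mode,LSC Status,PC Port,Settings Access,Gratuitous ARP,PC Voice VLAN Access,Web Access
SEP000000000001,7960,Encrypted,Success,Disabled,Disabled,Disabled,Disabled,Disabled
SEP000000000002,7960,Authenticated,Success,Enabled,Enabled,Disabled,Disabled,Enabled
SEP000000000003,7970,Non-secure,Operation Pending,Enabled,Enabled,Enabled,Enabled,Enabled
SEP000000000004,7912,Use System Default,Upgrade Failed,Enabled,Disabled,Enabled,Enabled,Enabled
"""

# The five product-specific parameters from the phone hardening procedure.
HARDENING_PARAMS = ["PC Port", "Settings Access", "Gratuitous ARP",
                    "PC Voice VLAN Access", "Web Access"]

# The chapter states the 7912 cannot perform PC Voice VLAN Access filtering,
# so that parameter is not reported as a finding for that model.
UNSUPPORTED = {("7912", "PC Voice VLAN Access")}


def effective_mode(row, system_default):
    """Resolve 'Use System Default' to the enterprise parameter value."""
    mode = row["Device Security Mode"]
    return system_default if mode == "Use System Default" else mode


def audit_phones(export_text, system_default="Non-secure",
                 required_mode="Encrypted"):
    """Return {device name: [findings]} for phones that are not in the
    required security mode, whose last CAPF operation did not succeed,
    or that still have hardening parameters enabled."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        issues = []
        mode = effective_mode(row, system_default)
        if mode != required_mode:
            issues.append(f"security mode is {mode}, expected {required_mode}")
        if row["LSC Status"] != "Success":
            issues.append(f"LSC status is {row['LSC Status']}")
        for param in HARDENING_PARAMS:
            if (row["Model"], param) in UNSUPPORTED:
                continue
            if row[param] != "Disabled":
                issues.append(f"{param} still enabled")
        if issues:
            findings[row["Device Name"]] = issues
    return findings
```

Run audit_phones(SAMPLE_EXPORT, system_default=...) with the value of your Device Security Mode enterprise parameter, because a phone set to Use System Default is only as secure as that parameter.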


Related Topics

Interactions and Restrictions

Disabling the Gratuitous ARP Setting

Disabling Web Access Setting

Disabling the PC Voice VLAN Access Setting

Disabling the Setting Access Setting

Disabling the PC Port Setting