Cisco Unified CallManager Security Guide, Release 4.2(3)
Configuring the Phones for Security

This chapter contains information on the following topics:

Phone Configuration Overview for Security

Installing, Upgrading, Deleting, or Troubleshooting Locally Significant Certificates in Phones

Configuring the Device Security Mode

Configuring the Security Device System Default for Supported Phone Models

Configuring the Device Security Mode for a Single Device

Using the Bulk Administration Tool to Configure the Device Security Mode

Device Security Mode Configuration Settings

Finding Phones for Authentication, Encryption, and LSC Status

Phone Hardening

Disabling the Gratuitous ARP Setting

Disabling Web Access Setting

Disabling the PC Voice VLAN Access Setting

Disabling the Setting Access Setting

Disabling the PC Port Setting

Performing Phone-Hardening Tasks

Phone Configuration Overview for Security

When you perform a new installation of Cisco Unified CallManager, the Cisco Unified CallManager cluster boots up in nonsecure mode; when the phones boot up after the Cisco Unified CallManager installation, all devices register as nonsecure with Cisco Unified CallManager.

After you upgrade from Cisco Unified CallManager 4.0(1) or a later release, the phones boot up in the security mode that you enabled prior to the upgrade; all devices register by using the chosen security mode.

The Cisco Unified CallManager installation creates a self-signed certificate on corresponding Cisco Unified CallManager and TFTP servers. After you configure the cluster for authentication, Cisco Unified CallManager uses this self-signed certificate to authenticate with supported Cisco Unified IP Phones. After a self-signed certificate exists on the Cisco Unified CallManager and TFTP servers, Cisco Unified CallManager does not reissue the certificates during each Cisco Unified CallManager upgrade.


Tip For information on unsupported or nonsecure scenarios, see the "Restrictions" section on page 1-6.


Cisco Unified CallManager maintains the authentication and encryption status at the device level. If all devices that are involved in the call register as secure, the call status registers as secure. If one of the devices registers as nonsecure, the call registers as nonsecure, even if the phone of the caller or recipient registers as secure.

Cisco Unified CallManager retains the authentication and encryption status of the device when a user uses Cisco Extension Mobility. Cisco Unified CallManager also retains the authentication and encryption status of the device when shared lines are configured.

Table 5-1 provides a list of supported features on various Cisco Unified IP Phones.


Tip Although you can configure the features in Cisco Unified CallManager Administration, the features may not work on the phone until you install a compatible firmware load.

For the latest list of supported phones and features, refer to the phone administration and user documentation that supports this release of Cisco Unified CallManager, the Cisco Unified CallManager release notes, Cisco CallManager service release readme documents, and the firmware documentation that supports your firmware load.


Table 5-1 Cisco Unified IP Phone Features

Cisco Unified IP Phone models 7970 and 7971
    Supported features: Image authentication, file authentication, device authentication, signaling encryption, media encryption, manufacture-installed certificates, factory reset, and phone hardening, such as web server disabling
    Tip The Cisco Unified IP Phone 7970 and 7971 default firmware loads in this release of Cisco Unified CallManager do not support secure SRST or locally significant certificates. Although you can configure locally significant certificates and secure SRST for these phone models in Cisco Unified CallManager Administration, you must upgrade to the compatible firmware load(s) for these settings to take effect. The system ignores the configuration for the LSC and the secure SRST until you install the compatible firmware load(s).

Cisco Unified IP Phone models 7960 and 7940
    Supported features: Image authentication, file authentication, device authentication, signaling encryption, media encryption, locally significant certificates, factory resets, and phone hardening, such as web server disabling

Cisco Unified IP Phone models 7912, 7905G, and 7902
    Supported features: Image authentication, factory resets, and some phone hardening, such as web server disabling, Gratuitous ARP setting disabling, and Setting Access setting disabling

Cisco Unified IP Phone model 7910
    Supported features: Image authentication



Tip When you configure a shared line for an encrypted Cisco Unified IP Phone, configure all devices that share the lines for encryption; that is, ensure that you set the device security mode for all devices to encrypted.


You can configure and view certain security-related settings on phones that support security; for example, from supported phones, you can view whether a phone has a locally significant certificate or manufacture-installed certificate installed. For additional information on the security menu and icons, refer to the Cisco IP Phone administration and user documentation that supports your phone model and this version of Cisco Unified CallManager.

Likewise, when Cisco Unified CallManager classifies a call as authenticated or encrypted, an icon displays on the phone to indicate the call state. To determine when Cisco Unified CallManager classifies the call as authenticated or encrypted, refer to the "Restrictions" section on page 1-6.

You perform the following tasks to configure security for supported phones:

Installing or upgrading locally significant certificates (LSC) on supported phones; deleting or troubleshooting the certificates

Configuring supported phones for authentication or encryption through the Device Security Mode

Disabling phone settings in Cisco Unified CallManager Administration to harden the phone

Related Topics

Installing, Upgrading, Deleting, or Troubleshooting Locally Significant Certificates in Phones

Configuring the Device Security Mode

Device Security Mode Configuration Settings

Finding Phones for Authentication, Encryption, and LSC Status

Phone Hardening

Performing Phone-Hardening Tasks

Installing, Upgrading, Deleting, or Troubleshooting Locally Significant Certificates in Phones

To install, upgrade, delete, or troubleshoot locally significant certificates in phones, you must configure the CAPF settings in the Phone Configuration window of Cisco Unified CallManager Administration. For information on how to configure CAPF settings, see the "Using the Certificate Authority Proxy Function" section.

Related Topics

CAPF Configuration Checklist

CAPF System Interactions and Requirements

Configuring the Device Security Mode

Finding Phones for Authentication, Encryption, and LSC Status

Phone Hardening

Performing Phone-Hardening Tasks

Troubleshooting, page 9-1

Configuring the Device Security Mode

To configure the devices for authentication or encryption, perform one of the following tasks:

Configure the system default device security mode for supported phone models.

Configure the device security mode for a single device in the Phone Configuration window of Cisco Unified CallManager Administration.

Configure the device security mode for a supported phone model by using the Cisco Bulk Administration Tool.


Tip Before you configure the device security mode, the phone must contain a locally significant certificate or manufacture-installed certificate.

When the cluster security mode equals nonsecure, the device security mode is nonsecure in the phone configuration file, even though Cisco Unified CallManager Administration may indicate that the device security mode is authenticated or encrypted. Under these circumstances, the phone attempts nonsecure connections with the SRST-enabled gateway and the Cisco Unified CallManager servers in the cluster.

When the cluster security mode equals nonsecure, Cisco Unified CallManager ignores the security-related configuration in Cisco Unified CallManager Administration, such as the device security mode. The configuration is not deleted in Cisco Unified CallManager Administration, but no security is provided.


For information on the device security mode configuration settings, see the "Device Security Mode Configuration Settings" section.

Related Topics

Phone Configuration Overview for Security

Interactions and Restrictions, page 1-6

Activating the Cisco CTL Provider Service

Configuring the Cisco CTL Client

Updating the CTL File

Device Security Mode Configuration Settings

Using the Certificate Authority Proxy Function

Troubleshooting, page 9-1

Configuring the Security Device System Default for Supported Phone Models


Note This procedure requires that you reset the devices and restart the Cisco CallManager service for the changes to take effect.


In Cisco Unified CallManager Administration, the security device system default for all phone types displays as Non-Secure. To set the security device system default to Authenticated or Encrypted, perform the following procedure:

Procedure


Step 1 From Cisco Unified CallManager Administration, choose System > Enterprise Parameters.

Step 2 In the Security Parameters section, locate Device Security Mode.

Step 3 From the drop-down list box, choose Authenticated or Encrypted. For more information, see Table 5-2.

Step 4 At the top of the Enterprise Parameters window, click Update.

Step 5 Reset all devices in the cluster; see "Resetting the Devices, Restarting Services, or Rebooting the Server/Cluster" section on page 1-11.

Step 6 Restart the Cisco CallManager service for the changes to take effect.


Related Topics

System Requirements, page 1-5

Interactions and Restrictions, page 1-6

Configuring the Device Security Mode

Using the Certificate Authority Proxy Function

Configuring the Device Security Mode for a Single Device

To configure the device security mode for a single device, perform the following procedure. This procedure assumes that you added the device to the database and installed a certificate in the phone, if a certificate does not already exist.

Configuring the Device Security Mode in the Phone Configuration window of Cisco Unified CallManager Administration triggers a rebuild of the device configuration .xml file. After you configure the device security mode for the first time or if you change the device security mode, you must reset the device, so the phone requests the new configuration file.

Procedure


Step 1 In Cisco Unified CallManager Administration, choose Device > Phone.

Step 2 Specify the criteria to find the phone and click Find, or click Find without any criteria to display a list of all phones.

If you have not added the phone to the database, the phone does not display in the list. For information on adding a phone, refer to the Cisco CallManager Administration Guide.

Step 3 To open the Phone Configuration window for the device, click the device name.

Step 4 Locate the Device Security Mode drop-down list box.

If the phone type does not support security, this option does not display. You cannot configure authentication or encryption for the phone type.

Step 5 From the Device Security Mode drop-down list box, choose the option that you want to configure. See Table 5-2 for information on the options.

The Device Security Mode drop-down list box only displays if the phone supports authentication or encryption. For example, if the phone does not support encryption, the encryption option does not display in the drop-down list box.

Step 6 Click Update.

Step 7 Click Reset Phone.


Caution When you reset the phone, the system drops all calls that are occurring through a gateway.


Related Topics

Phone Configuration Overview for Security

Interactions and Restrictions, page 1-6

Device Security Mode Configuration Settings

Using the Certificate Authority Proxy Function

Using the Bulk Administration Tool to Configure the Device Security Mode

You can use the Bulk Administration Tool that supports this release of Cisco Unified CallManager to configure the device security mode for specific phone models that support encryption or authentication. For more information on how to perform this task, refer to the Bulk Administration Guide that supports this version of Cisco Unified CallManager.

Related Topics

Phone Configuration Overview for Security

Interactions and Restrictions, page 1-6

Device Security Mode Configuration Settings

Using the Certificate Authority Proxy Function

Cisco Unified CallManager Bulk Administration Guide

Device Security Mode Configuration Settings

The options in Table 5-2 exist for the device security mode.

Table 5-2 Device Security Modes

Use System Default
    The phone uses the value that you specified for the enterprise parameter, Device Security Mode.

Non-secure
    No security features except image authentication exist for the phone. A TCP connection opens to Cisco Unified CallManager.

Authenticated
    Cisco Unified CallManager provides integrity and authentication for the phone. A TLS connection that uses NULL/SHA opens.

Encrypted
    Cisco Unified CallManager provides integrity, authentication, and encryption for the phone. A TLS connection that uses AES128/SHA opens.
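The rules spread across this chapter (Use System Default resolves to the enterprise parameter, a nonsecure cluster security mode silently overrides the device setting, a phone model only takes the modes it supports, and a call is classified at its weakest participant) are easier to reason about when written down as one resolution function. The following is an added illustration, not Cisco code or the Cisco Unified CallManager algorithm: the mode names and transports come from Table 5-2 and the per-model capabilities from Table 5-1, the device names are constructed, and the rule that a phone whose model cannot do the system default registers with the strongest mode it does support is a modeling assumption.

```python
"""Resolve the effective device security mode and classify a call.

Added illustration of the rules stated in this chapter; not Cisco code.
"""
from dataclasses import dataclass

# Ordered weakest to strongest so that min() yields the weakest participant.
MODES = ("Non-secure", "Authenticated", "Encrypted")
RANK = {mode: i for i, mode in enumerate(MODES)}

# Transport that each mode opens to Cisco Unified CallManager (Table 5-2).
TRANSPORT = {
    "Non-secure": "TCP",
    "Authenticated": "TLS NULL/SHA",
    "Encrypted": "TLS AES128/SHA",
}

# Strongest mode each model supports (Table 5-1). Models that support only
# image authentication cannot be set to Authenticated or Encrypted.
MODEL_MAX = {
    "7970": "Encrypted", "7971": "Encrypted",
    "7960": "Encrypted", "7940": "Encrypted",
    "7912": "Non-secure", "7905G": "Non-secure", "7902": "Non-secure",
    "7910": "Non-secure",
}


@dataclass
class Phone:
    name: str        # constructed device name, e.g. "SEP-A"
    model: str       # key into MODEL_MAX
    configured: str  # "Use System Default" or one of MODES


def effective_mode(phone, cluster_secure, enterprise_default):
    """Return the mode that actually lands in the phone's configuration file."""
    if enterprise_default not in RANK:
        raise ValueError(f"unknown enterprise Device Security Mode {enterprise_default!r}")
    model_max = MODEL_MAX[phone.model]
    if phone.configured == "Use System Default":
        mode = enterprise_default
        # Assumption: a model that cannot do the system default registers with
        # the strongest mode it supports (Non-secure for image-auth-only models).
        if RANK[mode] > RANK[model_max]:
            mode = model_max
    else:
        mode = phone.configured
        if mode not in RANK:
            raise ValueError(f"unknown device security mode {mode!r}")
        # The administration page does not offer modes the phone type lacks.
        if RANK[mode] > RANK[model_max]:
            raise ValueError(f"{phone.model} does not support {mode}")
    # Cluster security mode nonsecure: the configuration is kept but ignored.
    if not cluster_secure:
        return "Non-secure"
    return mode


def classify_call(phones, cluster_secure, enterprise_default):
    """Classify a call at the weakest participating device."""
    modes = [effective_mode(p, cluster_secure, enterprise_default) for p in phones]
    return min(modes, key=RANK.__getitem__)


if __name__ == "__main__":
    a = Phone("SEP-A", "7970", "Encrypted")
    b = Phone("SEP-B", "7960", "Use System Default")
    c = Phone("SEP-C", "7912", "Use System Default")
    for phone in (a, b, c):
        mode = effective_mode(phone, True, "Encrypted")
        print(phone.name, phone.model, mode, TRANSPORT[mode])
    print("call A-B:", classify_call([a, b], True, "Encrypted"))
    print("call A-C:", classify_call([a, c], True, "Encrypted"))
    print("call A-B, cluster nonsecure:", classify_call([a, b], False, "Encrypted"))
```

Running the block shows the two traps the chapter warns about: the 7912 pulls an otherwise encrypted call down to Non-secure, and with the cluster in nonsecure mode every device reports Non-secure no matter what the Phone Configuration window says.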


Related Topics

Phone Configuration Overview for Security

Interactions and Restrictions, page 1-6

Configuring the Device Security Mode

Using the Certificate Authority Proxy Function

Cisco Unified CallManager Bulk Administration Guide

Finding Phones for Authentication, Encryption, and LSC Status

To find a phone that is associated with the security features, you can choose one of the following criteria in the Phone Find/List window in Cisco Unified CallManager Administration:

Device Security Mode—Choosing this option returns a list of phones that support authentication or encryption. If you choose this option, you can also specify whether the device is Authenticated or Encrypted. After you click the Find button, the phone model, Device Security Mode, Device Name, Description, Directory Number, Owner User ID, and so on may display (if configured).

LSC Status—Choosing this option returns a list of phones that use CAPF to install, upgrade, delete, or troubleshoot locally significant certificates. If you choose this option, you can also specify the Certification Operation that is currently performed by CAPF; for example, Operation Pending, Success, Upgrade Failed, Delete Failed, or Troubleshoot Failed. After you click the Find button, the phone model, the LSC Status, Device Name, Description, Directory Number, and the Owner User ID display (if configured).

For information on how to find and list phones, refer to the Cisco Unified CallManager Administration Guide.


Tip From the Phone Find/List window in Cisco Unified CallManager Administration, you can also delete and reset devices.


Related Topics

Cisco Unified CallManager Administration Guide

Using the Certificate Authority Proxy Function

Phone Hardening

To tighten security on the phone, you can perform tasks in the Phone Configuration window of Cisco Unified CallManager Administration. This section contains information on the following topics:

Disabling the Gratuitous ARP Setting

Disabling Web Access Setting

Disabling the PC Voice VLAN Access Setting

Disabling the Setting Access Setting

Disabling the PC Port Setting

Disabling the Gratuitous ARP Setting

By default, Cisco Unified IP Phones accept Gratuitous ARP packets. Devices use these packets to announce their presence on the network. However, attackers can use these packets to spoof a valid network device; for example, an attacker could send out a packet that claims to be the default router. If you choose to do so, you can disable the Gratuitous ARP setting in the Phone Configuration window of Cisco Unified CallManager Administration.


Note Disabling this setting does not prevent the phone from identifying its default router.
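Disabling the setting stops the phone from acting on such announcements, but it does not tell you whether anyone is sending them. The following added example (not Cisco code, and not part of this guide) shows the monitoring side: it parses Ethernet/ARP frames, recognises gratuitous ARP (sender and target IP are the same), and flags any that claim the default router's IP from a MAC other than the known gateway MAC. The gateway address, the MAC addresses and the three sample frames are constructed; in practice the frames would come from a capture on the voice VLAN.

```python
"""Flag gratuitous ARP frames that claim the default router from an unexpected MAC.

Added example, not Cisco code. All addresses and frames below are constructed.
"""
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
# htype, ptype, hlen, plen, oper, sender MAC, sender IP, target MAC, target IP
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)  # 28 bytes


def parse_arp(frame):
    """Return the ARP fields of an Ethernet/IPv4 ARP frame, or None otherwise."""
    if len(frame) < 14 + ARP_LEN:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, frame[14:14 + ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"oper": oper,
            "sha": sha.hex(":"), "spa": str(IPv4Address(spa)),
            "tha": tha.hex(":"), "tpa": str(IPv4Address(tpa))}


def is_gratuitous(arp):
    """Gratuitous ARP announces the sender's own address: sender IP == target IP."""
    return arp["spa"] == arp["tpa"]


def find_gateway_claims(frames, gateway_ip, gateway_mac):
    """Return (sender MAC, opcode) for every gratuitous ARP that claims gateway_ip
    from a MAC other than the one the gateway is known to use."""
    alerts = []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None or not is_gratuitous(arp):
            continue
        if arp["spa"] == gateway_ip and arp["sha"] != gateway_mac:
            alerts.append((arp["sha"], arp["oper"]))
    return alerts


def arp_frame(oper, sha, spa, tha, tpa):
    """Build one broadcast Ethernet/ARP frame from text addresses (sample data only)."""
    def mac(text):
        return bytes.fromhex(text.replace(":", ""))

    def ip(text):
        return IPv4Address(text).packed

    ethernet = mac("ff:ff:ff:ff:ff:ff") + mac(sha) + struct.pack("!H", ETHERTYPE_ARP)
    return ethernet + struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                                  mac(sha), ip(spa), mac(tha), ip(tpa))


GATEWAY_IP = "10.0.0.1"               # constructed
GATEWAY_MAC = "00:11:22:33:44:55"     # constructed

SAMPLE_FRAMES = [
    # Legitimate gratuitous reply from the real gateway.
    arp_frame(2, GATEWAY_MAC, GATEWAY_IP, "ff:ff:ff:ff:ff:ff", GATEWAY_IP),
    # Ordinary request from a host resolving the gateway (not gratuitous).
    arp_frame(1, "aa:bb:cc:dd:ee:01", "10.0.0.20", "00:00:00:00:00:00", GATEWAY_IP),
    # Gratuitous reply claiming the gateway's IP from a different MAC.
    arp_frame(2, "de:ad:be:ef:00:01", GATEWAY_IP, "ff:ff:ff:ff:ff:ff", GATEWAY_IP),
]

if __name__ == "__main__":
    for sender, oper in find_gateway_claims(SAMPLE_FRAMES, GATEWAY_IP, GATEWAY_MAC):
        print(f"gratuitous ARP claiming {GATEWAY_IP} from {sender} (opcode {oper})")
```

Only the third frame is reported: the first is the gateway announcing itself, and the second is a normal request whose sender and target IPs differ.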


Disabling Web Access Setting

Disabling the web server functionality for the phone blocks access to the phone internal web pages, which provide statistics and configuration information. Features, such as Cisco Quality Report Tool, do not function properly without access to the phone web pages. Disabling the web server also affects any serviceability application, such as CiscoWorks, that relies on web access.

To determine whether the web services are disabled, the phone parses a parameter in the configuration file that indicates whether the services are disabled or enabled. If the web services are disabled, the phone does not open the HTTP port 80 for monitoring purposes and blocks access to the phone internal web pages.
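Because the phone only reads the parameter when it loads its configuration file, the practical check after disabling Web Access and resetting the phone is whether TCP port 80 still accepts connections. The following is an added audit script, not Cisco code: it assumes the phones are reachable from the auditing host, the addresses are constructed, and the connect function is injectable so the logic can be exercised offline.

```python
"""Report phones whose web server still answers on port 80 after hardening.

Added example, not Cisco code. Phone addresses are constructed samples.
"""
import socket


def tcp_port_open(host, port=80, timeout=2.0, connect=socket.create_connection):
    """Return True if a TCP connection to host:port succeeds within timeout.

    `connect` defaults to socket.create_connection and is injectable for tests.
    """
    try:
        with connect((host, port), timeout=timeout):
            return True
    except OSError:
        # Connection refused, unreachable host, or timeout: port is not open.
        return False


def audit_web_access(phones, **connect_kwargs):
    """Return, sorted, the phone addresses whose web pages are still reachable."""
    return sorted(ip for ip in phones if tcp_port_open(ip, **connect_kwargs))


if __name__ == "__main__":
    # Constructed sample list; replace with the phones you have hardened.
    phones = ["10.0.0.10", "10.0.0.11", "10.0.0.12"]
    still_open = audit_web_access(phones)
    if still_open:
        print("Web Access still enabled on:", ", ".join(still_open))
    else:
        print("Port 80 closed on all", len(phones), "phones")
```

A phone that appears in the report either has not picked up the new configuration file (it was not reset) or is running a firmware load that does not honour the parameter; both are worth checking before relying on the setting.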

Disabling the PC Voice VLAN Access Setting

By default, Cisco Unified IP Phones forward all packets that are received on the switch port (the one that faces the upstream switch) to the PC port. If you choose to disable the PC Voice VLAN Access setting in the Phone Configuration window of Cisco Unified CallManager Administration, packets that are received from the PC port and that use voice VLAN functionality are dropped. Various Cisco Unified IP Phone models implement this functionality differently:

Cisco Unified IP Phone models 7940 and 7960 drop any packets tagged with the voice VLAN, in or out of the PC port.

Cisco Unified IP Phone model 7970 drops any packet that contains an 802.1Q tag on any VLAN, in or out of the PC port.

Cisco Unified IP Phone model 7912 cannot perform this functionality.
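The three model behaviours above differ in what they key on: the 7940/7960 look at the VLAN id inside the 802.1Q tag, the 7970 looks only at whether a tag is present, and the 7912 does nothing. The following added example (not Cisco code, and not the phones' own implementation) reads the 802.1Q tag from an Ethernet frame and applies each rule, so you can see which frames a PC-attached device could still get onto the voice VLAN through each model once the setting is disabled. The voice VLAN id, MAC addresses and frames are constructed.

```python
"""Apply the per-model PC Voice VLAN Access drop rules to Ethernet frames.

Added example, not Cisco code. VLAN ids and frames below are constructed.
"""
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def vlan_id(frame):
    """Return the 802.1Q VLAN id of a frame, or None when the frame is untagged."""
    if len(frame) < 16:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_8021Q:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF  # the low 12 bits of the TCI carry the VID


def pc_port_drops(model, frame, voice_vlan):
    """True if `model` drops this frame at the PC port with PC Voice VLAN Access disabled."""
    vid = vlan_id(frame)
    if model in ("7940", "7960"):
        return vid == voice_vlan        # only frames tagged with the voice VLAN
    if model == "7970":
        return vid is not None          # any 802.1Q tag, whatever the VLAN
    if model == "7912":
        return False                    # cannot perform this functionality
    raise ValueError(f"no PC Voice VLAN Access rule on this page for model {model}")


def forwarded_on_pc_port(model, frames, voice_vlan):
    """Return the frames that `model` still passes through its PC port."""
    return [f for f in frames if not pc_port_drops(model, f, voice_vlan)]


# Constructed sample addresses and frames (empty 46-byte payload).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("000102030405")


def tagged_frame(vid):
    """802.1Q-tagged IPv4 frame on VLAN `vid`."""
    return DST + SRC + struct.pack("!HHH", ETHERTYPE_8021Q, vid & 0x0FFF, ETHERTYPE_IPV4) + bytes(46)


def untagged_frame():
    """Plain IPv4 frame without an 802.1Q tag."""
    return DST + SRC + struct.pack("!H", ETHERTYPE_IPV4) + bytes(46)


VOICE_VLAN = 100
SAMPLE = {
    "voice": tagged_frame(VOICE_VLAN),
    "data": tagged_frame(200),
    "untagged": untagged_frame(),
}

if __name__ == "__main__":
    for model in ("7960", "7970", "7912"):
        kept = [name for name, f in SAMPLE.items() if not pc_port_drops(model, f, VOICE_VLAN)]
        print(f"{model}: forwards {kept}")
```

The output makes the practical difference visible: on a 7960 a tagged frame for some other VLAN still passes, on a 7970 no tagged frame passes at all, and on a 7912 the setting gives no protection, so the switch port behind that phone needs its own controls.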

Disabling the Setting Access Setting

By default, pressing the Settings button on a Cisco Unified IP Phone provides access to a variety of information, including phone configuration information. Disabling the Setting Access setting in the Phone Configuration window of Cisco Unified CallManager Administration prohibits access to all options that normally display when you press the Settings button on the phone; for example, the Contrast, Ring Type, Network Configuration, Model Information, and Status settings.

The preceding settings do not display on the phone if you disable the setting in Cisco Unified CallManager Administration. If you disable this setting, the phone user cannot save the settings that are associated with the Volume button; for example, the user cannot save the volume.

Disabling this setting automatically saves the current Contrast, Ring Type, Network Configuration, Model Information, Status, and Volume settings that exist on the phone. To change these phone settings, you must enable the Setting Access setting in Cisco Unified CallManager Administration.

Disabling the PC Port Setting

By default, Cisco Unified CallManager enables the PC port on all Cisco Unified IP Phones that have a PC port. If you choose to do so, you can disable the PC Port setting in the Phone Configuration window of Cisco Unified CallManager Administration. Disabling the PC port proves useful for lobby or conference room phones.

Related Topics

Phone Configuration Overview for Security

Performing Phone-Hardening Tasks

Cisco Unified IP Phone Administration Guide for Cisco Unified CallManager

Performing Phone-Hardening Tasks


Caution The following procedure disables functionality for the phone.

Perform the following procedure:

Procedure


Step 1 In Cisco Unified CallManager Administration, choose Device > Phone.

Step 2 Specify the criteria to find the phone and click Find, or click Find without any criteria to display a list of all phones.

Step 3 To open the Phone Configuration window for the device, click the device name.

Step 4 Locate the following product-specific parameters:

PC Port

Settings Access

Gratuitous ARP

PC Voice VLAN Access

Web Access


Tip To review information on these settings, click the i button that displays next to the parameters in the Phone Configuration window.


Step 5 From the drop-down list box for each parameter that you want to disable, choose Disabled.

Step 6 Click Update.


Related Topics

Phone Configuration Overview for Security

Disabling the Gratuitous ARP Setting

Disabling Web Access Setting

Disabling the PC Voice VLAN Access Setting

Disabling the Setting Access Setting

Disabling the PC Port Setting