Cisco Unified Communications Manager Security Guide, Release 8.0(2)
Phone Security Overview


Table Of Contents

Phone Security Overview

Understanding How Security Works for Phones

Trusted Devices

Supported Phone Models

Viewing Security Settings on the Phone

Phone Security Configuration Checklist

Where to Find More Information


Phone Security Overview


This chapter contains information on the following topics:

Understanding How Security Works for Phones

Supported Phone Models

Viewing Security Settings on the Phone

Phone Security Configuration Checklist

Where to Find More Information

Understanding How Security Works for Phones

At installation, Cisco Unified Communications Manager boots up in nonsecure mode. When the phones boot up after the Cisco Unified Communications Manager installation, all devices register as nonsecure with Cisco Unified Communications Manager.

After you upgrade from Cisco Unified Communications Manager 4.0(1) or a later release, the phones boot up in the device security mode that you enabled prior to the upgrade; all devices register by using the chosen security mode.

The Cisco Unified Communications Manager installation creates a self-signed certificate on the Cisco Unified Communications Manager and TFTP server. You may also choose to use a third-party, CA-signed certificate for Cisco Unified Communications Manager instead of the self-signed certificate. After you configure authentication, Cisco Unified Communications Manager uses the certificate to authenticate with supported Cisco Unified IP Phones. After a certificate exists on the Cisco Unified Communications Manager and TFTP server, Cisco Unified Communications Manager does not reissue the certificate during each Cisco Unified Communications Manager upgrade. If you regenerate or replace the certificate, you must create a new CTL file that contains the new certificate entries, because phones trust only the certificates listed in the CTL file.


Tip For information on unsupported or nonsecure scenarios, see the "Interactions and Restrictions" section on page 1-7.


Cisco Unified Communications Manager maintains the authentication and encryption status at the device level. If all devices that are involved in the call register as secure, the call status registers as secure. If one device registers as nonsecure, the call registers as nonsecure, even if the phone of the caller or recipient registers as secure.

Cisco Unified Communications Manager retains the authentication and encryption status of the device when a user uses Cisco Extension Mobility. Cisco Unified Communications Manager also retains the authentication and encryption status of the device when shared lines are configured.


Tip When you configure a shared line for an encrypted Cisco Unified IP Phone, configure all devices that share the lines for encryption; that is, ensure that you set the device security mode for all devices to encrypted by applying a security profile that supports encryption.


Trusted Devices

Cisco Unified Communications Manager allows Security icons to be enabled by phone model on Cisco Unified IP Phones. The Security icon indicates whether the call is secure and the connected device is trusted.

A Trusted Device represents a Cisco device or a third-party device that has passed Cisco security criteria for trusted connections. This includes, but is not limited to, signaling/media encryption, platform hardening, and assurance. If a device is trusted, a Security icon displays and a secure tone plays on supported devices. Also, the device may provide other features or indicators that are related to secure calls.

Cisco Unified Communications Manager determines whether a device is trusted when you add it to your system. The security icon displays for information purposes only, and the administrator cannot configure it directly.

Cisco Unified Communications Manager also indicates whether a gateway is trusted by displaying an icon and a message in Cisco Unified Communications Manager Administration.

This section describes the behavior of the security icon for trusted devices on both the Cisco Unified IP Phones and in Cisco Unified Communications Manager Administration.

Cisco Unified Communications Manager Administration

The following windows in Cisco Unified Communications Manager Administration indicate whether a device is trusted:

Gateway Configuration

For each gateway type, the Gateway Configuration window (Device > Gateway) displays either Device is trusted or Device is not trusted, along with a corresponding icon.

The system determines whether the device is trusted, based on the device type. You cannot configure whether the device is trusted.

Phone Configuration

For each phone device type, the Phone Configuration window (Device > Phone) displays either Device is trusted or Device is not trusted, along with a corresponding icon.

The system determines whether the device is trusted, based on the device type. You cannot configure whether the device is trusted.

Cisco Unified IP Phones

The type of device that a user calls affects the security icon that displays on the phone. The system considers the following three criteria to determine whether the call is secure:

Are all devices on the call trusted?

Is the signaling secure (authenticated and encrypted)?

Is the media secure?

A supported Cisco Unified IP Phone displays the Lock security icon only when all three of these criteria are met. For a call that involves a device that is not trusted, the overall status of the call stays unsecure regardless of signaling and media security, and the phone does not display the Lock icon. For example, if you include an untrusted device in a conference, the system considers both its call leg and the conference itself to be unsecure.
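The rules in this section and in "Understanding How Security Works for Phones" above, as an added example that is not part of the Cisco guide: a small Python model in which the call takes the weakest device security mode on it, the Lock icon appears only when every device is trusted and the call is encrypted, and a shared line is flagged when an encrypted phone shares it with a device that is not encrypted (the condition the Tip above warns against). The device records, names and field names are constructed for the example and are not Cisco Unified Communications Manager fields.

```python
"""Worked example: how a call's security state follows from its devices.

Added example, not Cisco code. Encodes the rules stated in this chapter:
the call registers with the weakest security mode of any device on it, and
the Lock icon appears only when every device is trusted and signaling and
media are encrypted. Device records below are constructed; the field names
are assumptions of this example, not Cisco Unified Communications Manager
fields.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Device security modes from weakest to strongest (set by the applied
# phone security profile).
MODES = ("nonsecure", "authenticated", "encrypted")


@dataclass(frozen=True)
class Device:
    name: str
    security_mode: str               # one of MODES
    trusted: bool                    # decided by the system from the device type
    shared_dn: Optional[str] = None  # directory number if the line is shared


def call_security_mode(devices: List[Device]) -> str:
    """The call registers with the weakest mode among all devices on it."""
    if not devices:
        raise ValueError("a call needs at least one device")
    for d in devices:
        if d.security_mode not in MODES:
            raise ValueError(f"{d.name}: unknown security mode {d.security_mode!r}")
    return min((d.security_mode for d in devices), key=MODES.index)


def shows_lock_icon(devices: List[Device]) -> bool:
    """All three criteria must hold: every device trusted, signaling secure,
    media secure. In this model 'encrypted' mode covers the last two; one
    untrusted leg (for example in a conference) keeps the whole call unsecure."""
    return all(d.trusted for d in devices) and call_security_mode(devices) == "encrypted"


def shared_line_violations(devices: List[Device]) -> Dict[str, List[str]]:
    """Shared lines where an encrypted phone shares a DN with a device that is
    not encrypted. Returns {shared DN: [names of the non-encrypted devices]}."""
    members: Dict[str, List[Device]] = {}
    for d in devices:
        if d.shared_dn:
            members.setdefault(d.shared_dn, []).append(d)
    violations: Dict[str, List[str]] = {}
    for dn, devs in members.items():
        if any(m.security_mode == "encrypted" for m in devs):
            weak = [m.name for m in devs if m.security_mode != "encrypted"]
            if weak:
                violations[dn] = weak
    return violations


# Constructed inventory for the example (not real devices).
INVENTORY = [
    Device("SEP0001", "encrypted", True, shared_dn="2001"),
    Device("SEP0002", "authenticated", True, shared_dn="2001"),
    Device("SEP0003", "encrypted", True),
    Device("SEP0004", "nonsecure", True),
    Device("THIRDPARTY01", "encrypted", False),  # encrypted, but not a trusted device type
]
BY_NAME = {d.name: d for d in INVENTORY}


def classify(names: List[str]) -> Dict[str, object]:
    """Summarize a call between the named inventory devices."""
    devices = [BY_NAME[n] for n in names]
    return {"mode": call_security_mode(devices), "lock_icon": shows_lock_icon(devices)}


if __name__ == "__main__":
    print(classify(["SEP0001", "SEP0003"]))                  # encrypted, lock shown
    print(classify(["SEP0001", "SEP0002"]))                  # authenticated, no lock
    print(classify(["SEP0001", "SEP0003", "THIRDPARTY01"]))  # untrusted conference leg, no lock
    print(shared_line_violations(INVENTORY))                 # {'2001': ['SEP0002']}
```

The last case is the one to remember: every device on that conference is in encrypted mode, yet the untrusted leg alone removes the Lock icon. The shared-line check is the kind of audit worth running over a device export before enabling encryption on a profile, since the system will not warn you about the mismatch.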

Supported Phone Models

For a list of security features that are supported on your phone, refer to the phone administration and user documentation that supports this Cisco Unified Communications Manager release or the firmware documentation that supports your firmware load.

You can also use Cisco Unified Reporting to list the phones that support a particular feature. For more information about using Cisco Unified Reporting, see the Cisco Unified Reporting Administration Guide.

Viewing Security Settings on the Phone

You can configure and view certain security-related settings on phones that support security; for example, you can view whether a phone has a locally significant certificate (LSC) or manufacturing-installed certificate (MIC) installed. For additional information on the security menu and icons, refer to the Cisco Unified IP Phone administration and user documentation that supports your phone model and this version of Cisco Unified Communications Manager.

When Cisco Unified Communications Manager classifies a call as authenticated or encrypted, an icon displays on the phone to indicate the call state. To determine when Cisco Unified Communications Manager classifies the call as authenticated or encrypted, refer to the "Security Icons" section on page 1-6 and the "Interactions and Restrictions" section on page 1-7.

Phone Security Configuration Checklist

Table 5-1 describes the tasks to configure security for supported phones.

Table 5-1 Phone Security Configuration Checklist

Step 1: If you have not already done so, configure the Cisco CTL Client and ensure that the Cisco Unified Communications Manager security mode is Mixed Mode.
Related procedures and topics: Configuring the Cisco CTL Client, page 4-1

Step 2: If the phone does not contain a locally significant certificate (LSC) or manufacturing-installed certificate (MIC), install an LSC by using the Certificate Authority Proxy Function (CAPF).
Related procedures and topics: Using the Certificate Authority Proxy Function, page 8-1

Step 3: Configure phone security profiles.
Related procedures and topics: Configuring a Phone Security Profile, page 6-1

Step 4: Apply a phone security profile to the phone.
Related procedures and topics: Applying a Phone Security Profile, page 6-10

Step 5: If a phone that is running SIP supports digest authentication, configure the digest credentials in the End User Configuration window.
Related procedures and topics: Configuring Digest Credentials in the End User Configuration Window, page 10-3; End User Digest Credential Configuration Settings, page 10-3

Step 6: After you configure digest credentials, choose the Digest User in the Phone Configuration window.
Related procedures and topics: Configuring the Digest User in the Phone Configuration Window, page 10-4

Step 7: On a Cisco Unified IP Phone 7960G or 7940G (SIP only), enter the digest authentication username and password (digest credentials) that you configured in the End User Configuration window.
This document does not provide procedures for entering the digest credentials on the phone. For that task, refer to the Cisco Unified IP Phone administration guide that supports your phone model and this version of Cisco Unified Communications Manager.

Step 8: Encrypt the phone configuration file, if the phone supports this functionality.
Related procedures and topics: Configuring Encrypted Phone Configuration Files, page 9-1

Step 9: To harden the phone, disable phone settings that are not required.
Related procedures and topics: Phone Hardening, page 11-1
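Steps 5 through 7 configure SIP digest credentials. As an added example that is not part of the Cisco guide, the following Python shows the exchange those credentials drive: the phone answers a 401 Unauthorized challenge to its REGISTER with a Digest Authorization header computed from the digest user name and password, and the server verifies it by recomputing the same value (RFC 3261, which uses the HTTP Digest scheme of RFC 2617). The challenge, realm, nonce and credentials are constructed for the example; nothing here is taken from a real Cisco Unified Communications Manager, and the helper names are this example's own.

```python
"""Worked example: SIP digest authentication behind the phone's digest credentials.

Added example, not Cisco code. Shows what a SIP phone computes from its digest
user name and password when the server challenges a REGISTER, and how the
server checks it. The challenge, realm, nonce and password below are constructed.
Digest uses MD5 because the scheme specifies it; that is a property of the
protocol, not a recommendation.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username: str, realm: str, password: str, method: str, uri: str,
                    nonce: str, qop: Optional[str] = None, nc: Optional[str] = None,
                    cnonce: Optional[str] = None) -> str:
    """The 'response' parameter of the Authorization header (RFC 2617 section 3.2.2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop is None:                       # RFC 2069 compatibility form, no qop
        return _md5(f"{ha1}:{nonce}:{ha2}")
    if qop != "auth":
        raise ValueError("this example implements qop=auth only")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def parse_digest_params(header_value: str) -> Dict[str, str]:
    """Parse 'Digest k="v", k2=v2' into a dict. Sufficient for the headers built
    here; it does not handle quoted commas or a multi-valued qop list."""
    scheme, _, params = header_value.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    out: Dict[str, str] = {}
    for item in params.split(","):
        key, _, value = item.strip().partition("=")
        out[key] = value.strip('"')
    return out


def build_authorization(challenge: str, username: str, password: str, method: str,
                        uri: str, cnonce: Optional[str] = None) -> str:
    """Phone side: answer a WWW-Authenticate challenge with an Authorization header."""
    ch = parse_digest_params(challenge)
    qop = ch.get("qop")
    nc = "00000001" if qop else None          # first use of this nonce
    if qop and cnonce is None:
        cnonce = os.urandom(8).hex()          # client nonce, fresh per request
    resp = digest_response(username, ch["realm"], password, method, uri,
                           ch["nonce"], qop, nc, cnonce)
    parts = [f'username="{username}"', f'realm="{ch["realm"]}"', f'nonce="{ch["nonce"]}"',
             f'uri="{uri}"', f'response="{resp}"', "algorithm=MD5"]
    if qop:
        parts += [f"qop={qop}", f"nc={nc}", f'cnonce="{cnonce}"']
    return "Digest " + ", ".join(parts)


def server_accepts(authorization: str, method: str, passwords: Dict[str, str],
                   issued_nonce: str) -> bool:
    """Server side: recompute the response from the stored credential and compare.
    The nonce must be the one this server issued, so a captured header cannot be
    replayed against a fresh challenge; the method is bound in via HA2."""
    a = parse_digest_params(authorization)
    if a.get("nonce") != issued_nonce:
        return False
    password = passwords.get(a.get("username", ""))
    if password is None:
        return False
    expected = digest_response(a["username"], a.get("realm", ""), password, method,
                               a.get("uri", ""), a["nonce"], a.get("qop"),
                               a.get("nc"), a.get("cnonce"))
    return hmac.compare_digest(expected, a.get("response", ""))


# Constructed challenge and credential store for the example.
CHALLENGE = 'Digest realm="example.test", nonce="6f2b1c9e4d7a", algorithm=MD5, qop="auth"'
PASSWORDS = {"sep0001": "correct horse battery staple"}

if __name__ == "__main__":
    hdr = build_authorization(CHALLENGE, "sep0001", PASSWORDS["sep0001"],
                              "REGISTER", "sip:example.test")
    print(hdr)
    print("accepted:", server_accepts(hdr, "REGISTER", PASSWORDS, "6f2b1c9e4d7a"))
```

Digest proves to the server that the phone holds the password without sending it; it does not protect the signaling itself, which is what the device security mode applied through the phone security profile provides. The server-side nonce check is what stops a captured Authorization header from being replayed, so a server that accepts any nonce has effectively disabled that protection.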

Where to Find More Information

Related Topics

Interactions and Restrictions, page 1-7

Authentication, Integrity, and Authorization Overview, page 1-17

Encryption Overview, page 1-22

Configuration Checklist Overview, page 1-25

Using the Certificate Authority Proxy Function, page 8-1

Phone Security Configuration Checklist

Configuring a Phone Security Profile, page 6-1

Configuring Encrypted Phone Configuration Files, page 9-1

Phone Hardening, page 11-1

Related Cisco Documentation

Cisco Unified IP Phone Administration Guide for Cisco Unified Communications Manager

Troubleshooting Guide for Cisco Unified Communications Manager