Feature | Description

Image authentication | Signed binary files (extension .sbn) and encrypted binary files (extension .sebn) let the device detect tampering with a firmware image before the image is loaded. An image that has been modified after it was signed fails the authentication process, and the device rejects the new image.

Customer-site certificate installation | Each device requires a unique certificate for device authentication. Devices ship with a manufacturing installed certificate (MIC); for additional security, you can specify in Cisco Unified Communications Manager Administration that a Locally Significant Certificate (LSC) be installed through the Certificate Authority Proxy Function (CAPF), or you can install an LSC from the Enterprise security menu on the device.

Device authentication | Occurs between the Cisco Unified Communications Manager server and the device when each entity accepts the certificate of the other. Determines whether a secure connection between the device and Cisco Unified Communications Manager should be established and, if so, creates a secure signaling path between the two over TLS. Cisco Unified Communications Manager does not register a device that it cannot authenticate.

File authentication | Validates the digitally signed files that the device downloads. The device checks the signature to make sure that the file was not tampered with after it was created. Files that fail authentication are not written to flash memory on the device; the device rejects them without further processing.

File encryption | Prevents disclosure of sensitive information while the file is in transit to the device. Encryption does not replace the signature check: the device still validates the signature to make sure that the file was not tampered with after it was created, and files that fail authentication are not written to flash memory and are rejected without further processing.

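The image, file and encrypted-file checks in the rows above, as an added example in Go that is not Cisco's code and does not reproduce the .sbn/.sebn format (which this page does not document): a build side signs an image with Ed25519 and, for the encrypted variant, seals the signed blob with AES-256-GCM; the device side refuses to write anything to flash unless decryption and signature verification both succeed. The container layout, the key names, the AES key and the sample image are assumptions constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Assumed container layout for this example (not Cisco's .sbn/.sebn format, which
// this page does not document): signed blob = image || 64-byte Ed25519 signature;
// sealed blob = 12-byte GCM nonce || AES-256-GCM(signed blob). The vendor public
// key plays the role of the trust anchor held by the device.
var ErrAuth = errors.New("file failed authentication; not written to flash")

// SignImage is the build-side step: produce a signed (.sbn-like) blob.
func SignImage(vendorPriv ed25519.PrivateKey, image []byte) []byte {
	return append(append([]byte{}, image...), ed25519.Sign(vendorPriv, image)...)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealImage is the build-side step for the encrypted (.sebn-like) variant.
func SealImage(key, signed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, signed, nil), nil
}

// Flash models the device's flash memory: only authenticated images are written.
type Flash struct{ Image []byte }

// LoadSigned verifies before writing; tampered, truncated or foreign-signed images are rejected.
func (f *Flash) LoadSigned(vendorPub ed25519.PublicKey, blob []byte) error {
	n := len(blob) - ed25519.SignatureSize
	if n < 0 || !ed25519.Verify(vendorPub, blob[:n], blob[n:]) {
		return ErrAuth
	}
	f.Image = append([]byte{}, blob[:n]...)
	return nil
}

// LoadSealed decrypts first (GCM rejects any modified ciphertext), then runs the same signature check.
func (f *Flash) LoadSealed(vendorPub ed25519.PublicKey, key, sealed []byte) error {
	gcm, err := newGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return ErrAuth
	}
	ns := gcm.NonceSize()
	signed, err := gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
	if err != nil {
		return ErrAuth
	}
	return f.LoadSigned(vendorPub, signed)
}

// Scenarios exercises the cases a practitioner would check; keys and the image are constructed.
func Scenarios() map[string]bool {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	key := make([]byte, 32) // constructed AES-256 transport key
	rand.Read(key)
	image := []byte("constructed sample firmware payload for a DX device")
	out := map[string]bool{} // true means the image reached flash
	try := func(name string, load func(f *Flash) error) {
		var f Flash
		out[name] = load(&f) == nil && len(f.Image) == len(image)
	}
	genuine := SignImage(vendorPriv, image)
	tampered := append([]byte{}, genuine...)
	tampered[0] ^= 0x01 // one flipped bit in the image body
	sealed, _ := SealImage(key, genuine)
	corrupted := append([]byte{}, sealed...)
	corrupted[len(corrupted)-1] ^= 0x01 // damage the GCM authentication tag
	try("genuine", func(f *Flash) error { return f.LoadSigned(vendorPub, genuine) })
	try("tampered-image", func(f *Flash) error { return f.LoadSigned(vendorPub, tampered) })
	try("wrong-signer", func(f *Flash) error { return f.LoadSigned(vendorPub, SignImage(roguePriv, image)) })
	try("sealed-genuine", func(f *Flash) error { return f.LoadSealed(vendorPub, key, sealed) })
	try("sealed-corrupted", func(f *Flash) error { return f.LoadSealed(vendorPub, key, corrupted) })
	return out
}

func main() {
	for name, ok := range Scenarios() {
		fmt.Printf("%-18s written to flash: %v\n", name, ok)
	}
}
```

The point the table makes twice is visible in the order of operations: the sealed variant is decrypted and then handed to exactly the same signature check as the plain signed variant, and nothing touches the Flash value until that check has passed.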
Signaling authentication | Uses TLS to validate that signaling packets were not tampered with during transmission.

Manufacturing installed certificate | Each device contains a unique manufacturing installed certificate (MIC), which is used for device authentication. The MIC is permanent, unique proof of the identity of the device and allows Cisco Unified Communications Manager to authenticate the device.

Media encryption | Uses SRTP to ensure that media streams between supported devices are protected and that only the intended device receives and can read the data. Includes creation of a media master key pair for the devices, delivery of the keys to the devices, and protection of the keys while they are in transit.

CAPF (Certificate Authority Proxy Function) | Implements the parts of the certificate generation procedure that are too processing-intensive for the device, and interacts with the device for key generation and certificate installation. CAPF can be configured to request certificates from customer-specified certificate authorities on behalf of the device, or it can be configured to generate certificates locally.

Security profile | Defines whether the device is nonsecure, authenticated, encrypted, or protected. Other entries in this table describe security features. For more information about these features, see the Cisco Unified Communications Manager Security Guide.

Encrypted configuration files | Ensures the confidentiality of device configuration files.

Optional web server disabling for a phone | For security purposes, you can prevent access to the web pages for a device (which display a variety of operational statistics for the device).

Phone hardening | Additional security options, which you control from Cisco Unified Communications Manager Administration:
- Disable PC port
- Disable Gratuitous ARP (GARP)
- Disable PC Voice VLAN access
- Provide restricted access to the web applications
- Disable Bluetooth Accessory Port
- Disable access to web pages for a device
- Require a screen lock
- Control access to Google Play
- Control access to installation of applications from unknown sources

802.1X Authentication | The device can use 802.1X authentication to request and gain access to the network.

Secure SIP Failover for SRST | After you configure a Survivable Remote Site Telephony (SRST) reference for security and then reset the dependent devices in Cisco Unified Communications Manager Administration, the TFTP server adds the SRST certificate to the device cnf.xml file and sends the file to the device. A secure device then uses a TLS connection to interact with the SRST-enabled router.

Signaling encryption | Ensures that all SIP signaling messages sent between the device and the Cisco Unified Communications Manager server are encrypted.

AES 256 Encryption | When connected to Cisco Unified Communications Manager Release 10.5(2) or later, DX Series devices support AES-256 encryption for TLS and SIP signaling and for media encryption. The devices can initiate and accept TLS 1.2 connections using AES-256 cipher suites with SHA-2 (Secure Hash Algorithm) hashing that are Federal Information Processing Standards (FIPS) compliant.

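Device authentication, signaling encryption and the AES-256 / TLS 1.2 requirement described in the rows above, as an added example in Go that is not Cisco's code: a constructed in-memory CA stands in for CAPF and the Cisco Unified Communications Manager trust store, the listener is configured the way the table describes (each side verifies the other's certificate, TLS 1.2, an AES-256-GCM suite with SHA-384), and four device profiles are tried against it. The host names (cucm.example, capf-ca.example and the others ending in .example) and the device certificate playing the LSC are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// issue mints a certificate for name: a self-signed CA when ca is nil, otherwise a leaf
// signed by ca. This in-memory CA is a constructed stand-in for CAPF and the CUCM trust
// store, not Cisco's implementation.
func issue(name string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (tls.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	parent, signer := ca, caKey
	if ca == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, key
}

// tryHandshake runs one handshake over loopback and returns the first error seen on
// either side; nil means each side accepted the other's certificate and cipher suite.
func tryHandshake(server, client *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			defer c.Close()
			err = tls.Server(c, server).Handshake()
		}
		srvErr <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), client) // Dial completes the handshake
	if err == nil {
		conn.Close()
	}
	if se := <-srvErr; err == nil {
		err = se
	}
	return err
}

// RunScenarios tries four device profiles against a CUCM-like listener.
// The .example host names are assumed for this example.
func RunScenarios() map[string]error {
	caTLS, caKey := issue("capf-ca.example", nil, nil)
	pool := x509.NewCertPool()
	pool.AddCert(caTLS.Leaf)
	serverCert, _ := issue("cucm.example", caTLS.Leaf, caKey)
	deviceCert, _ := issue("sep001122334455.example", caTLS.Leaf, caKey) // LSC stand-in
	rogueTLS, rogueKey := issue("rogue-ca.example", nil, nil)
	rogueCert, _ := issue("imposter.example", rogueTLS.Leaf, rogueKey) // CA not in the trust store
	// CUCM side: TLS 1.2 pinned, AES-256-GCM with SHA-384 only, client certificate required.
	server := &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, ClientCAs: pool,
		MinVersion:   tls.VersionTLS12, MaxVersion: tls.VersionTLS12,
		CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
	}
	// Device side: verifies the CUCM certificate against the same trust store.
	device := func(certs []tls.Certificate, suite uint16) *tls.Config {
		return &tls.Config{ServerName: "cucm.example", RootCAs: pool, Certificates: certs,
			CipherSuites: []uint16{suite}, MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	}
	lsc, rogue := []tls.Certificate{deviceCert}, []tls.Certificate{rogueCert}
	aes256, aes128 := tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
	return map[string]error{
		"trusted-lsc-aes256": tryHandshake(server, device(lsc, aes256)),
		"no-client-cert":     tryHandshake(server, device(nil, aes256)),
		"untrusted-cert":     tryHandshake(server, device(rogue, aes256)),
		"aes128-only":        tryHandshake(server, device(lsc, aes128)),
	}
}
```

Both sides pin TLS 1.2 because Go does not let the TLS 1.3 suite list be configured, so the AES-256 restriction is only meaningful on a 1.2 handshake. A device that offers only AES-128 suites, presents no certificate, or presents one issued by a CA outside the trust store is refused during the handshake, before any SIP signaling is exchanged, which is the registration refusal the device authentication row describes.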