Configuring the Phones for Security
This chapter contains information on the following topics:
• Phone Configuration Overview for Security
• Installing, Upgrading, Deleting, or Troubleshooting Locally Significant Certificates in Phones
• Configuring the Device Security Mode
  • Configuring the Security Device System Default for Supported Phone Models
  • Configuring the Device Security Mode for a Single Device
  • Using the Cisco Bulk Administration Tool to Configure the Device Security Mode
• Device Security Mode Configuration Settings
• Finding Phones for Authentication, Encryption, and LSC Status
• Phone Hardening
  • Disabling the Gratuitous ARP Setting
  • Disabling Web Access Setting
  • Disabling the PC Voice VLAN Access Setting
  • Disabling the Setting Access Setting
  • Disabling the PC Port Setting
• Performing Phone Hardening Tasks
Phone Configuration Overview for Security
This section provides an overview of the tasks that you perform to configure security for supported phones:
• Installing or upgrading locally significant certificates (LSC) on supported phones; deleting or troubleshooting the certificates
• Configuring supported phones for authentication or encryption through the Device Security Mode
• Disabling phone settings in Cisco CallManager Administration to harden the phone
Related Topics
• Installing, Upgrading, Deleting, or Troubleshooting Locally Significant Certificates in Phones
• Configuring the Device Security Mode
• Device Security Mode Configuration Settings
• Finding Phones for Authentication, Encryption, and LSC Status
• Phone Hardening
• Performing Phone Hardening Tasks
Installing, Upgrading, Deleting, or Troubleshooting Locally Significant Certificates in Phones
To install, upgrade, delete, or troubleshoot locally significant certificates in phones, you must configure the CAPF settings in the Phone Configuration window of Cisco CallManager Administration. For information on how to configure CAPF settings, see the "Using the Certificate Authority Proxy Function" section.
Related Topics
• CAPF Configuration Checklist
• CAPF System Interactions and Requirements
• Configuring the Device Security Mode
• Finding Phones for Authentication, Encryption, and LSC Status
• Phone Hardening
• Performing Phone Hardening Tasks
• Troubleshooting
Configuring the Device Security Mode
To configure the devices for authentication or encryption, perform one of the following tasks:
• Configure the default device security mode for supported phone models.
• Configure the device security mode for a single device in the Phone Configuration window of Cisco CallManager Administration.
• Configure the device security mode for a supported phone model by using the Cisco Bulk Administration Tool.
Tip
Before you configure the device security mode, the phone must contain a locally significant certificate or a manufacturing installed certificate.
For information on the device security mode configuration settings, see the "Device Security Mode Configuration Settings" section.
Related Topics
• System Requirements
• Interactions and Restrictions
• Activating the Cisco CTL Provider Service
• Configuring the Cisco CTL Client
• Updating the CTL File
• Configuring the Device Security Mode
• Using the Certificate Authority Proxy Function
• Troubleshooting
Configuring the Security Device System Default for Supported Phone Models
Note
This procedure requires that you reset the devices and restart the Cisco CallManager service for the changes to take effect.
In Cisco CallManager Administration, the security device system default for all phone types displays as Non-Secure. To set the security device system default to Authenticated or Encrypted, perform the following procedure:
Procedure
Step 1
From Cisco CallManager Administration, choose System > Enterprise Parameters.
Step 2
In the Security Parameters section, locate Device Security Mode.
Step 3
From the drop-down list box, choose Authenticated or Encrypted. For more information, see Table 5-1.
Step 4
At the top of the Enterprise Parameters window, click Update.
Step 5
Reset all devices in the cluster; see the "Resetting Devices, Restarting Services, or Rebooting the Server/Cluster" section.
Step 6
Restart the Cisco CallManager service for the changes to take effect.
Related Topics
• System Requirements
• Interactions and Restrictions
• Configuring the Device Security Mode
• Using the Certificate Authority Proxy Function
Configuring the Device Security Mode for a Single Device
To configure the device security mode for a single device, perform the following procedure. This procedure assumes that you have already added the device to the database and, if the phone did not already contain a certificate, installed one.
Configuring the Device Security Mode in the Phone Configuration window of Cisco CallManager Administration triggers a rebuild of the device configuration .xml file. After you configure the device security mode for the first time, or whenever you change it, you must reset the device so that the phone requests the new configuration file.
Procedure
Step 1
In Cisco CallManager Administration, choose Device > Phone.
Step 2
Specify the criteria to find the phone and click Find, or click Find without criteria to display a list of all phones.
If you have not added the phone to the database, the phone does not display in the list. For information on adding a phone, refer to the Cisco CallManager Administration Guide.
Step 3
To open the Phone Configuration window for the device, click the device name.
Step 4
Locate the Device Security Mode drop-down list box.
If the phone type does not support security, this option does not display. You cannot configure authentication or encryption for the phone type.
Step 5
From the Device Security Mode drop-down list box, choose the option that you want to configure. See Table 5-1 for information on the options.
The Device Security Mode drop-down list box displays only if the phone supports authentication or encryption, and it lists only the modes the phone supports. For example, if the phone does not support encryption, the Encrypted option does not display in the drop-down list box.
Step 6
Click Update.
Step 7
Click Reset Phone.
Caution
When you reset the phone, the system drops all calls that are occurring through a gateway.
Related Topics
• System Requirements
• Interactions and Restrictions
• Configuring the Device Security Mode
• Using the Certificate Authority Proxy Function
Using the Cisco Bulk Administration Tool to Configure the Device Security Mode
You can use the Cisco Bulk Administration Tool that supports Cisco CallManager 4.1(2) to configure the device security mode for specific phone models that support encryption or authentication. For more information on how to perform this task, refer to the Bulk Administration Tool User Guide that supports this version of Cisco CallManager.
Related Topics
• System Requirements
• Interactions and Restrictions
• Configuring the Device Security Mode
• Using the Certificate Authority Proxy Function
• Bulk Administration Tool User Guide
Device Security Mode Configuration Settings
The options in Table 5-1 exist for the device security mode.
Table 5-1 Device Security Modes
Option             | Description
Use System Default | The phone uses the value that you specified for the enterprise parameter, Device Security Mode.
Non-secure         | No security features except image authentication exist for the phone. A TCP connection opens to Cisco CallManager.
Authenticated      | Cisco CallManager provides integrity and authentication for the phone. A TLS connection that uses NULL/SHA opens.
Encrypted          | Cisco CallManager provides integrity, authentication, and encryption for the phone. A TLS connection that uses AES128/SHA opens.
Related Topics
• System Requirements
• Interactions and Restrictions
• Configuring the Device Security Mode
• Using the Certificate Authority Proxy Function
• Bulk Administration Tool User Guide
Finding Phones for Authentication, Encryption, and LSC Status
To find a phone that is associated with the security features, you can choose one of the following criteria in the Phone Find/List window in Cisco CallManager Administration:
• Device Security Mode—Choosing this option returns a list of phones that support authentication or encryption. If you choose this option, you can also specify whether the device is Authenticated or Encrypted. After you click the Find button, the phone model, Device Security Mode, Device Name, Description, Directory Number, Owner User ID, and so on display (if configured).
• LSC Status—Choosing this option returns a list of phones that use CAPF to install, upgrade, delete, or troubleshoot locally significant certificates. If you choose this option, you can also specify the Certification Operation that CAPF is currently performing; for example, Operation Pending, Success, Upgrade Failed, Delete Failed, or Troubleshoot Failed. After you click the Find button, the phone model, LSC Status, Device Name, Description, Directory Number, and Owner User ID display (if configured).
For information on how to find and list phones, refer to the Cisco CallManager Administration Guide.
Tip
From the Phone Find/List window in Cisco CallManager Administration, you can also delete and reset devices.
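The following audit script is an added example and not part of the Cisco guide. It resolves each phone's effective Device Security Mode (a per-device value of Use System Default inherits the Device Security Mode enterprise parameter), maps the result to the transport listed in Table 5-1, and flags phones that fall below a required mode or whose last CAPF operation failed. The Phone class, the inventory rows and the device names are constructed for illustration; in practice the rows would come from the Phone Find/List window.

```python
# Added example (not from the Cisco guide): resolve each phone's effective Device
# Security Mode and flag phones below a required mode or with a failed CAPF
# (LSC) operation. Phone class, inventory rows and device names are constructed.
from dataclasses import dataclass

# Table 5-1 transport per mode: NULL/SHA is integrity only, AES128/SHA also encrypts
TRANSPORT = {
    "Non-secure": "TCP",
    "Authenticated": "TLS NULL/SHA",
    "Encrypted": "TLS AES128/SHA",
}
STRENGTH = {"Non-secure": 0, "Authenticated": 1, "Encrypted": 2}
# LSC Status values (Phone Find/List window) that mean the CAPF operation failed
FAILED_LSC = {"Upgrade Failed", "Delete Failed", "Troubleshoot Failed"}

@dataclass
class Phone:
    name: str
    model: str
    mode: str        # per-device Device Security Mode or "Use System Default"
    lsc_status: str  # result of the last CAPF certification operation

def effective_mode(phone, enterprise_default):
    """Per-device value wins; "Use System Default" inherits the enterprise parameter."""
    return enterprise_default if phone.mode == "Use System Default" else phone.mode

def audit(phones, enterprise_default, required="Authenticated"):
    """Return (device, issue) pairs for phones below `required` or with a failed LSC op."""
    findings = []
    for p in phones:
        mode = effective_mode(p, enterprise_default)
        if STRENGTH[mode] < STRENGTH[required]:
            origin = ("inherited from enterprise parameter"
                      if p.mode == "Use System Default" else "set on device")
            findings.append((p.name, f"{mode} over {TRANSPORT[mode]} ({origin})"))
        if p.lsc_status in FAILED_LSC:
            findings.append((p.name, f"LSC status {p.lsc_status}: rerun the CAPF operation"))
    return findings

# Constructed inventory, shaped like rows from the Phone Find/List window
INVENTORY = [
    Phone("SEP000000000001", "7960", "Encrypted", "Success"),
    Phone("SEP000000000002", "7970", "Use System Default", "Success"),
    Phone("SEP000000000003", "7940", "Authenticated", "Upgrade Failed"),
    Phone("SEP000000000004", "7960", "Non-secure", "Operation Pending"),
]

if __name__ == "__main__":
    # The enterprise parameter ships as Non-Secure, so phone 2 inherits a plain TCP connection
    for device, issue in audit(INVENTORY, enterprise_default="Non-secure"):
        print(device, "-", issue)
```

Changing the enterprise parameter moves every Use System Default phone at once, but only after the cluster-wide reset and service restart described earlier in this chapter.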
Related Topics
• Cisco CallManager Administration Guide
• Using the Certificate Authority Proxy Function
Phone Hardening
To tighten security on the phone, you can perform tasks in the Phone Configuration window of Cisco CallManager Administration. This section contains information on the following topics:
• Disabling the Gratuitous ARP Setting
• Disabling Web Access Setting
• Disabling the PC Voice VLAN Access Setting
• Disabling the Setting Access Setting
• Disabling the PC Port Setting
Disabling the Gratuitous ARP Setting
By default, Cisco IP Phones accept Gratuitous ARP (GARP) packets, which devices use to announce their presence on the network. However, an attacker can use these packets to spoof a valid network device; for example, an attacker could send a GARP that claims to be the default router. You can disable Gratuitous ARP in the Phone Configuration window of Cisco CallManager Administration.
Note
Disabling GARP does not prevent the phone from identifying its default router.
Disabling Web Access Setting
Disabling the web server functionality for the phone blocks access to the phone internal web pages, which provide statistics and configuration information. Features such as the Cisco Quality Report Tool do not function properly without access to the phone web pages. Disabling the web server also affects any serviceability application, such as CiscoWorks, that relies on web access.
To determine whether web services are disabled, the phone parses a parameter in its configuration file that indicates whether the services are disabled or enabled. If web services are disabled, the phone does not open HTTP port 80 for monitoring purposes and blocks access to its internal web pages.
Disabling the PC Voice VLAN Access Setting
By default, Cisco IP Phones forward all packets that are received on the switch port (the port that faces the upstream switch) to the PC port. If you disable the PC Voice VLAN Access setting in the Phone Configuration window of Cisco CallManager Administration, packets received from the PC port that use voice VLAN functionality are dropped. Cisco IP Phone models implement this functionality differently:
• Cisco IP Phone models 7940 and 7960 drop any packet tagged with the voice VLAN, in or out of the PC port.
• Cisco IP Phone model 7970 drops any packet that carries an 802.1Q tag on any VLAN, in or out of the PC port.
• Cisco IP Phone model 7912 does not support this functionality.
Disabling the Setting Access Setting
By default, pressing the Settings button on a Cisco IP Phone provides access to a variety of information, including phone configuration information. Disabling the Setting Access setting in the Phone Configuration window of Cisco CallManager Administration prohibits access to all options that normally display when you press the Settings button on the phone; for example, the Contrast, Ring Type, Network Configuration, Model Information, and Status settings.
If you disable this setting, the preceding options do not display on the phone, and the phone user cannot save the settings that are associated with the Volume button; for example, the user cannot save the volume level.
Disabling this setting automatically saves the current Contrast, Ring Type, Network Configuration, Model Information, Status, and Volume settings that exist on the phone. To change these phone settings, you must re-enable the Setting Access setting in Cisco CallManager Administration.
Disabling the PC Port Setting
By default, Cisco CallManager enables the PC port on all Cisco IP Phones that have a PC port. You can disable the PC Port setting in the Phone Configuration window of Cisco CallManager Administration. Disabling the PC port is useful for lobby or conference room phones, where an unattended port would otherwise offer network access to anyone who plugs in.
Related Topics
• Interactions and Restrictions
• Performing Phone Hardening Tasks
• Cisco IP Phone Administration Guide for Cisco CallManager
Performing Phone Hardening Tasks
Caution
The following procedure disables functionality for the phone.
Perform the following procedure:
Procedure
Step 1
In Cisco CallManager Administration, choose Device > Phone.
Step 2
Specify the criteria to find the phone and click Find or click Find to display a list of all phones.
Step 3
To open the Phone Configuration window for the device, click the device name.
Step 4
Locate the following product-specific parameters:
• PC Port
• Settings Access
• Gratuitous ARP
• PC Voice VLAN Access
• Web Access
Tip
To review information on these settings, click the i button that displays next to the parameters in the Phone Configuration window.
Step 5
From the drop-down list box for each parameter that you want to disable, choose Disabled.
Step 6
Click Update.
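As an added example that is not part of the Cisco guide, the following script checks the five product-specific parameters from Step 4 against a per-role policy and reports which ones are still Enabled, together with the side effects the Phone Hardening sections above describe. The phone records, the BASELINE and LOBBY policies, and the function names are constructed; the parameter names and values match the Phone Configuration window.

```python
# Added example (not from the Cisco guide): check the product-specific hardening
# parameters of Step 4 against a per-role policy and report what is still
# Enabled. Phone records, role policies and function names are constructed.
HARDENING_PARAMS = ("PC Port", "Settings Access", "Gratuitous ARP",
                    "PC Voice VLAN Access", "Web Access")

# Side effects of disabling, as described in the Phone Hardening sections
SIDE_EFFECTS = {
    "Web Access": "Quality Report Tool and web-based serviceability tools lose access",
    "Settings Access": "users cannot view or change Contrast, Ring Type, Network Configuration, or save Volume",
    "PC Port": "no PC can connect behind the phone",
}
# Models that cannot filter voice-VLAN traffic on the PC port (the 7912, per the guide)
NO_VOICE_VLAN_FILTER = {"7912"}

def check_phone(phone, must_disable):
    """phone: {"name", "model", "params": {param: "Enabled" | "Disabled"}}.
    must_disable: parameters the phone's role requires to be Disabled.
    Returns (findings, notes)."""
    findings, notes = [], []
    for param in HARDENING_PARAMS:
        value = phone["params"].get(param, "Enabled")  # CallManager default
        if param in must_disable and value != "Disabled":
            findings.append(f"{param} is {value}; must be Disabled")
            if param in SIDE_EFFECTS:
                notes.append(f"disabling {param}: {SIDE_EFFECTS[param]}")
    if phone["model"] in NO_VOICE_VLAN_FILTER and "PC Voice VLAN Access" in must_disable:
        notes.append(f"model {phone['model']} cannot enforce PC Voice VLAN Access")
    return findings, notes

def audit(phones):
    """Map each device name to its (findings, notes)."""
    return {p["name"]: check_phone(p, p["policy"]) for p in phones}

# Constructed policies: every phone drops GARP, web and settings access;
# lobby/conference phones additionally lose the PC port and voice-VLAN access.
BASELINE = {"Gratuitous ARP", "Web Access", "Settings Access"}
LOBBY = BASELINE | {"PC Port", "PC Voice VLAN Access"}
PHONES = [
    {"name": "SEP000000000010", "model": "7960", "policy": LOBBY,
     "params": {"Gratuitous ARP": "Disabled", "PC Port": "Disabled"}},
    {"name": "SEP000000000011", "model": "7912", "policy": LOBBY,
     "params": {"Gratuitous ARP": "Disabled", "Web Access": "Disabled",
                "Settings Access": "Disabled", "PC Port": "Disabled"}},
]

if __name__ == "__main__":
    for name, (findings, notes) in audit(PHONES).items():
        print(name, findings, notes)
```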
Related Topics
• Interactions and Restrictions
• Disabling the Gratuitous ARP Setting
• Disabling Web Access Setting
• Disabling the PC Voice VLAN Access Setting
• Disabling the Setting Access Setting
• Disabling the PC Port Setting