Supported Security Features


The following table provides an overview of the security features that the Cisco Unified IP Phones support. For more information about these features and about Cisco Unified Communications Manager and Cisco Unified IP Phone security, see the Cisco Unified Communications Manager Security Guide.


For information about current security settings on a phone, choose Settings > Security Configuration and choose Settings > Device Configuration > Security Configuration.


Note: Most security features are available only if a certificate trust list (CTL) is installed on the phone. For more information about the CTL, see the "Configuring the Cisco CTL Client" chapter in the Cisco Unified Communications Manager Security Guide.


Image authentication
Signed binary files (with the extension .sbn) prevent tampering with the firmware image before it is loaded on a phone. Tampering with the image causes a phone to fail the authentication process and reject the new image.

Customer-site certificate installation
Each Cisco Unified IP Phone requires a unique certificate for device authentication. Phones include a manufacturing installed certificate (MIC), but for additional security, you can specify in Cisco Unified Communications Manager Administration that a certificate be installed by using the Certificate Authority Proxy Function (CAPF). Alternatively, you can install a Locally Significant Certificate (LSC) from the Security Configuration menu on the phone.

Device authentication
Occurs between the Cisco Unified Communications Manager server and the phone when each entity accepts the certificate of the other entity. Determines whether a secure connection between the phone and a Cisco Unified Communications Manager should occur and, if necessary, creates a secure signaling path between the entities by using the TLS protocol. Cisco Unified Communications Manager will not register phones unless they can be authenticated by the Cisco Unified Communications Manager.

File authentication
Validates digitally signed files that the phone downloads. The phone validates the signature to make sure that file tampering did not occur after file creation. Files that fail authentication are not written to Flash memory on the phone. The phone rejects such files without further processing.

Signaling authentication
Uses the TLS protocol to validate that no tampering has occurred to signaling packets during transmission.

Manufacturing installed certificate
Each Cisco Unified IP Phone contains a unique manufacturing installed certificate (MIC), which is used for device authentication. The MIC is a permanent, unique proof of identity for the phone, and allows Cisco Unified Communications Manager to authenticate the phone.

Secure SRST reference
After you configure an SRST reference for security and then reset the dependent devices in Cisco Unified Communications Manager Administration, the TFTP server adds the SRST certificate to the phone cnf.xml file and sends the file to the phone. A secure phone then uses a TLS connection to interact with the SRST-enabled router.

Media encryption
Uses SRTP to ensure that the media streams between supported devices are secure and that only the intended device receives and reads the data. Includes creating a media master key pair for the devices, delivering the keys to the devices, and securing the delivery of the keys while the keys are in transport.

Signaling encryption
Ensures that all SCCP and SIP signaling messages that are sent between the device and the Cisco Unified Communications Manager server are encrypted.

CAPF (Certificate Authority Proxy Function)
Implements parts of the certificate generation procedure that are too processing-intensive for the phone, and interacts with the phone for key generation and certificate installation. The CAPF can be configured to request certificates from customer-specified certificate authorities on behalf of the phone, or it can be configured to generate certificates locally.

Security profiles
Defines whether the phone is nonsecure, authenticated, encrypted, or protected.

Encrypted configuration files
Lets you ensure the privacy of phone configuration files.

Optional disabling of the web server functionality for a phone
You can prevent access to a phone's web page, which displays a variety of operational statistics for the phone.

Phone hardening
Additional security options, which you control from Cisco Unified Communications Manager Administration:

  • Disabling PC port
  • Disabling Gratuitous ARP (GARP)
  • Disabling PC Voice VLAN access
  • Disabling access to the Settings menus, or providing restricted access that allows access to the User Preferences menu and saving volume changes only
  • Disabling access to web pages for a phone

You can view current settings for the PC Port Disabled, GARP Enabled, and Voice VLAN Enabled options by looking at the phone's Security Configuration menu.

802.1X Authentication
The Cisco Unified IP Phone can use 802.1X authentication to request and gain access to the network.
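A defender-side audit of the phone hardening options listed above, written as an added example (not Cisco code): it parses a transcription of a phone's Security Configuration menu values and reports every option that deviates from a hardened baseline. The "Option : Value" line format, the sample values, and the option names beyond the three the text names (PC Port Disabled, GARP Enabled, Voice VLAN Enabled) are assumptions.

```python
import re

# Constructed sample transcription of a phone's Security Configuration menu
# (assumption: one "Option : Value" pair per line; values are constructed).
SAMPLE_MENU = """\
PC Port Disabled : No
GARP Enabled : Yes
Voice VLAN Enabled : Yes
Web Access Enabled : Yes
Settings Access : Restricted
"""

# Hardened values for the five options under "Phone hardening". The last two
# option names are assumed; for Settings Access, Disabled and Restricted both
# satisfy the baseline (restricted access is an accepted hardening option).
HARDENED_BASELINE = {
    "PC Port Disabled": {"Yes"},
    "GARP Enabled": {"No"},
    "Voice VLAN Enabled": {"No"},
    "Web Access Enabled": {"No"},
    "Settings Access": {"Disabled", "Restricted"},
}

def parse_menu(text):
    """Parse 'Option : Value' lines into a dict; malformed lines are ignored."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+?)\s*:\s*(\S.*?)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def audit(settings, baseline=HARDENED_BASELINE):
    """Return sorted (option, observed, expected) tuples for every deviation.
    An option absent from the menu is reported with observed=None: a control
    that cannot be seen must not be assumed to be hardened."""
    findings = []
    for option, allowed in baseline.items():
        observed = settings.get(option)
        if observed not in allowed:
            findings.append((option, observed, "/".join(sorted(allowed))))
    return sorted(findings)

if __name__ == "__main__":
    for option, observed, expected in audit(parse_menu(SAMPLE_MENU)):
        print(f"{option}: observed {observed!r}, expected {expected}")
```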



Related Topics

Security Profiles

Security Restrictions

Authenticated, Encrypted, and Protected Phone Calls

Device Configuration Menu

802.1X Authentication

Cisco Unified IP Phone Security

Security Configuration Menu