Cisco Unified IP Phone 8961, 9951, and 9971 Administration Guide for Cisco Unified Communications Manager 8.5 (SIP)
OL-20861-01
Chapter 1 An Overview of the Cisco Unified IP Phone
Understanding Security Features for Cisco Unified IP Phones

Table 1-6 Overview of Security Features (continued)

Feature: CAPF (Certificate Authority Proxy Function)
Description: Implements parts of the certificate generation procedure that are too processing-intensive for the phone, and interacts with the phone for key generation and certificate installation. The CAPF can be configured to request certificates from customer-specified certificate authorities on behalf of the phone, or it can be configured to generate certificates locally.

Feature: Security profiles
Description: Defines whether the phone is nonsecure, authenticated, encrypted, or protected. See Table 1-6, which provides an overview of the security features that the Cisco Unified IP Phone 9971 supports. For more information about these features and about Cisco Unified Communications Manager and Cisco Unified IP Phone security, refer to the Cisco Unified Communications Manager Security Guide.

Feature: Encrypted configuration files
Description: Lets you ensure the privacy of phone configuration files.

Feature: Optional disabling of the web server functionality for a phone
Description: For security purposes, you can prevent access to a phone's web page (which displays a variety of operational statistics for the phone) and user options pages. For more information, see the "Enabling and Disabling Web Page Access" section on page 11-3.

Feature: Phone hardening
Description: Additional security options, which you control from Cisco Unified Communications Manager Administration:
• Disabling PC port
• Disabling Gratuitous ARP (GARP)
• Disabling PC Voice VLAN access
• Disabling access to the Setting menus, or providing restricted access that allows access to the Preferences menu and saving volume changes only
• Disabling access to web pages for a phone
• Disabling Bluetooth Accessory Port

Feature: 802.1X Authentication
Description: The Cisco Unified IP Phone can use 802.1X authentication to request and gain access to the network. See the "Supporting 802.1X Authentication on Cisco Unified IP Phones" section on page 1-22 for more information.

Feature: Secure SIP Failover for SRST
Description: After you configure an SRST reference for security and then reset the dependent devices in Cisco Unified CM Administration, the TFTP server adds the SRST certificate to the phone cnf.xml file and sends the file to the phone. A secure phone then uses a TLS connection to interact with the SRST-enabled router.

Feature: Signaling encryption
Description: Ensures that all SCCP and SIP signaling messages that are sent between the device and the Cisco Unified CM server are encrypted.

Related Topics
• Identifying Secure (Encrypted) Phone Calls, page 1-19
• Security Restrictions, page 1-23