| Feature | Description |
| --- | --- |
| Customer-site certificate installation | Each Cisco IP Phone requires a unique certificate for device authentication. Phones include a manufacturing installed certificate (MIC), but for additional security, you can specify in Cisco Unified Communications Manager Administration that a certificate be installed by using the Certificate Authority Proxy Function (CAPF). Alternatively, you can install a Locally Significant Certificate (LSC) from the Security Configuration menu on the phone. |
| Device authentication | Occurs between the Cisco Unified Communications Manager server and the phone when each entity accepts the certificate of the other entity. Determines whether a secure connection between the phone and a Cisco Unified Communications Manager should occur and, if necessary, creates a secure signaling path between the entities by using the TLS protocol. Cisco Unified Communications Manager will not register phones unless they can be authenticated by the Cisco Unified Communications Manager. |
| File authentication | Validates digitally signed files that the phone downloads. The phone validates the signature to make sure that file tampering did not occur after the file creation. Files that fail authentication are not written to Flash memory on the phone. The phone rejects such files without further processing. |
| Signaling Authentication | Uses the TLS protocol to validate that no tampering has occurred to signaling packets during transmission. |
| Manufacturing installed certificate | Each Cisco IP Phone contains a unique manufacturing installed certificate (MIC), which is used for device authentication. The MIC is a permanent unique proof of identity for the phone, and allows Cisco Unified Communications Manager to authenticate the phone. |
| Secure SRST reference | After you configure an SRST reference for security and then reset the dependent devices in Cisco Unified Communications Manager Administration, the TFTP server adds the SRST certificate to the phone cnf.xml file and sends the file to the phone. A secure phone then uses a TLS connection to interact with the SRST-enabled router. |
| Media encryption | Uses SRTP to ensure that the media streams between supported devices prove secure and that only the intended device receives and reads the data. Includes creating a media master key pair for the devices, delivering the keys to the devices, and securing the delivery of the keys while the keys are in transport. |
| CAPF (Certificate Authority Proxy Function) | Implements parts of the certificate generation procedure that are too processing-intensive for the phone, and interacts with the phone for key generation and certificate installation. The CAPF can be configured to request certificates from customer-specified certificate authorities on behalf of the phone, or it can be configured to generate certificates locally. |
| Security profiles | Defines whether the phone is nonsecure or encrypted. |
| Encrypted configuration files | Lets you ensure the privacy of phone configuration files. |
Cisco IP Phone 7800 Series Administration Guide for Cisco Unified Communications Manager
Supported Security Features