Fingerprint verification in Proximity v3.1.0

lbarrett@laingorourke.com.au · ‎06-16-2021

Hi,

Can you please assist with the following queries regarding the fingerprint verification introduced in v3.1.0 of the Cisco Proximity client.

What are the implications for host fingerprint verification when the VC endpoint is running software before CE9.14.3?
Can the fingerprints be implicitly trusted administratively (e.g. via CA trusts) or does a fingerprint verification need to be manually performed on each proximity client for each VC endpoint?

Thanks in advance

Regards

Lawrence

mneergaa · ‎08-05-2021

Apologies for the belated reply.

1. To actually verify the fingerprint, you'd have to calculate it yourself (not really feasible for an end user) or have someone e.g. write the fingerprint down on a post-it placed by the touch panel. If the users can't verify the fingerprint, the security implication is that the data sent between the client and the Cisco endpoint could possibly be intercepted or modified by a third party with access to your network.

2. You could conceivably build a service that gets the fingerprints from all the endpoints and creates a database of endpoints, then distribute the list to all clients. This, however, would be a lot of work, and likely not perfect in any case. If the system is connected to the Webex cloud and using cloud proximity, you get this fingerprint through the cloud, and don't have to worry about that part. It is possible to use Webex Edge to enable on-prem calling with a subset of cloud features as well.