Phone Security / Encryption Questions

Ess Emque
Level 1

Hello all,

Sorry for the many questions, but I am confused by some of the security settings and I'm just starting to learn this. Hopefully you can answer some of them to help me better understand it :) Thank you.

When I choose to make a secure device profile, I can have a few options on what to choose:

TFTP Encrypted Config:

What does enabling this option do? The doc says "When this check box is checked, Cisco Unified Communications Manager encrypts phone downloads from the TFTP server", but I don't really know what this means. Does this mean the SEPxxxx.xml gets encrypted?

Authentication Mode:

Where exactly is it used? Is it only for the very first install of the LSC? I think this is the bit that confuses me most. Here I can choose Null String, Existing Certificate etc. I can then apply the security profile to the phone, but then I have to initiate the actual install operation manually from the phone, where I can set all this stuff again. Does the stuff from this menu overwrite the information in the security profile?

For example

- If I choose "Existing Certificate" in the security profile, but in the CAPF info I choose Null String, then what will happen?

- If I only assign a profile and don't configure anything under CAPF, will it still install the LSC? Or do you always need to start off the LSC install manually?

The document says 'The CAPF settings that are configured in the Phone Security Profile window interact with the CAPF parameters that are configured in the Phone Configuration window', but again, I don't understand what it means.

SIP Phone Port:

When changing to encrypted, this stays at 5060. Should this be changed to 5061?

Thank you :)

3 Replies

Manish Gogna
Cisco Employee

Hi Ess,

Regarding the first query: after you enable the TFTP Encrypt Config option, configure the required parameters in Cisco Unified Communications Manager Administration and the phone, and restart the required services in Cisco Unified Serviceability, the TFTP server

1. Deletes all clear text configuration files on disk

2. Generates encrypted versions of the configuration files

If the phone supports encrypted phone configuration files and if you performed the necessary tasks for phone configuration file encryption, the phone requests an encrypted version of the configuration file.


Authentication related details are given here

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/8_6_1/secugd/sec-861-cm/secusccp.html


5061 is the default SIP secure port for incoming TLS messages; it does not really affect the encrypted config download.

Manish

- Do rate helpful posts -
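Two of the questions in this thread (is the phone's config really encrypted on the TFTP server, and what listens on 5061) can be checked from the outside. The script below is an added example written for this page; it is not from Cisco or from either poster. It assumes only the CUCM TFTP naming convention (SEP<MAC>.cnf.xml for clear, .cnf.xml.sgn for signed, .cnf.xml.enc.sgn for encrypted-and-signed) and that a readable config shows an XML prolog or root element near the start of the file. The sample files and their element names are constructed for illustration; fetch the real file with any TFTP client and pass its bytes in.

```python
"""Checks for two questions above: is the phone's TFTP config actually encrypted,
and does the CUCM node complete a TLS handshake on 5061?  Added example; the
sample files at the bottom are constructed, not real phone configs."""
import math
import re
import socket
import ssl
import xml.etree.ElementTree as ET

# A readable config reveals itself by its XML prolog or root element within the
# first few KB (signed .sgn files carry a binary signature header first).
_XML_MARKER = re.compile(rb"<\?xml|<device[\s>]", re.IGNORECASE)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, XML text well below 6."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_config(filename: str, data: bytes) -> str:
    """Classify a file pulled from the CUCM TFTP server.

    CUCM naming: SEP<MAC>.cnf.xml (clear), .cnf.xml.sgn (signed, still
    readable), .cnf.xml.enc.sgn (encrypted then signed).  The content check
    catches a file whose name promises encryption but whose body is readable.
    """
    name = filename.lower()
    readable = _XML_MARKER.search(data[:4096]) is not None
    if name.endswith(".enc.sgn"):          # test before the broader ".sgn"
        return "encrypted" if not readable else "cleartext-despite-enc-name"
    if name.endswith(".sgn"):
        return "signed" if readable else "unknown"
    if readable:
        return "cleartext"
    return "encrypted" if shannon_entropy(data) > 7.0 else "unknown"


def readable_fields(data: bytes) -> dict:
    """Leaf elements anyone on the LAN gets for free from a cleartext config.
    Returns {} when no XML payload is visible (i.e. the file is encrypted)."""
    m = _XML_MARKER.search(data)
    if m is None:
        return {}
    root = ET.fromstring(data[m.start():])
    return {el.tag: (el.text or "").strip() for el in root.iter() if len(el) == 0}


def probe_sip_tls(host: str, port: int = 5061, timeout: float = 5.0) -> dict:
    """Network check (not exercised offline): does host:port finish a TLS handshake?
    Certificate verification is off because CUCM's self-signed CallManager cert is
    not in the system trust store; this is a reachability probe, not an
    authentication check.  A handshake alert may mean the node demands a client
    certificate (mutual TLS), which is expected for a secure phone profile."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True) or b""
                return {"tls": True, "version": tls.version(), "cert_bytes": len(der)}
    except (OSError, ssl.SSLError) as exc:
        return {"tls": False, "error": str(exc)}


# Constructed samples; element names are illustrative, not the real SEP schema.
SAMPLE_CLEAR = (b'<?xml version="1.0" encoding="UTF-8"?>\n<device>\n'
                b'  <deviceProtocol>SIP</deviceProtocol>\n'
                b'  <sipPort>5060</sipPort>\n'
                b'  <deviceSecurityMode>1</deviceSecurityMode>\n'
                b'</device>\n')
SAMPLE_SIGNED = b"\x01\x02SIGNATURE-HEADER-PLACEHOLDER\x00\x00" + SAMPLE_CLEAR
SAMPLE_ENCRYPTED = bytes(range(256)) * 4   # stands in for ciphertext: entropy 8.0


if __name__ == "__main__":
    for fname, blob in [("SEP001122334455.cnf.xml", SAMPLE_CLEAR),
                        ("SEP001122334455.cnf.xml.sgn", SAMPLE_SIGNED),
                        ("SEP001122334455.cnf.xml.enc.sgn", SAMPLE_ENCRYPTED)]:
        print(fname, classify_config(fname, blob), readable_fields(blob))
```

The point of the content check rather than trusting the filename: after "TFTP Encrypted Config" is enabled the server is supposed to delete the cleartext files, and the only way to confirm that from a phone's network segment is to request SEP<MAC>.cnf.xml and see whether you get readable XML back.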

Hello Manish,

Thank you so much for the great answer.

1. The TFTP encrypted option I now understand

2. I have read on the document you linked to for authentication, but I'm still confused on where exactly it works, as above. I don't think the document tells this too clearly.

3. Sorry the 5061 and TFTP questions were unrelated. My question about this is, do we need to change to 5061 manually when we change to TLS? The page seems to leave this at the 5060 default.

Thanks again and many thanks

Ess

Hi Ess,

The following information is available regarding Authentication in the cucm security guide:

The Cisco Unified Communications Manager installation creates a self-signed certificate on the Cisco Unified Communications Manager and TFTP server. You may also choose to use a third-party, CA-signed certificate for Cisco Unified Communications Manager instead of the self-signed certificate. After you configure authentication, Cisco Unified Communications Manager uses the certificate to authenticate with supported Cisco Unified IP Phones.

Further details:

Image Authentication

This process prevents tampering with the binary image, the firmware load, prior to loading it on the phone. Tampering with the image causes the phone to fail the authentication process and reject the image. Image authentication occurs through signed binary files that automatically install when you install Cisco Unified Communications Manager. Likewise, firmware updates that you download from the web also provide signed binary images.

Device Authentication

This process validates the identity of the communicating device and ensures that the entity is who it claims to be. For a list of devices that are supported, see "Supported Phone Models" section.

Device authentication occurs between the Cisco Unified Communications Manager server and supported Cisco Unified IP Phones, SIP trunks, or JTAPI/TAPI/CTI applications (when supported). An authenticated connection occurs between these entities only when each entity accepts the certificate of the other entity. Mutual authentication describes this process of mutual certificate exchange.

Device authentication relies on the creation of the Cisco CTL file (for authenticating Cisco Unified Communications Manager server node and applications), as described in the "Configuring the Cisco CTL Client" section, and the Certificate Authority Proxy Function (for authenticating phones and JTAPI/TAPI/CTI applications), as described in the "Using the Certificate Authority Proxy Function" section.

Reference:

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/8_6_1/secugd/sec-861-cm/secuview.html#wpxref78652

Port 5061 is the default SIP secured port for incoming TLS messages.

Manish