Cisco Unified IP Phone 7906G and 7911G for Cisco Unified Communications Manager 8.0
OL-21033-01
Chapter 1 An Overview of the Cisco Unified IP Phone
Understanding Security Features for Cisco Unified IP Phones
Table 1-4 Overview of Security Features (continued)

Feature: Description

Customer-site certificate installation: Each Cisco Unified IP Phone requires a unique certificate for device authentication. Phones include a manufacturing installed certificate (MIC), but for additional security, you can specify in Cisco Unified Communications Manager Administration that a certificate be installed by using the Certificate Authority Proxy Function (CAPF). Alternatively, you can install a Locally Significant Certificate (LSC) from the Security Configuration menu on the phone. See Configuring Security on the Cisco Unified IP Phone, page 3-12 for more information.

Device authentication: Occurs between the Cisco Unified Communications Manager server and the phone when each entity accepts the certificate of the other entity. Determines whether a secure connection between the phone and a Cisco Unified Communications Manager should occur, and, if necessary, creates a secure signaling path between the entities by using the Transport Layer Security (TLS) protocol. Cisco Unified Communications Manager does not register phones configured in authenticated or encrypted mode unless they can be authenticated by the Cisco Unified Communications Manager.

File authentication: Validates digitally signed files that the phone downloads. The phone validates the signature to make sure that file tampering did not occur after the file creation. Files that fail authentication are not written to Flash memory on the phone. The phone rejects such files without further processing.

Signaling authentication: Uses the TLS protocol to validate that no tampering has occurred to signaling packets during transmission.

Manufacturing installed certificate: Each Cisco Unified IP Phone 7906G and 7911G contains a unique MIC, which is used for device authentication. The MIC is a permanent unique proof of identity for the phone, and allows Cisco Unified Communications Manager to authenticate the phone.

Secure SRST reference: After you configure an SRST reference for security and then reset the dependent devices in Cisco Unified Communications Manager Administration, the TFTP server adds the SRST certificate to the phone cnf.xml file and sends the file to the phone. A secure phone then uses a TLS connection to interact with the SRST-enabled router.

Media encryption: Uses SRTP to ensure that the media streams between supported devices prove secure and that only the intended device receives and reads the data. Includes creating a media master key pair for the devices, delivering the keys to the devices, and securing the delivery of the keys while the keys are in transport.

Signaling encryption: Ensures that all SCCP and SIP signaling messages that are sent between the device and the Cisco Unified Communications Manager server are encrypted.

CAPF (Certificate Authority Proxy Function): Implements parts of the certificate generation procedure that are too processing-intensive for the phone, and interacts with the phone for key generation and certificate installation. The CAPF can be configured to request certificates from customer-specified certificate authorities on behalf of the phone, or it can be configured to generate certificates locally.
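
The file authentication behaviour described in the table (validate the signature, and never write a failing file to storage) can be illustrated with the following added example, which is not Cisco code and does not reproduce the phone's signed-file format. It assumes OpenSSL detached RSA/SHA-256 signatures; the signer key, file names and the `flash` directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added illustration, not Cisco code: authenticate a downloaded file before
# it is committed to storage. Key, file names and "flash" dir are constructed.

# install_if_authentic FILE SIG PUBKEY DESTDIR
# Copies FILE into DESTDIR only if SIG is a valid RSA/SHA-256 signature over
# it; otherwise returns non-zero and writes nothing to DESTDIR.
install_if_authentic() {
    file=$1; sig=$2; pub=$3; dest=$4
    if openssl dgst -sha256 -verify "$pub" -signature "$sig" "$file" \
            >/dev/null 2>&1; then
        # Stage under a temporary name so a partial copy is never picked up.
        cp "$file" "$dest/.incoming.$$" &&
            mv "$dest/.incoming.$$" "$dest/$(basename "$file")"
    else
        return 1
    fi
}

# demo genuine|tampered
# Prints "<verdict> <number of files stored>" for a constructed download.
demo() {
    work=$(mktemp -d)
    mkdir "$work/flash"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$work/signer.key" 2>/dev/null
    openssl pkey -in "$work/signer.key" -pubout -out "$work/signer.pub"
    printf 'constructed payload\n' > "$work/download.bin"
    openssl dgst -sha256 -sign "$work/signer.key" \
        -out "$work/download.bin.sig" "$work/download.bin"
    # Simulate modification after the file was signed.
    if [ "$1" = tampered ]; then
        printf 'injected\n' >> "$work/download.bin"
    fi
    if install_if_authentic "$work/download.bin" "$work/download.bin.sig" \
            "$work/signer.pub" "$work/flash"; then
        verdict=accepted
    else
        verdict=rejected
    fi
    stored=$(( $(ls -A "$work/flash" | wc -l) ))
    rm -rf "$work"
    echo "$verdict $stored"
}

demo genuine
demo tampered
```

The verification runs against the file exactly as received, and the copy into the destination directory happens only on the success branch, so a rejected file leaves the store unchanged.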