Cisco Systems 7970G

1-15

Cisco Unified IP Phone Administration Guide for Cisco Unified CallManager 5.1 (SIP), Cisco Unified IP Phones

OL-11524-01

Chapter1 An Overview of the Cisco Unified IP Phone

Understanding Security Features for Cisco Unified IP Phones

Table1-3 Overview of Security Features

Feature Description

Image authentication Signed binary files (with the extension .sbn) prevent tampering with

the firmware image before it is loaded on a phone. Tampering with

the image causes a phone to fail the authentication process and

reject the new image.

Customer-site certificate

installation

Each Cisco Unified IP Phone requires a unique certificate for device

authentication. Phones include a manufacturing installed

certificate, but for additional security, you can specify in Cisco

UnifiedCallManager Administration that a certificate be installed

by using the CAPF. Alternatively, you can initiate the installation

of an LSC from the Security Configuration menu on the phone.

Device authentication Occurs between the Cisco Unified CallManager server and the

phone when each entity accepts the certificate of the other entity.

Determines whether a secure connection between the phone and a

Cisco UnifiedCallManager should occur, and, if necessary, creates

a secure signaling path between the entities using TLS protocol.

Cisco UnifiedCallManager will not register phones unless they can

be authenticated by the Cisco UnifiedCallManager.

File authentication Validates digitally-signed files that the phone downloads. The

phone validates the signature to make sure that file tampering did

not occur after the file creation. Files that fail authentication are not

written to Flash memory on the phone. The phone rejects such files

without further processing.

Signaling Authentication Uses the TLS protocol to validate that no tampering has occurred to

signaling packets during transmission.

Manufacturing installed

certificate

Each Cisco Unified IP Phone contains a unique manufacturing

installed certificate (MIC), which is used for device authentication.

The MIC is a permanent unique proof of identity for the phone, and

allows Cisco Unified CallManager to authenticate the phone.

Media encryption Uses SRTP to ensure that the media streams between supported

devices proves secure and that only the intended device receives

and reads the data. Includes creating a media master key pair for the

devices, delivering the keys to the devices, and securing the

delivery of the keys while the keys are in transport.