C H A P T E R 9

Phone Hardening

To tighten security on the phone, you can perform tasks in the Phone Configuration window in Cisco CallManager Administration. This chapter contains information on the following topics:

Disabling the Gratuitous ARP Setting, page 9-1

Disabling Web Access Setting, page 9-1

Disabling the PC Voice VLAN Access Setting, page 9-2

Disabling the Setting Access Setting, page 9-2

Disabling the PC Port Setting, page 9-2

Configuring Phone Hardening, page 9-3

Where to Find More Information, page 9-3

Disabling the Gratuitous ARP Setting

By default, Cisco IP Phones accept Gratuitous ARP packets. Gratuitous ARP packets, which devices use, announce the presence of the device on the network. However, attackers can use these packets to spoof a valid network device; for example, an attacker could send out a packet that claims to be the default router. If you choose to do so, you can disable Gratuitous ARP in the Phone Configuration window of Cisco CallManager Administration.

Note Disabling this functionality does not prevent the phone from identifying its default router.

Disabling Web Access Setting

Disabling the web server functionality for the phone blocks access to the phone internal web pages, which provide statistics and configuration information. Features, such as Cisco Quality Report Tool, do not function properly without access to the phone web pages. Disabling the web server also affects any serviceability application, such as CiscoWorks, that relies on web access.

To determine whether the web services are disabled, the phone parses a parameter in the configuration file that indicates whether the services are disabled or enabled. If the web services are disabled, the phone does not open the HTTP port 80 for monitoring purposes and blocks access to the phone internal web pages.

Cisco CallManager Security Guide

 

OL-8356-01

9-1

 

 

 

Page 1
Image 1
Cisco Systems OL-8356-01 manual Disabling the Gratuitous ARP Setting, Disabling Web Access Setting