Cisco 7821 Administration Manual page 95

For Cisco Unified Communications Manager 10.0 (SIP)

Cisco IP Phone 7821, 7841, and 7861 Administration Guide for Cisco Unified Communications Manager 10.0 (SIP)

Feature: Description

Customer-site certificate installation: Each Cisco IP Phone requires a unique certificate for device authentication. Phones include a manufacturing installed certificate (MIC), but for additional security, you can specify in Cisco Unified Communications Manager Administration that a certificate be installed by using the Certificate Authority Proxy Function (CAPF). Alternatively, you can install a Locally Significant Certificate (LSC) from the Security Configuration menu on the phone.

Device authentication: Occurs between the Cisco Unified Communications Manager server and the phone when each entity accepts the certificate of the other entity. Determines whether a secure connection between the phone and a Cisco Unified Communications Manager should occur; and, if necessary, creates a secure signaling path between the entities by using the TLS protocol. Cisco Unified Communications Manager will not register phones unless they can be authenticated by the Cisco Unified Communications Manager.

File authentication: Validates digitally signed files that the phone downloads. The phone validates the signature to make sure that file tampering did not occur after the file creation. Files that fail authentication are not written to Flash memory on the phone. The phone rejects such files without further processing.

Signaling Authentication: Uses the TLS protocol to validate that no tampering has occurred to signaling packets during transmission.

Manufacturing installed certificate: Each Cisco IP Phone contains a unique manufacturing installed certificate (MIC), which is used for device authentication. The MIC is a permanent unique proof of identity for the phone, and allows Cisco Unified Communications Manager to authenticate the phone.

Secure SRST reference: After you configure an SRST reference for security and then reset the dependent devices in Cisco Unified Communications Manager Administration, the TFTP server adds the SRST certificate to the phone cnf.xml file and sends the file to the phone. A secure phone then uses a TLS connection to interact with the SRST-enabled router.

Media encryption: Uses SRTP to ensure that the media streams between supported devices prove secure and that only the intended device receives and reads the data. Includes creating a media master key pair for the devices, delivering the keys to the devices, and securing the delivery of the keys while the keys are in transport.

CAPF (Certificate Authority Proxy Function): Implements parts of the certificate generation procedure that are too processing-intensive for the phone, and interacts with the phone for key generation and certificate installation. The CAPF can be configured to request certificates from customer-specified certificate authorities on behalf of the phone, or it can be configured to generate certificates locally.

Security profiles: Defines whether the phone is nonsecure or encrypted.

Encrypted configuration files: Lets you ensure the privacy of phone configuration files.

Supported Security Features