Cisco CP-7911G-CH1 Administration Guide - Page 179
Information About Configuring Secure SRST, Benefits of Secure SRST
Configuring Secure SRST for SCCP and SIP

• When a Secure Real-Time Transport Protocol (SRTP) encrypted call is made between Cisco Unified IP Phone endpoints or from a Cisco Unified IP Phone to a gateway endpoint, a lock icon is displayed on the IP phones. The lock indicates security only for the IP leg of the call. Security of the PSTN leg is not implied.
• Secure SCCP SRST is supported only within the scope of a single router.

Information About Configuring Secure SRST

• Benefits of Secure SRST, page 179
• Cisco IP Phones Clear-Text Fallback During Non-Secure SRST, page 179
• Signaling Security on Unify SRST - TLS, page 180
• Media Security on Unify SRST - SRTP, page 182
• Establishment of Secure Cisco Unified SRST to the Cisco Unified IP Phone, page 182
• Secure SRST Authentication and Encryption, page 184

Benefits of Secure SRST

Secure Cisco Unified IP phones that are located at remote sites and that are attached to gateway routers can communicate securely with Cisco Unified Communications Manager using the WAN. But if the WAN link or Cisco Unified Communications Manager goes down, all communication through the remote phones becomes nonsecure. To overcome this situation, gateway routers can now function in secure SRST mode, which activates when the WAN link or Cisco Unified Communications Manager goes down. When the WAN link or Cisco Unified Communications Manager is restored, Cisco Unified Communications Manager resumes secure call-handling capabilities.

Secure SRST provides new Cisco Unified SRST security features such as authentication, integrity, and media encryption. Authentication provides assurance to one party that another party is who it claims to be. Integrity provides assurance that the given data has not been altered between the entities. Encryption implies confidentiality; that is, that no one can read the data except the intended recipient.
These security features allow privacy for Cisco Unified SRST voice calls and protect against voice security violations and identity theft.

SRST security is achieved when:

• End devices are authenticated using certificates.
• Signaling is authenticated and encrypted using Transport Layer Security (TLS) for TCP.
• A secure media path is encrypted using Secure Real-Time Transport Protocol (SRTP).
• Certificates are generated and distributed by a CA.

Cisco IP Phones Clear-Text Fallback During Non-Secure SRST

• Cisco Unified SRST versions prior to 12.3(14)T are not capable of supporting secure connections or of having security enabled.

If an SRST router is not capable of SRST as a fallback mode (that is, it is not capable of completing a TLS handshake with Cisco Unified Communications Manager), its certificate is not added to the configuration file of the Cisco IP phone. The absence of a Cisco Unified SRST router certificate causes the Cisco Unified IP phone to use nonsecure (clear-text) communication when in Cisco Unified SRST fallback mode. The capability to detect and fallback

OL-13143-04 Cisco Unified SCCP and SIP SRST System Administrator Guide 179