Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
1403
Views
5
Helpful
4
Comments

Implementing Endpoint hardening on CUCM

Muthurani Lavanya Paneerselvam
Level 9
Level 9

‎07-31-2014 03:57 AM - edited ‎03-12-2019 10:10 AM

Introduction

This document covers the configuration procedure to implement endpoint hardening for securing Cisco Unified Communications Manager devices against various forms of attacks and vulnerabilities. Deploying a VoIP infrastructure introduces a new set of challenges and Securing Unified Communications allows the phones to communicate over the secure real time protocol and prevent access from allowing unsecured devices.

Implementing endpoint hardening on CUCM

Endpoint hardening can provide greater protection from various forms of attacks.

To harden an endpoint from various forms of attacks and vulnerabilities, perform the following:

1. Navigate to the endpoint to be hardened on the Cisco Unified Communications Administration page: Device --> Phone

2. Under the Product Specific Configuration Layout section, enable or disable the following fields as required:

Based on your requirement you can disable the fields which are not required. Those that are not required can be disabled as part of endpoint hardening.

  • PC Port - Disabled

This prevents the users from connecting a computer to the network by way of this port, useful for disabling the phones connected in lobby/reception area. 

  • Settings Access - Disabled

Disabling access to the settings menu prevents a user from gathering information about the networking, including relevant IP addresses and VLAN information

  • Gratuitous ARP - Disabled
  • PC Voice VLAN Access – Disabled

Disabling the PC Port VLAN access, prevent users connected to the phone from sniffing voice traffic. This feature can be useful for administrators when troubleshooting, but in general should be disabled and enabled on an as-needed basis.

  • Video capabilities – Disable
  • Auto Line select - Disabled
  • Web Access - Disabled

3. Click --> Save.

4. Click --> Reset.

5. Repeat these steps for each endpoint that requires hardening.

By doing this we can increase the security of our setup and prevent our phones from attacks such as Gratuitous ARP poisoning.

 

Related Information

·         Cisco Unified Communications Manager Administration Guide, Release 8.5(1)

Labels:
Comments
Stephen Welsh
Level 4
Level 4
‎07-31-2014 04:28 AM

Great information,

I also recommend the following Webinar Series by Akhil Behl (Author of Securing Cisco IP Telephony Networks) and UnifiedFX

Endpoint Security & Compliance:

https://www.youtube.com/watch?v=tuvcWqWJ7jE&list=PLxsqZcpVKWYNTz77yhLTS7WW7w-7MB3kg

Muthurani Lavanya Paneerselvam
Level 9
Level 9
‎07-31-2014 06:49 PM

Thank you Stepenwelsh. Also thanks for sharing the link, good one.

Regards

Lavanya

ak3ac3_cisco
Community Member
‎03-30-2015 05:29 AM

Regarding "Settings Access - Disabled," user will not be able to change their ring volume.  Set it to "Restricted," so users can still change the ring volume but does not give them the ability to view the "Network Settings."

 

- CUCM 8.2

- 7900 phones

Muthurani Lavanya Paneerselvam
Level 9
Level 9
‎04-01-2015 11:49 PM

Hello Ace

Yes you are correct, this works.  Thanks for sharing this info.

Regards

Lavanya

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents