Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Securing IP Phone

Hi All,

I need to place hotdial 7912 phones on a public access premises. Everybody can unplug network cable from the phone and then do everything - arp spoofing and so on.

As I know 802.1x is not supported for wired IP phones.

How can I prevent intrusion into my network?

IP phones are in a separate VLAN but it?s in trunk mode to a data network.

How can I prevent intrusion?

The best choice is to abandon IP phones and use ATAs. But nobody can said how can I use SIP ATA with Callmanager.

Hall of Fame Super Silver

Re: Securing IP Phone

How about creating an ACL that does not allow access to your network, and only allow routing to the internet or wahever you want to allow?

Do you need the users to be able to plug into this phone?

Also, CCM SRND has some nice suggestions.



Community Member

Re: Securing IP Phone

ACLs have been allready setup but it's not the best choice The peer-to-peer nature of VoIP traffic doesn't allow me to restrict data flow from this phone only to one or two predefined hosts and ports with a help of ACLs.

Also Intruder can access to a network via unplugged phone's cable and analyze broadcast/multicast traffic. Based on collected data intruder can organize ARP spoofing or something else.

That's why ATA+analog phone or IP phone with 802.1x authentication is the best choice.

Can somebody tell me how can I connect SIP ATA to as CallManager?

I see only one way to do it. SIP ATAs are registering on a GNU IP PBX Asterisk and Asterisk is connected to a CCM via SIP trunk.

Community Member

Re: Securing IP Phone

Setup port security on switch behind phone, with a very long timeout.

Community Member

Re: Securing IP Phone

Heh, first of all Intruder can find MAC address of IP phone on the back of the IP Phone.

So Intruder can remember Phone's MAC and then assign MAC address to his notebook :-)

MAC address is unique only as technical not a security ID.

Re: Securing IP Phone

I have heard that this one is coming (802.1x for phones)


Re: Securing IP Phone

also, cisco clean access will be able to help you here. network admission/control is available for ip phones along with most other device types.

clean access is an excellent supplement to a network security architecture.

please see the following link for more info on clean access:

Community Member

Re: Securing IP Phone


I did it in a strange way.

Analog phones are connected to SIP ATAs Linksys SPA1001.

ATA's dialplan is configured for hotdial.

ATAs are registered on GNU IP PBX Asterisk with ooh323.

calls from Asterisk to CCM are placing via H323.

Asterisk is configured on CCM as H323 gatewy.

The scheme is too weird but it works!

Re: Securing IP Phone


You could also achieve this via a Cisco Ip2IpGW. Here is a high-level summary of what would need to be done. This might be better than maintaining a separate Asterisk server due to you might be able to reuse an existing router.

* Setup the phone or ata to CCM.

* Setup ACL to allow only Skinny traffic to CCM and RTP traffic to the IOS routers IP.

* Setup a router running Ip2IpGW or older H323 Proxy IOS. (This could be an existing router you have)

* Setup the router as an IOS H323 Gw in CCM. Setup the correct inbound CSS for calls coming back from the gateway. (You are essentially going to loop the calls out to the GW and then proxy the RTP.

* Setup a generic route to point to the IOS H323 GW.

* Setup the GW with a h323 dial-peer back to CCM, setup Voice services voip and configure Flow-through on the GW to enable proxy of the RTP streams.

* Setup the CSS for the phone to only have a partition with the Generic route to the H323 GW.

If you need two way calling to the phone then you need additional steps for making sure that the call goes to the GW first then to the Phone or ATA. I could post them if you like.

Also IP2IPGW has some limitations on the max amount of flow-through calls. Here is a link on the Q&A for it.

Please rate any helpful posts



Re: Securing IP Phone

Additionally if you are worried about the ports for the CCM call signaling and GW RTP being affected by malicious DOS traffic, then you could apply the recommendations of the SRND. Essentially create a QoS map for the phone's switch interface. Limit the call signaling traffic to 32k and the voice RTP to 128k with a policer. From there drop or DSCP police down the excess traffic. This will all but limit your security hole to port exploits, TCP 2000-2002 on CCM and UDP 16384-32768 on the router.

Here is the link to the QoS SRND that explains the DoS Mitigation strategies for Voice enabled networks.

Please rate any helpful posts



CreatePlease to create content