Cisco Systems OL-5109-01 User Manual

CHAPTER 4
Phone Hardening
To tighten security on the phone, you can perform tasks in the Phone Configuration window of Cisco CallManager Administration.
This chapter contains information on the following topics:
Disabling the Gratuitous ARP Setting
Disabling Web Access Setting
Disabling the PC Voice VLAN Access Setting
Disabling the Setting Access Setting
Disabling the PC Port Setting
Performing Phone Hardening Tasks

Disabling the Gratuitous ARP Setting

By default, Cisco IP Phones accept Gratuitous ARP (GARP) packets. Devices use GARP packets to announce their presence on the network. However, attackers can use these packets to spoof a valid network device; for example, an attacker could send out a GARP that claims to be the default router. If you choose to do so, you can disable Gratuitous ARP in the Phone Configuration window of Cisco CallManager Administration.
Note Disabling GARP does not prevent the phone from identifying its default router.
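The spoofing case described above can also be watched for on the voice network. The following is an added example, not part of the Cisco manual or Cisco software: it parses captured Ethernet frames and flags a gratuitous ARP that announces the default router's IP address from an unexpected MAC address. The gateway address and MAC, the function names, and the sample frames are assumptions constructed for illustration.

```python
import struct

# Assumed values for this example (documentation ranges, not from the manual).
GATEWAY_IP = "192.0.2.1"
GATEWAY_MAC = "00:00:5e:00:53:01"

def parse_arp(frame):
    """Return sender/target fields of an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 18:
        return None
    offset = 14
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x8100:              # 802.1Q tag: real EtherType is 4 bytes later
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    if ethertype != 0x0806 or len(frame) < offset + 28:
        return None
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", frame[offset:offset + 8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[offset + 8:offset + 28])
    return {"sha": sha.hex(":"), "spa": ".".join(map(str, spa)),
            "tpa": ".".join(map(str, tpa))}

def classify(frame):
    """Label a frame: not-arp, arp, garp, or spoofed-router-garp."""
    arp = parse_arp(frame)
    if arp is None:
        return "not-arp"
    if arp["spa"] != arp["tpa"]:         # gratuitous ARP announces its own address
        return "arp"
    if arp["spa"] == GATEWAY_IP and arp["sha"] != GATEWAY_MAC:
        return "spoofed-router-garp"     # router IP announced from an unexpected MAC
    return "garp"

def sample_frame(mac, sender_ip, target_ip, oper=1):
    """Build a constructed 42-byte ARP frame used only as sample input."""
    hw = bytes.fromhex(mac.replace(":", ""))
    ip = lambda s: bytes(int(p) for p in s.split("."))
    return (b"\xff" * 6 + hw + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + hw + ip(sender_ip) + b"\x00" * 6 + ip(target_ip))

if __name__ == "__main__":
    for mac, spa, tpa in [(GATEWAY_MAC, GATEWAY_IP, GATEWAY_IP),
                          ("02:00:00:00:00:99", GATEWAY_IP, GATEWAY_IP),
                          ("02:00:00:00:00:10", "192.0.2.10", GATEWAY_IP)]:
        print(mac, spa, classify(sample_frame(mac, spa, tpa)))
```

Frames can be fed to classify() from any capture source that yields raw Ethernet bytes; a frame tagged with 802.1Q is handled the same way as an untagged one.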
Cisco IP Phone Authentication and Encryption for Cisco CallManager 4.0(1)
OL-5109-01

Related Topics
Interactions and Restrictions, page 1-4
Performing Phone Hardening Tasks, page 4-4
Cisco IP Phone Administration Guide for Cisco CallManager
Disabling Web Access Setting
Disabling the web server functionality for the phone blocks access to the phone internal web pages, which provide statistics and configuration information. Features, such as Cisco Quality Report Tool, do not function properly without access to the phone web pages. Disabling the web server also affects any serviceability application, such as CiscoWorks, that relies on web access.
Note Phone users cannot access the Cisco User Option Pages if you disable this option.
To determine if the web services are disabled, the phone parses a parameter in the configuration file that indicates whether the services are disabled or enabled. If the web services are disabled, the phone does not open HTTP port 80 for monitoring purposes and blocks access to the phone internal web pages.
Related Topics
Interactions and Restrictions, page 1-4
Performing Phone Hardening Tasks, page 4-4
Cisco IP Phone Administration Guide for Cisco CallManager

Disabling the PC Voice VLAN Access Setting

By default, Cisco IP phones forward all packets that are received on the switch port (the one that faces the upstream switch) to the PC port. If you choose to disable the PC Voice VLAN Access setting in the Phone Configuration window of Cisco CallManager Administration, packets received from the PC port that use voice VLAN functionality are dropped. This functionality allows a device that is attached to the PC port to use 802.1Q (if available) but not have access to the voice VLAN.