page: 123
source: cucm/v15/security-guide/security-guide.md
chunk_id: cucm::v15::security-guide::security-guide::115

CHAPTER 9

TFTP Encryption

• TFTP Encrypted Configuration Files Overview, on page 105
• Encryption for Phone Configuration File Task Flow, on page 107
• Disable TFTP Encrypted Configuration Files, on page 110

TFTP Encrypted Configuration Files Overview

TFTP encryption protects your data during device registration by encrypting the configuration file that the phone downloads from the TFTP server during the registration process. This file contains confidential information such as usernames, passwords, IP addresses, port details, and phone SSH credentials. If this feature is not configured, the configuration file is sent unencrypted, in cleartext. Deploying this feature ensures that an attacker cannot intercept this information during the registration process. We therefore recommend that you encrypt the TFTP configuration file to protect your data.

Warning: If you have enabled the digest authentication option for SIP phones and disabled the TFTP encrypted configuration option, the digest credentials are sent in cleartext.

After TFTP encryption is configured, the TFTP server:

• Deletes all the cleartext configuration files on disk
• Generates encrypted versions of the configuration files

If the phone supports encrypted phone configuration files and you have performed the tasks for phone configuration file encryption, the phone requests an encrypted version of the configuration file.

Some phones don't support encrypted phone configuration files. The phone model and protocol determine the method that the system uses to encrypt the configuration file. Supported methods rely on Unified Communications Manager functionality and a firmware load that supports encrypted configuration files.

If you downgrade the phone firmware load to a version that doesn't support encrypted configuration files, the TFTP server offers an unencrypted configuration file that provides minimal configuration settings, and the phone may not perform as expected.

Encryption Key Distribution

To ensure that you maintain the privacy of the key information, we recommend that you perform the tasks that are associated with encrypted phone configuration files in a secure environment.

Security Guide for Cisco Unified Communications Manager, Release 15 and SUs 105
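Once encryption is configured, the TFTP server should no longer hand out readable configuration files. The following added example (not part of Cisco's guide) audits a file that an administrator has already fetched and reports whether it is still cleartext and which fields it exposes. The tag-name patterns, the entropy threshold, and both sample inputs are assumptions constructed for illustration.

```python
import hashlib
import math
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Tag-name patterns for the data categories the guide lists (usernames,
# passwords, SSH credentials, ports). Assumed for illustration; they are
# not taken from the Unified Communications Manager configuration schema.
SENSITIVE_TAG = re.compile(r"user|passw|ssh|port", re.I)
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

# Constructed samples: a readable file with made-up element names, and
# pseudo-random bytes standing in for an encrypted file.
SAMPLE_CLEARTEXT = b"""<device>
  <sshUserId>admin</sshUserId>
  <sshPassword>example-only</sshPassword>
  <callManager><name>10.0.0.5</name><sipPort>5060</sipPort></callManager>
</device>"""
SAMPLE_OPAQUE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; ciphertext approaches 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def audit_config(data: bytes) -> dict:
    """Report whether a fetched configuration file is readable cleartext."""
    result = {"verdict": "opaque", "exposed": []}
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        result["verdict"] = "cleartext"  # readable markup; do not expand entities
        return result
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        # Not XML. Low entropy still means readable content, not ciphertext
        # (threshold assumes files of a kilobyte or more).
        if data and entropy(data) < 6.0:
            result["verdict"] = "cleartext"
        return result
    result["verdict"] = "cleartext"
    for elem in root.iter():
        value = (elem.text or "").strip()
        if value and (SENSITIVE_TAG.search(elem.tag) or IPV4.match(value)):
            result["exposed"].append(elem.tag)
    return result
```

An "opaque" verdict only means the content is not readable; it does not prove which encryption method produced the file.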