McDewey

When you configure a shared line for an encrypted Cisco IP Phone, configure all devices that share the lines for encryption; that is, ensure that you set the device security mode for all devices to encrypted by applying a security profile that supports encryption. Tip Phone Hardening Overview This section provides an overview of the phone hardening behaviours like Gratuitous ARP Disable, Web Access Disable, PC Voice VLAN Access Disable, Setting Access Disable and PC Port Disable and so on. The following optional settings are used to harden the connection to Cisco IP Phones. These settings appear in the Product-Specific Configuration Layout of the Phone Configuration window. To apply them to a set of phones, or all phones enterprise-wide, these settings also appear in the Common Phone Profile Configuration window and the Enterprise Phone Configuration window. Table 23: Phone Hardening Behaviour Description Phone Hardening Behaviour By default, Cisco Unified IP Phones accept Gratuitous ARP packets. Gratuitous ARP packets, which devices use, announce the presence of the device on the network. However, attackers can use these packets to spoof a valid network device; for example, an attacker could send out a packet that claims to be the default router. If you choose to do so, you can disable Gratuitous ARP in the Phone Configuration window. Note Disabling this functionality does not prevent the phone from identifying its default router. Gratuitous ARP Disable Security Guide for Cisco Unified Communications Manager, Release 15 and SUs 130 Basic System Security Phone Hardening Overview