Cisco OL-18348-01 User Manual

Cisco Unified Communications Manager Security Guide



Phone Hardening

To tighten security on the phone, you can perform phone hardening tasks in the Phone Configuration
window in Cisco Unified Communications Manager Administration. This chapter contains information
on the following topics:

Disabling the Gratuitous ARP Setting

Disabling Web Access Setting

Disabling the PC Voice VLAN Access Setting

Disabling the Setting Access Setting

Disabling the PC Port Setting

Configuring Phone Hardening

Where to Find More Information

Disabling the Gratuitous ARP Setting

By default, Cisco Unified IP Phones accept Gratuitous ARP packets. Devices use Gratuitous ARP packets
to announce their presence on the network. However, attackers can use these
packets to spoof a valid network device; for example, an attacker could send out a packet that claims to
be the default router. If you choose to do so, you can disable Gratuitous ARP in the Phone Configuration


Disabling this functionality does not prevent the phone from identifying its default router.

Disabling Web Access Setting

Disabling the web server functionality for the phone blocks access to the phone internal web pages,
which provide statistics and configuration information. Features, such as Cisco Quality Report Tool, do
not function properly without access to the phone web pages. Disabling the web server also affects any
serviceability application, such as CiscoWorks, that relies on web access.

To determine whether the web services are disabled, the phone parses a parameter in the configuration
file that indicates whether the services are disabled or enabled. If the web services are disabled, the
phone does not open HTTP port 80 for monitoring purposes and blocks access to the phone's internal
web pages.
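
To confirm that the setting took effect, an administrator can check that hardened phones no longer accept connections on port 80. The following script is an added example, not part of the Cisco guide; the function names and the sample inventory addresses are assumptions made for illustration.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

HTTP_PORT = 80  # port the guide says stays closed when web access is disabled


def probe_web_port(host, port=HTTP_PORT, timeout=2.0):
    """Return 'open', 'closed' (connection refused) or 'no-response'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # The phone answered and refused: nothing is listening on the port.
        return "closed"
    except OSError:
        # Timeout or unreachable host. This does NOT prove the web server is
        # off: the phone may be powered down or an ACL may drop the traffic.
        return "no-response"


def audit_phones(hosts, port=HTTP_PORT, timeout=2.0, workers=16):
    """Probe every phone concurrently and return {host: status}."""
    hosts = list(hosts)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        statuses = pool.map(lambda h: probe_web_port(h, port, timeout), hosts)
        return dict(zip(hosts, statuses))


def not_hardened(results):
    """Hosts whose web port is still reachable, sorted for stable reports."""
    return sorted(h for h, status in results.items() if status == "open")


if __name__ == "__main__":
    # Constructed sample inventory (documentation-range addresses).
    inventory = ["192.0.2.10", "192.0.2.11"]
    results = audit_phones(inventory, timeout=1.0)
    for host, status in results.items():
        print(f"{host}: port {HTTP_PORT} {status}")
    print("web access still enabled:", not_hardened(results))
```

Treat a "no-response" result as inconclusive and recheck it from the phone's own VLAN before recording the phone as hardened.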