All contents are Copyright © 2006 Cisco Systems,
Inc. All rights reserved. Important Notice and Privacy Statement
Page 16 of 21
8.1 Hardened Server OS:
Cisco provides guidelines for hardening the Windows OSs on which its various telephony servers run. While
the specifics of hardening vary from server to server, the Cisco CallManager ships by default with a hardened
Win2K OS or Linux appliance, and the hardening package can also be downloaded from the Cisco website as needed.
8.2 Patching and Anti-virus Software:
Cisco also recommends tested and supported anti-virus software from McAfee, Symantec and Trend Micro to
further augment the security of the OS on which its servers run. Please see the following link for more information:
http://www.cisco.com/en/US/products/sw/voicesw/ps556/prod_bulletin0900aecd800f8572.html
Cisco wraps Important, Moderate, and Low severity patches, as classified by Microsoft or a third-party vendor,
into an operating system support patch, along with any Critical patches that were posted individually. Cisco
tests, then posts, the support patch on the third Tuesday of each month. Any support patch made obsolete by a
more current patch on cisco.com is removed. The support patches and associated README files
can be found on cisco.com at:
http://www.cisco.com/cgi-bin/tablebuild.pl/cmva-3des
8.3 Hardened IP Phone OS:
Cisco provides guidelines on how to harden IP phones running in its IP Communications environment. Whether
to apply each of these techniques depends on the specific needs of the environment, since several of them
disable features that other tools rely on. Some of the settings that can be changed to harden Cisco IP Phones
are listed below:
- Disabling the Gratuitous ARP Setting: By default, Cisco Unified IP Phones accept gratuitous ARP packets.
Devices use gratuitous ARP packets to announce their presence on the network. However, an attacker can use
the same packets to spoof a valid network device: for example, an attacker could send out a packet that claims
to be the default router, so that the phone sends its traffic to the attacker's host instead. If you choose to do
so, you can disable Gratuitous ARP in the Phone Configuration window of Cisco Unified CallManager Administration.
- Disabling Web Access Setting: Disabling the web server functionality for the phone blocks access to the
phone internal web pages, which provide statistics and configuration information. Features, such as
Cisco Quality Report Tool, do not function properly without access to the phone web pages. Disabling the web
server also affects any serviceability application, such as CiscoWorks, that relies on web access.
To determine whether the web services are disabled, the phone parses a parameter in the configuration file that
indicates whether the services are disabled or enabled. If the web services are disabled, the phone does not
open the HTTP port 80 for monitoring purposes and blocks access to the phone internal web pages.
- Disabling the PC Voice VLAN Access Setting: By default, Cisco Unified IP Phones forward all packets that
are received on the switch port (the one that faces the upstream switch) to the PC port. If you disable
the PC Voice VLAN Access setting in the Phone Configuration window of Cisco Unified CallManager
Administration, packets received from the PC port that use voice VLAN functionality are dropped.
The Cisco Unified IP Phone models implement this setting differently:
• Cisco Unified IP Phone 7940 and 7960 drop any packets that are tagged with the voice VLAN, in or out of
the PC port.
• Cisco Unified IP Phone 7970 drops any packet that contains an 802.1Q tag on any VLAN, in or out of the
PC port.
• Cisco Unified IP Phone 7912 does not support this setting.
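As an added example, not Cisco code and not part of the original document, the following Python models the two network-facing settings above. The gratuitous ARP watcher flags a gratuitous ARP (sender IP equal to target IP) that rewrites a trusted IP-to-MAC binding, which is the attack the Gratuitous ARP setting defends against, seen here from a network monitoring point rather than from the phone; `pc_port_forwards` implements the per-model PC Voice VLAN Access behaviour listed above. The frames, addresses and VLAN numbers are constructed for the demo, and the 7912's behaviour (forwarding everything, since it cannot enforce the setting) is an assumption drawn from the text.

```python
import struct
from typing import Dict, List, Optional, Tuple

ETH_P_ARP = 0x0806
ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800


def split_vlan_tag(frame: bytes) -> Tuple[Optional[int], bytes]:
    """Return (vlan_id, frame with its 802.1Q tag removed); vlan_id is None if untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_8021Q:
        return None, frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]


def pc_port_forwards(model: str, frame: bytes, voice_vlan: int,
                     pc_voice_vlan_access: bool = True) -> bool:
    """Per-model behaviour of the PC Voice VLAN Access setting for a frame
    crossing the PC port in either direction (True = forwarded)."""
    if pc_voice_vlan_access:            # default: everything is forwarded
        return True
    vid, _ = split_vlan_tag(frame)
    if model in ("7940", "7960"):       # drops only frames tagged with the voice VLAN
        return vid != voice_vlan
    if model == "7970":                 # drops any 802.1Q-tagged frame
        return vid is None
    if model == "7912":                 # cannot enforce the setting; assumed to forward all
        return True
    raise ValueError(f"unknown model {model}")


def parse_arp(frame: bytes) -> Optional[dict]:
    """Parse an IPv4-over-Ethernet ARP frame (tagged or not); None if it is not ARP."""
    _, frame = split_vlan_tag(frame)
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, ETH_P_IP, 6, 4):
        return None
    return {"oper": oper, "sha": frame[22:28], "spa": frame[28:32],
            "tha": frame[32:38], "tpa": frame[38:42]}


class GratuitousArpWatcher:
    """Flag a gratuitous ARP (sender IP == target IP) that rewrites a trusted
    IP-to-MAC binding, e.g. an attacker claiming the default router's address."""

    def __init__(self, trusted: Dict[bytes, bytes]):
        self.bindings = dict(trusted)

    def inspect(self, frame: bytes) -> Optional[str]:
        arp = parse_arp(frame)
        if arp is None or arp["spa"] != arp["tpa"]:
            return None                             # not gratuitous: ignored here
        known = self.bindings.get(arp["spa"])
        if known is None:
            self.bindings[arp["spa"]] = arp["sha"]  # first sighting: learn it
            return None
        if known != arp["sha"]:
            return (f"gratuitous ARP for {'.'.join(map(str, arp['spa']))} from "
                    f"{arp['sha'].hex(':')}, trusted binding is {known.hex(':')}")
        return None


# Constructed frames for the demo (not captured traffic).
def eth(src: bytes, etype: int, payload: bytes, vid: Optional[int] = None) -> bytes:
    tag = struct.pack("!HH", ETH_P_8021Q, vid) if vid is not None else b""
    return b"\xff" * 6 + src + tag + struct.pack("!H", etype) + payload


def garp(sha: bytes, spa: bytes, vid: Optional[int] = None) -> bytes:
    # Gratuitous ARP reply: sender IP == target IP, target MAC is broadcast.
    arp = struct.pack("!HHBBH", 1, ETH_P_IP, 6, 4, 2) + sha + spa + b"\xff" * 6 + spa
    return eth(sha, ETH_P_ARP, arp, vid)


ROUTER_IP, ROUTER_MAC = bytes([10, 0, 0, 1]), bytes.fromhex("001122334455")
PHONE_IP, PHONE_MAC = bytes([10, 0, 0, 50]), bytes.fromhex("0011bbccddee")
ATTACKER_MAC = bytes.fromhex("00deadbeef01")


def run_demo() -> List[str]:
    """Feed three gratuitous ARPs to a watcher seeded with the router's binding."""
    watcher = GratuitousArpWatcher({ROUTER_IP: ROUTER_MAC})
    frames = [garp(ROUTER_MAC, ROUTER_IP),    # router refreshing its own entry: fine
              garp(PHONE_MAC, PHONE_IP),      # phone announcing itself: learned
              garp(ATTACKER_MAC, ROUTER_IP)]  # attacker claiming to be the router
    return [alert for alert in map(watcher.inspect, frames) if alert]


if __name__ == "__main__":
    for alert in run_demo():
        print("ALERT:", alert)
    voice = garp(PHONE_MAC, PHONE_IP, vid=100)
    for model in ("7960", "7970", "7912"):
        print(model, "forwards voice-VLAN frame with access disabled:",
              pc_port_forwards(model, voice, 100, pc_voice_vlan_access=False))
```

The watcher only raises an alert when a gratuitous ARP contradicts a binding it already trusts, so seed it with the addresses that matter (the default router, CallManager, TFTP server) rather than relying on first-seen learning, which an attacker who announces first can poison. Note that disabling Gratuitous ARP on the phone stops the phone from accepting such packets but does not stop the attacker sending them, which is why a network-side check like this one still has value.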
- Disabling the Settings Access Setting: By default, pressing the Settings button on a Cisco Unified IP Phone
provides access to a variety of information, including phone configuration information. Disabling the Settings
Access setting in the Phone Configuration window of Cisco Unified CallManager Administration prohibits