[cisco-voip] CAPF Question

Nick Matthews matthnick at gmail.com
Tue Aug 24 20:34:36 EDT 2010


The way I understood it was that if you use phone proxy specifically, then
any cisco phone would be authenticated because every cisco ip phone has the
same MIC. If you used phone proxy with MIC, any Cisco phone that knew the
TFTP address could get through the firewall.  Unless it spoofed the right
MAC address, it would be rejected.  If you have auto registration on and
phone proxy with MIC authentication, you're in trouble if someone knows the
TFTP address.  I don't know what type of risk we're talking about when a
phone gets through the firewall but is rejected by CUCM.

I suppose if you had a hacked softphone that would advertise itself as
another type of phone, and also knew the right MAC to spoof, you would be
able to register as someone else's phone if it wasn't already registered.  It
would also be able to handle the SCCP messaging for the type of phone it
spoofed.  The only mechanism to prevent that is LSCs.  This is applicable to
phone proxy or locally plugging in the phone.

I'm reminded of this web comic all too often when we talk about IP phone
security:
http://xkcd.com/538/

In a traditional TDM phone network there's not really a way to prevent wire
tapping, and it didn't seem to concern a lot of people.  DoD/government I
can understand, or if there are strict regulations, but I don't understand
self-enforcing this level of security.  Curious to hear use-cases and
opinions.

I'll let someone who knows more about IP phone security chime in.

-nick

On Tue, Aug 24, 2010 at 5:26 PM, James Key <JKey at jackhenry.com> wrote:

> When configuring encryption, is it acceptable to just use the MIC, or
> should an LSC be installed?  I have read through the security guide, and it
> does state Cisco recommends to use the MIC only for LSC installation.
> Reason I am seeking some clarification is, I recently worked with a TAC
> engineer on a security issue and he told me to use the MIC and not worry
> about using LSCs.
>
> James