The way I understood it was that if you use phone proxy specifically, then any Cisco phone would be authenticated because every Cisco IP phone has the same MIC. If you used phone proxy with MIC, any Cisco phone that knew the TFTP address could get through the firewall. Unless it spoofed the right MAC address, it would be rejected. If you have auto registration on and phone proxy with MIC authentication, you're in trouble if someone knows the TFTP address. I don't know what type of risk we're talking about when a phone gets through the firewall but is rejected by CUCM. <br>
<br>I suppose if you had a hacked softphone that would advertise itself as another type of phone, and also knew the right MAC to spoof, you would be able to register as someone else's phone if it wasn't already registered. It would also be able to handle the SCCP messaging for the type of phone it spoofed. The only mechanism to prevent that is LSCs. This is applicable to phone proxy or locally plugging in the phone.<br>
<br>I'm reminded of this web comic all too often when we talk about IP phone security:<br><a href="http://xkcd.com/538/">http://xkcd.com/538/</a><br><br>In a traditional TDM phone network there's not really a way to prevent wire tapping, and it didn't seem to concern a lot of people. DoD/government I can understand, or if there are strict regulations, but I don't understand self-enforcing this level of security. Curious to hear use-cases and opinions.<br>
<br>I'll let someone who knows more about IP phone security chime in.<br><br>-nick<br><br><div class="gmail_quote">On Tue, Aug 24, 2010 at 5:26 PM, James Key <span dir="ltr">&lt;<a href="mailto:JKey@jackhenry.com">JKey@jackhenry.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<p class="MsoNormal">When configuring encryption, is it acceptable to just use
the MIC, or should an LSC be installed? I have read through the security
guide, and it does state Cisco recommends to use the MIC only for LSC
installation. Reason I am seeking some clarification is, I recently worked
with a TAC engineer on a security issue and he told me to use the MIC and not
worry about using LSCs.</p>
<p class="MsoNormal"><span style="font-size: 10pt;">James</span></p>
</div>
</div>
<br>_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>
<br></blockquote></div><br>