Hardening Cisco IP Phones

The IP phone is a target for attacks, just like all other components of the network. IP phone endpoints should be protected in a similar manner to servers in the environment. IP phones have default settings that make them vulnerable to attacks. There are several options available to harden IP phones and thus protect them against various attacks and infiltration methods.

The product-specific configuration parameters of Cisco IP Phones are set by default to achieve the greatest functionality but are not considered secure. To secure Cisco IP Phones, you can modify these settings:

■ Disable Speakerphone and Disable Speakerphone and Headset: Disable these features to prevent eavesdropping on conversations in the office by an attacker gaining remote control of the IP phone and listening to the sound near it.

■ PC Port: Disable the PC port to prevent a PC from connecting to the corporate network via the IP phone's PC port.

■ Settings Access: Disable or restrict access to the IP phone settings to avoid the risk that details about the network infrastructure could be exposed.

■ Gratuitous ARP: Disable this feature to prevent GARP-based man-in-the-middle attacks.

■ PC Voice VLAN Access: Disable this feature to stop the IP phone from forwarding voice VLAN traffic to the PC.

■ Web Access: Disable access to the IP phone from a web browser to avoid the risk that details about the network infrastructure could be exposed.

Figure 9-31 displays the device-level security configuration options.

Figure 9-31 IP Phone Security Configuration

Figure 9-31 IP Phone Security Configuration

PC Port

The PC port should be disabled in special areas such as a lobby or areas where no additional PC access is allowed. This practice is not common otherwise, however, because it entails a major functionality constraint.

Settings Access

Disabling access to settings prevents anyone with physical access to the phone from gathering information about network settings (DHCP server, TFTP server, default router, and CUCM IP addresses). The network settings share information about the network that an attacker can leverage to launch attacks. CUCM Release 4.1 and later releases offer a restricted option for settings access. With restricted access, the user can modify the contrast and ringer settings but cannot access other settings.

Cisco IP Phones Web Services

A web browser can be used to connect to the HTTP server of the IP phone by browsing to the IP address of the phone. The HTTP server displays similar information that can be viewed directly on the IP phone using the Settings button, enhanced by some additional statistics.

Attackers can use the intelligence gained by discovering the network configuration to direct their attacks at the most critical telephony components, such as CUCM and the TFTP server. It is recommended that you disable web access to the phone if the highest level of security is desired. Figure 9-32 displays the information available by pointing a web browser to the IP address of the Cisco IP Phone. Notice that there are many hyperlinks on this page that access more information. The web services of the IP phone can prove useful for troubleshooting.

Figure 9-32 Cisco IP Phone Web Services


Device Information

Cisco IP PJiont CP-7961G ( SEP001S1S7F4CF5 )

Device Information

MAC Addi es s


Network Configuration

Host Rame


Network Statistics

Phone DN


Ethernet Information

App Load ID



Boot Load ID




TERM41.7-0-2 SR1S

Device Logs

Expansion Module 1

Console Logs

Expansion Module 2

Core Dumps

Hardware Revision

Status Messages

Seiial Number


Debug Display

Model Nui nber


Streaming Statistics

Message Waiting


Stream 1

When web access is disabled, the IP phone does not accept incoming web connections and does not provide access to sensitive information.

Disabling web access at the IP phone stops Extensible Markup Language (XML) push applications from working. If you want to use XML push applications on some IP phones, you cannot disable web access to the IP phone. An example of a push application is the emergency notification sent by Cisco Emergency Responder (Cisco ER).

Gratuitous Address Resolution Protocol

Address Resolution Protocol (ARP) normally operates in a request-and-response fashion. When a station needs to know the MAC address of a given IP address, it sends an ARP request. The device with the corresponding IP address replies and thus provides its MAC address. All receiving devices update their ARP cache by adding the IP and MAC address pair.

Gratuitous Address Resolution Protocol (GARP) packets are packets that announce the MAC address of the sender even though this information has not been requested. This technique allows receiving devices to update their ARP caches with the information. Usually such GARP messages are sent after the MAC address of a device has changed to avoid packets being sent to the old MAC address until the related entry has timed out in the ARP caches of the other devices.

GARP, however, can also be used by an attacker to redirect packets in a man-in-the-middle attack and therefore should be disabled.

Cisco IP Phones, by default, accept GARP messages and update their ARP cache whenever they receive a GARP packet.

An attacker located in the VLAN of the IP phone can repeatedly send out GARP packets announcing its MAC address to be the MAC address of the default gateway of the IP phone. The IP phone accepts the information, updates its ARP cache, and forwards all packets meant for the default gateway to the attacker. Software tools, such as Ettercap, allow the attacker to copy or modify the information and then relay it to the real destination. The user does not notice that someone is listening to the data stream so long as the attacker does not significantly increase the delay and does not drop packets.

In Figure 9-33, only traffic from the IP phone toward the default gateway is sent to the attacker; but if the attacker also impersonates the IP phone toward the router, the attacker could control bidirectional traffic. In this case, the router would also have to listen to GARP packets.

To prevent GARP-based attacks against an IP phone, you should disable the GARP feature of the IP phone.

NOTE There are several ways to prevent GARP attacks. You can disable GARP on end devices, or you can use features such as Dynamic ARP Inspection (DAI) and IP Source Guard at switches.

Figure 9-33 GARP Man-in-the-Middle Attack

PC of the Hacker

PC Voice VLAN Access

By default, an IP phone sends all traffic that it receives from the switch out its PC port (as shown in Figure 9-34). This enables the PC to see not only the traffic of the data VLAN (untagged Ethernet traffic) but also the traffic of the voice VLAN sourced and destined to the IP phone. When the PC receives voice VLAN traffic, the traffic can be captured, and hence the conversation can be sniffed with tools such as Wire Shark, available at http://www.wireshark.org.

The PC can also send packets to the voice VLAN if they are tagged accordingly. This capability breaks the separation of voice and data traffic, because the PC that is supposed to have access to the data VLAN can now send packets to the voice VLAN only, bypassing all access control rules (access control lists [ACLs] in routers or firewalls) that might be enforced between the two VLANs.

Usually the PC does not need access to the voice VLAN, and therefore you should block PC access to the voice VLAN.

NOTE Some applications, such as call recording or supervisory monitoring in call center applications, require access to the voice VLAN. In such situations, you cannot disable the PC Voice VLAN Access setting.

Figure 9-34 PC Voice VLAN Access

PC Voice VLAN Access* Enabled a

Figure 9-34 PC Voice VLAN Access

PC Voice VLAN Access* Enabled

Voice VLAN 22

Voice VLAN 22

Voice VLAN 22

Data VLAN 1

Voice VLAN 22

Data VLAN 1

PC Also Receives Voice VLAN Traffic

PC Also Receives Voice VLAN Traffic

Two different settings are available for blocking PC VLAN access:

■ PC Voice VLAN Access can be disabled.

When a phone is configured this way, it does not forward voice VLAN-tagged traffic to the PC when it receives such frames from the switch. In addition, the phone does not forward voice VLAN-tagged traffic to the switch if it receives such frames from the PC. Although this setting is recommended for security, it makes troubleshooting more difficult because you cannot analyze voice VLAN traffic from a PC connected to the PC port of the IP phone. Whenever you need to capture voice VLAN traffic to analyze network problems, you must sniff the traffic on the network devices.

This setting is supported on all current Cisco IP Phones with PC ports.

This setting has the same effect as the PC Voice VLAN setting, except it does not apply only to voice VLAN-tagged traffic, but to traffic tagged with any VLAN ID. With Span to PC Port disabled, the IP phone forwards only untagged frames.

This setting is not available on Cisco Unified IP Phones 7940 and 7960.

NOTE The Cisco Unified IP Phone 7912, which is end of sale, does not support either of the two settings.

Was this article helpful?

+1 0


  • anja
    How to harden cisco cucm?
    1 year ago
    How to harden a phone system?
    1 year ago
  • zufan
    Can you disable the network port on a telephone?
    1 month ago

Post a comment