Unify V3R3 Specifications download pdf (Page 20)

Phone Hardening Measures

A31003-D3000-P100-01-76A9, 10-2013

20 OpenStage and Desk Phone IP SIP V3, Security Checklist, Planning Guide

Secure Signalling and Voice/Video Access to the Phone

4.5 Secure Signalling and Voice/Video Access to the Phone

To give privacy for Voice and Video connections, the Openstage and Desk Phone

IP phones should use TLS for the signalling and Secure RTP for the voice and

video connections.

Related Topics

4.5.1 Harden Signalling to Secure Signalling

To provide a secure signalling mechanism TLS signalling should be used.

• Configure use of TLS on the SIP server and install server certificates.

• Configure TLS on the phone – the port will need to be set to 5061.

In addition to using TLS signalling, authentication of the server by the phone can

be done by validating the Server certificate sent by the SIP server.

• Install the SIP Server CA certificate on the phone using DLS.

• Configure the TLS certificate validation policy to trusted or full – full is recom-

mended.

• Configure OCSP checking to allow revocation checking of the SIP server

certificate.

It should be noted that if the Backup / Dual registration mode is used as part of

survivability setup, the phone only supports TLS on the connection to the primary

SIP server. The connection used for the backup/dual registration is only possible

using UDP or TCP not TLS. To avoid this vulnerability the use of DNS-SRV is

recommended for survivability setup. To avoid unplanned use of UDP/TCP when

using TLS connections the Backup Proxy Address should be configured as

0.0.0.0. ?

1 2 ... 15 16 17 18 19 20 21 22 23 24 25 ... 43 44

No comments

Unify V3R3 Specifications Page 20