Phone Hardening
PC Port
- Disable PC Port access, e.g. for a phone in a lobby
Setting Access
- Disabling settings access deactivates the settings button completely.
- Alternatively, the restricted option grants access to the contrast and ringer menus only.
GARP
- Disable Gratuitous ARP
- Usually ARP operates in request-response fashion
- Learned MAC addresses are added to a local ARP cache.
- GARP packets are ARP packets that have not been requested:
  - Sent by a station that announces its own MAC address.
  - Allow update of ARP caches in receiving devices.
  - Usually sent after MAC address changes.
- Can be misused for packet redirection in a man-in-the-middle attack.
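A passive check for the GARP misuse described above, as an added example that is not part of the original notes: it parses untagged ARP frames, identifies gratuitous ones by sender IP equal to target IP, and reports those that move an already-learned IP to a different MAC. All function names, addresses and sample frames are constructed for illustration.

```python
import struct

def mac(b):
    return ":".join(f"{x:02x}" for x in b)
def ip(b):
    return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Return ARP fields from an untagged Ethernet II frame, or None if it is not IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tpa = frame[22:28], frame[28:32], frame[38:42]
    return {"op": op, "sha": mac(sha), "spa": ip(spa), "tpa": ip(tpa)}

def is_gratuitous(arp):
    # Gratuitous ARP: the sender announces its own address (sender IP == target IP).
    return arp["spa"] == arp["tpa"]

def find_rebinding_garps(frames):
    """Track IP->MAC bindings; report gratuitous ARPs that move an IP to a new MAC."""
    cache, alerts = {}, []
    for n, frame in enumerate(frames):
        arp = parse_arp(frame)
        if arp is None:
            continue
        old = cache.get(arp["spa"])
        if is_gratuitous(arp) and old is not None and old != arp["sha"]:
            alerts.append((n, arp["spa"], old, arp["sha"]))
        cache[arp["spa"]] = arp["sha"]
    return alerts

def build_arp(op, sha, spa, tha, tpa, dst=b"\xff" * 6):
    # Helper that assembles the constructed sample frames below (nothing is sent).
    hdr = dst + sha + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return hdr + sha + bytes(spa) + tha + bytes(tpa)

# Constructed sample traffic (documentation IPs, locally administered MACs).
GW, PHONE, OTHER = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x10", b"\x02\x00\x00\x00\x00\x99"
SAMPLE = [
    build_arp(1, PHONE, (192, 0, 2, 10), b"\x00" * 6, (192, 0, 2, 1)),    # request for .1
    build_arp(2, GW, (192, 0, 2, 1), PHONE, (192, 0, 2, 10), dst=PHONE),  # solicited reply
    build_arp(1, PHONE, (192, 0, 2, 10), b"\x00" * 6, (192, 0, 2, 10)),   # GARP, binding unchanged
    build_arp(2, OTHER, (192, 0, 2, 1), b"\xff" * 6, (192, 0, 2, 1)),     # GARP moving .1 to a new MAC
]
for n, addr, old, new in find_rebinding_garps(SAMPLE):
    print(f"frame {n}: gratuitous ARP rebinds {addr} from {old} to {new}")
```

A gratuitous ARP after a legitimate MAC address change produces the same report, so each hit needs to be checked against known changes.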
PC Voice VLAN access
- Disable PC Voice VLAN access
- By default, the IP phone forwards all frames it receives from the switch to the PC and vice versa:
  - Includes voice VLAN traffic
  - Includes all other VLANs allowed on the port (if configured as a trunk)
- Allows the PC to sniff phone conversations or other traffic
- Allows the PC to send data to voice and other VLANs
- There are two options:
  - Disabling PC Voice VLAN Access
    - Only Voice VLAN traffic is blocked
    - Available on all phones
  - Disabling Span to PC Port
    - Does not forward any tagged frame
    - Only untagged traffic is permitted
    - Not available on 7940 or 7960
Web Access
- Disable IP Phone Web Service
eduardo/cisco/cucm/cucm-phhdn.txt · Last modified: 2024/02/23 08:20 by 127.0.0.1