Setting Up Secure SRST
Information About Setting Up Secure SRST
Cisco IOS Survivable Remote Site Telephony Version 3.4 System Administrator Guide
Secure SRST provides new SRST security features such as authentication, integrity, and media
encryption. Authentication provides assurance to one party that another party is who it claims to be.
Integrity provides assurance that the given data has not been altered between the entities. Encryption
implies confidentiality; that is, no one can read the data except the intended recipient. These security
features allow privacy for SRST voice calls and protect against voice security violations and identity
theft.
SRST security is achieved when:
• End devices are authenticated using certificates.
• Signaling is authenticated and encrypted using Transport Layer Security (TLS) for TCP.
• A secure media path is encrypted using Secure Real-Time Transport Protocol (SRTP).
• Certificates are generated and distributed by a CA.
Cisco IP Phones Clear-Text Fallback During SRST
Cisco SRST versions prior to 12.3(14)T are not capable of supporting secure connections or having
security enabled. If an SRST router is not capable of secure SRST as a fallback mode (that is, it is not
capable of completing a TLS handshake with Cisco CallManager), its certificate is not added to the
configuration file of the Cisco IP phone. The absence of an SRST router certificate causes the Cisco IP
phone to use nonsecure (clear-text) communication when in SRST fallback mode. The capability to
detect and fall back in clear-text mode is built into Cisco IP phone firmware. See the Media and
Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways for more information
on clear-text mode.
SRST Routers and the TLS Protocol
Transport Layer Security (TLS) Version 1.0 provides secure TCP channels between Cisco IP phones,
secure SRST routers, and Cisco CallManager. The TLS process begins with the Cisco IP phone
establishing a TLS connection when registering with Cisco CallManager. Assuming that
Cisco CallManager is configured to fall back to SRST, the TLS connection between the Cisco IP phones
and the secure SRST router is also established. If the WAN link or Cisco CallManager fails, call control
reverts to the SRST router.
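One way to confirm from a packet capture whether phones opened TLS to the SRST router or dropped to clear text, as an added example that is not part of the Cisco guide: it inspects the first client-to-router bytes of each signaling connection for a TLS handshake record. The flow tuples, addresses and sample bytes are constructed for illustration.

```python
import struct

TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
                0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def _name(version):
    return TLS_VERSIONS.get(version, hex(version))

def classify(first_bytes):
    """Classify the first client-to-router bytes of one signaling TCP stream."""
    if len(first_bytes) < 5:
        return {"verdict": "too-short"}
    ctype, rec_ver, rec_len = struct.unpack("!BHH", first_bytes[:5])
    # TLS opens with a handshake record: type 22, version 3.x, length <= 2**14.
    if ctype != 22 or rec_ver >> 8 != 3 or not 0 < rec_len <= 16384:
        return {"verdict": "clear-text"}
    body = first_bytes[5:5 + rec_len]
    hello_ver = None
    # Handshake header is msg_type(1) + length(3); a ClientHello (type 1)
    # then carries client_version(2), the highest version offered (TLS <= 1.2).
    if len(body) >= 6 and body[0] == 1:
        hello_ver = _name(struct.unpack("!H", body[4:6])[0])
    return {"verdict": "tls", "record_version": _name(rec_ver),
            "client_hello_version": hello_ver}

def clear_text_flows(flows):
    """Return (phone, router) pairs whose connection did not start with TLS."""
    return [(phone, router) for phone, router, data in flows
            if classify(data)["verdict"] == "clear-text"]

# Constructed sample data (not a real capture): a minimal TLS 1.0 ClientHello
# and placeholder bytes standing in for an unencrypted signaling message.
_hello = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
SAMPLE_TLS = (b"\x16\x03\x01" + struct.pack("!H", len(_hello) + 4)
              + b"\x01" + len(_hello).to_bytes(3, "big") + _hello)
SAMPLE_CLEAR = struct.pack("<III", 16, 0, 1) + bytes(8)
SAMPLE_FLOWS = [("192.0.2.10", "192.0.2.1", SAMPLE_TLS),
                ("192.0.2.11", "192.0.2.1", SAMPLE_CLEAR)]

if __name__ == "__main__":
    for phone, router in clear_text_flows(SAMPLE_FLOWS):
        print(f"{phone} -> {router}: signaling started in clear text")
```

A phone that appears in the clear-text list while its SRST router is expected to be secure points to a missing router certificate in that phone's configuration file.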