Configuring Secure SRST for SCCP and SIP
Information About Configuring Secure SRST
179
Cisco Unified SCCP and SIP SRST System Administrator Guide
OL-13143-04
•
When a Secure Real-Time Transport Protocol (SRTP) encrypted call is made between Cisco Unified
IP Phone endpoints or from a Cisco Unified IP Phone to a gateway endpoint, a lock icon is displayed
on the IP phones. The lock indicates security only for the IP leg of the call. Security of the PSTN
leg is not implied.
•
Secure SCCP SRST is supported only within the scope of a single router.
Information About Configuring Secure SRST
•
Benefits of Secure SRST, page 179
•
Cisco IP Phones Clear-Text Fallback During Non-Secure SRST, page 179
•
Signaling Security on Unify SRST - TLS, page 180
•
Media Security on Unify SRST - SRTP, page 182
•
Establishment of Secure Cisco Unified SRST to the Cisco Unified IP Phone, page 182
•
Secure SRST Authentication and Encryption, page 184
Benefits of Secure SRST
Secure Cisco Unified IP phones that are located at remote sites and that are attached to gateway routers
can communicate securely with Cisco Unified Communications Manager using the WAN. But if the
WAN link or Cisco Unified Communications Manager goes down, all communication through the
remote phones becomes nonsecure. To overcome this situation, gateway routers can now function in
secure SRST mode, which activates when the WAN link or Cisco Unified Communications Manager
goes down. When the WAN link or Cisco Unified Communications Manager is restored, Cisco
Unified Communications Manager resumes secure call-handling capabilities.
Secure SRST provides new Cisco Unified SRST security features such as authentication, integrity, and
media encryption. Authentication provides assurance to one party that another party is whom it claims
to be. Integrity provides assurance that the given data has not been altered between the entities.
Encryption implies confidentiality; that is, that no one can read the data except the intended recipient.
These security features allow privacy for Cisco Unified SRST voice calls and protect against voice
security violations and identity theft.
SRST security is achieved when:
•
End devices are authenticated using certificates.
•
Signaling is authenticated and encrypted using Transport Layer Security (TLS) for TCP.
•
A secure media path is encrypted using Secure Real-Time Transport Protocol (SRTP).
•
Certificates are generated and distributed by a CA.
Cisco IP Phones Clear-Text Fallback During Non-Secure SRST
•
Cisco Unified SRST versions prior to 12.3(14)T are not capable of supporting secure connections
or have security enabled. If an SRST router is not capable of SRST as a fallback mode—that is, it
is not capable of completing a TLS handshake with Cisco Unified Communications Manager—its
certificate is not added to the configuration file of the Cisco IP phone. The absence of a Cisco
Unified SRST router certificate causes the Cisco Unified IP phone to use nonsecure (clear-text)
communication when in Cisco Unified SRST fallback mode. The capability to detect and fallback