Free Trial

Safari Books Online is a digital library providing on-demand subscription access to thousands of learning resources.

Share this Page URL
Help

Chapter 6. Securing the Environment > Secure Endpoint Operation - Pg. 156

Securing the Environment Get a CTL into Phones 156 An important ramification of the CTL implementation in Cisco IP Phones is that a phone blindly accepts the first CTL file it receives after it has been manufactured. This is because the phone is programmed to have no prior knowledge of and no way to validate the entity that signs the first CTL file. An emerging expression to describe this initial leap of faith is imprinting because the process is analogous to a fabled newborn bird that associates as its trusted mother the first face it sees. This process is safe when you have a controlled environment for preparing the birth of an IP phone into your network because you have a high degree of certainty that a trusted administrator is facilitating the introduction. Consider an alternative case in which a hacker imprints an unsafe CTL file into a new phone. This threat is not a significant concern because an authorized administrator does not add the phone's device ID to the CallManager database, so the phone cannot register with the local CallManager. Only one threat model you should watch out for relates to this discussion. A hacker imprints a new phone with a bogus CTL file, and the phone subsequently is added to the CallManager database unwittingly (or maliciously) by an authorized administrator. This sequence is conceivable only if there is a breakdown in the operational process of enrolling the phone. It highlights the importance of ensuring a safe enrollment environment that includes both the CTL file imprinting and including the phone in the CallManager database through the BAT or CallManager Administration. You should avoid an operational process that introduces a significant amount of time or distance between these two steps. If you are really concerned about security, this process should also involve multiple people who check each other's work so that a corrupt administrator cannot circumvent the security process. Secure Endpoint Operation