C and E
Integrity and loss of control are typically terms to describe one's personal life rather than IP telephony security.
B and F
Secure signaling is accomplished through Transport Layer Security (TLS). This security is crucial because CallManager sends the keys for SRTP (which secures the media) through signaling to the IP phone.
D and F
The trusted introducer and its clients must trust the root of a system. The root guarantees the identity of the trusted introducer. Only the trusted introducer can guarantee the authenticity of any member of the system.
C and D
In Cisco IP telephony PKI infrastructures, the CAPF has a self-signed certificate because the IP phones refer to this as the CA of the PKI. Only the Cisco IP Phone 7940, 7960, and 7970 (and subsequent) models can have LSCs because these are the only models that support device security at this point.
C and F
Securing enrollment through a PKI can be a sticky situation. The best method is to perform the enrollment over a trusted network (or significantly secured public network). Otherwise, you must manually perform mutual out-of-band authentication between the PKI user and CA.
CAPF enrollment supports the use of authentication strings. This is known as the manual enrollment method, which requires the administrator to visit each IP phone he wants to enroll and enter the correct string from the CAPF.
The CTL client uses a smart token for key storage. This smart token exists on a USB key attached to the server running the CTL client. The smart token never leaves the key, but, rather, acts as a separate authentication engine to validate the CTL.
TLS allows both the server and the IP phone to authenticate each other through a signed certificate. This also allows them to authenticate the signaling message to ensure they came from the correct source.
B and D
Certificates are only exchanged between the Cisco CallManager server and the IP phone. The IP phones themselves do not exchange certificates directly. Likewise, the encrypted transmission of SRTP session keys occurs between the IP phones and the Cisco CallManager rather than between the IP phones.
The most accurate list of tasks is to enable services, set cluster to mixed mode, create a signed CTL, deploy certificates to the IP phones, and set the device security mode.
Part I: Cisco CallManager Fundamentals
Introduction to Cisco Unified Communications and Cisco Unified CallManager
Cisco Unified CallManager Clustering and Deployment Options
Cisco Unified CallManager Installation and Upgrades
Part II: IPT Devices and Users
Cisco IP Phones and Other User Devices
Configuring Cisco Unified CallManager to Support IP Phones
Cisco IP Telephony Users
Cisco Bulk Administration Tool
Part III: IPT Network Integration and Route Plan
Cisco Catalyst Switches
Configuring Cisco Gateways and Trunks
Cisco Unified CallManager Route Plan Basics
Cisco Unified CallManager Advanced Route Plans
Configuring Hunt Groups and Call Coverage
Implementing Telephony Call Restrictions and Control
Implementing Multiple-Site Deployments
Part IV: VoIP Features
Configuring User Features, Part 1
Configuring User Features, Part 2
Configuring Cisco Unified CallManager Attendant Console
Configuring Cisco IP Manager Assistant
Part V: IPT Security
Securing the Windows Operating System
Securing Cisco Unified CallManager Administration
Preventing Toll Fraud
Hardening the IP Phone
Understanding Cryptographic Fundamentals
Understanding the Public Key Infrastructure
Understanding Cisco IP Telephony Authentication and Encryption Fundamentals
Configuring Cisco IP Telephony Authentication and Encryption
Part VI: IP Video
Introducing IP Video Telephony
Configuring Cisco VT Advantage
Part VII: IPT Management
Introducing Database Tools and Cisco Unified CallManager Serviceability
Configuring Alarms and Traces
Using Additional Management and Monitoring Tools
Part VIII: Appendix
Appendix A. Answers to Review Questions