Hi,
we are using commercial EPM an if you are check the list of Cisco devices, they are all outdated. All without TLS 1.2 support, means no use with secure PJSIP in FreePBX with this devices too.
There are no new IP Phones 7811-7861, or 8811-8865.
Is it planed to extend Cisco devices? Or how can I do it manually?
P.S. Yes, I can manually register and configure the new Cisco devices, but this is not comfy, especially if you used to manage all with EPM.
Why so?
EndPoinManager modul is not from Cisco isn`t?
As I see, who made the EPM can add xml templates, pictures with devices and let it to configure with EPM, this is not so complicate for programer.
Or there is licence thing from cisco for this?
PJSIP und TLS with recommended security TLS 1.2 for outdated Cisco devices(they can only TLS 1.1 or ssl23) not possible, only with PJSIP und TLS 1.1 or ssl23, and this is not that should used.
Yes they are but that doesn’t mean that business needs/requirements are. Anything less than TLS 1.2 is opening yourself for vulnerabilities. Using TLS 1.0 or lower (SSLv2/v3) is considered a big no no as they are full of vulnerabilities and TLS 1.1, while the lowest you can be right now for PCI DSS compliance, has known vulnerabilities as well (just less than its predecessors). The current standard is TLS 1.2 and the drive is now to TLS 1.3, which was approved last year.
So I guess it boils down to a question of how you really want to implement your security. Are you really implementing a secure solution using protocols that have known vulnerabilities that can be exploited and thus make you less secure at the end of the day?
Because Cisco would need to become a certified partner for them to include those new models. It’s why none of the current Poly VVX series (non-Obi and Obi based) are not in the EPM, they aren’t a certified partner.
If you look at the Supported Devices list you’ll see that Cisco Enterprise phones (the majority) are not only list as No for being Certified but they are also listed as Not Tested.
Right now the only Certified devices belong to H-Tek, VTech, Snom, Grandstream (handful of models) and Yealink. Everything else (non-Digium/Sangoma) is considered not certified and thus new models are not added to the EPM.
This is part of the reason I stopped using it. The lack of support for some of the biggest players in the IP Phone market of their more current models.
I would, if I reviewed the vulnerabilities and determined that they did not pose a specific risk to my situation. (If my situation allowed me to upgrade all units to new units with the latest security protocols, I would do that.) But I understand you have a different opinion, as you have argued with me about it before. I’m simply letting the OP know his options, as it seemed he was not aware that PJSIP TLS settings could be adjusted from TLSv1.2.