[cisco-voip] has anyone seen this !

keli at carocomp.ro keli at carocomp.ro
Sat Jun 7 04:19:47 EDT 2008


Basically I agree with you, and I think all of us who faced the  
problem have learned our lesson the hard way ... :/

But the issue here is a bit different, I'd say:
Cisco is running SIP and H.323 services by default, once CME is
configured. Cisco CME is *routing* incoming SIP/H.323 calls
indiscriminately, also *by default*. The key thing being that your
appliance (Cisco CME router in this case) does things you've not
configured it specifically to do. Where we hit this thing, we didn't
use any SIP services, and the router was configured from blank, so I
did not expect any SIP service to be running on it.

It's funny that on the local side Cisco considers their stuff so
"secure" that an auto-registered SCCP phone will not get tone, and
won't be able to call anywhere, but then again a blind incoming SIP
packet can pass through the router as it wishes...

If you consider that CME systems come integrated into routers, they
are very likely to be used as such in low-budget environments.
It's very possible that the people installing it are not some
extremely experienced telephony and/or networking experts (Cisco's
target for CME is expected to be able to use/configure CME through the
web interface). So while it is certainly a bad decision to deploy it
that way, it's not by a mile such an unlikely one.

Sorry for the rant. :)

regards,
   Zoltan

Quoting James Buchanan <jbuchanan at ctiusa.com>:

> I find it puzzling why anyone would put their production telephone
> system on the Internet with no apparent security measures, not even an
> access list. Cisco should restrict this I suppose, but some basic
> network security practices should also have been followed in this case
> during implementation.
>
>
>
> From: cisco-voip-bounces at puck.nether.net
> [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Aman Chugh
> Sent: Friday, June 06, 2008 10:50 PM
> To: Kelemen Zoltan
> Cc: cisco voip
> Subject: Re: [cisco-voip] has anyone seen this !
>
>
>
> Yes, exactly, I was told the same thing and the customer is facing a
> huge bill.
>
>
>
> On 6/6/08, Kelemen Zoltan <keli at carocomp.ro> wrote:
>
>
>
> 	I had bitten this bullet in January (
> 	https://puck.nether.net/pipermail/cisco-voip/2008-January/029569.html )
> 	and I'm still perplexed how Cisco can leave this as-is with SIP and
> 	H.323 wide open for public as default settings, while being well aware
> 	of the situation and its possible consequences.
>
> 	I've been discussing this issue with some other colleagues as
> 	well in the branch and I know this has happened to plenty of other
> 	people, in some cases causing very serious monetary damage.
>
> 	regards,
> 	 Zoltan
>
> 	Aman Chugh wrote:
>
> 	It was SIP; disabled SIP on the WAN port using an ACL to stop
> 	calls going out.
> 	 Aman
>
> 	 On 6/6/08, *James Edmondson* <biged7600 at gmail.com> wrote:
>
> 	   Do you happen to have custom scripts on the CME box? I had this
> 	   problem as whoever developed the script left the hole open to
> 	   dial any number from the AA.
> 	   On Thu, Jun 5, 2008 at 2:31 PM, Jorge L. Rodriguez Aguila
> 	   <jorge.rodriguez at netxar.com> wrote:
>
> 	       I would recommend that you do two things immediately:
> 	       install COR to limit calls and, second, implement an
> 	       access list to kill H.323 coming from the internet.
>
>
> 	       Jorge
>
>
> 	       *From:* cisco-voip-bounces at puck.nether.net
> 	       [mailto:cisco-voip-bounces at puck.nether.net] *On Behalf Of*
> 	       Aman Chugh
> 	       *Sent:* Thursday, June 05, 2008 2:13 PM
> 	       *To:* cisco voip
> 	       *Subject:* [cisco-voip] has anyone seen this !
>
>
>
>
> 	       I have a site with CME and CUE, the internet link is also
> 	       terminated on my CME router, apparently someone has hacked
> 	       into the router and is using the router calling numbers in
> 	       Cuba and Somalia. This has caused a huge bill from the phone
> 	       company. We have a TAC case opened for this. When we shut the
> 	       internet link this stops.
>
>
> 	       Aman
>
>
> 	       _______________________________________________
> 	       cisco-voip mailing list
> 	       cisco-voip at puck.nether.net
> 	       https://puck.nether.net/mailman/listinfo/cisco-voip
>
>
>
>
> 	   --    James



----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
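
Added example (not part of the thread, and not Cisco's or any poster's code): a small audit that checks whether the WAN-facing interfaces in a router configuration have an inbound ACL that denies the signalling ports the thread talks about, SIP on 5060 and H.323 call setup on TCP 1720. The sample configuration, the interface and ACL names, and the simplification that only numeric `deny ... any any eq N` entries are recognised are assumptions made for the example.

```python
import re

# Signalling ports named in the thread: SIP (UDP/TCP 5060) and H.323 call setup (TCP 1720).
REQUIRED = {("udp", 5060), ("tcp", 5060), ("tcp", 1720)}

# Constructed sample configuration; interface and ACL names are made up for this example.
SAMPLE = """\
ip access-list extended WAN-IN
 deny udp any any eq 5060
 deny tcp any any eq 5060
 deny tcp any any eq 1720
 permit ip any any
ip access-list extended SHADOWED
 permit ip any any
 deny tcp any any eq 1720
interface FastEthernet0/0
 ip access-group WAN-IN in
interface FastEthernet0/1
 ip access-group SHADOWED in
interface Serial0/0
 description no inbound ACL at all
"""

def parse(config):
    """Return ({acl: effective (proto, port) denies}, {interface: inbound ACL or None})."""
    acls, ifaces, closed, kind, name = {}, {}, set(), None, None
    for line in config.splitlines():
        if m := re.match(r"ip access-list extended (\S+)", line):
            kind, name = "acl", m.group(1)
            acls[name] = set()
        elif m := re.match(r"interface (\S+)", line):
            kind, name = "if", m.group(1)
            ifaces[name] = None
        elif not line.startswith(" "):
            kind = None                      # some other top-level section
        elif kind == "acl" and re.match(r"\s+permit ip any any$", line):
            closed.add(name)                 # entries after this can never match
        elif kind == "acl" and name not in closed:
            if m := re.match(r"\s+deny (tcp|udp) any any eq (\d+)$", line):
                acls[name].add((m.group(1), int(m.group(2))))
        elif kind == "if":
            if m := re.match(r"\s+ip access-group (\S+) in$", line):
                ifaces[name] = m.group(1)
    return acls, ifaces

def audit(config, wan_ifaces):
    """Map each WAN-facing interface to the signalling ports its inbound ACL leaves open."""
    acls, ifaces = parse(config)
    return {i: sorted(REQUIRED - acls.get(ifaces.get(i), set())) for i in wan_ifaces}

if __name__ == "__main__":
    print(audit(SAMPLE, ["FastEthernet0/0", "FastEthernet0/1", "Serial0/0"]))
```

An empty list for an interface means all three signalling ports are denied inbound; a deny placed after `permit ip any any` is reported as open because it can never match.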


