[cisco-voip] has anyone seen this !

Aman Chugh aman.chugh at gmail.com
Sun Jun 8 03:21:12 EDT 2008


I agree with Zoltan's email on this. I am not the first one to experience
this, still Cisco does not warn or inform about SIP/H.323 being open on CME for
misuse. We were not using SIP, still someone was able to get on to the
router through the WAN and make use of SIP on the router. I think Cisco
should clearly state this during the installation/configuration of CME.


Aman



On 6/7/08, Jason Aarons (US) <jason.aarons at us.didata.com> wrote:
>
> I would recommend running a port/security scanner on your own subnet,
> you might find other unexpected results.
>
> It wasn't clear if these are outside your firewall.
>
> -----Original Message-----
> From: cisco-voip-bounces at puck.nether.net
> [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of
> keli at carocomp.ro
> Sent: Saturday, June 07, 2008 4:20 AM
> To: James Buchanan
> Cc: cisco voip
> Subject: Re: [cisco-voip] has anyone seen this !
>
> Basically I agree with you, and I think all of us who faced the
> problem have learned our lesson the hard way ... :/
>
> But the issue here is a bit different, I'd say:
> Cisco is running SIP and H.323 services by default, once CME is
> configured.  Cisco CME is *routing* incoming SIP/H.323 calls
> indiscriminately, also *by default*. The key thing being that your
> appliance (Cisco CME router in this case) does things you've not
> configured it specifically to do. Where we hit this thing, we didn't
> use any SIP services, and the router was configured from blank, so I
> did not expect any SIP service to be running on it.
>
> It's funny, that on local side Cisco considers their stuff so
> "secure", that an auto-registered SCCP phone will not get tone, and
> won't be able to call anywhere, but then again a blind incoming SIP
> packet can pass through the router as they wish...
>
> If you consider, that CME systems come integrated into routers, so
> they are very likely to be used as such in low-budget environments.
> It's very possible that the people installing it are not some
> extremely experienced telephony and/or networking experts (Cisco's
> target for CME is expected to be able to use/configure CME through the
> web interface). So while it is certainly a bad decision to deploy it
> that way, it's not by a mile such an unlikely one.
>
> sorry for the rant. :)
>
> regards,
>   Zoltan
>
> Quoting James Buchanan <jbuchanan at ctiusa.com>:
>
> > I find it puzzling why anyone would put their production telephone
> > system on the Internet with no apparent security measures, not even an
> > access list. Cisco should restrict this I suppose, but some basic
> > network security practices should also have been followed in this case
> > during implementation.
> >
> >
> >
> > From: cisco-voip-bounces at puck.nether.net
> > [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Aman Chugh
> > Sent: Friday, June 06, 2008 10:50 PM
> > To: Kelemen Zoltan
> > Cc: cisco voip
> > Subject: Re: [cisco-voip] has anyone seen this !
> >
> >
> >
> > Yes, exactly. I was told the same thing and the customer is facing a huge
> > bill.
> >
> >
> >
> > On 6/6/08, Kelemen Zoltan <keli at carocomp.ro> wrote:
> >
> >
> >
> >       I had bitten this bullet in January (
> > https://puck.nether.net/pipermail/cisco-voip/2008-January/029569.html )
> > and I'm still perplexed how Cisco can leave this as-is with SIP and
> > H.323 wide open to the public as default settings, while being well aware
> > of the situation and its possible consequences.
> >
> >       I've been discussing this issue with some other colleagues as
> > well in the branch and I know this has happened to plenty of other
> > people, in some cases causing very serious monetary damage.
> >
> >       regards,
> >        Zoltan
> >
> >       Aman Chugh wrote:
> >
> >       It was SIP, disabled SIP on the WAN port using an ACL to stop
> > calls going out.
> >        Aman
> >
> >        On 6/6/08, James Edmondson <biged7600 at gmail.com> wrote:
> >
> >          Do you happen to have custom scripts on the CME box? I had this
> >          problem as whoever developed the script left the hole open to dial
> >          any number from the AA.
> >          On Thu, Jun 5, 2008 at 2:31 PM, Jorge L. Rodriguez Aguila
> >          <jorge.rodriguez at netxar.com> wrote:
> >
> >              I would recommend that you do Two things immediately. Install
> >              COR to limit calls and second implement Access List to Kill
> >              H.323 coming from the internet.
> >
> >
> >              Jorge
> >
> >
> >              From: cisco-voip-bounces at puck.nether.net
> >              [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of
> >              Aman Chugh
> >              Sent: Thursday, June 05, 2008 2:13 PM
> >              To: cisco voip
> >              Subject: [cisco-voip] has anyone seen this !
> >
> >
> >
> >
> >              I have a site with CME and CUE, the internet link is also
> >              terminated on my CME router, apparently someone has hacked
> >              into the router and is using the router calling numbers in
> >              Cuba and Somalia. This has caused a huge bill from the phone
> >              company. We have a TAC case opened for this. When we shut the
> >              internet link this stops.
> >
> >
> >              Aman
> >
> >
> >              _______________________________________________
> >              cisco-voip mailing list
> >              cisco-voip at puck.nether.net
> > <mailto:cisco-voip at puck.nether.net>
> >              https://puck.nether.net/mailman/listinfo/cisco-voip
> >
> >
> >
> >
> >          --    James
>
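
An added example, not part of the thread or any poster's configuration: a small audit that reads an IOS running-config and reports, per interface, which voice signaling ports (H.323 on TCP 1720, SIP on UDP/TCP 5060) an inbound ACL still lets through. The interface names, ACL name and addresses are constructed, and only `any any` ACL entries with numeric ports are evaluated.

```python
import re

# H.323 call signaling uses TCP 1720; SIP uses UDP and TCP 5060.
SIGNALING = {("tcp", "1720"), ("udp", "5060"), ("tcp", "5060")}

# Constructed running-config excerpt; names and addresses are assumptions.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip access-group WAN-IN in
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.252
!
ip access-list extended WAN-IN
 deny tcp any any eq 1720
 deny udp any any eq 5060
 deny tcp any any eq 5060
 permit ip any any
"""

def parse(config):
    """Return ({interface: inbound ACL or None}, {ACL name: [token lists]})."""
    ifaces, acls = {}, {}
    for block in re.split(r"\n(?=\S)", config):  # one block per top-level section
        head, *body = block.splitlines()
        if m := re.match(r"interface (\S+)", head):
            bound = re.search(r"^ ip access-group (\S+) in$", block, re.M)
            ifaces[m[1]] = bound[1] if bound else None
        elif m := re.match(r"ip access-list extended (\S+)", head):
            acls[m[1]] = [l.split() for l in body if l.strip()]
    return ifaces, acls

def exposed_ports(entries):
    """First-match walk of an ACL; returns signaling ports it permits."""
    exposed, undecided = set(), set(SIGNALING)
    for action, proto, *rest in entries:
        if rest[:2] != ["any", "any"]:
            continue  # host- or subnet-specific entries are not evaluated here
        for p in list(undecided):
            if proto in ("ip", p[0]) and rest[2:] in ([], ["eq", p[1]]):
                undecided.discard(p)
                if action == "permit":
                    exposed.add(p)
    return exposed  # ports still undecided fall to the implicit deny

def audit(config):
    """Map each interface to the signaling ports reachable inbound."""
    ifaces, acls = parse(config)
    # No ACL, or a reference to an undefined ACL, filters nothing.
    return {n: sorted(exposed_ports(acls[a]) if a in acls else SIGNALING)
            for n, a in ifaces.items()}
```

An empty list for the WAN-facing interface is the result to look for; any listed port means the router accepts that signaling protocol from the outside on that interface.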