[cisco-voip] has anyone seen this !

Philip Walenta pwalenta at wi.rr.com
Sun Jun 8 05:53:35 EDT 2008


Not to sound harsh here...but...ANYTHING connected to the Internet should
always be firewalled/protected.  
 
Would you put an open PC on the Internet?  No...unless you want it to become
part of a botnet.
 
This is basic security.  I've been running a 2811 on the Internet with CME
for years - BUT I *always* have the firewall and IDS feature sets active.  
 
Now...all that being said...most 18xx/28xx/38xx routers I've worked with
come with HUGE warnings on them about turning on security - in fact it even
has an account by default out of the box.  It is up to the users installing
them to read the warnings and understand the environment in which they are
putting the device.
 
I'm not trying to offend you.....just change your way of thinking when it
comes to attaching anything to the Internet.

  _____  

From: cisco-voip-bounces at puck.nether.net
[mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Aman Chugh
Sent: Sunday, June 08, 2008 2:21 AM
To: cisco voip
Subject: Re: [cisco-voip] has anyone seen this !


I agree with Zoltan's email on this. I am not the first one to experience
this, still Cisco does not warn or inform about SIP/H.323 open on CME for
misuse.  We were not using SIP, still someone was able to get on to the
router through the WAN and make use of SIP on the router. I think Cisco
should clearly state this during the installation/configuration of CME.
 
 
Aman


 
On 6/7/08, Jason Aarons (US) <jason.aarons at us.didata.com> wrote: 

I would recommend running a port/security scanner on your own subnet,
you might find other unexpected results.

It wasn't clear if these are outside your firewall.

-----Original Message-----
From: cisco-voip-bounces at puck.nether.net
[mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of
keli at carocomp.ro
Sent: Saturday, June 07, 2008 4:20 AM
To: James Buchanan
Cc: cisco voip
Subject: Re: [cisco-voip] has anyone seen this !

Basically I agree with you, and I think all of us who faced the
problem have learned our lesson the hard way ... :/

But the issue here is a bit different, I'd say:
Cisco is running SIP and H.323 services by default, once CME is
configured.  Cisco CME is *routing* incoming SIP/H.323 calls
indiscriminately, also *by default*. The key thing being that your
appliance (Cisco CME router in this case) does things you've not
configured it specifically to do. Where we hit this thing, we didn't
use any SIP services, and the router was configured from blank, so I
did not expect any SIP service to be running on it.

It's funny, that on local side Cisco considers their stuff so
"secure", that an auto-registered SCCP phone will not get tone, and
won't be able to call anywhere, but then again a blind incoming SIP
packet can pass through the router as they wish...

If you consider, that CME systems come integrated into routers, so
they are very likely to be used as such in low-budget environments.
It's very possible that the people installing it are not some
extremely experienced telephony and/or networking experts (Cisco's
target for CME is expected to be able to use/configure CME through the
web interface). So while it is certainly a bad decision to deploy it
that way, it's not by a mile such an unlikely one.

sorry for the rant. :)

regards,
  Zoltan

Quoting James Buchanan <jbuchanan at ctiusa.com>:

> I find it puzzling why anyone would put their production telephone
> system on the Internet with no apparent security measures, not even an
> access list. Cisco should restrict this I suppose, but some basic
> network security practices should also have been followed in this case
> during implementation.
>
>
>
> From: cisco-voip-bounces at puck.nether.net
> [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Aman Chugh
> Sent: Friday, June 06, 2008 10:50 PM
> To: Kelemen Zoltan
> Cc: cisco voip
> Subject: Re: [cisco-voip] has anyone seen this !
>
>
>
> Yes, exactly, I was told the same thing and the customer is facing a huge
> bill.
>
>
>
> On 6/6/08, Kelemen Zoltan <keli at carocomp.ro> wrote:
>
>
>
>       I had bitten this bullet in January (
> https://puck.nether.net/pipermail/cisco-voip/2008-January/029569.html )
> and I'm still perplexed how Cisco can leave this as-is with SIP and
> H.323 wide open for public as default settings, while being well aware
> of the situation and its possible consequences.
>
>       I've been discussing this issue with some other colleagues as
> well in the branch and I know  this has happened to plenty of other
> people, in some case causing very serious monetary damage.
>
>       regards,
>        Zoltan
>
>       Aman Chugh wrote:
>
>       It was SIP, disabled SIP on the WAN port using an ACL to stop
> calls going out.
>        Aman
>
>        On 6/6/08, *James Edmondson* <biged7600 at gmail.com> wrote:
>
>          Do you happen to have custom scripts on the CME box? I had this
>          problem as whoever developed the script left the hole open to
>          dial any number from the AA.
>          On Thu, Jun 5, 2008 at 2:31 PM, Jorge L. Rodriguez Aguila
>          <jorge.rodriguez at netxar.com> wrote:
>
>              I would recommend that you do two things immediately.
>              Install COR to limit calls and second implement Access List
>              to kill H.323 coming from the internet.
>
>
>              Jorge
>
>
>              *From:* cisco-voip-bounces at puck.nether.net
>              [mailto:cisco-voip-bounces at puck.nether.net]
>              *On Behalf Of* Aman Chugh
>              *Sent:* Thursday, June 05, 2008 2:13 PM
>              *To:* cisco voip
>              *Subject:* [cisco-voip] has anyone seen this !
>
>
>
>
>              I have a site with CME and CUE, the internet link is also
>              terminated on my CME router, apparently someone has hacked
>              into the router and is using the router calling numbers in
>              Cuba and Somalia.  This has caused a huge bill from the phone
>              company. We have a TAC case opened for this. When we shut the
>              internet link this stops.
>
>
>              Aman
>
>
>              _______________________________________________
>              cisco-voip mailing list
>              cisco-voip at puck.nether.net
> <mailto:cisco-voip at puck.nether.net>
>              https://puck.nether.net/mailman/listinfo/cisco-voip
>
>
>
>
>          --    James



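Added example (not part of the original thread, and not Cisco's or any poster's code): a Python check over a router configuration for the fix discussed above, an inbound ACL on the WAN interface that denies SIP (UDP/TCP 5060) and H.323 call setup (TCP 1720). The interface name, ACL number 101 and the sample configurations are constructed, and only numbered ACL entries of the form `any any [eq port]` are understood.

```python
import re
# SIP (UDP/TCP 5060) and H.323 call setup (TCP 1720), the services named in the thread.
TARGETS = [("udp", 5060), ("tcp", 5060), ("tcp", 1720)]
ACE = re.compile(r"^access-list (\d+) (permit|deny) (ip|tcp|udp) any any(?: eq (\d+))?\s*$")
BIND = re.compile(r"^ ip access-group (\d+) in\s*$")

def parse(config):
    """Return ({interface: inbound ACL number}, {ACL number: [(action, proto, port)]})."""
    bindings, acls, iface = {}, {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1].strip()
        elif not line.startswith(" "):
            iface = None                      # left the interface block
        bind, ace = BIND.match(line), ACE.match(line)
        if bind and iface:
            bindings[iface] = bind.group(1)
        if ace:
            port = int(ace.group(4)) if ace.group(4) else None
            acls.setdefault(ace.group(1), []).append((ace.group(2), ace.group(3), port))
    return bindings, acls

def exposed(config, wan_iface):
    """List the (proto, port) targets that inbound filtering on wan_iface lets through."""
    bindings, acls = parse(config)
    acl = bindings.get(wan_iface)
    if acl is None or acl not in acls:
        return list(TARGETS)                  # no ACL, or an undefined one: nothing filtered
    leaks = []
    for proto, port in TARGETS:
        for action, ace_proto, ace_port in acls[acl]:
            if ace_proto in ("ip", proto) and ace_port in (None, port):
                if action == "permit":
                    leaks.append((proto, port))
                break                         # first matching entry decides
        # no matching entry: the implicit deny at the end of the ACL applies
    return leaks

# Constructed sample configurations (not taken from the thread).
WAN = "interface FastEthernet0/0\n ip access-group 101 in\n!\n"
WEAK = WAN + "access-list 101 permit ip any any\n"
HARDENED = WAN + ("access-list 101 deny udp any any eq 5060\n"
                  "access-list 101 deny tcp any any eq 5060\n"
                  "access-list 101 deny tcp any any eq 1720\n"
                  "access-list 101 permit ip any any\n")

if __name__ == "__main__":
    print("weak:", exposed(WEAK, "FastEthernet0/0"))
    print("hardened:", exposed(HARDENED, "FastEthernet0/0"))
```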