[cisco-voip] Preventing Web Access to 79xx

Scott Voll svoll.voip at gmail.com
Tue Nov 3 11:00:35 EST 2009


Put the whole Voice network behind a Firewall. If they move to a Data VLAN
only... the phone never comes up... then the helpdesk gets the call and
someone can go and slap them around. ;-)

Just make sure the Firewall is an ASA and not a FWSM. <RANT> What a
joke... it's a firewall... but NO VPN, NO Phone Proxy, basically you
lose all Voice functions you want out of a Firewall </RANT>.

Scott

On Tue, Nov 3, 2009 at 8:55 AM, Ed Leatherman <ealeatherman at gmail.com> wrote:

> Depending on the particular security requirements, he should still
> consider disabling the web access in addition to ACLs etc.
> I've had end users unplug phones and move them to another office that
> had a jack with only the data VLAN on it. Now the phone gets a public IP
> address that is potentially reachable from anywhere. You can surf
> to it and get the IP addresses of all your call manager servers, TFTP
> server, etc. Granted, these servers are hopefully on private IP space
> - but it's more information than you probably want to provide to
> someone scanning port 80. Just depends on how strict your security
> concerns are, or how paranoid you are I guess :)
>
> On Tue, Nov 3, 2009 at 10:56 AM, Lelio Fulgenzi <lelio at uoguelph.ca> wrote:
> > Personally speaking, I would investigate using ACLs to limit access to the
> > phones' web browser/server. There are many services (some Cisco, some third
> > party) that use the web server to do stuff, like post messages, etc.
> >
> > Granted, it's a little more involved, and you need to have separate voice
> > and data VLANs, but it's a better long term approach. IMHO.
> >
> > ---
> > Lelio Fulgenzi, B.A.
> > Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
> > (519) 824-4120 x56354 (519) 767-1060 FAX (JNHN)
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > "Bad grammar makes me [sic]" - Tshirt
> >
>
>
> --
> Ed Leatherman
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>