[cisco-voip] Preventing Web Access to 79xx
Lelio Fulgenzi
lelio at uoguelph.ca
Tue Nov 3 11:14:18 EST 2009
Ed's correct though, it won't come up, but it will get an IP address and can be browsed. The phone keeps config data around.
---
Lelio Fulgenzi, B.A.
Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
(519) 824-4120 x56354 (519) 767-1060 FAX (JNHN)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
"Bad grammar makes me [sic]" - Tshirt
----- Original Message -----
From: "Scott Voll" <svoll.voip at gmail.com>
To: "Ed Leatherman" <ealeatherman at gmail.com>
Cc: "Lelio Fulgenzi" <lelio at uoguelph.ca>, cisco-voip at puck.nether.net
Sent: Tuesday, November 3, 2009 11:00:35 AM GMT -05:00 US/Canada Eastern
Subject: Re: [cisco-voip] Preventing Web Access to 79xx
Put the whole voice network behind a firewall. If they move to a data VLAN only....... the phone never comes up.... then the helpdesk gets the call and someone can go and slap them around. ;-)
Just make sure the firewall is an ASA and not a FWSM. <RANT> what a joke........ it's a firewall...... but NO VPN, NO Phone Proxy, basically you lose all the voice functions you want out of a firewall </RANT>.
Scott
On Tue, Nov 3, 2009 at 8:55 AM, Ed Leatherman <ealeatherman at gmail.com> wrote:
Depending on the particular security requirements, he should still consider disabling the web access in addition to ACLs etc.

I've had end users unplug phones and move them to another office that had a jack with only the data VLAN on it. Now the phone gets a public IP address that is potentially reachable from anywhere. You can surf to it and get the IP addresses of all your Call Manager servers, TFTP server, etc. Granted, these servers are hopefully on private IP space, but it's more information than you probably want to provide to someone scanning port 80. Just depends on how strict your security concerns are, or how paranoid you are I guess :)
On Tue, Nov 3, 2009 at 10:56 AM, Lelio Fulgenzi <lelio at uoguelph.ca> wrote:
> Personally speaking, I would investigate using ACLs to limit access to the
> phone's web browser/server. There are many services (some Cisco, some third
> party) that use the web server to do stuff, like post messages, etc.
>
> Granted, it's a little more involved, and you need to have separate voice
> and data VLANs, but it's a better long term approach. IMHO.
--
Ed Leatherman
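The ACL approach Lelio describes, worked through as an added example that is not from the thread: an extended IOS ACL on the voice VLAN SVI that lets only a management subnet and one application server (which pushes messages to phones over HTTP) reach the phones' web server, and logs everything else. The subnets, the SVI number and the server address are assumptions; substitute your own.

```cisco
! Assumed addressing (not from the thread):
!   voice VLAN          10.10.20.0/24  (SVI Vlan20)
!   management subnet   10.10.99.0/24
!   app server that posts messages to phones over HTTP: 10.10.99.50
ip access-list extended PHONE-WEB-RESTRICT
 remark Management subnet may reach the phones' web server
 permit tcp 10.10.99.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 80
 remark Application server that uses the phone web server (keep such hosts working)
 permit tcp host 10.10.99.50 10.10.20.0 0.0.0.255 eq 80
 remark Everyone else is denied on port 80 and logged so you can see who is probing phones
 deny   tcp any 10.10.20.0 0.0.0.255 eq 80 log
 remark Leave all other phone traffic (SCCP/SIP, RTP, TFTP, DHCP) untouched
 permit ip any any
!
interface Vlan20
 description Voice VLAN
 ! "out" on the voice SVI filters traffic being routed toward the phones
 ip access-group PHONE-WEB-RESTRICT out
```

This only filters traffic routed into the voice VLAN; hosts already on that VLAN, or a phone moved to a data-only jack as Ed describes, are not covered by it, which is why disabling the phone's web access in CallManager is still worth doing alongside the ACL.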