[cisco-voip] Preventing Web Access to 79xx

Lelio Fulgenzi lelio at uoguelph.ca
Tue Nov 3 11:14:18 EST 2009 

Ed's correct though, it won't come up, but it will get an IP address and can be browsed. The phone keeps config data around. 

--- 
Lelio Fulgenzi, B.A. 
Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1 
(519) 824-4120 x56354 (519) 767-1060 FAX (JNHN) 
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
"Bad grammar makes me [sic]" - Tshirt 


----- Original Message ----- 
From: "Scott Voll" <svoll.voip at gmail.com> 
To: "Ed Leatherman" <ealeatherman at gmail.com> 
Cc: "Lelio Fulgenzi" <lelio at uoguelph.ca>, cisco-voip at puck.nether.net 
Sent: Tuesday, November 3, 2009 11:00:35 AM GMT -05:00 US/Canada Eastern 
Subject: Re: [cisco-voip] Preventing Web Access to 79xx 

put the whole Voice network behind a Firewall. if they move to a Data Vlan only....... the phone never comes up.... then the helpdesk gets the call and someone can go and slap them around. ;-) 


just make sure the Firewall is an ASA and not a FWSM. <RANT> what a Joke........ it's a firewall...... but NO VPN, NO Phone Proxy, basically you loose all Voice functions you want out of a Firewall </RANT>. 


Scott 


On Tue, Nov 3, 2009 at 8:55 AM, Ed Leatherman < ealeatherman at gmail.com > wrote: 


Depending on the particular security requirements, he should still 
consider disabling the web access in addition to ACLs etc. 
I've had end users unplug phones, and move them to another office that 
had jack with only data vlan on it. Now the phone gets a public IP 
address that is potentially reachable from the anywhere. you can surf 
to it and get the IP addresses of all your call manager servers, tftp 
server, etc. Granted, these servers are hopefully on private IP space 
- but its more information than you probably want to provide to 
someone scanning port 80. Just depends on how strict your security 
concerns are, or how paranoid you are I guess :) 


On Tue, Nov 3, 2009 at 10:56 AM, Lelio Fulgenzi < lelio at uoguelph.ca > wrote: 
> Personally speaking, I would investigate using ACLs to limit access to the 
> phones web browser/server. There are many services (some Cisco, some third 
> party) that use the web server to do stuff, like post messages, etc. 
> 
> Granted, it's a little more involved, and you need to have separate voice 
> and data VLANs, but it's a better long term approach. IMHO. 
> 
> --- 
> Lelio Fulgenzi, B.A. 
> Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1 
> (519) 824-4120 x56354 (519) 767-1060 FAX (JNHN) 
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
> "Bad grammar makes me [sic]" - Tshirt 
> 


-- 
Ed Leatherman 



_______________________________________________ 
cisco-voip mailing list 
cisco-voip at puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-voip 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20091103/58124acd/attachment.html>

More information about the cisco-voip mailing list