[cisco-voip] Preventing Web Access to 79xx[Scanned]

Martin Bufton m.bufton at spectra-group.co.uk
Tue Nov 3 11:28:05 EST 2009


I think access lists will be the way to go as I would like my Engineers
to be able to debug the phones.

An access list denying all other than the management network is the way
forward, I think.


Martin Bufton BSc (Hons), CCNA - Systems Engineer
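The "deny all except the management network" access list Martin and Lelio describe, written out as an added IOS example (not configuration from any poster); the voice VLAN, subnets and interface name are assumptions, and it filters only the phones' HTTP port so signalling, media and TFTP are untouched.

```cisco
! Constructed example. Assumptions: voice VLAN 50 is 10.10.50.0/24, the
! management network is 10.10.250.0/24, and the phones' web server is tcp/80.
ip access-list extended PHONE-WEB-MGMT-ONLY
 remark Engineers on the management network may reach the phone web pages
 permit tcp 10.10.250.0 0.0.0.255 10.10.50.0 0.0.0.255 eq 80
 remark Everyone else is blocked from the phone web server; log hits
 deny   tcp any 10.10.50.0 0.0.0.255 eq 80 log
 remark Leave all other traffic to the phones (SCCP/SIP, RTP, TFTP, DHCP) alone
 permit ip any any
!
! Applied outbound on the voice SVI, i.e. on traffic heading towards the phones
interface Vlan50
 description Voice VLAN - IP phones
 ip access-group PHONE-WEB-MGMT-ONLY out
!
! Hit counters on the deny line show who is probing the phones' port 80
! show access-lists PHONE-WEB-MGMT-ONLY
```

To debug a phone without resetting it, as Ryan suggests, add a temporary `permit tcp host <engineer-ip> ...` line above the deny rather than enabling web access on the phone.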


-----Original Message-----
From: Ryan Ratliff [mailto:rratliff at cisco.com] 
Sent: 03 November 2009 16:26
To: Ed Leatherman
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] Preventing Web Access to 79xx[Scanned]

Would having your data vlan IP address be public and reachable from  
the big bad internet (especially on port 80) be a bigger worry for the  
security group than users being able to access their IP phones' web  
page?

There are some times when web access to the phone is very useful for  
verifying config, looking at media information, or even for getting a  
screenshot of the phone's display.

Setting up ACLs to block those you don't want to have access may be  
more pain up front but if you ever need to get console logs, etc from  
a phone without resetting it (bug investigation for example) then  
being able to modify an ACL will be a lot easier than enabling web  
access, resetting the phone (which will fix the issue), and waiting  
for the problem to come back.

-Ryan

On Nov 3, 2009, at 10:55 AM, Ed Leatherman wrote:

Depending on the particular security requirements, he should still
consider disabling the web access in addition to ACLs etc.
I've had end users unplug phones and move them to another office that
had a jack with only the data VLAN on it. Now the phone gets a public IP
address that is potentially reachable from anywhere. You can surf
to it and get the IP addresses of all your call manager servers, TFTP
server, etc. Granted, these servers are hopefully on private IP space,
but it's more information than you probably want to provide to
someone scanning port 80. It just depends on how strict your security
concerns are, or how paranoid you are, I guess :)

On Tue, Nov 3, 2009 at 10:56 AM, Lelio Fulgenzi <lelio at uoguelph.ca>  
wrote:
> Personally speaking, I would investigate using ACLs to limit access
> to the phones' web browser/server. There are many services (some Cisco,
> some third party) that use the web server to do stuff, like post
> messages, etc.
>
> Granted, it's a little more involved, and you need to have separate
> voice and data VLANs, but it's a better long term approach. IMHO.
>
> ---
> Lelio Fulgenzi, B.A.
> Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
> (519) 824-4120 x56354 (519) 767-1060 FAX (JNHN)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> "Bad grammar makes me [sic]" - Tshirt
>


-- 
Ed Leatherman
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
