[cisco-voip] Preventing Web Access to 79xx

Ed Leatherman ealeatherman at gmail.com
Tue Nov 3 11:51:21 EST 2009


Oh, I agree. I leave web access enabled myself - I don't consider the
risk great enough to outweigh the troubleshooting value. Just saying
it's something to consider depending on your situation.
Coming from a higher education point of view, we have a hard time
blocking certain traffic no matter how much we want to; port 80 may
very well be open to the internet.

On Tue, Nov 3, 2009 at 12:26 PM, Ryan Ratliff <rratliff at cisco.com> wrote:
> Would having your data vlan IP address be public and reachable from the big
> bad internet (especially on port 80) be a bigger worry for the security
> group than users being able to access their IP phones' web page?
>
> There are some times when web access to the phone is very useful for
> verifying config, looking at media information, or even for getting a
> screenshot of the phone's display.
>
> Setting up ACLs to block those you don't want to have access may be more
> pain up front but if you ever need to get console logs, etc from a phone
> without resetting it (bug investigation for example) then being able to
> modify an ACL will be a lot easier than enabling web access, resetting the
> phone (which will fix the issue), and waiting for the problem to come back.
>
> -Ryan
>
> On Nov 3, 2009, at 10:55 AM, Ed Leatherman wrote:
>
> Depending on the particular security requirements, he should still
> consider disabling the web access in addition to ACLs etc.
> I've had end users unplug phones and move them to another office that
> had a jack with only the data VLAN on it. Now the phone gets a public IP
> address that is potentially reachable from anywhere. You can surf
> to it and get the IP addresses of all your Call Manager servers, TFTP
> server, etc. Granted, these servers are hopefully on private IP space
> - but it's more information than you probably want to provide to
> someone scanning port 80. Just depends on how strict your security
> concerns are, or how paranoid you are I guess :)
>
> On Tue, Nov 3, 2009 at 10:56 AM, Lelio Fulgenzi <lelio at uoguelph.ca> wrote:
>>
>> Personally speaking, I would investigate using ACLs to limit access to the
>> phone's web browser/server. There are many services (some Cisco, some third
>> party) that use the web server to do stuff, like post messages, etc.
>>
>> Granted, it's a little more involved, and you need to have separate voice
>> and data VLANs, but it's a better long term approach. IMHO.
>>
>> ---
>> Lelio Fulgenzi, B.A.
>> Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
>> (519) 824-4120 x56354 (519) 767-1060 FAX (JNHN)
>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> "Bad grammar makes me [sic]" - Tshirt
>>
>
>
> --
> Ed Leatherman
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
>



-- 
Ed Leatherman

