[cisco-voip] CUCM - separating management traffic

Lelio Fulgenzi lelio at uoguelph.ca
Thu Jan 19 09:46:24 EST 2012


Separating out user ports and admin ports is something of a common practice out there for applications that have web interfaces. It's another level of security which doesn't cost too much to implement (another web daemon). Why Cisco has chosen not only to put the admin interface on the same port as the user interface is beyond me, and why they chose to put a link to the admin interface on the default web page of the web server is even more so. 

Not all environments are 'friendly'. It's a common, simple hacking technique to go to a URL and start going "up" the chain to see what you get. In two steps you get to the admin interface. With the right password cracking tools I'm sure it wouldn't be hard to break into half of the telephone admin pages out there. 

On that note, we have chosen to implement a reverse proxy which allows access to user pages but blocks access to any admin pages. It certainly lets me sleep better at night. 

Of course, not everyone has worked in an environment such as an EDU where historically there is little to no control over workstations and what software is installed on them. 

Anyways, my two cents. 

--- 
Lelio Fulgenzi, B.A. 
Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1 
(519) 824-4120 x56354 (519) 767-1060 FAX (ANNU) 
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
Cooking with unix is easy. You just sed it and forget it. 
- LFJ (with apologies to Mr. Popeil) 


----- Original Message -----
From: "Matthew Saskin" <msaskin at gmail.com> 
To: "FrogOnDSCP46EF" <ciscoboy2006 at gmail.com> 
Cc: "cisco-voip voyp list" <cisco-voip at puck.nether.net> 
Sent: Thursday, January 19, 2012 9:11:05 AM 
Subject: Re: [cisco-voip] CUCM - separating management traffic 

Who knows? It's not something that I've ever heard of on the roadmap from Cisco. Technically speaking, I can't imagine it would be terribly difficult to have the various CCM services operate on one interface/IP and the management (HTTP/HTTPS) on another address, but that's just me thinking about it. 

Speaking realistically, I've never seen anyone care enough to implement ACLs or application layer filtering to "protect" the admin interface in the real world. 

-matthew 


On Thu, Jan 19, 2012 at 6:21 AM, FrogOnDSCP46EF <ciscoboy2006 at gmail.com> wrote: 

Thanks, Matthew. Would this be difficult to do, given that Cisco has in-house UC developers? 

On Thu, Jan 19, 2012 at 5:52 AM, Matthew Saskin <msaskin at gmail.com> wrote: 

You can't. Virtual or physical, CUCM only operates using a single interface and single IP address. The closest you're going to get is firewall rules to disallow certain access based on source, and that may not even work, as things like authentication URLs are on the same IP/port on the CUCM - you'd have to do some application layer filtering of URLs. 

On Wed, Jan 18, 2012 at 11:21 AM, FrogOnDSCP46EF <ciscoboy2006 at gmail.com> wrote: 

Has anyone figured out yet how to separate CUCM management in a VMware or physical deployment? 

It's kind of weird, all of Cisco's deployment templates are still putting mgmt and traffic packets on the same eth0 interface. 

I bet this is in Cisco's todo list. 

thanks 

_______________________________________________ 
cisco-voip mailing list 
cisco-voip at puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-voip 
-- 
Smile, you'll save someone else's day! 
Frog 