[cisco-voip] Expressway Search Rules - Source:Any -or- Source-Named Zone

Ryan Huff ryanhuff at outlook.com
Thu Sep 13 11:55:12 EDT 2018


Pardon ... “the E’s search rule” ... I said traversal zone. Email needs a delete like WebEx Teams ...

Sent from my iPhone

On Sep 13, 2018, at 11:53, Ryan Huff <ryanhuff at outlook.com> wrote:

The source for the E’s traversal zone only needs to be ‘ANY’ if it truly needs to be. I’ve deployed several scenarios where the business only wanted to receive B2B calls from other things on its own domain (or a few domains strung together in Regex).

Also, using the Call Policy engine (under the Configuration menu) or the more in-depth CPL (Call Processing Language) is a great way to block obviously fraudulent dials by source, target or zone (Ex. source URI: deny clown at nose.com).

I prefer to use the standard Call Policy rules in the GUI .... which is more akin to a prioritized Allow / Deny ACL.

CPL on the other hand (located in the same GUI menu section) is a more robust way of using call policies and is really only needed for advanced Call handling.

Call Processing Language is referenced on page 324: https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/admin_guide/Cisco-Expressway-Administrator-Guide-X8-11.pdf

Call Policy is referenced on page 168: https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/admin_guide/Cisco-Expressway-Administrator-Guide-X8-11.pdf

The Firewall rules are useful for only allowing administrative services to a particular subnet (System / Protection / Firewall Rules) if you need to leave HTTPS and SSH exposed to a non-secure network (this is less about toll fraud than it is general security).

The firewall rules are referenced on page 28: https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/admin_guide/Cisco-Expressway-Administrator-Guide-X8-11.pdf

As with any system exposed to the Internet, turn off any services and protocols not in use (Ex. Turn off UDP support if you’re not using it ... etc).

Thanks,

Ryan
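As an added illustration (not Expressway code, and not from Ryan's message), the following Python models the Call Policy behaviour he describes: an ordered allow/deny list checked top to bottom, first match wins, with rules keyed on source alias (regex), destination and source zone. Names such as `Call`, `Rule` and `evaluate` are my own; the policy and calls are constructed samples.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical model of a prioritized allow/deny call policy. Element and
# field names are assumptions for this example, not Expressway's own schema.

@dataclass
class Call:
    source: str         # caller alias / URI as presented on the call
    destination: str    # dialled alias
    source_zone: str    # zone the call arrived on, e.g. "DefaultZone" or "TraversalZone"

@dataclass
class Rule:
    action: str                        # "allow" or "reject"
    source: Optional[str] = None       # regex over the source alias; None matches any
    destination: Optional[str] = None  # regex over the destination alias; None matches any
    source_zone: Optional[str] = None  # exact zone name; None matches any zone

    def matches(self, call: Call) -> bool:
        if self.source_zone is not None and self.source_zone != call.source_zone:
            return False
        # fullmatch anchors the pattern to the whole alias, so a domain
        # pattern never matches a longer look-alike such as "example.com.evil.test".
        for pattern, value in ((self.source, call.source), (self.destination, call.destination)):
            if pattern is not None and re.fullmatch(pattern, value) is None:
                return False
        return True

def evaluate(rules: List[Rule], call: Call, default: str = "reject") -> str:
    """Return the action of the first rule that matches, else the default."""
    for rule in rules:
        if rule.matches(call):
            return rule.action
    return default

# Constructed policy: deny one known-bad source first, then allow B2B calls
# only from the company's own domains and only via the traversal zone.
POLICY = [
    Rule("reject", source=r"clown@nose\.com"),
    Rule("allow", source=r".+@(example\.com|example\.org)", source_zone="TraversalZone"),
]

if __name__ == "__main__":
    for c in (Call("clown@nose.com", "alice@example.com", "TraversalZone"),
              Call("bob@example.org", "alice@example.com", "TraversalZone"),
              Call("bob@example.com", "alice@example.com", "DefaultZone")):
        print(c.source, c.source_zone, "->", evaluate(POLICY, c))
```

Calls that match no rule fall through to the default reject, which is the behaviour you want when the E-side source is wider than 'ANY' strictly needs.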

On Sep 13, 2018, at 11:12, Lelio Fulgenzi <lelio at uoguelph.ca> wrote:


Curious – what are people doing with their search rules? I’ve got a search rule for calls coming from the ‘net into E and then to C all good, but just wondering, I know the search rule on E has to be source:ANY because it’s coming from the net, but what about the search rule on C? Shouldn’t it be source:named zone (and pick C-to-E traversal zone) to be sure that nothing else hits it?

Same goes for say rules that I use to send calls all the way from CUCM to C to E to DNS Zone. Shouldn’t my rules be as specifically configured as possible? Including the source zone?

I understand that if I start registering devices on either the C or E I will need to create additional rules, but I’m fine with that, that way I know exactly what’s going to hit.

What are others doing? What’s the best practice?


---
Lelio Fulgenzi, B.A. | Senior Analyst
Computing and Communications Services | University of Guelph
Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1
519-824-4120 Ext. 56354 | lelio at uoguelph.ca

www.uoguelph.ca/ccs | @UofGCCS on Instagram, Twitter and Facebook


_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip