<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.3157" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=734144609-08062008><FONT face=Arial
color=#0000ff size=2>Not to sound harsh here...but...ANYTHING connected to the
Internet should always be firewalled/protected. </FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=734144609-08062008><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=734144609-08062008><FONT face=Arial
color=#0000ff size=2>Would you put an open PC on the Internet? No..unless
you want it to become part of a botnet.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=734144609-08062008><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=734144609-08062008><FONT face=Arial
color=#0000ff size=2>This is basic security. I've been running a 2811 on
the Internet with CME for years - BUT I *always* have the firewall and IDS
feature sets active. </FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=734144609-08062008><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=734144609-08062008><FONT face=Arial
color=#0000ff size=2>Now...all that being said...most 18xx/28xx/38xx routers
I've worked with come with HUGE warnings on them about turning on security - in
fact it even has an account by default out of the box. It is up to the
users installing them to read the warnings and understand the environment in
which they are putting the device.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=734144609-08062008><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=734144609-08062008><FONT face=Arial
color=#0000ff size=2>I'm not trying to offend you.....just change your way of
thinking when it comes to attaching anything to
the Internet.</FONT></SPAN></DIV><BR>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> cisco-voip-bounces@puck.nether.net
[mailto:cisco-voip-bounces@puck.nether.net] <B>On Behalf Of </B>Aman
Chugh<BR><B>Sent:</B> Sunday, June 08, 2008 2:21 AM<BR><B>To:</B> cisco
voip<BR><B>Subject:</B> Re: [cisco-voip] has anyone seen this
!<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV>I agree with Zoltan's email on this. I am not the first one to experience
this, still Cisco does not warn or inform about SIP/H.323 open on CME for
misuse. We were not using SIP, still someone was able to get on to the
router through the WAN and make use of SIP on the router. I think Cisco should
clearly state this during the installation/Configuration of CME.</DIV>
<DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV>Aman</DIV><BR><BR> </DIV>
<DIV><SPAN class=gmail_quote>On 6/7/08, <B class=gmail_sendername>Jason Aarons
(US)</B> <<A
href="mailto:jason.aarons@us.didata.com">jason.aarons@us.didata.com</A>>
wrote:</SPAN>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">I
would recommend running a port/security scanner on your own subnet,<BR>you
might find other unexpected results.<BR><BR>It wasn't clear if these are
outside your firewall.<BR><BR>-----Original Message-----<BR>From: <A
href="mailto:cisco-voip-bounces@puck.nether.net">cisco-voip-bounces@puck.nether.net</A><BR>[mailto:<A
href="mailto:cisco-voip-bounces@puck.nether.net">cisco-voip-bounces@puck.nether.net</A>]
On Behalf Of<BR><A
href="mailto:keli@carocomp.ro">keli@carocomp.ro</A><BR>Sent: Saturday, June
07, 2008 4:20 AM<BR>To: James Buchanan<BR>Cc: cisco voip<BR>Subject: Re:
[cisco-voip] has anyone seen this !<BR><BR>Basically I agree with you, and I
think all of us who faced the<BR>problem have learned our lesson the hard way
... :/<BR><BR>But the issue here is a bit different, I'd say:<BR>Cisco is
running SIP and H.323 services by default, once CME
is<BR>configured. Cisco CME is *routing* incoming SIP/H.323
calls<BR>indiscriminately, also *by default*. The key thing being that
your<BR>appliance (Cisco CME router in this case) does things you've
not<BR>configured it specifically to do. Where we hit this thing, we
didn't<BR>use any SIP services, and the router was configured from blank, so
I<BR>did not expect any SIP service to be running on it.<BR><BR>It's funny,
that on local side Cisco considers their stuff so<BR>"secure", that an
auto-registered SCCP phone will not get tone, and<BR>won't be able to call
anywhere, but then again a blind incoming SIP<BR>packet can pass through the
router as they wish...<BR><BR>If you consider, that CME systems come
integrated into routers, so<BR>they are very likely to be used as such in
low-budget environments.<BR>It's very possible that the people installing it
are not some<BR>extremely experienced telephony and/or networking experts
(Cisco's<BR>target for CME is expected to be able to use/configure CME through
the<BR>web interface). So while it is certainly a bad decision to deploy
it<BR>that way, it's not by a mile such an unlikely one.<BR><BR>sorry for the
rant. :)<BR><BR>regards,<BR> Zoltan<BR><BR>Quoting James Buchanan
<<A
href="mailto:jbuchanan@ctiusa.com">jbuchanan@ctiusa.com</A>>:<BR><BR>> I
find it puzzling why anyone would put their production telephone<BR>>
system on the Internet with no apparent security measures, not even an<BR>>
access list. Cisco should restrict this I suppose, but some basic<BR>>
network security practices should also have been followed in this case<BR>>
during implementation.<BR>><BR>><BR>><BR>> From: <A
href="mailto:cisco-voip-bounces@puck.nether.net">cisco-voip-bounces@puck.nether.net</A><BR>>
[mailto:<A
href="mailto:cisco-voip-bounces@puck.nether.net">cisco-voip-bounces@puck.nether.net</A>]
On Behalf Of Aman Chugh<BR>> Sent: Friday, June 06, 2008 10:50 PM<BR>>
To: Kelemen Zoltan<BR>> Cc: cisco voip<BR>> Subject: Re: [cisco-voip]
has anyone seen this !<BR>><BR>><BR>><BR>> Yes, exactly I was
told the same thing and customer is facing a huge<BR>>
bill.<BR>><BR>><BR>><BR>> On 6/6/08, Kelemen Zoltan <<A
href="mailto:keli@carocomp.ro">keli@carocomp.ro</A>>
wrote:<BR>><BR>><BR>><BR>> I
had bitten this bullet in January (<BR>> <A
href="https://puck.nether.net/pipermail/cisco-voip/2008-January/029569.html">https://puck.nether.net/pipermail/cisco-voip/2008-January/029569.html</A><BR>)<BR>>
and I'm still perplexed how can Cisco leave this as-is with SIP and<BR>>
H.323 wide open for public as default settings, while being well aware<BR>>
of the situation and its possible
consequences.<BR>><BR>> I've been
discussing this issue with some other colleagues as<BR>> well in the branch
and I know this has happened to plenty of other<BR>> people, in
some cases causing very serious monetary
damage.<BR>><BR>>
regards,<BR>> Zoltan<BR>><BR>>
Aman Chugh wrote:<BR>><BR>> It was
SIP , disabled sip on the wan port using an ACL to stop<BR>>
calls going
out.<BR>> Aman<BR>><BR>> On
6/6/08, *James Edmondson* <<A
href="mailto:biged7600@gmail.com">biged7600@gmail.com</A><BR>>
<mailto:<A
href="mailto:biged7600@gmail.com">biged7600@gmail.com</A>>>
wrote:<BR>><BR>> Do
you happen to have custom scripts on the CME box? I had<BR>>
this<BR>> problem
as whoever developed the script left the hole open to<BR>>
dial<BR>> any number
from the
AA.<BR>> On Thu,
Jun 5, 2008 at 2:31 PM, Jorge L. Rodriguez
Aguila<BR>> <<A
href="mailto:jorge.rodriguez@netxar.com">jorge.rodriguez@netxar.com</A><BR>>
<mailto:<A
href="mailto:jorge.rodriguez@netxar.com">jorge.rodriguez@netxar.com</A>>><BR>> wrote:<BR>><BR>> I
would recommend that you do two things immediately.<BR>>
Install<BR>> COR
to limit calls and second implement Access List to<BR>>
Kill<BR>> H.323
coming from the
internet.<BR>><BR>><BR>> Jorge<BR>><BR>><BR>> *From:*
<A
href="mailto:cisco-voip-bounces@puck.nether.net">cisco-voip-bounces@puck.nether.net</A><BR>> <mailto:<A
href="mailto:cisco-voip-bounces@puck.nether.net">cisco-voip-bounces@puck.nether.net</A>><BR>> [mailto:<A
href="mailto:cisco-voip-bounces@puck.nether.net">cisco-voip-bounces@puck.nether.net</A><BR>> <mailto:<A
href="mailto:cisco-voip-bounces@puck.nether.net">cisco-voip-bounces@puck.nether.net</A>>]
*On Behalf<BR>>
Of<BR>> *Aman
Chugh<BR>> *Sent:*
Thursday, June 05, 2008 2:13
PM<BR>> *To:*
cisco
voip<BR>> *Subject:*
[cisco-voip] has anyone seen this
!<BR>><BR>><BR>><BR>><BR>> I
have a site with CME and CUE , the internet link is<BR>>
also<BR>> terminated
on my CME router, apparently some one has<BR>>
hacked<BR>> into
the router and is using the router calling numbers<BR>>
in<BR>> cuba
and somalia. This has caused a huge bill from the<BR>>
phone<BR>> company.We
have TAC case openned for this, When we shut<BR>>
the<BR>> internet
link this stops
..<BR>><BR>><BR>> Aman<BR>><BR>><BR>> _______________________________________________<BR>> cisco-voip
mailing
list<BR>> <A
href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</A><BR>>
<mailto:<A
href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</A>><BR>> <A
href="https://puck.nether.net/mailman/listinfo/cisco-voip">https://puck.nether.net/mailman/listinfo/cisco-voip</A><BR>><BR>> -- James<BR></BLOCKQUOTE></DIV><BR></BODY></HTML>