<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:odc="urn:schemas-microsoft-com:office:odc" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:D="DAV:" xmlns:mt="http://schemas.microsoft.com/sharepoint/soap/meetings/" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sub="http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec="http://www.w3.org/2001/04/xmlenc#" xmlns:sp="http://schemas.microsoft.com/sharepoint/" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcs="http://schemas.microsoft.com/data/udc/soap" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:udcp2p="http://schemas.microsoft.com/data/udc/parttopart" xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" xmlns:dsss="http://schemas.microsoft.com/office/2006/digsig-setup" xmlns:dssi="http://schemas.microsoft.com/office/2006/digsig" 
xmlns:mdssi="http://schemas.openxmlformats.org/package/2006/digital-signature" xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" xmlns:spwp="http://microsoft.com/sharepoint/webpartpages" xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:pptsl="http://schemas.microsoft.com/sharepoint/soap/SlideLibrary/" xmlns:spsl="http://microsoft.com/webservices/SharePointPortalServer/PublishedLinksService" xmlns:Z="urn:schemas-microsoft-com:" xmlns:st="" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><a
href="http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns165/ns391/white_paper_c11-493584.html">http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns165/ns391/white_paper_c11-493584.html</a><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I believe this white paper will answer all of your questions.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Arial","sans-serif";
color:black'>Vincent Loschiavo</span></b><span style='font-size:11.0pt;
font-family:"Calibri","sans-serif";color:black'><br>
</span><b><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";
color:#7F7F7F'>Director of Consulting</span></b><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
cisco-voip-bounces@puck.nether.net [mailto:cisco-voip-bounces@puck.nether.net] <b>On
Behalf Of </b>Jason Burns<br>
<b>Sent:</b> Wednesday, March 11, 2009 8:37 AM<br>
<b>To:</b> Gavrilov, Anatoly<br>
<b>Cc:</b> cisco-voip@puck.nether.net<br>
<b>Subject:</b> Re: [cisco-voip] ASA 8.0.4 Phone-Proxy feature and
ExtensionMobility<o:p></o:p></span></p>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'>Anatoly,<br>
<br>
The phone downloads a secure configuration file via TFTP. It is encrypted and
requires CTL / LSC on the phone to decrypt it.<br>
<br>
The HTTP communication between the phone and the ASA for Extension Mobility I
believe IS in plain text though. I don't think the phones support HTTPS EM yet.<br>
<br>
I don't know of a great way to protect this communication, and I'm not sure if
the ASA has any mechanisms built in to ONLY proxy HTTP requests from the IP
Phones.<br>
<br>
Maybe someone more familiar with the ASA can comment on that?<br>
<br>
-Jason<o:p></o:p></p>
<div>
<p class=MsoNormal>On Wed, Mar 11, 2009 at 12:27 AM, Gavrilov, Anatoly &lt;<a
href="mailto:Anatoly.Gavrilov@gsjbw.com">Anatoly.Gavrilov@gsjbw.com</a>&gt;
wrote:<o:p></o:p></p>
<div>
<div>
<p><span lang=EN-AU style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Hi
all, </span><span lang=EN-AU><o:p></o:p></span></p>
<p><span lang=EN-AU style='font-size:10.0pt;font-family:"Arial","sans-serif"'> </span><span
lang=EN-AU><o:p></o:p></span></p>
<p><span lang=EN-AU style='font-size:10.0pt;font-family:"Arial","sans-serif"'>I’m
thinking of implementing Phone-proxy but I have some concerns about the overall
security of this solution. </span><span lang=EN-AU><o:p></o:p></span></p>
<p><span lang=EN-AU style='font-size:10.0pt;font-family:"Arial","sans-serif"'> </span><span
lang=EN-AU><o:p></o:p></span></p>
<p><span lang=EN-AU style='font-size:10.0pt;font-family:"Arial","sans-serif"'>As
I understand it, the phone downloads its configuration in clear text. Can this
information be used for unauthorised access? </span><span lang=EN-AU><o:p></o:p></span></p>
<p><span lang=EN-AU style='font-size:10.0pt;font-family:"Arial","sans-serif"'> </span><span
lang=EN-AU><o:p></o:p></span></p>
<p><span lang=EN-AU style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Is
it possible to spoof the phone’s request and send a request with a different MAC
address? I know that the ASA checks the phone’s MIC file and authenticates the phone based
on it, but what about CUPC? </span><span lang=EN-AU><o:p></o:p></span></p>
<p><span lang=EN-AU style='font-size:10.0pt;font-family:"Arial","sans-serif"'> </span><span
lang=EN-AU><o:p></o:p></span></p>
<p><span lang=EN-AU style='font-size:10.0pt;font-family:"Arial","sans-serif"'>For
the Extension Mobility feature to work, I have to open port 8080 on the Publisher for
all hosts coming from the Internet. I think it’s really a huge hole in the
firewall. Taking into consideration that an EM request is just a normal HTTP
request, it’s very easy to get user credentials and run an attack on Call Manager
to trigger all phones to log off. What’s the way to protect this port from such
attacks? </span><span lang=EN-AU><o:p></o:p></span></p>
<p><span lang=EN-AU style='font-size:10.0pt;font-family:"Arial","sans-serif"'> </span><span
lang=EN-AU><o:p></o:p></span></p>
<p><span lang=EN-AU style='font-family:"Verdana","sans-serif"'> </span><span
lang=EN-AU><o:p></o:p></span></p>
</div>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</body>
</html>