Anatoly,<br><br>The Cisco IP Phones do not yet support https. Until that support is added in a future version your EM logins will be clear text.<br><br>One alternative would be to use a hardware VPN for people who need to use Extension Mobility.<br>
<br>- Jason<br><br><br><div class="gmail_quote">On Wed, Mar 11, 2009 at 12:15 PM, Vince Loschiavo <span dir="ltr"><<a href="mailto:VLoschiavo@data-corporation.com">VLoschiavo@data-corporation.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"><a href="http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns165/ns391/white_paper_c11-493584.html" target="_blank">http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns165/ns391/white_paper_c11-493584.html</a></span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">I believe this white paper will answer all of your questions.</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><b><span style="font-size: 11pt; color: black;">Vincent Loschiavo</span></b><span style="font-size: 11pt; color: black;"><br>
</span><b><span style="font-size: 8pt; color: rgb(127, 127, 127);">Director of Consulting</span></b><span style="font-size: 8pt; color: rgb(127, 127, 127);"><br>
</span><b><span style="font-size: 8pt; color: rgb(0, 132, 168);"><img src="cid:image001.gif@01C9A243.0AAEB4A0" alt="cid:image001.gif@01C8D09B.0C46BD50" width="85" border="0" height="43"></span></b><span style="font-size: 11pt; color: rgb(31, 73, 125);"><br>
</span><b><span style="font-size: 8pt; color: rgb(0, 132, 168);">8200 NW 41st Street, Suite 130</span></b><span style="font-size: 11pt; color: rgb(31, 73, 125);"><br>
</span><b><span style="font-size: 8pt; color: rgb(0, 132, 168);">Miami, FL 33166</span></b><span style="font-size: 11pt; color: rgb(31, 73, 125);"><br>
</span><b><span style="font-size: 8pt; color: rgb(120, 141, 31);">Ofc: </span></b><b><span style="font-size: 8pt; color: rgb(0, 132, 168);">954-671-5669</span></b><span style="font-size: 11pt; color: rgb(31, 73, 125);"><br>
</span><b><span style="font-size: 8pt; color: rgb(120, 141, 31);">Cell:</span></b><b><span style="font-size: 8pt; color: rgb(31, 73, 125);"> </span></b><b><span style="font-size: 8pt; color: rgb(0, 132, 168);">786-282-1164<br>
</span></b><b><span style="font-size: 8pt; color: rgb(120, 141, 31);">Fax:</span></b><b><span style="font-size: 8pt; color: rgb(31, 73, 125);"> </span></b><b><span style="font-size: 8pt; color: rgb(0, 132, 168);">888-767-5905</span></b><span style="font-size: 11pt; color: rgb(31, 73, 125);"><br>
</span><b><span style="font-size: 8pt; color: rgb(120, 141, 31);">Email:</span></b><b><span style="font-size: 8pt; color: rgb(31, 73, 125);"> </span></b><b><span style="font-size: 8pt; color: rgb(0, 132, 168);"><a href="mailto:vloschiavo@data-corporation.com" target="_blank"><span style="color: rgb(0, 132, 168);">vloschiavo@data-corporation.com</span></a></span></b><b><span style="font-size: 8pt; color: rgb(0, 141, 180);"><br>
<br>
</span></b><i><span style="font-size: 8pt; color: rgb(201, 68, 41);">"KEEPING YOUR BUSINESS HIGHLY AVAILABLE"<br>
</span></i><i><span style="font-size: 8pt; color: rgb(201, 68, 41);"><img src="cid:image002.gif@01C9A243.0AAEB4A0" alt="partner-logos" width="288" border="0" height="73"></span></i><span style="font-size: 11pt; color: rgb(31, 73, 125);"></span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<div style="border-style: solid none none; border-color: rgb(181, 196, 223) -moz-use-text-color -moz-use-text-color; border-width: 1pt medium medium; padding: 3pt 0in 0in;">
<p><b><span style="font-size: 10pt;">From:</span></b><span style="font-size: 10pt;">
<a href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@puck.nether.net</a> [mailto:<a href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@puck.nether.net</a>] <b>On
Behalf Of </b>Jason Burns<br>
<b>Sent:</b> Wednesday, March 11, 2009 8:37 AM<br>
<b>To:</b> Gavrilov, Anatoly<br>
<b>Cc:</b> <a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<b>Subject:</b> Re: [cisco-voip] ASA 8.0.4 Phone-Proxy feature and
ExtensionMobility</span></p>
</div><div><div></div><div class="h5">
<p> </p>
<p style="margin-bottom: 12pt;">Anatoly,<br>
<br>
The phone downloads a secure configuration file via TFTP. It is encrypted and
requires CTL / LSC on the phone to decrypt it.<br>
<br>
The http communication between the phone and the ASA for Extension Mobility I
believe IS in plain text though. I don't think the phones support https EM yet.<br>
<br>
I don't know of a great way to protect this communication, and I'm not sure if
the ASA has any mechanisms built in to ONLY proxy http requests from the IP
Phones.<br>
<br>
Maybe someone more familiar with the ASA can comment on that?<br>
<br>
-Jason</p>
<div>
<p>On Wed, Mar 11, 2009 at 12:27 AM, Gavrilov, Anatoly <<a href="mailto:Anatoly.Gavrilov@gsjbw.com" target="_blank">Anatoly.Gavrilov@gsjbw.com</a>>
wrote:</p>
<div>
<div>
<p><span style="font-size: 10pt;" lang="EN-AU">Hi
all, </span><span lang="EN-AU"></span></p>
<p><span style="font-size: 10pt;" lang="EN-AU"> </span><span lang="EN-AU"></span></p>
<p><span style="font-size: 10pt;" lang="EN-AU">I’m
thinking to implement Phone-proxy but I have some concerns about overall
security of this solution. </span><span lang="EN-AU"></span></p>
<p><span style="font-size: 10pt;" lang="EN-AU"> </span><span lang="EN-AU"></span></p>
<p><span style="font-size: 10pt;" lang="EN-AU">As
I understand, phone downloads its configuration in clear text. Can this
information be used for unauthorised access? </span><span lang="EN-AU"></span></p>
<p><span style="font-size: 10pt;" lang="EN-AU"> </span><span lang="EN-AU"></span></p>
<p><span style="font-size: 10pt;" lang="EN-AU">Is
it possible to spoof Phone’s request and send request with different MAC
address? I know that ASA checks phone’s MIC file and authenticates phone based
on it, but what about CUPC? </span><span lang="EN-AU"></span></p>
<p><span style="font-size: 10pt;" lang="EN-AU"> </span><span lang="EN-AU"></span></p>
<p><span style="font-size: 10pt;" lang="EN-AU">For
Extension Mobility feature to work, I have to open port 8080 on Publisher for
all hosts coming from Internet. I think it’s really a huge hole in the
firewall. Taking into consideration that EM request is just normal HTTP
request, it’s very easy to get user credentials and run attack on Call Manager
to trigger all phones to log off. What’s the way to protect this port from such
attacks? </span><span lang="EN-AU"></span></p>
<p><span style="font-size: 10pt;" lang="EN-AU"> </span><span lang="EN-AU"></span></p>
<p><span lang="EN-AU"> </span><span lang="EN-AU"></span></p>
</div>
<p style="margin: 0in 0in 0.0001pt;"><b><span style="font-size: 9pt;" lang="EN-GB">Please consider our
environment before printing this email</span></b><span lang="EN-AU"></span></p>
<p style="margin: 0in 0in 0.0001pt;"><span lang="EN-AU"> </span></p>
<p style="margin: 0in 0in 0.0001pt;"><span style="font-size: 8pt;" lang="EN-GB">Please note that Goldman Sachs JBWere
makes important disclosures of its interests at </span><span style="font-size: 8pt; color: rgb(51, 102, 255);" lang="EN-GB"><a href="http://www.gsjbw.com/Disclosures" target="_blank"><span style="color: rgb(51, 102, 255);">http://www.gsjbw.com/Disclosures</span></a></span><span style="font-size: 8pt;" lang="EN-GB">.
If you do not wish to receive future communications of this nature, you can
unsubscribe by going to </span><span style="font-size: 8pt;" lang="EN-GB"><a href="http://www.gsjbw.com/?p=Unsubscribe&S=%7bSender%7d" target="_blank"><span>http://www.gsjbw.com/?p=Unsubscribe&S=Anatoly.Gavrilov@gsjbw.com</span></a></span><span style="font-size: 8pt;" lang="EN-GB">.
If you require any further information regarding our SPAM policy, please email <a href="mailto:spam-officer@gsjbw.com" target="_blank">spam-officer@gsjbw.com</a>.
</span><span style="font-size: 8pt;">This
communication and its attachments are also subject to copyright.</span><span lang="EN-AU"></span></p>
<p style="margin: 0in 0in 0.0001pt;"><span style="font-size: 8pt;">NOTICE TO RECIPIENTS: The information
contained in and accompanying this communication may be confidential, subject
to legal privilege, or otherwise protected from disclosure, and is intended
solely for the use of the intended recipient(s). If you are not the intended
recipient of this communication, please delete and destroy all copies in your
possession, notify the sender that you have received this communication in
error, and note that any review or dissemination of, or the taking of any
action in reliance on, this communication is expressly prohibited. E-mail
messages may contain computer viruses or other defects, may not be accurately
replicated on other systems, or may be intercepted, deleted or interfered with
without the knowledge of the sender or the intended recipient. To the
extent permitted by law Goldman Sachs JBWere makes no warranties, and expressly
disclaims any liability, in relation to the contents of this message. Goldman
Sachs JBWere reserves the right to intercept and monitor the content of e-mail
messages to and from its systems.</span><span lang="EN-AU"></span></p>
<p><span lang="EN-AU"> </span></p>
</div>
<p style="margin-bottom: 12pt;"><br>
_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a></p>
</div>
<p> </p>
</div></div></div>
</div>
</blockquote></div><br>