Anatoly,<br><br>The phone downloads a secure configuration file via TFTP. It is encrypted and requires CTL / LSC on the phone to decrypt it.<br><br>The http communication between the phone and the ASA for Extension Mobility I believe IS in plain text though. I don't think the phones support https EM yet.<br>
<br>I don't know of a great way to protect this communication, and I'm not sure if the ASA has any mechanisms built in to ONLY proxy http requests from the IP Phones.<br><br>Maybe someone more familiar with the ASA can comment on that?<br>
<br>-Jason<br><br><div class="gmail_quote">On Wed, Mar 11, 2009 at 12:27 AM, Gavrilov, Anatoly <span dir="ltr"><<a href="mailto:Anatoly.Gavrilov@gsjbw.com">Anatoly.Gavrilov@gsjbw.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div link="blue" vlink="purple" lang="EN-AU">
<div>
<p><font size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial;">Hi all, </span></font></p>
<p><font size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial;"> </span></font></p>
<p><font size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial;">I’m thinking of implementing Phone-proxy, but I have some
concerns about the overall security of this solution. </span></font></p>
<p><font size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial;"> </span></font></p>
<p><font size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial;">As I understand, the phone downloads its configuration in clear
text. Can this information be used for unauthorised access? </span></font></p>
<p><font size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial;"> </span></font></p>
<p><font size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial;">Is it possible to spoof the phone’s request and send a
request with a different MAC address? I know that the ASA checks the phone’s MIC
file and authenticates the phone based on it, but what about CUPC? </span></font></p>
<p><font size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial;"> </span></font></p>
<p><font size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial;">For the Extension Mobility feature to work, I have to open port
8080 on the Publisher for all hosts coming from the Internet. I think it’s really
a huge hole in the firewall. Taking into consideration that an EM request is just a
normal HTTP request, it’s very easy to get user credentials and run an
attack on Call Manager to trigger all phones to log off. What’s the way
to protect this port from such attacks? </span></font></p>
<p><font size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial;"> </span></font></p>
<p><font face="Verdana"><span style="font-family: Verdana;"> </span></font></p>
</div>
</div>
<br>_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>
<br></blockquote></div><br>