<div>VPN everything in and don't use the phone proxy feature =)</div>
<div> </div>
<div>Scott<br><br></div>
<div class="gmail_quote">On Wed, Mar 11, 2009 at 2:34 PM, Gavrilov, Anatoly <span dir="ltr"><<a href="mailto:Anatoly.Gavrilov@gsjbw.com">Anatoly.Gavrilov@gsjbw.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<div lang="EN-AU" vlink="blue" link="blue">
<div>
<p><font face="Arial" color="navy" size="2"><span style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial">My concern is that I have to open Tomcat port (8080) on UCM for everyone. As EM service is quite vital and can be easily affected by DDOS attack, what additional security measures can be used to give access to this port only to authenticated phones? </span></font></p>
<p><font face="Arial" color="navy" size="2"><span style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial"> </span></font></p>
<p><font face="Arial" color="navy" size="2"><span style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial"> </span></font></p>
<p><font face="Arial" color="navy" size="2"><span style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial"> </span></font></p>
<div>
<p><font face="Arial" color="navy" size="2"><span style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial">Best Regards, </span></font><font color="navy"><span style="COLOR: navy"></span></font></p>
<p><font face="Arial" color="navy" size="2"><span style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial">Anatoly</span></font></p></div>
<div>
<div style="TEXT-ALIGN: center" align="center"><font face="Times New Roman" size="3"><span lang="EN-US" style="FONT-SIZE: 12pt">
<hr align="center" width="100%" size="2">
</span></font></div>
<p><b><font face="Tahoma" size="2"><span lang="EN-US" style="FONT-WEIGHT: bold; FONT-SIZE: 10pt; FONT-FAMILY: Tahoma">From:</span></font></b><font face="Tahoma" size="2"><span lang="EN-US" style="FONT-SIZE: 10pt; FONT-FAMILY: Tahoma"> Jason Burns [mailto:<a href="mailto:burns.jason@gmail.com" target="_blank">burns.jason@gmail.com</a>] <br>
<b><span style="FONT-WEIGHT: bold">Sent:</span></b> Thursday, 12 March 2009 3:21 AM<br><b><span style="FONT-WEIGHT: bold">To:</span></b> Vince Loschiavo<br><b><span style="FONT-WEIGHT: bold">Cc:</span></b> Gavrilov, Anatoly; <a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a>
<div>
<div></div>
<div class="h5"><br><b><span style="FONT-WEIGHT: bold">Subject:</span></b> Re: [cisco-voip] ASA 8.0.4 Phone-Proxy feature and ExtensionMobility</div></div></span></font><span lang="EN-US"></span>
<p></p></p></div>
<div>
<div></div>
<div class="h5">
<p><font face="Times New Roman" size="3"><span style="FONT-SIZE: 12pt"> </span></font></p>
<p style="MARGIN-BOTTOM: 12pt"><font face="Times New Roman" size="3"><span style="FONT-SIZE: 12pt">Anatoly,<br><br>The Cisco IP Phones do not yet support https. Until that support is added in a future version your EM logins will be clear text.<br>
<br>One alternative would be to use a hardware VPN for people who need to use Extension Mobility.<br><br>- Jason<br><br></span></font></p>
<div>
<p><font face="Times New Roman" size="3"><span style="FONT-SIZE: 12pt">On Wed, Mar 11, 2009 at 12:15 PM, Vince Loschiavo <<a href="mailto:VLoschiavo@data-corporation.com" target="_blank">VLoschiavo@data-corporation.com</a>> wrote:</span></font></p>
<div vlink="purple" link="blue">
<div>
<p><font face="Times New Roman" color="#1f497d" size="2"><span lang="EN-US" style="FONT-SIZE: 11pt; COLOR: #1f497d"><a href="http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns165/ns391/white_paper_c11-493584.html" target="_blank">http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns165/ns391/white_paper_c11-493584.html</a></span></font><span lang="EN-US"></span></p>
<p><font face="Times New Roman" color="#1f497d" size="2"><span lang="EN-US" style="FONT-SIZE: 11pt; COLOR: #1f497d"> </span></font><span lang="EN-US"></span></p>
<p><font face="Times New Roman" color="#1f497d" size="2"><span lang="EN-US" style="FONT-SIZE: 11pt; COLOR: #1f497d">I believe this white paper will answer all of your questions.</span></font><span lang="EN-US"></span></p>
<p><font face="Times New Roman" color="#1f497d" size="2"><span lang="EN-US" style="FONT-SIZE: 11pt; COLOR: #1f497d"> </span></font><span lang="EN-US"></span></p>
<p><b><font face="Times New Roman" color="black" size="2"><span lang="EN-US" style="FONT-WEIGHT: bold; FONT-SIZE: 11pt; COLOR: black">Vincent Loschiavo</span></font></b><font color="black" size="2"><span lang="EN-US" style="FONT-SIZE: 11pt; COLOR: black"><br>
</span></font><b><font color="#7f7f7f" size="1"><span lang="EN-US" style="FONT-WEIGHT: bold; FONT-SIZE: 8pt; COLOR: #7f7f7f">Director of Consulting</span></font></b><font color="#7f7f7f" size="1"><span lang="EN-US" style="FONT-SIZE: 8pt; COLOR: #7f7f7f"><br>
</span></font><b><font color="#0084a8" size="1"><span lang="EN-US" style="FONT-WEIGHT: bold; FONT-SIZE: 8pt; COLOR: #0084a8"><img height="43" alt="cid:image001.gif@01C8D09B.0C46BD50" src="cid:image001.gif@01C9A2ED.54DA95D0" width="85" border="0"></span></font></b><font color="#1f497d" size="2"><span lang="EN-US" style="FONT-SIZE: 11pt; COLOR: #1f497d"><br>
</span></font><b><font color="#0084a8" size="1"><span lang="EN-US" style="FONT-WEIGHT: bold; FONT-SIZE: 8pt; COLOR: #0084a8">8200 NW 41st Street, Suite 130</span></font></b><font color="#1f497d" size="2"><span lang="EN-US" style="FONT-SIZE: 11pt; COLOR: #1f497d"><br>
</span></font><b><font color="#0084a8" size="1"><span lang="EN-US" style="FONT-WEIGHT: bold; FONT-SIZE: 8pt; COLOR: #0084a8">Miami</span></font></b><b><font color="#0084a8" size="1"><span lang="EN-US" style="FONT-WEIGHT: bold; FONT-SIZE: 8pt; COLOR: #0084a8">, FL 33166</span></font></b><font color="#1f497d" size="2"><span lang="EN-US" style="FONT-SIZE: 11pt; COLOR: #1f497d"><br>
</span></font><b><font color="#788d1f" size="1"><span lang="EN-US" style="FONT-WEIGHT: bold; FONT-SIZE: 8pt; COLOR: #788d1f">Ofc: </span></font></b><b><font color="#0084a8" size="1"><span lang="EN-US" style="FONT-WEIGHT: bold; FONT-SIZE: 8pt; COLOR: #0084a8">954-671-5669</span></font></b><font color="#1f497d" size="2"><span lang="EN-US" style="FONT-SIZE: 11pt; COLOR: #1f497d"><br>
</span></font><b><font color="#788d1f" size="1"><span lang="EN-US" style="FONT-WEIGHT: bold; FONT-SIZE: 8pt; COLOR: #788d1f">Cell:</span></font></b><b><font color="#1f497d" size="1"><span lang="EN-US" style="FONT-WEIGHT: bold; FONT-SIZE: 8pt; COLOR: #1f497d"> </span></font></b><b><font color="#0084a8" size="1"><span lang="EN-US" style="FONT-WEIGHT: bold; FONT-SIZE: 8pt; COLOR: #0084a8">786-282-1164<br>
</span></font></b><b><font color="#788d1f" size="1"><span lang="EN-US" style="FONT-WEIGHT: bold; FONT-SIZE: 8pt; COLOR: #788d1f">Fax:</span></font></b><b><font color="#1f497d" size="1"><span lang="EN-US" style="FONT-WEIGHT: bold; FONT-SIZE: 8pt; COLOR: #1f497d"> </span></font></b><b><font color="#0084a8" size="1"><span lang="EN-US" style="FONT-WEIGHT: bold; FONT-SIZE: 8pt; COLOR: #0084a8">888-767-5905</span></font></b><font color="#1f497d" size="2"><span lang="EN-US" style="FONT-SIZE: 11pt; COLOR: #1f497d"><br>
</span></font><b><font color="#788d1f" size="1"><span lang="EN-US" style="FONT-WEIGHT: bold; FONT-SIZE: 8pt; COLOR: #788d1f">Email:</span></font></b><b><font color="#1f497d" size="1"><span lang="EN-US" style="FONT-WEIGHT: bold; FONT-SIZE: 8pt; COLOR: #1f497d"> </span></font></b><b><font color="#0084a8" size="1"><span lang="EN-US" style="FONT-WEIGHT: bold; FONT-SIZE: 8pt; COLOR: #0084a8"><a href="mailto:vloschiavo@data-corporation.com" target="_blank"><font color="#0084a8"><span style="COLOR: #0084a8">vloschiavo@data-corporation.com</span></font></a></span></font></b><b><font color="#008db4" size="1"><span lang="EN-US" style="FONT-WEIGHT: bold; FONT-SIZE: 8pt; COLOR: #008db4"><br>
<br></span></font></b><i><font color="#c94429" size="1"><span lang="EN-US" style="FONT-SIZE: 8pt; COLOR: #c94429; FONT-STYLE: italic">"KEEPING YOUR BUSINESS HIGHLY AVAILABLE"<br><img height="73" alt="partner-logos" src="cid:image002.gif@01C9A2ED.54DA95D0" width="288" border="0"></span></font></i><span lang="EN-US"></span></p>
<p><font face="Times New Roman" color="#1f497d" size="2"><span lang="EN-US" style="FONT-SIZE: 11pt; COLOR: #1f497d"> </span></font><span lang="EN-US"></span></p>
<div style="BORDER-RIGHT: medium none; PADDING-RIGHT: 0cm; BORDER-TOP: windowtext 1pt solid; PADDING-LEFT: 0cm; PADDING-BOTTOM: 0cm; BORDER-LEFT: medium none; PADDING-TOP: 3pt; BORDER-BOTTOM: medium none">
<p><b><font face="Times New Roman" size="2"><span lang="EN-US" style="FONT-WEIGHT: bold; FONT-SIZE: 10pt">From:</span></font></b><font size="2"><span lang="EN-US" style="FONT-SIZE: 10pt"> <a href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@puck.nether.net</a> [mailto:<a href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@puck.nether.net</a>] <b><span style="FONT-WEIGHT: bold">On Behalf Of </span></b>Jason Burns<br>
<b><span style="FONT-WEIGHT: bold">Sent:</span></b> Wednesday, March 11, 2009 8:37 AM<br><b><span style="FONT-WEIGHT: bold">To:</span></b> Gavrilov, Anatoly<br><b><span style="FONT-WEIGHT: bold">Cc:</span></b> <a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<b><span style="FONT-WEIGHT: bold">Subject:</span></b> Re: [cisco-voip] ASA 8.0.4 Phone-Proxy feature and ExtensionMobility</span></font><span lang="EN-US"></span></p></div>
<div>
<div>
<p><font face="Times New Roman" size="3"><span lang="EN-US" style="FONT-SIZE: 12pt"> </span></font></p>
<p style="MARGIN-BOTTOM: 12pt"><font face="Times New Roman" size="3"><span lang="EN-US" style="FONT-SIZE: 12pt">Anatoly,<br><br>The phone downloads a secure configuration file via TFTP. It is encrypted and requires CTL / LSC on the phone to decrypt it.<br>
<br>The http communication between the phone and the ASA for Extension Mobility I believe IS in plain text though. I don't think the phones support https EM yet.<br><br>I don't know of a great way to protect this communication, and I'm not sure if the ASA has any mechanisms built in to ONLY proxy http requests from the IP Phones.<br>
<br>Maybe someone more familiar with the ASA can comment on that?<br><br>-Jason</span></font></p>
<div>
<p><font face="Times New Roman" size="3"><span lang="EN-US" style="FONT-SIZE: 12pt">On Wed, Mar 11, 2009 at 12:27 AM, Gavrilov, Anatoly <<a href="mailto:Anatoly.Gavrilov@gsjbw.com" target="_blank">Anatoly.Gavrilov@gsjbw.com</a>> wrote:</span></font></p>
<div>
<div>
<p><font face="Times New Roman" size="2"><span style="FONT-SIZE: 10pt">Hi all, </span></font><span lang="EN-US"></span></p>
<p><font face="Times New Roman" size="2"><span style="FONT-SIZE: 10pt"> </span></font><span lang="EN-US"></span></p>
<p><font face="Times New Roman" size="2"><span style="FONT-SIZE: 10pt">I’m thinking to implement Phone-proxy but I have some concerns about overall security of this solution. </span></font><span lang="EN-US"></span></p>
<p><font face="Times New Roman" size="2"><span style="FONT-SIZE: 10pt"> </span></font><span lang="EN-US"></span></p>
<p><font face="Times New Roman" size="2"><span style="FONT-SIZE: 10pt">As I understand, phone downloads its configuration in clear text. Can this information be used for unauthorised access? </span></font><span lang="EN-US"></span></p>
<p><font face="Times New Roman" size="2"><span style="FONT-SIZE: 10pt"> </span></font><span lang="EN-US"></span></p>
<p><font face="Times New Roman" size="2"><span style="FONT-SIZE: 10pt">Is it possible to spoof Phone’s request and send request with different MAC address? I know that ASA checks phone’s MIC file and authenticates phone based on it, but what about CUPC? </span></font><span lang="EN-US"></span></p>
<p><font face="Times New Roman" size="2"><span style="FONT-SIZE: 10pt"> </span></font><span lang="EN-US"></span></p>
<p><font face="Times New Roman" size="2"><span style="FONT-SIZE: 10pt">For Extension Mobility feature to work, I have to open port 8080 on Publisher for all hosts coming from Internet. I think it’s really a huge hole in the firewall. Taking into consideration that EM request is just normal HTTP request, it’s very easy to get user credentials and run attack on Call Manager to trigger all phones to log off. What’s the way to protect this port from such attacks? </span></font><span lang="EN-US"></span></p>
<p><font face="Times New Roman" size="2"><span style="FONT-SIZE: 10pt"> </span></font><span lang="EN-US"></span></p>
<p><font face="Times New Roman" size="3"><span style="FONT-SIZE: 12pt"> </span></font><span lang="EN-US"></span></p></div>
<p style="MARGIN: 0cm 0cm 0pt"><b><font face="Times New Roman" size="1"><span lang="EN-GB" style="FONT-WEIGHT: bold; FONT-SIZE: 9pt">Please consider our environment before printing this email</span></font></b><span lang="EN-US"></span></p>
<p style="MARGIN: 0cm 0cm 0pt"><font face="Times New Roman" size="3"><span style="FONT-SIZE: 12pt"> </span></font><span lang="EN-US"></span></p>
<p style="MARGIN: 0cm 0cm 0pt"><font face="Times New Roman" size="1"><span lang="EN-GB" style="FONT-SIZE: 8pt">Please note that Goldman Sachs JBWere makes important disclosures of its interests at <font color="#3366ff"><span style="COLOR: #3366ff"><a href="http://www.gsjbw.com/Disclosures" target="_blank"><font color="#3366ff"><span style="COLOR: #3366ff">http://www.gsjbw.com/Disclosures</span></font></a></span></font>. If you do not wish to receive future communications of this nature, you can unsubscribe by going to <a href="http://www.gsjbw.com/?p=Unsubscribe&S=%7bSender%7d" target="_blank">http://www.gsjbw.com/?p=Unsubscribe&S=Anatoly.Gavrilov@gsjbw.com</a>. If you require any further information regarding our SPAM policy, please email <a href="mailto:spam-officer@gsjbw.com" target="_blank">spam-officer@gsjbw.com</a>. </span></font><font size="1"><span lang="EN-US" style="FONT-SIZE: 8pt">This communication and its attachments are also subject to copyright.</span></font><span lang="EN-US"></span></p>
<p style="MARGIN: 0cm 0cm 0pt"><font face="Times New Roman" size="1"><span lang="EN-US" style="FONT-SIZE: 8pt">NOTICE TO RECIPIENTS: The information contained in and accompanying this communication may be confidential, subject to legal privilege, or otherwise protected from disclosure, and is intended solely for the use of the intended recipient(s). If you are not the intended recipient of this communication, please delete and destroy all copies in your possession, notify the sender that you have received this communication in error, and note that any review or dissemination of, or the taking of any action in reliance on, this communication is expressly prohibited. E-mail messages may contain computer viruses or other defects, may not be accurately replicated on other systems, or may be intercepted, deleted or interfered with without the knowledge of the sender or the intended recipient. To the extent permitted by law Goldman Sachs JBWere makes no warranties, and expressly disclaims any liability, in relation to the contents of this message. Goldman Sachs JBWere reserves the right to intercept and monitor the content of e-mail messages to and from its systems.</span></font><span lang="EN-US"></span></p>
<p><font face="Times New Roman" size="3"><span style="FONT-SIZE: 12pt"> </span></font><span lang="EN-US"></span></p></div>
<p style="MARGIN-BOTTOM: 12pt"><font face="Times New Roman" size="3"><span lang="EN-US" style="FONT-SIZE: 12pt"><br>_______________________________________________<br>cisco-voip mailing list<br><a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a></span></font></p></div>
<p><font face="Times New Roman" size="3"><span lang="EN-US" style="FONT-SIZE: 12pt"> </span></font></p></div></div></div></div></div>
<p><font face="Times New Roman" size="3"><span style="FONT-SIZE: 12pt"> </span></font></p></div></div></div></div><br>_______________________________________________<br>cisco-voip mailing list<br><a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br><br></blockquote></div><br>