put the whole Voice network behind a Firewall. if they move to a Data Vlan only....... the phone never comes up.... then the helpdesk gets the call and someone can go and slap them around. ;-)<div><br></div><div>just make sure the Firewall is an ASA and not a FWSM. <RANT> what a Joke........ it's a firewall...... but NO VPN, NO Phone Proxy, basically you loose all Voice functions you want out of a Firewall </RANT>.</div>
<div><br></div><div>Scott<br><br><div class="gmail_quote">On Tue, Nov 3, 2009 at 8:55 AM, Ed Leatherman <span dir="ltr"><<a href="mailto:ealeatherman@gmail.com">ealeatherman@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Depending on the particular security requirements, he should still<br>
consider disabling the web access in addition to ACLs etc.<br>
I've had end users unplug phones, and move them to another office that<br>
had jack with only data vlan on it. Now the phone gets a public IP<br>
address that is potentially reachable from the anywhere. you can surf<br>
to it and get the IP addresses of all your call manager servers, tftp<br>
server, etc. Granted, these servers are hopefully on private IP space<br>
- but its more information than you probably want to provide to<br>
someone scanning port 80. Just depends on how strict your security<br>
concerns are, or how paranoid you are I guess :)<br>
<div class="im"><br>
On Tue, Nov 3, 2009 at 10:56 AM, Lelio Fulgenzi <<a href="mailto:lelio@uoguelph.ca">lelio@uoguelph.ca</a>> wrote:<br>
> Personally speaking, I would investigate using ACLs to limit access to the<br>
> phones web browser/server. There are many services (some Cisco, some third<br>
> party) that use the web server to do stuff, like post messages, etc.<br>
><br>
> Granted, it's a little more involved, and you need to have separate voice<br>
> and data VLANs, but it's a better long term approach. IMHO.<br>
><br>
> ---<br>
> Lelio Fulgenzi, B.A.<br>
> Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1<br>
> (519) 824-4120 x56354 (519) 767-1060 FAX (JNHN)<br>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^<br>
> "Bad grammar makes me [sic]" - Tshirt<br>
><br>
<br>
<br>
--<br>
</div><font color="#888888">Ed Leatherman<br>
</font><div><div></div><div class="h5">_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>
</div></div></blockquote></div><br></div>