<html><head><style type='text/css'>p { margin: 0; }</style></head><body><div style='font-family: Verdana; font-size: 10pt; color: #000000'>Ed's correct though: it won't come up, but it will get an IP address and can be browsed. The phone keeps config data around.<br><br>---<br>Lelio Fulgenzi, B.A.<br>Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1<br>(519) 824-4120 x56354 (519) 767-1060 FAX (JNHN)<br>^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^<br>"Bad grammar makes me [sic]" - Tshirt<br><br><br>----- Original Message -----<br>From: "Scott Voll" <svoll.voip@gmail.com><br>To: "Ed Leatherman" <ealeatherman@gmail.com><br>Cc: "Lelio Fulgenzi" <lelio@uoguelph.ca>, cisco-voip@puck.nether.net<br>Sent: Tuesday, November 3, 2009 11:00:35 AM GMT -05:00 US/Canada Eastern<br>Subject: Re: [cisco-voip] Preventing Web Access to 79xx<br><br>Put the whole voice network behind a firewall. If they move to a data VLAN only, the phone never comes up. Then the helpdesk gets the call and someone can go and slap them around. ;-)<div><br></div><div>Just make sure the firewall is an ASA and not a FWSM. <RANT> What a joke... it's a firewall, but NO VPN, NO Phone Proxy; basically you lose all the voice functions you want out of a firewall. </RANT></div>
<div><br></div><div>Scott<br><br><div class="gmail_quote">On Tue, Nov 3, 2009 at 8:55 AM, Ed Leatherman <span dir="ltr"><<a href="mailto:ealeatherman@gmail.com" target="_blank">ealeatherman@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Depending on the particular security requirements, he should still<br>
consider disabling the web access in addition to ACLs etc.<br>
I've had end users unplug phones and move them to another office that<br>
had a jack with only the data VLAN on it. Now the phone gets a public IP<br>
address that is potentially reachable from anywhere. You can surf<br>
to it and get the IP addresses of all your Call Manager servers, TFTP<br>
server, etc. Granted, these servers are hopefully on private IP space,<br>
but it's more information than you probably want to provide to<br>
someone scanning port 80. It just depends on how strict your security<br>
concerns are, or how paranoid you are, I guess :)<br>
<div class="im"><br>
On Tue, Nov 3, 2009 at 10:56 AM, Lelio Fulgenzi <<a href="mailto:lelio@uoguelph.ca" target="_blank">lelio@uoguelph.ca</a>> wrote:<br>
> Personally speaking, I would investigate using ACLs to limit access to the<br>
> phones' web browser/server. There are many services (some Cisco, some third<br>
> party) that use the web server to do stuff, like posting messages, etc.<br>
><br>
> Granted, it's a little more involved, and you need to have separate voice<br>
> and data VLANs, but it's a better long term approach. IMHO.<br>
><br>
> ---<br>
> Lelio Fulgenzi, B.A.<br>
> Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1<br>
> (519) 824-4120 x56354 (519) 767-1060 FAX (JNHN)<br>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^<br>
> "Bad grammar makes me [sic]" - Tshirt<br>
><br>
<br>
<br>
--<br>
</div><font color="#888888">Ed Leatherman<br>
</font><div><div></div><div class="h5">_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>
</div></div></blockquote></div><br></div>
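<div><br></div><div>The ACL approach Lelio describes, written out as an added example (it is not config from anyone in this thread). It assumes a routed voice VLAN 200 on 10.20.0.0/16 with its SVI on a Catalyst switch, CUCM/TFTP on 10.10.1.0/24, and a help-desk subnet 10.10.50.0/24; all three addresses are assumptions, as is the ACL name.<br><br>
```cisco
! Added example, not from the thread. Assumed addressing:
!   VLAN 200 (voice)   = 10.20.0.0/16   phones, SVI on the distribution switch
!   CUCM / TFTP        = 10.10.1.0/24
!   help desk / NOC    = 10.10.50.0/24
! Goal: only CUCM (and any push/XML apps living there) and the help desk may
! reach the phones' web server on TCP/80. Everything the phones need is left
! alone: the ACL is applied "out" on the voice SVI, i.e. only on routed traffic
! heading toward the phones, and the final permit keeps signalling, RTP and
! TFTP replies flowing.
ip access-list extended TO-PHONES-WEB
 remark -- CUCM cluster and third-party push apps may reach the phone web server
 permit tcp 10.10.1.0 0.0.0.255 10.20.0.0 0.0.255.255 eq www
 remark -- help desk may browse phones for troubleshooting
 permit tcp 10.10.50.0 0.0.0.255 10.20.0.0 0.0.255.255 eq www
 remark -- nobody else gets TCP/80 on a phone; log hits so scans show up
 deny   tcp any 10.20.0.0 0.0.255.255 eq www log
 remark -- everything else toward the phones (SCCP/SIP, RTP, TFTP, DNS, NTP) is untouched
 permit ip any any
!
interface Vlan200
 description Voice VLAN - IP phones
 ip address 10.20.0.1 255.255.0.0
 ip access-group TO-PHONES-WEB out
```
<br>Two caveats a practitioner would want: an ACL on the SVI only sees routed traffic, so a phone or a rogue host plugged into the voice VLAN itself can still browse its neighbours at layer 2; and it does nothing for Ed's case, where the phone has been moved to a data-only jack and is no longer behind this SVI at all. That second case is what the per-phone "Web Access" setting in CUCM (Product Specific Configuration on the phone or device defaults) covers, which is why the two measures complement rather than replace each other. The <code>log</code> keyword on the deny is there for detection; on platforms that punt logged ACEs to the CPU, rate-limit it or drop it if the voice VLAN is large.</div>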
</div></body></html>