<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body dir="auto">
The source for the E’s traversal zone only needs to be ‘ANY’, if it truly needs to be. I’ve deployed several scenarios where the business only wanted to receive B2B calls from other things on its own domain (or a few domains strung together in Regex).
<div><br>
</div>
<div>Also, using the Call Policy engine (under the Configuration menu) or the more in-depth CPL (Call Processing Language) is a great way to block obviously fraudulent dials by source, target or zone (Ex. source URI: deny
<a href="mailto:clown@nose.com">clown@nose.com</a>).</div>
<div><br>
</div>
<div>I prefer to use the standard Call Policy rules in the GUI, which is more akin to a prioritized Allow / Deny ACL.</div>
<div><br>
</div>
<div>CPL on the other hand (located in the same GUI menu section) is a more robust way of using call policies and is really only needed for advanced Call handling.</div>
<div><br>
</div>
<div>Call Processing Language is referenced on page 324: <a href="https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/admin_guide/Cisco-Expressway-Administrator-Guide-X8-11.pdf">https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/admin_guide/Cisco-Expressway-Administrator-Guide-X8-11.pdf</a></div>
<div><br>
</div>
<div>Call Policy is referenced on page 168: <a href="https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/admin_guide/Cisco-Expressway-Administrator-Guide-X8-11.pdf">https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/admin_guide/Cisco-Expressway-Administrator-Guide-X8-11.pdf</a><br>
<br>
The Firewall rules are useful for only allowing administrative services to a particular subnet (System / Protection / Firewall Rules) if you need to leave HTTPS and SSH exposed to a non-secure network (this is less about toll fraud than it is general security).</div>
<div><br>
</div>
<div>The firewall rules are referenced on page 28: <a href="https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/admin_guide/Cisco-Expressway-Administrator-Guide-X8-11.pdf">https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/admin_guide/Cisco-Expressway-Administrator-Guide-X8-11.pdf</a><br>
<br>
As with any system exposed to the Internet, turn off any services and protocols not in use (Ex. Turn off UDP support if you’re not using it ... etc).<br>
<br>
<div>Thanks,</div>
<div><br>
</div>
<div>Ryan</div>
<div><br>
On Sep 13, 2018, at 11:12, Lelio Fulgenzi <<a href="mailto:lelio@uoguelph.ca">lelio@uoguelph.ca</a>> wrote:<br>
<br>
</div>
<blockquote type="cite">
<div>
<div class="WordSection1">
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Curious – what are people doing with their search rules? I’ve got a search rule for calls coming from the ‘net into E and then to C all good, but just wondering, I know the search rule on E has to be source:ANY because it’s coming from
the net, but what about the search rule on C? Shouldn’t it be source:named zone (and pick C-to-E traversal zone) to be sure that nothing else hits it?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Same goes for say rules that I use to send calls all the way from CUCM to C to E to DNS Zone. Shouldn’t my rules be as specifically configured as possible? Including the source zone?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I understand that if I start registering devices on either the C or E I will need to create additional rules, but I’m fine with that, that way I know exactly what’s going to hit.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">What are others doing? What’s the best practice?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif">---<o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-family:"Arial",sans-serif">Lelio Fulgenzi, B.A.</span></b><span style="font-family:"Arial",sans-serif"> | Senior Analyst<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif;color:#333333">Computing and Communications Services</span><span style="font-family:"Arial",sans-serif"> | University of Guelph<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif">Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif">519-824-4120 Ext. 56354 |
<a href="mailto:lelio@uoguelph.ca"><span style="color:#0563C1">lelio@uoguelph.ca</span></a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><a href="http://www.uoguelph.ca/ccs"><span style="font-family:"Arial",sans-serif;color:blue">www.uoguelph.ca/ccs</span></a><span style="font-family:"Arial",sans-serif;color:#1F497D">
| @UofGCCS on Instagram, Twitter and Facebook<o:p></o:p></span></p>
</div>
</div>
</blockquote>
<blockquote type="cite">
<div><span>_______________________________________________</span><br>
<span>cisco-voip mailing list</span><br>
<span><a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a></span><br>
<span><a href="https://puck.nether.net/mailman/listinfo/cisco-voip">https://puck.nether.net/mailman/listinfo/cisco-voip</a></span><br>
</div>
</blockquote>
</div>
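<div>The reply above describes Call Policy rules as a prioritized Allow / Deny ACL matched on source and target. The sketch below is an added example, not part of the thread and not Cisco code: it models first-match evaluation over a constructed rule list so the effect of rule order and of a missing final deny can be checked offline. Assumptions: patterns are matched against the whole URI, a call that matches no rule is allowed, and example.com stands in for the organisation's own domain.</div>

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    source: str       # regex for the caller's URI (hypothetical field name)
    destination: str  # regex for the dialled alias (hypothetical field name)
    action: str       # "allow" or "reject"


# Constructed rule list, highest priority first.
RULES = [
    Rule(r"clown@nose\.com", r".*", "reject"),          # deny by source, as in the post
    Rule(r".*", r"(9|00|\+)\d{7,}(@.*)?", "reject"),    # deny PSTN-looking targets
    Rule(r".*@(.+\.)?example\.com", r".*@example\.com", "allow"),  # own domain only
    Rule(r".*", r".*", "reject"),                       # explicit final deny
]

# Constructed call attempts: (source URI, dialled alias).
CALLS = [
    ("clown@nose.com", "alice@example.com"),
    ("scanner@198.51.100.7", "900441234567@example.com"),
    ("bob@partner.example.com", "alice@example.com"),
    ("someone@other.test", "alice@example.com"),
]


def decide(rules, source, destination, default="allow"):
    """Return (action, index of the deciding rule), or (default, None)."""
    for index, rule in enumerate(rules):
        if re.fullmatch(rule.source, source) and re.fullmatch(rule.destination, destination):
            return rule.action, index
    # Assumption: a call that no rule matches falls through to the default.
    return default, None


def audit(rules=RULES, calls=CALLS):
    """Evaluate every sample call and report which rule decided it."""
    return [(src, dst) + decide(rules, src, dst) for src, dst in calls]


if __name__ == "__main__":
    for src, dst, action, index in audit():
        print(f"{action:6} rule={index} {src} -> {dst}")
```

Dropping the last rule (`RULES[:3]`) lets the unknown-domain call through on the assumed default, which is why the explicit final deny is listed.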
</body>
</html>