
ASA Phone-Proxy Security Issue?

speltier
Level 1

Hi all,

I am just starting to look over the phone proxy configuration for the ASAs. I noticed one of the steps was to open TFTP access to the CM from the Internet. My question is: what are the security ramifications of doing this, and has anyone here addressed this in their environment?

4 Replies

parshah
Cisco Employee

Hi,

Not sure where you read that you have to open the TFTP access to the CM from the internet.

Actually, what you need is to set up NAT on the ASA, so the ASA will translate an external IP to an internal one. Also, the connection between the ASA and the phone is going to be secure, so there is not much of a security issue there.

Please take a look at this link for more info.

http://supportwiki.cisco.com/ViewWiki/index.php/ASA_Phone_Proxy_sample_configuration

Thanks,

Step 13 in the link you posted. It says...

Using an access-list, permit inbound TFTP traffic to the tftp-server's global IP address. This is the only specific acl entry that needs to exist to allow the phone-proxy to work. The secured streams which terminate on the firewall will be permitted automatically by the firewall.

I would be sure to put the cluster in Mixed Mode and use TFTP encryption to protect the downloads. I would also make sure to throttle the connections allowed on the ASA to prevent a DoS against the TFTP server.

If you are a partner, the AZTEC team has been working on a lab for this, due out sometime in July. I would speak with your channels team so you can get some practice.

Do you know what vulnerabilities it presents to the server itself? For instance, the ability to upload malicious code to the server, or is the server set up for download only?
