06-16-2009 01:18 PM - edited 03-15-2019 06:33 PM
Hi all,
I am just starting to look over the phone proxy configuration for the ASAs. I noticed one of the steps was to open TFTP access to the CM from the Internet. My question is what are the security ramifications to doing this and has anyone here addressed this in their environment?
06-16-2009 01:55 PM
Hi,
Not sure where you read that you have to open the TFTP access to the CM from the internet.
Actually, what you need is to set up NAT on the ASA. So the ASA will translate an external IP to internal. Also, the connection between the ASA and the phone is going to be secure and so there is not much of a security issue there.
Please take a look at this link for more info.
http://supportwiki.cisco.com/ViewWiki/index.php/ASA_Phone_Proxy_sample_configuration
Thanks,
06-17-2009 05:50 AM
Step 13 in the link you posted. It says...
Using an access-list, permit inbound TFTP traffic to the tftp-server's global IP address. This is the only specific acl entry that needs to exist to allow the phone-proxy to work. The secured streams which terminate on the firewall will be permitted automatically by the firewall.
06-17-2009 07:36 AM
I would be sure to put the cluster in Mixed Mode and use TFTP encryption to protect the downloads. I would also make sure to throttle the connections allowed on the ASA to prevent a DoS against the TFTP server.
If you are a partner, the AZTEC team has been working on a lab for this, due out sometime in July. I would speak with your channels team so you can get some practice.
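The ACL entry quoted from step 13 and the connection throttling suggested above can be combined as in the following ASA configuration. This is an added example, not part of the original posts or of the linked Cisco sample; the address 192.0.2.10, the object names and the limit values are placeholders chosen for illustration.

```cisco
! Constructed example. 192.0.2.10 stands in for the TFTP server's
! global (translated) address; all names and limits are hypothetical.

! Step 13: the only inbound ACL entry the phone proxy needs.
access-list OUTSIDE_IN extended permit udp any host 192.0.2.10 eq tftp
access-group OUTSIDE_IN in interface outside

! Select the same traffic for connection limiting.
access-list TFTP_LIMIT extended permit udp any host 192.0.2.10 eq tftp
class-map TFTP_TO_CM
 match access-list TFTP_LIMIT

! Cap total and per-source connections toward the TFTP server.
! If the outside interface already has a policy-map applied, add this
! class to that policy instead: an interface takes one service-policy.
policy-map OUTSIDE_POLICY
 class TFTP_TO_CM
  set connection conn-max 500
  set connection per-client-max 10
service-policy OUTSIDE_POLICY interface outside
```

Size the per-client limit with shared source addresses in mind: several remote phones behind one home or branch NAT device count as a single client.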
06-17-2009 09:38 AM
Do you know what vulnerabilities it presents to the server itself? For instance, the ability to upload malicious code to the server, or is the server set up for download only?