
How can we secure Call Manager with all these Microsoft security breaches

Unanswered Question
Aug 24th, 2002

http://www.cnn.com/2002/TECH/internet/08/23/microsoft.security.reut/index.html

SEATTLE, Washington (Reuters) -- Microsoft Corp. said Thursday that "critical" security lapses in its Office software and Internet Explorer Web browser put tens of millions of users at risk of having their files read and altered by online attackers


Any suggestions besides shutting down unnecessary services and IDS host sensor?


Jim K


Suggestions? Sure!

Don't install Money 2002 on Call Manager!


Seriously though, these are obviously important security issues, but I don't see how they apply directly to CCM, since Office, Money etc. shouldn't be running on CCM anyway, and in terms of IE holes, you shouldn't need to browse from CCM. How often did you browse the Internet or create Word docs from your G3 before you went IP?

Don't forget the most obvious answer - though one that admittedly is hard to remember when first approaching CM - there is usually NO NEED for non-telephony end user devices to have to be able to access the CM - this includes computers on your LAN, and definitely not computers on the Internet.


Now there are exceptions - but there are ways around some of them.

By and large - set up ACLs on your cat switches so that NO DEVICES except for your IP Phones (which should be in their own subnets and AUX VLANs right?) and the gateways can even communicate with the call managers.

Then make exceptions for your administration stations - should be only a few.

Then you don't even have access granted to usable consoles - unless they find a way to break into your auxiliary VLANs and fake being an IP phone...

Some exceptions you'll have to look out for:

If you're using TAPI dialers you'll have to have at least one call manager reachable - don't make it your publisher - if necessary - make it do nothing but service TAPI clients - some vulnerability to intrusion there - but little vulnerability of your main CM system to DOS then...

Clients which want to access the CM webpages:

Set up Apache as a proxy to a CM subscriber - grant access to the CM only to the secured Apache server...

Using these suggestions you can make it pretty difficult to suffer problems...

- Ken
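
The allow-list described in the post above, written as an audit check over observed flows (an added example, not part of the original thread and not Cisco code). Every address, the role names and the flow records are constructed assumptions; substitute your own subnets and CallManager addresses.

```python
import ipaddress

# Constructed addressing plan: every address below is an assumption.
PHONE_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # IP phone auxiliary VLANs
TAPI_NETS = [ipaddress.ip_network("10.30.0.0/24")]   # desktops running TAPI dialers
GATEWAYS = {"10.1.1.10", "10.1.1.11"}                # voice gateways
ADMINS = {"10.1.5.21"}                               # administration stations
WEB_PROXY = "10.1.2.5"                               # secured Apache proxy
PUBLISHER = "10.1.0.10"
WEB_SUB = "10.1.0.11"                                # subscriber behind the proxy
TAPI_SUB = "10.1.0.12"                               # subscriber that only serves TAPI
CALL_MANAGERS = {PUBLISHER, WEB_SUB, TAPI_SUB}


def in_any(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def allowed(src, dst):
    """Return the rule that permits src -> CallManager dst, or None to deny."""
    if dst not in CALL_MANAGERS:
        raise ValueError(f"{dst} is not a CallManager")
    if in_any(src, PHONE_NETS):
        return "phone"
    if src in GATEWAYS:
        return "gateway"
    if src in ADMINS:
        return "admin"
    if src == WEB_PROXY and dst == WEB_SUB:
        return "web-proxy"   # the proxy may reach only its own subscriber
    if dst == TAPI_SUB and in_any(src, TAPI_NETS):
        return "tapi"        # TAPI desktops may reach only the TAPI subscriber
    return None              # default deny


def violations(flows):
    """Flows (src, dst) seen reaching a CallManager that the policy denies."""
    return [(s, d) for s, d in flows if d in CALL_MANAGERS and allowed(s, d) is None]


# Constructed flow records, e.g. distilled from switch or NetFlow logs.
SAMPLE_FLOWS = [
    ("10.20.4.7", PUBLISHER),    # phone registering
    ("10.1.2.5", WEB_SUB),       # proxy fetching CM web pages
    ("10.30.0.15", TAPI_SUB),    # TAPI dialer
    ("10.30.0.15", PUBLISHER),   # TAPI desktop reaching the publisher: deny
    ("10.40.9.9", WEB_SUB),      # ordinary LAN PC bypassing the proxy: deny
    ("10.1.2.5", PUBLISHER),     # proxy reaching beyond its subscriber: deny
]
```

Any flow returned by `violations()` means an ACL is missing or too broad for that source.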
