I work in a multi-customer environment and we provide a centralized / shared Cisco IPT solution for some of our customers.
We need to keep each customer separate such that Customer A doesn't know about Customer B even if they happen to call each other through our IPT solution. We have CM partitioned properly and that's all well and good, but I have a couple of questions regarding general network security.
At sites that have a significant amount of users, we create a separate voice VLAN and on our central router have an access-list that allows the voice VLAN access to any other internal network for UDP ports 16384-32767. This seems to be a good solution because the only devices on the voice VLAN are the phones, so that's OK. Switch ports are set to trunk dynamic-desirable with voice VLAN defined, etc.
There are a couple of locations that only have 1-2 users where we have not implemented a separate voice VLAN for them, just basic QoS. We previously had a very broad and insecure access-list for sites like this that was defined as such:
access-list 106 permit udp 10.0.0.0 0.255.255.255 any range 16384 32767
Basically, this allows any PC at that location to ANY other site, including other customer sites on those ports. Not a good idea. We just implemented a DHCP reservation system for these locations that involves setting a reservation for the phone in a certain range of IPs, and only allowing that range of IPs access, like this:
access-list 103 permit udp 10.0.0.222 0.255.255.1 any range 16384 32767
This allows 10.x.x.222 or 10.x.x.223 access to the network on that port range.
Better than it was, but still I wonder... How can we make this more secure without a ton of overhead associated with keeping a ton of specific access-lists on our router.
We also have a number of remote VPN locations that terminate on our central firewall that use our IPT solution as well. These are currently implemented with an ASA5505 or PIX501 at the remote site and the VPN terminates on our ASA5520. These are either EasyVPN or L2L VPNs. For these sites, I placed a filter on the VPN allowing only access to the entire 10's network for those UDP ports. This goes back to my first point: ANY PC on those remote VPN networks can get to ANY other network on those UDP ports... The ASAs / PIXs can't do DHCP reservations, nor can I forward DHCP across the VPN tunnel to a central DHCP server, so I can't use the same scheme as what we're doing with our IOS routers at our datacenter.
Any thoughts on how we can tighten up the security?
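As an added worked example (not part of the original post, and not Cisco code), the following Python models IOS extended-ACL matching with wildcard masks so the two entries quoted above can be compared numerically: how many source addresses each one covers, which hosts of a given /24 the `0.255.255.1` wildcard admits, and whether a sample packet from a PC or a phone is permitted. The two ACL strings are copied from the post; the subnet `10.5.7.0/24`, the hosts `.50`/`.222`/`.223`, the destination `10.99.1.5` and the port numbers are constructed for illustration. Only the source/destination/port fields the post uses are parsed (`any`, `host`, address+wildcard, `eq`, `range`).

```python
"""Evaluate Cisco IOS numbered extended ACL entries against sample packets.

Added example: models Cisco wildcard-mask matching (a 1 bit in the wildcard
means "don't care") for the two ACLs quoted in the post. Sample subnet, hosts
and destinations are constructed; this is illustration, not vendor code.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The two entries quoted in the post.
ACL_106 = "access-list 106 permit udp 10.0.0.0 0.255.255.255 any range 16384 32767"
ACL_103 = "access-list 103 permit udp 10.0.0.222 0.255.255.1 any range 16384 32767"

Addr = Tuple[int, int]  # (address, wildcard) as 32-bit ints


@dataclass
class Ace:
    number: int
    action: str
    proto: str
    src: Addr
    dst: Addr
    dports: Optional[Tuple[int, int]]  # inclusive destination port range; None = any port


def ip_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tok: List[str], i: int) -> Tuple[Addr, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' starting at tok[i]."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (ip_int(tok[i + 1]), 0), i + 2
    return (ip_int(tok[i]), ip_int(tok[i + 1])), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one numbered extended ACE of the shape used in the post."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line!r}")
    src, i = _parse_addr(tok, 4)
    dst, i = _parse_addr(tok, i)
    dports = None
    if i < len(tok) and tok[i] == "range":
        dports = (int(tok[i + 1]), int(tok[i + 2]))
    elif i < len(tok) and tok[i] == "eq":
        dports = (int(tok[i + 1]), int(tok[i + 1]))
    return Ace(int(tok[1]), tok[2], tok[3].lower(), src, dst, dports)


def addr_matches(ip: int, addr: Addr) -> bool:
    """Cisco wildcard semantics: only bits that are 0 in the wildcard must agree."""
    base, wildcard = addr
    return ((ip ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def ace_matches(ace: Ace, proto: str, src: str, dst: str, dport: int) -> bool:
    if ace.proto not in ("ip", proto.lower()):
        return False
    if not addr_matches(ip_int(src), ace.src) or not addr_matches(ip_int(dst), ace.dst):
        return False
    return ace.dports is None or ace.dports[0] <= dport <= ace.dports[1]


def acl_permits(lines: List[str], proto: str, src: str, dst: str, dport: int) -> bool:
    """First matching entry wins; every ACL ends in an implicit deny."""
    for ace in map(parse_ace, lines):
        if ace_matches(ace, proto, src, dst, dport):
            return ace.action == "permit"
    return False


def source_hosts_in(line: str, subnet: str) -> List[str]:
    """Addresses of `subnet` covered by the entry's source field."""
    ace = parse_ace(line)
    return [str(h) for h in ipaddress.IPv4Network(subnet) if addr_matches(int(h), ace.src)]


def source_host_count(line: str) -> int:
    """Total addresses a source wildcard covers: 2 ** (number of don't-care bits)."""
    return 2 ** bin(parse_ace(line).src[1]).count("1")


if __name__ == "__main__":
    for label, line in (("ACL 106", ACL_106), ("ACL 103", ACL_103)):
        print(label, "covers", source_host_count(line), "source addresses;",
              "in 10.5.7.0/24:", source_hosts_in(line, "10.5.7.0/24")[:4])
    # A PC at .50 trying to reach a host at another site on an RTP port.
    for acl in (ACL_106, ACL_103):
        print("PC 10.5.7.50 -> 10.99.1.5/udp 20000 via", acl.split()[1], ":",
              acl_permits([acl], "udp", "10.5.7.50", "10.99.1.5", 20000))
```

Running it shows the gap the post describes: entry 106 admits all 16,777,216 addresses in 10.0.0.0/8, while entry 103 still admits 131,072 addresses (two per /24 across every 10.x.x.0/24, whether or not a phone actually sits there), so the reservation scheme narrows the source set but does not tie it to the phone itself.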