I just found a major security issue with 2 systems using Bandwidth.com. The end users are unrelated.
The issue is with Bandwidth's Edgemarc. Bandwidth.com has opened port 5060 to the entire Internet, unrestricted, and forwards anything received on 5060 to the customer's PBX, router, gateway, UC500. With this configuration anyone on the Net can point a SIP client to the Edgemarc's public IP and make a phone call. When the SIP messages are forwarded to the router/UC500 they appear to be sourced from the "trusted" Edgemarc IP, but in fact are sourced from anywhere on the Net. Note: Bandwidth.com doesn't use SIP registration, they expect you to "trust" the IP of their servers or gear.
The disturbing points: the Bandwidth techs had a difficult time understanding why this was a risk... even after watching multiple rogue international calls traverse the Edgemarc. Also disturbing, one of these Edgemarcs was locked down at one time because I tested for this vulnerability at the time of install, but now that is no longer the case and Bandwidth techs insisted that port 5060 should be open to the entire Internet!?!?!
Bottom line, if you are connecting to Bandwidth.com using an Edgemarc or any Bandwidth gear at your site, check the security. Better yet, do not trust Bandwidth.com with the security of your network. On a similar, but unrelated note, in one of these cases the end customer also advised me that Bandwidth.com had also left the default passwords on the Edgemarc as well. The passwords have since been changed due to efforts by the end customer.
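Added example, not part of the original post and not Bandwidth.com or Edgemarc code: a PBX-side check that looks past the "trusted" source IP at the hop recorded behind the edge device in the SIP Via stack. It assumes the edge device forwards as a SIP proxy that keeps the Via headers and adds `received=` per RFC 3261 (a device that rebuilds the request would not expose this); the function names, addresses (RFC 5737 documentation ranges) and sample messages are constructed.

```python
import ipaddress
import re

# Constructed placeholder (RFC 5737 documentation range), not real carrier addresses.
CARRIER_NETS = [ipaddress.ip_network("192.0.2.0/24")]

def via_hops(msg):
    """Addresses from the Via headers, top-most first (IPv4 or hostnames only)."""
    hops = []
    for line in re.findall(r"^(?:Via|v)[ \t]*:(.+)$", msg, re.I | re.M):
        for value in line.split(","):
            m = re.match(r"\s*SIP/2\.0/\w+\s+([^;\s]+)(.*)", value)
            if not m:
                continue
            sent_by, params = m.groups()
            # received= is written by the proxy that accepted the packet, so it
            # is preferred over sent-by, which the sender controls.
            rec = re.search(r";\s*received=([^;\s]+)", params, re.I)
            hops.append(rec.group(1) if rec else sent_by.split(":")[0])
    return hops

def classify(msg):
    """Judge an INVITE by the hop behind the top-most Via (the edge device)."""
    hops = via_hops(msg)
    if len(hops) < 2:
        return "unknown"      # no hop recorded behind the edge device
    try:
        prev = ipaddress.ip_address(hops[1])
    except ValueError:
        return "untrusted"    # hostname: cannot be matched to carrier ranges
    return "carrier" if any(prev in net for net in CARRIER_NETS) else "untrusted"

def invite(*vias):
    """Build a constructed sample INVITE carrying the given Via values."""
    head = ["INVITE sip:15555550100@10.0.0.5 SIP/2.0"]
    return "\r\n".join(head + ["Via: SIP/2.0/UDP " + v for v in vias] + ["", ""])

# Constructed samples: 10.0.0.1 stands for the edge device's LAN address.
LEGIT = invite("10.0.0.1:5060;branch=z9hG4bKa1", "192.0.2.20:5060;branch=z9hG4bKb1")
ROGUE = invite("10.0.0.1:5060;branch=z9hG4bKa2",
               "192.0.2.20:5060;received=203.0.113.77;branch=z9hG4bKb2")
DIRECT = invite("10.0.0.1:5060;branch=z9hG4bKa3")

if __name__ == "__main__":
    for name, msg in (("LEGIT", LEGIT), ("ROGUE", ROGUE), ("DIRECT", DIRECT)):
        print(name, via_hops(msg), classify(msg))
```

This is a detection aid for the PBX side only; the exposure described in the post is closed by restricting port 5060 on the edge device to the carrier's signaling addresses.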