Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

how can we secure Call manager with all these microsoft security breaches

http://www.cnn.com/2002/TECH/internet/08/23/microsoft.security.reut/index.html

SEATTLE, Washington (Reuters) -- Microsoft Corp. said Thursday that "critical" security lapses in its Office software and Internet Explorer Web browser put tens of millions of users at risk of having their files read and altered by online attackers

Any suggestions besides shuting down unnecessary services and IDS host sensor ?

Jim K

2 REPLIES
New Member

Re: how can we secure Call manager with all these microsoft secu

suggestions? sure!

dont install Money 2002 on Call Manager!

seriously though these are obvioulsy important security issues but I dont see how they apply directly to CCM since office,money etc shouldnt be running on CCM anyway and in terms of IE holes, you shouldnt need to browse from CCM. How often did you browse the internet of create word doc's from your G3 before you went IP ?

New Member

Re: how can we secure Call manager with all these microsoft secu

Don't forget the most obvious answer - though one that admittedly is hard to remember when first approaching CM - there is usually NO NEED for non-telphony end user devices to have to be able to access the CM - this includes computers on your lan, and definitely not computers on the Internet.

Now there are exceptions - but there are ways around some of them.

By and large - set up ACLs on your cat switches so that NO DEVICES except for your IP Phones (which should be in their own subnets and AUX VLANs right?) and the gateways can even communicate with the call managers.

Then make exceptions for your administration stations - should be only a few.

Then you don't even have access granted to useable consoles - unless they find a way to break into your auxillary VLANS and fake being an IP phone...

SOme exceptions you'll have to look out for:

If you're using TAPI dialers you'll have to have at least one call manager reachable - don't make it your publisher - if necessary - make it do nothing but service TAPI clients - some vulnerability to intrusion there - but little vulnerability of your main CM system to DOS then...

Clients which want to access the CM webpages:

Set up apache as a proxy to a CM subscriber - grant access to the CM only to the secured Apache server...

Using these suggestions you can make it pretty difficult to suffer problems...

- Ken

84
Views
0
Helpful
2
Replies
CreatePlease to create content