
New Member

Presence Federation with Googletalk - Security Risk

Hi,

We want to federate Jabber with Googletalk for a customer. All the VoIP servers are in the corporate network and not in the DMZ.

Based on the document, we need to open a port for XMPP federation, which we cannot open from outside to inside as it would be a security risk.

My question is: can I install a Presence server for a cluster in the DMZ and let just that one node in the cluster talk to Googletalk, while users still get their Jabber clients registered on the other Presence servers in the corporate network?

HM

Accepted Solution
VIP Super Bronze

Presence Federation with Googletalk - Security Risk

It's possible but not a good idea. For one, you would end up having to open many more ports to get the cluster database replication, XMPP server-to-server, etc. to work across the firewall. For another, the node in the DMZ has a full IPsec tunnel to the other nodes as well as CUCM; if the DMZ node was compromised your entire cluster would be in trouble, except now you gave the attacker a protected tunnel instead of confining them to only the XMPP port/process. For SIP federation Cisco used a TLS proxy feature of the ASA, but that has never been developed for the XCP side of things. For XMPP you either need to rely on SELinux and iptables embedded in the appliance, or look at third-party XMPP proxies, which is not supported by Cisco. IMO, you're more likely to introduce security risks than close them by using a third-party proxy.

Please remember to rate helpful responses and identify helpful or correct answers.

New Member

Presence Federation with Googletalk - Security Risk

Thanks Jon,

Gtalk decided not to use XMPP and wants to use its own protocol anyway, which is a shame.
