I have the Phone Proxy up and running correctly, but I'm a little concerned about having a static NAT for my CUCM server to a public IP using TFTP. Are there any security concerns to be aware of when opening your CUCM server to the public using TFTP?
Currently, the Phone Proxy feature on the ASA does not support configuration file encryption for TFTP transfers between the CUCM and the phone through the firewall. This causes the configuration to appear in cleartext on the Internet and may expose certain private parameters. Please see more details in the enhancement request CSCsw97570:
I think I'm more concerned about my CUCM server being compromised, since it is open to the public on port 69 due to the static NAT. Would it be possible for anyone to compromise my CUCM server?
Yes, it's possible that the TFTP server could get hacked, as it's available to the external side. The ASA will just allow TFTP port 69 traffic through to the CUCM for downloading of the config, etc. There is not really anything that you can do from the ASA side other than to restrict via ACL; however, it might be impossible to know where your Phone Proxy clients are located.
The Cisco VPN IP phones will not have this problem, since they make a VPN connection to your network instead of running through Phone Proxy.
Hope this helps a bit.
I am in the process of getting Phone Proxy set up on our ASA. Having a static NAT entry from the public to our CUCM/TFTP concerns me too. Is our only defense to have an ACL that restricts traffic through this connection to only UDP 69? How vulnerable does this make our CUCM server?
Yes, what you mentioned is what you would do to limit the amount of exposure to your CUCM from the outside. You do need to have TFTP port 69 available to the outside. There is a possibility that they could go through that port 69. As mentioned in an earlier response, you can use the AnyConnect client on the phone for further security instead of the ASA Phone Proxy.
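For anyone following this thread, here is what the "restrict via ACL" advice above looks like on the ASA. This is an added example, not configuration from any of the posters or from Cisco's Phone Proxy documentation: the addresses (10.1.1.10 inside, 203.0.113.10 public), the object and ACL names, and the interface names are placeholders, and the Phone Proxy configuration itself is not shown.

```text
! Added example with placeholder addresses and names (not from the thread).
! The inside CUCM/TFTP server 10.1.1.10 is statically translated to the
! public address 203.0.113.10 (ASA 8.3 and later object NAT syntax).
object network CUCM-TFTP
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10

! Only UDP/69 (TFTP) is permitted from the outside to the CUCM address;
! every other protocol or port toward that host is explicitly denied.
! On 8.3+ the ACL matches the real (untranslated) address, 10.1.1.10.
! The "log" keyword produces syslog 106100 for each matching flow, which is
! the only visibility you get into who is pulling configs through port 69.
access-list OUTSIDE-IN extended permit udp any host 10.1.1.10 eq tftp log
access-list OUTSIDE-IN extended deny ip any host 10.1.1.10 log
access-group OUTSIDE-IN in interface outside
```

Since, as noted above, you usually cannot know the source addresses of the Phone Proxy clients, the ACL can only narrow the exposure to the single TFTP port rather than to known sources, so the logged 106100 messages are worth watching for sources that are not your phones. On ASA 8.2 and earlier the same intent is expressed with `static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255`, and the ACL then references the mapped address 203.0.113.10 instead of the real one.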
Thanks for the response.
I am unfamiliar with the AnyConnect Client on the phone. We have IP 7975 phones. Our firewall is licensed for 100 UC Proxy Sessions.
How does the AnyConnect Client work on the phone?
Here's a document that discusses the AnyConnect client on the IP phone in more detail:
The new CUCM 8.x has this ability, coupled with the 9.x firmware on the phone.
Hope this helps a bit.
One other thing I forgot to mention is that when using the AnyConnect client on the phone, you are not going to be doing Phone Proxy. Effectively, you are making a VPN tunnel from the phone to the ASA, and the voice traffic will go through that tunnel, so the phone will be considered on the inside. This method does not use Phone Proxy at all but allows the phone to be on the inside through the encrypted tunnel.
That is great, but it looks like we need CUCM 8.0.1 and IP Phone Firmware 9.x.
We are currently running CUCM 7 and IP Phone SCCP 9.0.3S. I guess we would need licensing on the ASA for the AnyConnect VPN too.
We do have maintenance to cover our CUCM update, but I am unsure of a time frame for this update.
Are more people moving towards the AnyConnect VPN solution than the Phone Proxy?
The Phone Proxy must not be too risky (publicly exposed CUCM TFTP), since it seems lots are using that solution.
Yes, that's correct; it would require you to be on a newer release as well as different licenses, etc. I'm not sure what the adoption rate is on AnyConnect, since it's a new feature. I do know some people are moving to it to get around the open ports on Phone Proxy and also for directory services, which is unencrypted HTTP traffic.
There are a lot of people using Phone Proxy. Here's a good document, if you haven't seen it yet, which talks about the setup procedure: