Disable Management on LAN interface?

WCeightoh
Dec 16, 2014
Morning, everyone!

I'm looking for a way to disable access to the IP Office configuration on one of the network interfaces via Manager for one of our customers. IP500v2 on 9.0 service pack 4.

The setup is that we have the IPO on a public IP address on LAN1 (not best practice, I know), and private on LAN2 to connect to phones and handle DHCP. LAN1 is used to connect to their SIP provider. What's happened is that someone accessed the IPO via the public IP, and sent their numbers off-site to an international number. We've since changed all passwords, as well as the security login password, but I'm hoping someone might know of a way to disable management access on an interface altogether. I was trying to think of a way to do it via IP Routes possibly, but coming up short.

Any help would be appreciated!
 
First, yes, bad, bad bad bad bad. USE A FIREWALL OR AN SBC!
Second, you could swap the interfaces, use LAN2 for public, LAN1 for private (as it should be), and you can configure the software firewall on LAN2 to block access.
Third, yes, you could use routes; only allow routes to the IP addresses from your SIP provider; no default gateway set.
Fourth, USE AN SBC or FIREWALL!!!

-Austin
ACE: Implement IP Office
 
understatement said:
(not best practice, I know)

TBH, I'd address the gaping hole in their security in other ways first, like a firewall, SBC and NAT.

There are tweaks in the internal firewall (search this forum) that may help, but I wouldn't be happy using that as the first and only layer of defence.


Take Care

Matt
I have always wished that my computer would be as easy to use as my telephone.
My wish has come true. I no longer know how to use my telephone.
 
Yeah, absolutely. I wasn't a part of the original planning and setup, otherwise I would have smacked whoever made that decision.

They currently have managed services through their internet provider(s). Our next step will be to get them behind a firewall, but in the meantime I think I'll just block via IP routes.

Delete default gateway route for LAN1, create IP Route of SIP Gateway -> LAN1. Then any other IP that connects isn't automatically routed to IPO? Think that should do it?
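
A generic longest-prefix-match model of the route change proposed above, as an added example that is not part of the original posts and not Avaya's implementation. All addresses are constructed documentation ranges; only the interface names LAN1 and LAN2 come from the thread.

```python
import ipaddress

def table(entries):
    """Build a route table from (CIDR, interface) pairs."""
    return [(ipaddress.ip_network(net), iface) for net, iface in entries]

def next_hop(routes, dst):
    """Longest-prefix match: interface used to reach dst, or None if unroutable."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, iface) for net, iface in routes if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

# Constructed sample hosts (RFC 5737 / RFC 1918 ranges), not from the thread.
HOSTS = {
    "sip_provider": "198.51.100.10",   # the one peer that must stay reachable
    "unknown_host": "203.0.113.77",    # arbitrary Internet source
    "on_link_host": "192.0.2.2",       # neighbour on the same public subnet
    "phone": "192.168.42.20",          # handset on the private side
}

# Current state: connected subnets plus a default gateway route on LAN1.
BEFORE = table([
    ("192.0.2.0/29", "LAN1"),
    ("192.168.42.0/24", "LAN2"),
    ("0.0.0.0/0", "LAN1"),
])

# Proposed state: default route deleted, host route to the SIP gateway added.
AFTER = table([
    ("192.0.2.0/29", "LAN1"),
    ("192.168.42.0/24", "LAN2"),
    ("198.51.100.10/32", "LAN1"),
])

def reachability(routes):
    """Map each sample host to the interface replies would leave on."""
    return {name: next_hop(routes, ip) for name, ip in HOSTS.items()}

if __name__ == "__main__":
    for label, routes in (("before", BEFORE), ("after", AFTER)):
        print(label, reachability(routes))
```

In this model the change only removes the return path to unlisted addresses: hosts on the directly connected public subnet still have a route, and inbound packets still reach the interface, which is why the replies treat routes as a stopgap until a firewall or SBC is in place.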
 
Jepp, do as Matt and Austin say. Keep it like you have it now, LAN2 facing the internal network and put a decent firewall between the modem and your LAN1.

Tweaking the firewall is not so hard, but to help out those in need of assistance, I made a little document and calculator.
You'll find it here: thread940-1739002

Kind regards

Gunnar
______________________________________
Mille viae ducunt homines per saecula Romam

 
Good stuff. Thanks guys. We'll definitely be getting them behind a firewall soon - only hitch with that is that they're on the other side of the country, but we'll definitely make that happen.

In the meantime, I'm going to try the IP route way after-hours and test it out.

Gunnaro, thank you for that link - have it saved for these sorts of situations going forward.
 