Educause Security Discussion mailing list archives
Re: Voice mail portals
From: Harry Hoffman <hhoffman () IP-SOLUTIONS NET>
Date: Mon, 25 Mar 2013 15:08:56 -0400
We had to do something similar with an account provisioning system. The admin functions were moved to a separate vhost and ACLs were used to deny access.

Here's the deal though. You need to ensure that the client-facing application has very specific privileges and they are rigorously enforced. Or that your admin access uses a different data storage mechanism.

Should the client side have vulnerabilities that would allow escalation to change/add/delete items only an administrator should have access to, then separating the two functions via your F5 is going to have little effect. SQL injection is the first thing that comes to mind.

HTH.

Cheers,
Harry

On 03/25/2013 02:47 PM, David Curry wrote:
Hi,

We're in the process of installing a VoIP solution in the new building on campus (deployment to the rest of campus to follow). The solution includes a "web portal" where users can go to adjust certain settings on their voice mail (PIN change, etc.). Because some of the people who will have phone numbers on the system won't actually have phones/offices (adjunct faculty, etc.), we want to make the portal available from the Internet.

Our vendor's pro services team is recommending against this because administrator access to the portal is via the same system, just a different URL. We think we can work around this by limiting access to the administrator URL with our F5 (or other similar approaches).

But before we do that, we thought we'd ask... What are other schools doing? If your VoIP product has a portal, do you let people access it from the Internet, or just from on campus?

Thanks,
--Dave

--
*DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY
*THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011
+1 212 229-5300 x4728 • david.curry () newschool edu
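
The point made in the reply above, that the client-facing side needs narrow privileges enforced at the data store and not only a URL block in front of it, shown as an added example that is not part of either message or of any vendor's product. It assumes a constructed two-table schema and uses SQLite's per-connection authorizer as a stand-in for a restricted database account; all table, column and function names are hypothetical.

```python
import os
import sqlite3
import tempfile

# Constructed schema: one table the portal needs, one only administrators should change.
SCHEMA = """
CREATE TABLE mailbox (ext TEXT PRIMARY KEY, pin TEXT, greeting TEXT);
CREATE TABLE admin_settings (name TEXT PRIMARY KEY, value TEXT);
INSERT INTO mailbox VALUES ('1001', '1111', 'default');
INSERT INTO admin_settings VALUES ('remote_admin', 'no');
"""

def portal_authorizer(action, arg1, arg2, db_name, source):
    """Privileges of the client-facing connection: read mailbox, update mailbox.pin."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and arg1 == "mailbox":
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_UPDATE and (arg1, arg2) == ("mailbox", "pin"):
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY  # everything else, including all admin tables

def attempt(conn, sql, params=()):
    """Run one statement and report whether the data store accepted it."""
    try:
        conn.execute(sql, params).fetchall()
        return "ok"
    except sqlite3.DatabaseError:
        return "denied"

def demo():
    path = os.path.join(tempfile.mkdtemp(), "voip.db")
    admin = sqlite3.connect(path)  # stands in for the admin vhost's account
    admin.executescript(SCHEMA)
    admin.commit()
    portal = sqlite3.connect(path, isolation_level=None)  # client-facing account
    portal.set_authorizer(portal_authorizer)
    results = {
        "read pin": attempt(portal, "SELECT pin FROM mailbox WHERE ext = ?", ("1001",)),
        "change pin": attempt(portal, "UPDATE mailbox SET pin = ? WHERE ext = ?", ("8642", "1001")),
        "read admin setting": attempt(portal, "SELECT value FROM admin_settings"),
        "change admin setting": attempt(portal, "UPDATE admin_settings SET value = 'yes'"),
        "delete mailboxes": attempt(portal, "DELETE FROM mailbox"),
    }
    setting = admin.execute("SELECT value FROM admin_settings").fetchone()[0]
    return results, setting

if __name__ == "__main__":
    print(demo())
```

With a server database the same boundary would be a separate account for the portal holding only the grants it needs, so a flaw in portal code cannot reach administrator-only data whichever URL is blocked upstream.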