Educause Security Discussion mailing list archives

Re: Voice mail portals


From: Harry Hoffman <hhoffman () IP-SOLUTIONS NET>
Date: Mon, 25 Mar 2013 15:08:56 -0400

We had to do something similar with an account provisioning system.

The admin functions were moved to a separate vhost and ACLs were used to
deny access.

Here's the deal though. You need to ensure that the client-facing
applications have very specific privileges and that they are rigorously
enforced. Or that your admin access uses a different data storage
mechanism.

Should the client side have vulnerabilities that would allow escalation
to change/add/delete items only an administrator should have access to
then separating the two functions via your F5 is going to have little
effect. SQL injection is the first thing that comes to mind.

HTH.

Cheers,
Harry

On 03/25/2013 02:47 PM, David Curry wrote:
Hi,

We're in the process of installing a VoIP solution in the new building on
campus (deployment to the rest of campus to follow). The solution includes
a "web portal" where users can go to adjust certain settings on their voice
mail (PIN change, etc.). Because some of the people who will have phone
numbers on the system won't actually have phones/offices (adjunct faculty,
etc.), we want to make the portal available from the Internet.

Our vendor's pro services team is recommending against this because
administrator access to the portal is via the same system, just a different
URL. We think we can work around this by limiting access to the
administrator URL with our F5 (or other similar approaches). But before we
do that, we thought we'd ask...

What are other schools doing? If your VoIP product has a portal, do you let
people access it from the Internet, or just from on campus?

Thanks,
--Dave


--

*DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY

*THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry () newschool edu
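
Added example (not part of either message above, and not the vendor's code): a sketch of the "very specific privileges, rigorously enforced" point, using Python's `sqlite3` authorizer hook as a stand-in for a least-privilege database account. The schema, table names and `PORTAL_ALLOWED` policy are constructed for illustration; the idea is that the user-facing portal's data-store connection is refused anything beyond its own tasks, regardless of which URL the request arrived on.

```python
import sqlite3
import tempfile

# Constructed schema: user settings and admin data share one store, as with
# the "same system, different URL" portal discussed in the thread.
SCHEMA = """
CREATE TABLE mailbox (ext TEXT PRIMARY KEY, pin_hash TEXT, greeting TEXT);
CREATE TABLE admins  (login TEXT PRIMARY KEY, role TEXT);
INSERT INTO mailbox VALUES ('1001', 'old-hash', 'default');
INSERT INTO admins  VALUES ('voipadmin', 'superuser');
"""

# Everything the Internet-facing portal needs; nothing else is allowed.
PORTAL_ALLOWED = {
    (sqlite3.SQLITE_SELECT, None, None),
    (sqlite3.SQLITE_READ, "mailbox", "ext"),
    (sqlite3.SQLITE_READ, "mailbox", "greeting"),
    (sqlite3.SQLITE_UPDATE, "mailbox", "pin_hash"),
}

def portal_authorizer(action, arg1, arg2, dbname, source):
    """Default deny: refuse any operation not listed in PORTAL_ALLOWED."""
    allowed = (action, arg1, arg2) in PORTAL_ALLOWED
    return sqlite3.SQLITE_OK if allowed else sqlite3.SQLITE_DENY

def try_sql(conn, sql, params=()):
    """Run one statement; report 'ok' or 'denied' instead of raising."""
    try:
        conn.execute(sql, params).fetchall()
        return "ok"
    except sqlite3.DatabaseError:  # raised when the authorizer refuses
        return "denied"

def demo():
    """The portal's own tasks work; admin data is refused at the store."""
    with tempfile.TemporaryDirectory() as tmp:
        path = f"{tmp}/voicemail.db"
        admin = sqlite3.connect(path, isolation_level=None)   # unrestricted
        admin.executescript(SCHEMA)
        portal = sqlite3.connect(path, isolation_level=None)  # restricted
        portal.set_authorizer(portal_authorizer)
        out = {
            "change_pin": try_sql(portal, "UPDATE mailbox SET pin_hash=? WHERE ext=?", ("h2", "1001")),
            "read_greeting": try_sql(portal, "SELECT greeting FROM mailbox WHERE ext=?", ("1001",)),
            "read_pin_hash": try_sql(portal, "SELECT pin_hash FROM mailbox"),
            "edit_admins": try_sql(portal, "UPDATE admins SET role='none'"),
            "admins_after": admin.execute("SELECT login, role FROM admins").fetchall(),
        }
        portal.close(); admin.close()
        return out
```

On a server database the same policy would be expressed as a dedicated portal account with column-level grants, separate from the account the admin vhost uses.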


