Alright, I'm doing some 'footwork' myself, to gather and glean information, but I would definitely appreciate any links, experience, or advice and opinions from those of you who know on this issue. We're going over our VOIP system right now, and considering the security of it in general. We are of course in a switched network, and have the VOIP traffic running over its own VLAN.
My question is... security-wise, how would that be looking? We're a Cisco house, using Cisco VOIP phones, etc. I was under the impression that ARP poisoning and man-in-the-middle attacks, combined with Cain and Abel or another sniffer/translator program, would make listening in on the VOIP system rather easy. I just recently in my search came across a Cisco white paper saying that having the phones on a different VLAN (even though the computers hook into the phones) negates man-in-the-middle attacks.
So, please any thoughts, opinions, insights, or solutions would be highly appreciated.
A snippet I gleaned from here:
http://www.roboguys.com/index.php?option=com_content&task=view&id=57&Itemid=47

Dividing your broadcast domains in your network up can limit the effectiveness of an ARP based attack. Traffic for a machine not on the same broadcast domain as the attacker cannot be redirected due to the nature of ARP; it's a broadcast protocol. Dividing your important servers into a separate network can provide a layer of security against this type of attack and follows good industry design standards.
One additional method of defending against this attack is to hardcode each IP address to each MAC address on vulnerable systems. Naturally, this has a high level of administrative overhead and can be cumbersome and fraught with problems in some situations. Implementing a solution such as this is only practical for a limited number of servers and devices in most cases, but is probably one of the more effective methods of actually stopping ARP spoofing attacks.
So, if your VoIP devices are on a separate VLAN, they should be protected from simple attacks by residing on a separate broadcast domain. Now, if you were able to sneak a machine onto your VoIP VLAN, I don't know what would stop someone from being able to perform a MITM attack, unless of course you are utilizing static MAC address configuration on your switches (which, with my limited exposure to VoIP, may be happening as part of normal device deployment/configuration).
It'd be fun to test... so... get testing!
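The reply above suggests hardcoding IP-to-MAC bindings as the practical defence once someone is already on the VoIP VLAN. The same "known good" table that you would hand to static ARP entries can also be used to detect poisoning in progress. The following script is an added example and is not from the thread or from Cisco; it compares a baseline of expected bindings (hypothetical addresses for a gateway and one phone) against snapshots of a monitoring host's ARP cache in the text format printed by `arp -an` on Linux. The two snapshots are constructed inline so the script runs offline; on a real VoIP VLAN you would feed it the live output of `arp -an` at intervals.

```python
"""ARP-cache poisoning detector for a VoIP VLAN (added example, not from the thread).

Two signals are checked against a baseline of expected IP->MAC bindings:
  1. MAC_CHANGED: an IP we care about now resolves to a different MAC.
  2. MAC_SHARED:  one MAC is answering for several IPs, the classic signature
                  of a host poisoning both ends (gateway and phone) to relay
                  traffic through itself.
"""
import re
from typing import Dict, List, Tuple

# Matches the Linux `arp -an` line format; "<incomplete>" entries do not match
# and are therefore ignored. Addresses below are hypothetical.
ARP_LINE = re.compile(
    r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\)\s+at\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+\[ether\]\s+on\s+(?P<iface>\S+)",
    re.IGNORECASE,
)

# Baseline: what the VoIP VLAN gateway and a phone are supposed to be
# (hypothetical values; in practice this is the list you would also push
# out as static ARP entries or port-security MAC addresses).
BASELINE: Dict[str, str] = {
    "10.20.0.1": "00:1a:2b:3c:4d:01",   # VoIP VLAN default gateway
    "10.20.0.50": "00:1a:2b:3c:4d:50",  # one Cisco phone
}

# Constructed sample output of `arp -an` before any attack.
CLEAN_SNAPSHOT = """\
? (10.20.0.1) at 00:1a:2b:3c:4d:01 [ether] on eth0
? (10.20.0.50) at 00:1a:2b:3c:4d:50 [ether] on eth0
? (10.20.0.99) at <incomplete> on eth0
"""

# Constructed sample after a host with MAC de:ad:be:ef:00:01 poisons the
# cache for both the gateway and the phone (bidirectional MITM).
POISONED_SNAPSHOT = """\
? (10.20.0.1) at de:ad:be:ef:00:01 [ether] on eth0
? (10.20.0.50) at DE:AD:BE:EF:00:01 [ether] on eth0
? (10.20.0.99) at <incomplete> on eth0
"""


def parse_arp_table(text: str) -> Dict[str, str]:
    """Return {ip: mac} from `arp -an` output; MACs are normalised to lowercase."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def find_anomalies(baseline: Dict[str, str], observed: Dict[str, str]) -> List[Tuple[str, str]]:
    """Compare an observed ARP table with the baseline and return (kind, detail) alerts."""
    alerts: List[Tuple[str, str]] = []

    # Signal 1: a baseline IP now maps to an unexpected MAC.
    for ip, mac in observed.items():
        expected = baseline.get(ip)
        if expected is not None and expected != mac:
            alerts.append(("MAC_CHANGED", f"{ip} expected {expected} saw {mac}"))

    # Signal 2: a single MAC claims more than one IP.
    by_mac: Dict[str, List[str]] = {}
    for ip, mac in observed.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(("MAC_SHARED", f"{mac} claims {', '.join(sorted(ips))}"))

    return alerts


if __name__ == "__main__":
    for label, snapshot in (("clean", CLEAN_SNAPSHOT), ("poisoned", POISONED_SNAPSHOT)):
        found = find_anomalies(BASELINE, parse_arp_table(snapshot))
        print(f"{label}: {len(found)} alert(s)")
        for kind, detail in found:
            print(f"  {kind}: {detail}")
```

Two caveats worth keeping in mind when using something like this: the monitoring host only sees the poisoned replies that reach its own cache, so it must sit on the VoIP VLAN (a span port or a dedicated sensor host, not a PC behind a phone on the data VLAN), and a baseline only helps for the devices you have enumerated, which is the same administrative overhead the quoted snippet warns about for static ARP entries.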
