.

VOIP Security

<<

g00d_4sh

User avatar

Sr. Member
Sr. Member

Posts: 394

Joined: Tue Sep 18, 2007 1:50 pm

Location: Guayaquil, Ecuador

Post Thu Jan 31, 2008 3:46 pm

VOIP Security

Alright, I'm doing some 'footwork' myself, to gather and glean information, but I would definately appreciate any links, experience, or advice and opinions from those of you who know on this issue.  We're going over our VOIP system right now, and considering the security of it in general.  We are of course in a switched network, and have the VOIP traffic running over it's own VLAN. 

My question is... security wise how would that be looking?  We're a Cisco house, using Cisco VOIP phones, etc.  I was under the impression that ARP poisoning, and man in the middle attacks, combined with Cain and Abel or another sniffer/translator program would make listening into the VOIP system rather easy.  I just recently in my search came accross a Cisco white paper saying that having the phones on a different VLAN (even though the computers hook into the phones) negates man in the middle attacks. 

So, please any thoughts, opinions, insights, or solutions would be highly appreciated.
"Bad.. Good?  I'm the guy with the gun"
<<

rance

User avatar

Full Member
Full Member

Posts: 212

Joined: Thu Jan 03, 2008 5:24 pm

Location: Earth

Post Thu Jan 31, 2008 3:59 pm

Re: VOIP Security

g00d_4sh wrote:Alright, I'm doing some 'footwork' myself, to gather and glean information, but I would definately appreciate any links, experience, or advice and opinions from those of you who know on this issue.  We're going over our VOIP system right now, and considering the security of it in general.  We are of course in a switched network, and have the VOIP traffic running over it's own VLAN. 

My question is... security wise how would that be looking?  We're a Cisco house, using Cisco VOIP phones, etc.  I was under the impression that ARP poisoning, and man in the middle attacks, combined with Cain and Abel or another sniffer/translator program would make listening into the VOIP system rather easy.  I just recently in my search came accross a Cisco white paper saying that having the phones on a different VLAN (even though the computers hook into the phones) negates man in the middle attacks. 

So, please any thoughts, opinions, insights, or solutions would be highly appreciated.


A snipped I gleaned from here: http://www.roboguys.com/index.php?optio ... &Itemid=47

Dividing your broadcast domains in your network up can limit the effectiveness of an ARP based attack. Traffic for a machine not on the same broadcast domain as the attacker cannot be redirected due to the nature of ARP; it's a broadcast protocol. Dividing your important servers into a separate network can provide a layer of security against this type of attack and follows good industry design standards.

One additional method of defending against this attack is to hardcode each IP address to each MAC address on vulnerable systems. Naturally, this has a high level of administrative overhead and can be cumbersome and fraught with problems in some situations. Implementing a solution such as this is only practical for a limited number of servers and devices in most cases, but is probably one of the more effective methods of actually stopping ARP spoofing attacks.


So, if your VoIP devices are on a separate VLAN, they should be protected from simple attacks by residing on a separate broadcast domain.  Now, if you were able to sneak a machine on you VoIP VLAN, I don't know what would stop someone from being able to perform a MITM attack, unless of course, you are utilizing Static MAC address configuration on your switches (which, with my limited exposure to VoIP may be happening as part of normal device deployment/configuration).

It'd be fun to test... so... get testing! :)
Poking at security since 1986.  +++ATH
<<

g00d_4sh

User avatar

Sr. Member
Sr. Member

Posts: 394

Joined: Tue Sep 18, 2007 1:50 pm

Location: Guayaquil, Ecuador

Post Thu Jan 31, 2008 4:37 pm

Re: VOIP Security

Well we are not doing port security on the switches, nor static mac mapping.  Our VOIP phones are such that they can be freely moved around the organization, and retain the phone number/ID we assign them via the Cisco manager.  We also plug our computers into the phones.  Honestly I'm a tad intrigued on how that works, since our computer sends the info into the phone, which then forwards it to the POE switches.  Though the VOIP is on it's own VOIP VLAN, i'm assuming it strips off the phone MAC and replaces it with the comp MAC for forwarding purposes?  As to the VOIP phones being on another VLAN, for a MITM attack... couldn't a computer 'call' the target phone number via software, and disassemble the packets to get the target phone's MAC since all switch ports allow both the data and VOIP streams?
"Bad.. Good?  I'm the guy with the gun"

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 1 guest

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software