Telephony (SCCP, SIP, etc) Security

Status
Not open for further replies.

IPJETS

IS-IT--Management
Apr 1, 2003
US
Cisco has a very informative document on IP Telephony, and security. Available at :
It even discusses the vomit application, which surprised me.
Basically, it says keep your VoIP LAN/WAN and your data LAN/WAN separated, run arpwatch to mitigate any ARP spoofing, and monitor your CallManager with an IDS (Snort, or some of their IOS intrusion detection systems).

And of course, if you are passing traffic across a bordering gateway or another service, Encrypt it, and VPN it, silly :)

I'm working on a Linux box that transparently modifies the layer 2 headers of an IP phone to spoof the MAC address of a Cisco IP Phone (with the SCCP images loaded on it). I will let you know the outcome of this, and how easy it is to have it register with the CallManager and start intercepting calls.


This document is another good read (titled: The Trivial Cisco IP Phones Compromise).

What is your expert opinion on IP Telephony security? There are a lot of risks involved...
Brian McManus
CCNA, CCDA, CCNP, Spanlink: IPCC

tek at mynetworkplaces period com
 
In my opinion many of the sniffing concerns related to IP Telephony are overblown. If your network is susceptible to Vomit, that would imply that your switches are also vulnerable to ARP spoofing. If your switches are vulnerable to ARP spoofing and CAM attacks, then an attacker can not only sniff your voice but also your data traffic. Now what is more vulnerable, someone capturing your banking transaction passwords, email passwords, etc. or listening in on a conversation?

Point is that if your network is vulnerable to sniffing you have serious problems even without VoIP!

- Info Security
- Voice over IP
 
I agree with you. If they can get that much info on your network, you have other problems that you should address...

BuckWeet
 
Yes, but VoIP had many problems beyond sniffing, and the default configuration of much of the Cisco stuff is complete crap.

And frankly, I'd be more worried about my audio being captured on a telephone call where there is a reasonable expectation of privacy, than my SSL encrypted banking transaction being sniffed.

And I haven't found many environments where ARP cache poisoning was not effective, even though it takes very little work to detect it.

But that is why they pay us to tell them how to configure things. VoIP can be installed in a reasonably secure manner, it just takes some work. Work that most people aren't willing to put into it.


pansophic
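
The thread mentions arpwatch and notes that ARP cache poisoning takes little work to detect. The following is an added example (not from any poster, and not arpwatch's own code) of that kind of IP-to-MAC binding watch, run over constructed ARP observations. The function name, alert labels, addresses and the 60-second window are assumptions.

```python
from collections import defaultdict

# Constructed sample: (timestamp, sender IP, sender MAC) as seen in ARP replies
# on a voice VLAN. All addresses are made up for illustration.
SAMPLE_ARP = [
    (100, "10.10.20.1",  "00:11:22:aa:00:01"),  # call-control server
    (101, "10.10.20.51", "00:11:22:bb:00:51"),  # IP phone
    (160, "10.10.20.1",  "00:11:22:aa:00:01"),  # normal refresh, no alert
    (161, "10.10.20.1",  "02:de:ad:00:00:99"),  # binding for .1 changes
    (162, "10.10.20.51", "02:de:ad:00:00:99"),  # same MAC now claims the phone
    (163, "10.10.20.1",  "00:11:22:aa:00:01"),  # real owner re-announces
]

def detect_arp_anomalies(observations, flip_window=60):
    """Return alerts as (timestamp, kind, ip, mac) tuples (hypothetical labels)."""
    binding = {}                    # ip -> (current mac, time it took effect)
    previous = {}                   # ip -> mac that held the ip before that
    ips_by_mac = defaultdict(set)   # mac -> every ip it has claimed
    alerts = []
    for ts, ip, mac in observations:
        mac = mac.lower()
        if ip not in binding:
            binding[ip] = (mac, ts)             # first sighting: learn it
        elif binding[ip][0] != mac:
            old_mac, changed_at = binding[ip]
            # Two stations fighting over one IP show up as the binding
            # snapping back to the earlier MAC within a short window.
            if previous.get(ip) == mac and ts - changed_at <= flip_window:
                kind = "flip_flop"
            else:
                kind = "changed_mac"
            alerts.append((ts, kind, ip, mac))
            previous[ip] = old_mac
            binding[ip] = (mac, ts)
        # One MAC answering for several IPs is typical of a poisoning host.
        # Routers and clustered servers do this legitimately: allow-list them.
        if ip not in ips_by_mac[mac]:
            ips_by_mac[mac].add(ip)
            if len(ips_by_mac[mac]) > 1:
                alerts.append((ts, "mac_claims_multiple_ips", ip, mac))
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_ARP):
        print(alert)
```
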
 
One PLUS here for Avaya is Media Encryption, but I'm sure Cisco will have a feature like this built into the phones and CCM in the future as well. Till then, utilize your VLANs, Port Security and ACLs properly to ensure that the LAN itself is secure, as it should be already.

Frank

Thank you,
VOIPEng
 
It's a blow, but port security is not currently supported on trunk ports. And of course, all the Cisco phones require that the port is a trunk in order to carry the voice traffic along with the data.

Has anyone come across an effective method of implementing port security in a (Cisco) VOIP environment?

Scaine
 