[VOIPSEC] VoIP Blocking Filter w/Ettercap
Troy Sherman
tsherman at cisco.com
Mon Jul 18 20:56:51 CDT 2005
In line but shorter.....
Troy Sherman
JAG 1024
Cisco Systems Inc.
Phone 408.902.3091
Cell 408.887.9516
Pager 800.365.4578
MT - This is not true. I have performed this on all manner of
switches and IOS versions. Can you please specify why a "newer"
switch would block this?
THS - Some switches now look at CDP (I know, but more difficult, do not
remember the IOS versions) to make sure that they are seeing a CDP packet
from the phone before they allow traffic on that voice vlan. It is baby
steps until some newer features come out in the future. The best one off the
top of my head is on the CatOS on the 6k (8.3.(4) I think), it uses a
command called CDP verify to check this, otherwise traffic is blocked.
MT - You are correct that MITM options are definitely limited once
DAI is enabled. I would also suggest DHCP anti-spoofing measures on
top of the arp spoofing measures. I really am just trying to point
out that there are no options for switch level authentication of VoIP
endpoints. My other concern is that nowhere in the Cisco SAFE
blueprint for IP Telephony are these recommended, and many network
administrators do not configure these features. I believe that
Arpwatch is recommended, but these would only log arp changes, not
block them.
THS - This confuses me, do you mean a rogue DHCP server? If so, you have to
have dhcp snooping turned on to make DAI work. When you turn on dhcp
snooping you get 3 things: no port can reply to a dhcp broadcast, you build
the dhcp snooping binding table for DAI and IP source guard, and the dhcp
request CHADDR field is checked to make sure that the mac address in the
dhcp requests matches the mac address in the cam table of the switch. Unless
you have IP source guard with port security, but that is not really an
enterprise feature because of the requirement of the option 82 field in the
dhcp request.
THS - and yes, they are not in SAFE, I did not write SAFE :). I can tell you
that data is data in my world and most of the things we have talked about
are the same for email and even ssh/ssl, and how many companies encrypt all
the email that they send? If I were going to be a bad guy, I would much
rather read someone's email than listen to the voice. I have talked to
companies that have turned all this security on and more for their voice
network (which is data) and yet have done nothing to protect the "other"
data on their network, which is strange to me. A good security policy,
layers, monitoring, all those things are what it takes to make a secure
network. I have found that most attacks are internal, and that most attacks
are allowed because of misconfiguration, that is one reason for things like
smartports and such.
MT - For anyone interested, THS has a good presentation on these
attacks at http://www.cisco.com/networkers/nw04/presos/docs/SEC-2002.pdf
THS - googled me eh? :)
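Added example, not code from the thread or from Cisco: a toy model of the three DHCP snooping checks and the DAI check described above, showing which frames each one drops. Port names, MAC addresses and IPs are constructed sample values.

```python
# Toy switch modelling DHCP snooping + Dynamic ARP Inspection (DAI).
# Constructed example; not the behaviour of any specific IOS/CatOS release.

class Switch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)  # uplinks / DHCP server ports
        self.cam = {}                      # port -> first source MAC seen
        self.bindings = {}                 # (port, mac) -> ip, from DHCP ACKs

    def dhcp_request(self, port, src_mac, chaddr):
        """Check 3: CHADDR must match the MAC the CAM table holds for the port."""
        self.cam.setdefault(port, src_mac)
        if chaddr != src_mac or self.cam[port] != src_mac:
            return "drop: CHADDR/MAC mismatch"
        return "forward"

    def dhcp_reply(self, port, client_port, client_mac, ip):
        """Check 1: only trusted ports may answer a client.
        Check 2: a valid ACK populates the binding table DAI relies on."""
        if port not in self.trusted:
            return "drop: DHCP reply on untrusted port"
        self.bindings[(client_port, client_mac)] = ip
        return "forward"

    def arp(self, port, sender_mac, sender_ip):
        """DAI: ARP on an untrusted port must match a snooping binding."""
        if port in self.trusted or self.bindings.get((port, sender_mac)) == sender_ip:
            return "forward"
        return "drop: no DHCP snooping binding"


def demo():
    sw = Switch(trusted_ports={"Gi0/1"})
    host, other = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"
    r = {}
    r["request"] = sw.dhcp_request("Fa0/1", host, host)
    r["rogue_offer"] = sw.dhcp_reply("Fa0/2", "Fa0/1", host, "10.0.0.50")
    r["ack"] = sw.dhcp_reply("Gi0/1", "Fa0/1", host, "10.0.0.10")
    r["arp_ok"] = sw.arp("Fa0/1", host, "10.0.0.10")
    # an untrusted port claiming the gateway IP has no binding: DAI drops it
    r["arp_spoof"] = sw.arp("Fa0/2", other, "10.0.0.1")
    # a request whose CHADDR does not match the frame source MAC
    r["bad_chaddr"] = sw.dhcp_request("Fa0/2", other, host)
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12} {verdict}")
```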