The security weaknesses of VLANs have been known for years. Recent case studies have highlighted the potential risk of using Voice VLANs together with VoIP in an infrastructure absent of properly configured security controls. While visiting Europe just recently, I was reminded of this issue for a couple of reasons.
The British Crown Jewels
Firstly, I saw the magnificent British Crown Jewels in display. They are quite impressive. They are arguably the most valuable items in the world possessed by a sovereign state, and obviously need to be properly protected. It really got me thinking about the origin of the term “Crown Jewels” and how the industry has used this term to refer to protection of a company’s most valuable and precious IT assets and data. We talk about protecting against the theft of these “Crown Jewels” – a company’s IP, trade secrets, or other mission critical data. How to protect and defend the “Crown Jewels”?
Theft of the Crown Jewels!
Hotel VoIP Deployments
After seeing the Cullinan I diamond and other precious jewels, I stayed in a hotel in Stockholm that had IP Phones deployed in guest rooms, which had me thinking again about how attackers could access a company’s IT “Jewels” from a physically unsecured area. A quick and passive view of the IP Phone network configuration showed that this network was most likely vulnerable to the aforementioned VLAN Hop vulnerability. I’ve been seeing an increasing amount of Hotel VoIP deployments in the last year exactly like this.
Both of these items reminded me of how easy it is for a would-be attacker, sitting in the comfort and privacy of their hotel room, to steal a company’s most valuable trade secrets and data through VoIP, in the right scenario and when the environment is not properly protected. We’ve seen this before in production environments, in authorized security assessments. I wanted to reach out to the community and share this with you, and see what others are seeing as well. I’ve roughly seen 1 in 3 hotels in the past year have VoIP deployed in the guest rooms. I am curious as to whether others are seeing a similar trend. What other UC business applications are you seeing deployed in physically remote areas, and how are they being used?
Trunking VoIP to Physically Isolated Areas
When VoIP networks are propagated through trunk ports to physically isolated remote locations that are still under the administrative domain of the same organization, the risk increases that a VLAN Hop into the Voice VLAN can result in unauthorized access to corporate network resources. Resources that were not intended by the system designers. I’m making generalizations because every network is different. But the most common configuration I am seeing takes place because the IP Phones normally need a range of TCP/UCP ports open into the call servers, and the call servers are centrally hosted on the corporate data network. Sometimes the firewall doesn’t properly implement the policy of least privilege for only permitting operational IP Phone traffic and denying all other traffic. The best example of a physically remote location that comes to mind is a Hotel room, but I’m sure there are other good examples. Hotel VoIP deployments with wired ethernet offer benefits to the user such as guest VLAN Internet access from the PC port of the IP Phone. But if you think about it, it offers the perfect backdoor attack vector into the internal network. Privacy and seclusion. An attacker can spend as much time as they please, evading detection and slowly discovering the network. Each time I see this, it makes me wonder the extent to which this vulnerability is getting exploited in real life, but not being publicly disclosed. We’ve seen how well publicized CHD / data breaches of the PCI DSS have taken place over wireless networks – I wonder if and how long it will take before this happens over a VoIP infrastructure deployed to a physically remote location which is trunked, unprotected into the internal network where mission critical servers are hosted.
Some would say that this is a network infrastructure “firewall” mis-configuration issue and not a VoIP issue. They are right. But you could also argue that this issue opens up only when you deploy VoIP with QoS and VoIP is so tightly integrated with the network and QoS. The VLAN Hop also enables UC attacks against not only the IP Phones, but the call server as well. For VoIP to be operational, those TCP/UDP ports between the IP phones and call server must always be permitted, even through a properly configured firewall.
Death of the Voice VLAN
Some have talked about the death of the Voice VLAN and others have questioned the relevance of Voice VLANs to UC Security. In my opinion, VLANs were never intended for security. They were designed for one thing: Broadcast Domain isolation, resulting in improved performance and host management. Then the “Voice VLAN” came about – a special access port feature for VoIP that enables the easy application of QoS and IP Phone provisioning. Brilliant, if you really think about it. Voice VLANs were also never intended for security features. However, some started seeing it this way because, by default, a PC wasn’t a member of the Voice VLAN, and Voice would have the highest priority on the network in the event of a malware outbreak on the “data” access VLAN, and so forth. This is still QoS – not security. A network with properly configured QoS at layer 2 or 3 doesn’t distinguish a virus outbreak from an extremely chatty file transfer application. In either case, VoIP will take the highest precedence through the network. Then we started hearing “VLAN is not a security measure” and now we are coming back full circle.
Voice VLANs are never going to die off due to their perceived security limitations. In fact, they are brilliant . They make it easier to deploy VoIP and other new and promising UC applications, like IP Video. Applications like IP video that are heavily reliant on QoS. This helps us all. The best thing we can do is recognize their security limitations and that they were never intended for security to begin with. Which brings me to my final point.
Why?
Many of you reading this are already well aware of this. But that doesn’t necessarily signify that others who deploy or own VoIP do as well. Just the other day, I had a conversation with a Network Engineer who had deployed VoIP for a major US sports stadium. This person believed that the IP Phones configured in the luxury suites were protected against VLAN Hop just because they had deployed MAC Address filtering on the switch ports. We all know that Voice VLAN Hop and MAC Address spoofing can be automated via myriad tools. But still, that doesn’t mean everyone else does.
I’m writing you today to ask for your help as VoIP Security professional in spreading awareness about this issue. I am open to hearing what you are seeing (specifically vendors and configurations in remote areas, and how the application is being used) or any other friendly comments or suggestions. This is an area of research and interest. Please email jostrom {at} viperlab {dot} net.
Voice VLANs do not make it easier to deploy UC (Unified Communication) applications like IP video on a unified communications device — a PC. Rather, Voice VLANs have the exact opposite effect.
If a network has a Voice VLAN, a PC cannot ‘join’ the Voice VLAN; rather, the PC is stuck in data VLAN and the only way for its incoming or outgoing traffic to get into the Voice VLAN is through some sort of RTP proxy device. A mere firewall won’t be effective if the Voice VLAN and the data VLAN have different IP numbering plans (some do, for ‘additional security’).
Good point about PCs that have IP video applications resident. By Voice VLAN making it easier to deploy UC applications, I was referring to IP Video phones that use CDP or DHCP for VVID discovery. You’re right though – not all “devices” are IP Video Phones though. There are all kinds of devices.
I think we are talking about two different things. By “join” the Voice VLAN, I meant 802.1q VLAN tagging to have an IP address and subnet mask in the Voice VLAN – which a PC can easily do. I’m talking about layer 2 and I think you are talking about layer 3 routing / filtering of traffic from the PC data VLAN to the Voice VLAN. Yes, in that case good point about the RTP proxy device for protection.
OK I have been following the VOIPSA for years. Primarily the threat to a business executive is who is listening to my conversation or identifying who i am calling. Has a detailed checklist or questionnaire been developed to ask questions to these concerns and to set for a straight countermeasures process.
Executives do not want their calls monitored by anyone and therefore task the telecom manager with prevention. What basic steps should he take to protect his bosses voip telephone, conversation and contacts.
He really is not concerned anout DOS attacks as he can make the call on his cellphone if he cannot make the call.
What is the true threat to a company when the VOIP telecom system shares the company network?
Most telecom guys are still lost in the wiring, moves and changes.
Thanks for your comments. Regarding a detailed checklist and questionnaire, I recently stumbled across a new book, “Network Security Auditing” by Chris Jackson, that has a good chapter (12) on UC Security. Starting on pp. 439, there is an audit checklist for understanding the security environment of VoIP and your required security controls. The checklist is specific to a Cisco UC solution, but it could be extended to being vendor agnostic with certain security requirements.
Regarding your question about the true threats, that’s a little too large for this blog comment, but there are a lot of good resources out there. Dan York’s new book, 7 Deadliest UC Attacks, can get you started.
You make some fantastic points. I am currently trying to get other security folks in my organization to understand that Voice VLANs should not be a security requirement. I completely agree that it helps create separation and QoS. In an initial conversation with some other security professionals, I was more or less told that my argument could be utilized on other implementations and that they needed to better understand what VLANing provides V VoIP and what other security measures can be put in place to provide the same or greater protections. I did make the point that encryption along with other security measures would fulfill this requirement. We will see where this conversation with them goes. I think I will be able to create a case to show its not a security feature but a performance feature.