Network Bulls
www.networkbulls.com
■ Headset: Disable these
features to prevent eavesdropping on conversations in the office by an attacker gaining
remote control of the IP phone and listening to the sound near it.
■ PC Port: Disable the PC port to prevent a PC from connecting to the corporate network
via the IP phone’s PC port.
■ Settings Access: Disable or restrict access to the IP phone settings to avoid the risk that
details about the network infrastructure could be exposed.
222 Chapter 9: CUCM Configuration
■ Gratuitous ARP: Disable this feature to prevent GARP-based man-in-the-middle
attacks.
■ PC Voice VLAN Access: Disable this feature to stop the IP phone from forwarding
voice VLAN traffic to the PC.
■ Web Access: Disable access to the IP phone from a web browser to avoid the risk that
details about the network infrastructure could be exposed.
Figure 9-31 displays the device-level security configuration options.
Figure 9-31 IP Phone Security Configuration
PC Port
The PC port should be disabled in special areas such as a lobby or areas where no additional
PC access is allowed. This practice is not common otherwise, however, because it entails a
major functionality constraint.
Settings Access
Disabling access to settings prevents anyone with physical access to the phone from
gathering information about network settings (DHCP server, TFTP server, default router,
and CUCM IP addresses). The network settings share information about the network that
an attacker can leverage to launch attacks. CUCM Release 4.1 and later releases offer a
restricted option for settings access. With restricted access, the user can modify the contrast
and ringer settings but cannot access other settings.
Cisco IP Phones Web Services
A web browser can be used to connect to the HTTP server of the IP phone by browsing
to the IP address of the phone. The HTTP server displays information similar to what can
be viewed directly on the IP phone using the Settings button, enhanced by some additional
statistics.
Hardening Cisco IP Phones 223
Attackers can use the intelligence gained by discovering the network configuration to direct
their attacks at the most critical telephony components, such as CUCM and the TFTP
server. It is recommended that you disable web access to the phone if the highest level
of security is desired. Figure 9-32 displays the information available by pointing a web
browser to the IP address of the Cisco IP Phone. Notice that there are many hyperlinks on
this page that access more information. The web services of the IP phone can prove useful
for troubleshooting.
Figure 9-32 Cisco IP Phone Web Services
When web access is disabled, the IP phone does not accept incoming web connections and
does not provide access to sensitive information.
Disabling web access at the IP phone stops Extensible Markup Language (XML) push
applications from working. If you want to use XML push applications on some IP phones,
you cannot disable web access to the IP phone. An example of a push application is the
emergency notification sent by Cisco Emergency Responder (Cisco ER).
Gratuitous Address Resolution Protocol
Address Resolution Protocol (ARP) normally operates in a request-and-response fashion.
When a station needs to know the MAC address of a given IP address, it sends an ARP
request. The device with the corresponding IP address replies and thus provides its MAC
address. All receiving devices update their ARP cache by adding the IP and MAC address
pair.
Gratuitous Address Resolution Protocol (GARP) packets are packets that announce the
MAC address of the sender even though this information has not been requested. This
technique allows receiving devices to update their ARP caches with the information.
Usually such GARP messages are sent after the MAC address of a device has changed
to avoid packets being sent to the old MAC address until the related entry has timed out
in the ARP caches of the other devices.
GARP, however, can also be used by an attacker to redirect packets in a man-in-the-middle
attack and therefore should be disabled.
Cisco IP Phones, by default, accept GARP messages and update their ARP cache whenever
they receive a GARP packet.
An attacker located in the VLAN of the IP phone can repeatedly send out GARP packets
announcing its MAC address to be the MAC address of the default gateway of the IP phone.
The IP phone accepts the information, updates its ARP cache, and forwards all packets
meant for the default gateway to the attacker. Software tools, such as Ettercap, allow the
attacker to copy or modify the information and then relay it to the real destination. The user
does not notice that someone is listening to the data stream so long as the attacker does not
significantly increase the delay and does not drop packets.
In Figure 9-33, only traffic from the IP phone toward the default gateway is sent to the
attacker; but if the attacker also impersonates the IP phone toward the router, the attacker
could control bidirectional traffic. In this case, the router would also have to listen to GARP
packets.
To prevent GARP-based attacks against an IP phone, you should disable the GARP feature
of the IP phone.
NOTE There are several ways to prevent GARP attacks. You can disable GARP on end
devices, or you can use features such as Dynamic ARP Inspection (DAI) and IP Source
Guard at switches.
Figure 9-33 GARP Man-in-the-Middle Attack
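As an added example (not code from the book or from Cisco), a small Python model of the Dynamic ARP Inspection check mentioned in the note above: it parses ARP frames, recognizes a gratuitous ARP, and drops any announcement whose sender IP/MAC pair disagrees with the binding table a switch learned, so the spoofed "I am 10.10.10.1" of Figure 9-33 never reaches the phone. The binding table, the MAC addresses and the sample frames are all constructed for this example.

```python
import struct

# Constructed IP-to-MAC binding table, standing in for the DHCP snooping database
# that Dynamic ARP Inspection consults. 10.10.10.1 is the default gateway of
# Figure 9-33; every MAC address here is made up for the example.
TRUSTED_BINDINGS = {
    "10.10.10.1": "00:00:0c:00:00:01",   # default gateway (constructed)
    "10.10.10.20": "00:1b:54:00:00:20",  # the IP phone (constructed)
}

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))

def build_arp(oper: int, smac: str, sip: str, tmac: str, tip: str) -> bytes:
    """Build a broadcast Ethernet frame carrying one IPv4-over-Ethernet ARP packet."""
    eth = b"\xff" * 6 + mac_bytes(smac) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)   # htype, ptype, hlen, plen, oper
    arp += mac_bytes(smac) + ip_bytes(sip) + mac_bytes(tmac) + ip_bytes(tip)
    return eth + arp

def parse_arp(frame: bytes):
    """Return the ARP fields of an untagged Ethernet frame, or None if it is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return None
    arp = frame[14:42]
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"oper": oper, "sender_mac": mac(arp[8:14]), "sender_ip": ip(arp[14:18]),
            "target_mac": mac(arp[18:24]), "target_ip": ip(arp[24:28])}

def is_gratuitous(arp: dict) -> bool:
    """A GARP announces the sender itself: sender IP equals target IP."""
    return arp["sender_ip"] == arp["target_ip"]

def inspect(frame: bytes, bindings=TRUSTED_BINDINGS) -> str:
    """Decide like DAI on an untrusted port: 'forward', 'drop' or 'not-arp'. Any ARP
    whose sender IP/MAC pair is not in the binding table is dropped (spoofed GARP included)."""
    arp = parse_arp(frame)
    if arp is None:
        return "not-arp"
    return "forward" if bindings.get(arp["sender_ip"]) == arp["sender_mac"] else "drop"
# Constructed frames: the gateway's own GARP, and an attacker's GARP claiming its IP.
LEGIT_GARP = build_arp(2, "00:00:0c:00:00:01", "10.10.10.1", "ff:ff:ff:ff:ff:ff", "10.10.10.1")
SPOOFED_GARP = build_arp(2, "00:0d:ea:d0:00:99", "10.10.10.1", "ff:ff:ff:ff:ff:ff", "10.10.10.1")
```

Disabling GARP on the phone (the setting this section recommends) protects only that phone; the switch-side check modelled here also protects the router and PCs in the same VLAN.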
PC Voice VLAN Access
By default, an IP phone sends all traffic that it receives from the switch out its PC port (as
shown in Figure 9-34). This enables the PC to see not only the traffic of the data VLAN
(untagged Ethernet traffic) but also the traffic of the voice VLAN sourced and destined
to the IP phone. When the PC receives voice VLAN traffic, the traffic can be captured,
and hence the conversation can be sniffed with tools such as Wireshark, available at
http://www.wireshark.org.
The PC can also send packets to the voice VLAN if they are tagged accordingly. This
capability breaks the separation of voice and data traffic, because the PC, which is supposed
to have access only to the data VLAN, can now send packets to the voice VLAN, bypassing
all access control rules (access control lists [ACLs] in routers or firewalls) that might be
enforced between the two VLANs.
Usually the PC does not need access to the voice VLAN, and therefore you should block
PC access to the voice VLAN.
NOTE Some applications, such as call recording or supervisory monitoring in call
center applications, require access to the voice VLAN. In such situations, you cannot
disable the PC Voice VLAN Access setting.
[Figure 9-33 labels: default gateway 10.10.10.1; (1) PC of the hacker sends "GARP: I am 10.10.10.1"; (2) IP phone with Gratuitous ARP enabled.]
Figure 9-34 PC Voice VLAN Access
Two different settings are available for blocking PC VLAN access:
■ PC Voice VLAN Access can be disabled.
When a phone is configured this way, it does not forward voice VLAN-tagged traffic
to the PC when it receives such frames from the switch. In addition, the phone does not
forward voice VLAN-tagged traffic to the switch if it receives such frames from the
PC. Although this setting is recommended for security, it makes troubleshooting more
difficult because you cannot analyze voice VLAN traffic from a PC connected to the
PC port of the IP phone. Whenever you need to capture voice VLAN traffic to analyze
network problems, you must sniff the traffic on the network devices.
This setting is supported on all current Cisco IP Phones with PC ports.
■ Span to PC Port can be disabled.
This setting has the same effect as the PC Voice VLAN setting, except it does not apply
only to voice VLAN-tagged traffic, but to traffic tagged with any VLAN ID. With Span
to PC Port disabled, the IP phone forwards only untagged frames.
This setting is not available on Cisco Unified IP Phones 7940 and 7960.
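To make the difference between the two settings concrete, an added Python model (not code from the book or from Cisco) that parses the 802.1Q tag of a frame, applies the two settings as the text above describes them, and audits a capture taken on the PC behind the phone for frames that should not be reaching it. The voice VLAN ID, the MAC addresses and the sample frames are constructed for this example.

```python
import struct

TPID_8021Q = 0x8100
VOICE_VLAN = 110   # constructed voice VLAN ID used by the examples

def build_frame(vid=None, payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed Ethernet frame, optionally 802.1Q-tagged with VLAN `vid`."""
    hdr = bytes.fromhex("000c29000001") + bytes.fromhex("001b54000020")  # dst, src (made up)
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)   # TPID + TCI with PCP/DEI = 0
    return hdr + struct.pack("!H", 0x0800) + payload

def vlan_id(frame: bytes):
    """Return the VLAN ID of an 802.1Q-tagged frame, or None when it is untagged."""
    if len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return None

def phone_forwards(frame: bytes, pc_voice_vlan_access: bool, span_to_pc_port: bool,
                   voice_vlan: int = VOICE_VLAN) -> bool:
    """Model of the two settings: does the phone pass this frame between its switch
    port and its PC port? The same rule applies in both directions."""
    vid = vlan_id(frame)
    if vid is None:
        return True                                    # untagged data traffic always passes
    if not span_to_pc_port:
        return False                                   # only untagged frames are forwarded
    return pc_voice_vlan_access or vid != voice_vlan   # voice VLAN blocked when disabled

def audit_pc_capture(frames, voice_vlan: int = VOICE_VLAN) -> dict:
    """Check frames captured on the PC behind the phone: a voice-VLAN tag means
    PC Voice VLAN Access is still enabled, and any tag at all means Span to PC
    Port is still enabled."""
    vids = {vlan_id(f) for f in frames} - {None}
    return {"tagged_vlans": sorted(vids),
            "voice_vlan_leaks": voice_vlan in vids,
            "span_to_pc_enabled": bool(vids)}

# Constructed capture: an untagged data frame, a voice-VLAN frame, and a frame from VLAN 20.
SAMPLE_CAPTURE = [build_frame(), build_frame(VOICE_VLAN), build_frame(20)]
```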