Hacking Exposed Unified Communications VoIP Security Secrets Solutions, Second Edition by Mark Collier David Endler


Author: Mark Collier, David Endler
Language: eng
Format: epub
Published: 2018-11-12T16:00:00+00:00


Manipulating or flooding ARP entries on your network can cause a serious denial of service on the local segment you’re testing, rendering the network unusable for a short time, or it might require a reboot of some of the affected network equipment.

Circumventing VLANs

Virtual LANs (VLANs) are used to segment network domains logically on the same physical switch. Ethernet frames tagged with a specific VLAN can only be viewed by members of that VLAN. VLAN membership is typically assigned in one of three ways:

• By switch port: The switch port itself can be set to be a member of a VLAN. This is by far the most popular choice in deployments today.

• By MAC address: The switch maintains a list of the MAC addresses that are members of each VLAN.

• By protocol: The Layer 3 data within the Ethernet frame is used to assign membership based on a mapping maintained by the switch.

Enterprise-grade switches support the ability to create several VLANs on the same switch or switch port for that matter, which is a helpful component for protecting your core UC assets.

The predominant VLAN tagging protocol in use today is the IEEE standard 802.1Q (http://standards.ieee.org/getieee802/download/802.1Q-2011.pdf). 802.1Q defines the way in which Ethernet frames are tagged with VLAN membership information. Before 802.1Q was introduced, Cisco’s ISL (Inter-Switch Link) and 3Com’s VLT (Virtual LAN Trunk) were prevalent. In some older Cisco networks, you can still find implementations of ISL VLANs today.

Most vendors recommend separating the voice and traditional data applications into different VLANs, making it more difficult for an attacker to gain access to your UC network from a compromised user desktop or network server. Although VLANs will not prevent attacks, they will add another layer of security in a traditional defense-in-depth security model. Segmentation sounds like a great idea in theory, but may not always be possible because of the converged nature of UC applications. Segmentation is difficult to implement in an environment with softphones on users’ PCs and laptops.

When VLANs are set up by port, a potential VLAN circumvention technique involves an attacker simply disconnecting the UC phone and using a PC to generate traffic. A MAC-based VLAN could be similarly circumvented by a rogue PC spoofing its MAC and including the proper VLAN tags. Obviously, with the proper spoofing tools and physical access to a switch port, an attacker could bypass a VLAN in some instances. This is one of the reasons that VLANs should be one of several defense-in-depth protection techniques.

UC networks with Layer 2 and 3 switches are also susceptible to malicious bypass attacks. When a VLAN is configured using a Layer 3 switch, it can be circumvented in some cases if there hasn’t been any filtering or access control lists defined on the Layer 2 switch.

A Linux-based tool that makes circumventing VLANs very easy is VoIP Hopper (http://voiphopper.sourceforge.net/index.xhtml). VoIP Hopper, developed by Jason Ostrom, mimics the behavior of a UC phone by discovering the VLAN ID and creating a virtual interface on the attacking system, thereby giving the user access to the UC VLAN.
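As an added illustration of the defensive side of the port-based and MAC-based circumvention described above (this is not code from the book), the following Python monitor parses the 802.1Q tag of a frame and raises an alert when a frame tagged with the voice VLAN ID arrives on an access port whose policy does not permit that VLAN. The port names, VLAN IDs and sample frames are constructed for the example.

```python
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q-tagged frame

@dataclass
class TaggedFrame:
    dst: str
    src: str
    priority: int   # PCP, 3 bits (voice traffic is commonly marked 5)
    vlan_id: int    # VID, 12 bits
    ethertype: int  # EtherType of the encapsulated payload

def parse_8021q(frame: bytes):
    """Return a TaggedFrame for an 802.1Q frame, or None if untagged/too short."""
    if len(frame) < 18:
        return None
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    if tpid != TPID_8021Q:
        return None
    return TaggedFrame(frame[0:6].hex(":"), frame[6:12].hex(":"),
                       tci >> 13, tci & 0x0FFF, ethertype)

# Constructed port policy (assumed names): VLAN IDs each access port may carry.
PORT_ALLOWED_VLANS = {
    "Gi1/0/5": {10},        # plain desktop port: data VLAN 10 only
    "Gi1/0/6": {10, 100},   # phone port with a PC behind it: data 10 + voice 100
}

def check_frame(port: str, frame: bytes) -> str:
    """Classify a frame seen on a port against that port's VLAN policy."""
    tagged = parse_8021q(frame)
    if tagged is None:
        return "untagged"
    if tagged.vlan_id in PORT_ALLOWED_VLANS.get(port, set()):
        return "ok"
    return (f"ALERT: VLAN {tagged.vlan_id} tag from {tagged.src} on {port} "
            f"is not permitted by port policy")

def build_frame(dst: str, src: str, vlan_id=None, priority=0,
                ethertype=0x0800, payload=b"\x00" * 46) -> bytes:
    """Build a constructed sample frame; tagged only when vlan_id is given."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan_id is not None:
        hdr += struct.pack("!HH", TPID_8021Q, (priority << 13) | (vlan_id & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload

if __name__ == "__main__":
    sample = build_frame("00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", vlan_id=100, priority=5)
    print(check_frame("Gi1/0/5", sample))  # voice-tagged frame on a data-only port
```

In practice the same check belongs on the switch itself (per-port allowed VLAN lists, 802.1X or MAC-based port security), with this kind of monitor serving as an independent detection layer on a SPAN port.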
