As a security professional, primarily involved in UC implementations, I've been requiring VLANs for all VoIP/UC implementations. This was based on a security best practice that has been viewed as creating separation between the voice and data networks. While this is favored for various reasons, which we'll discuss later, does this really create separation?
There are numerous articles on the security implications and potential attacks on VoIP/UC VLANs, which is somewhat pertinent here. However, we aren't going to go into great detail on this. Jason Ostrom and John Kindervag have a great write-up on VLAN hopping and the VoIP Hopper tool here: VoIP Hopping: A Method of Testing VoIP Security or Voice VLANs. Overall, the concept is simple: the attacker sniffs for CDP (Cisco Discovery Protocol) packets to obtain the VLAN ID. The next step in this attack is to set your PC to that VLAN ID and gain access to the Voice VLAN. Speed bump.
As we all know, for the most part, at this point all bets are off. Most people are not deploying VoIP/UC with encryption or, if they do, it's the first thing disabled during call quality troubleshooting.
Ultimately it's never re-enabled.
In an attempt to mitigate this risk, many people have begun using port security, which relies on MAC address filtering to protect the VLAN. As we all know, this is pretty much a joke. In all honesty, anyone, even those with little technical ability, can find information on how to change their MAC address. Additionally, 802.1X has been proposed as another mitigation, which can still be worked around.
Furthermore, in most current deployments, soft phones are becoming more and more common. This convolutes the issue even more! Soft phones are installed on the local PCs, and the required SIP and UDP ports must be accessible from the data network. This makes life much easier for an attacker since, as we mentioned earlier, encryption is seldom enabled. Thus, this traffic is very easy to intercept.
As we can see, with these few risks on the Voice VLAN, I come back to my original question: does this really create separation? Also, I come to another question: is this really a security requirement?
So, as we can see from the information mentioned earlier, no, in fact, VLANs don't really create separation. This is especially true as soft clients are deployed. As we can see, the core voice servers are separate, to a degree. However, there is a definite convergence of data and voice due to the soft clients.
In reference to the second question, is this really a security requirement? I don't think so. Initially, from what I've read and can gather, it was being pushed by the vendors to provide QoS. That is fantastic! With voice, call quality is essential, as we all know. Additionally, I think that this was, to some extent, a security requirement due to the lack of buy-in for encryption requirements, or the lack of availability of encryption from vendors, years ago. Thus, it has been perpetuated as a security requirement and feature for quite some time.
So, this is all fine and dandy! VLANs are NOT a security requirement? They're great for performance and QoS? However, what do we do now? If we're not to require the use of VLANs for VoIP/UC, what protections do we put in place to maintain or surpass the status quo of risk mitigation?
I think the short answer to this is requiring the use of encryption on both signaling and media sessions. As we have seen, the primary concerns and issues within VoIP/UC are interception and manipulation of the voice/video stream over the wire. Also, authentication of the endpoints must be applied, and we must ensure that the requirements on this authentication are in compliance with today's standard security best practices.
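As an added example (not the author's code or any product's), the following Python check audits SIP INVITEs for the two plaintext conditions this post argues against: signaling not carried over TLS (read from the Via header) and media offered with a non-SRTP profile (RTP/AVP instead of RTP/SAVP in the SDP). The two INVITE messages, hosts and Call-IDs are constructed for the example; pointing the same parser at a capture from a call-quality troubleshooting session is one way to notice that encryption was never re-enabled.

```python
import re

# Constructed sample messages (not captured traffic): one INVITE over TLS
# offering SRTP, one over UDP offering plain RTP/AVP audio and video.
SECURE_INVITE = (
    "INVITE sip:2001@pbx.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 10.0.5.21:5061;branch=z9hG4bK-1\r\n"
    "Call-ID: call-secure-1@10.0.5.21\r\n\r\n"
    "v=0\r\nm=audio 16384 RTP/SAVP 0 8\r\n"
)
PLAIN_INVITE = (
    "INVITE sip:2002@pbx.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.5.22:5060;branch=z9hG4bK-2\r\n"
    "Call-ID: call-plain-2@10.0.5.22\r\n\r\n"
    "v=0\r\nm=audio 16386 RTP/AVP 0 8\r\nm=video 16388 RTP/AVP 96\r\n"
)

def parse_sip(msg):
    """Split a SIP message into a lowercase header dict and its SDP body."""
    head, _, body = msg.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request/status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def audit_sip_message(msg):
    """Return {call_id, transport, issues}; issues lists every plaintext leg."""
    headers, body = parse_sip(msg)
    m = re.match(r"SIP/2\.0/(\w+)", headers.get("via", ""))
    transport = m.group(1).upper() if m else "UNKNOWN"
    issues = []
    if transport != "TLS":
        issues.append(f"signaling over {transport}, not TLS")
    # RTP/SAVP, RTP/SAVPF and UDP/TLS/RTP/SAVP(F) all denote SRTP; any
    # other profile (RTP/AVP, RTP/AVPF) carries the media in the clear.
    for proto in re.findall(r"^m=(?:audio|video) \d+ (\S+)", body, re.M):
        if "SAVP" not in proto:
            issues.append(f"media offered as {proto}, not SRTP")
    return {"call_id": headers.get("call-id", "<missing>"),
            "transport": transport, "issues": issues}

def insecure_calls(messages):
    """Findings for every message with at least one plaintext leg."""
    return [f for f in map(audit_sip_message, messages) if f["issues"]]

if __name__ == "__main__":
    for f in insecure_calls([SECURE_INVITE, PLAIN_INVITE]):
        print(f["call_id"], "->", "; ".join(f["issues"]))
```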