Voice over IP voice messages can be seen and overheard by wireshark

Unanswered Question
May 28th, 2008

a user put wireshark onto a voice port and was able to record other users voice mails. We are thinking about using port security to stop this but I think that spoofing the mac address of the phone would be to easy. I am not sure where a broadcast or multicast would take place for a user leaving a message. Is Call Manager involved, Unity or Exchange. Is there a way to make sure that all of the voice transmissions are unicast packets. Any help would be greatly appreciated because we would like to take the necessary precautions to avoid this at all cost.

Thanks,

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Loading.
Farrukh Haroon Thu, 05/29/2008 - 02:09

There is an option to disable the PC's access to the voice VLAN, have you disabled that?

I think it is under CM >> Device >> Phone (At the end of the page)

Regards

Farrukh

Alex Pfeil Thu, 05/29/2008 - 03:51

this was not the issue. The user actually unplugged the phone all together.

Farrukh Haroon Thu, 05/29/2008 - 08:43

Ahh sorry for not reading your initial post clearly.

The user most probably used some manipulation of his NIC card to get into the Voice Vlan in the first place, a penetration testing tool commonly used for this is Voip Hopper:

http://voiphopper.sourceforge.net/

Detailed description of the attacks can be found on:

http://www.securityfocus.com/infocus/1892

And on this presentation, that I would highly recommend you should have a look at:

http://www.secureitconf.com/documents/VigilarVoIPHopperSecureITv1-1oSTROMANDkINDERVAG.pdf

The Cisco Solution (should be combined with other security best practices like port-security, etc.)

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_37_se/configuration/guide/swvoip.html#wp1050112

The specific command is:

switchport voice detect cisco-phone

I hope this helps you to take a step in the right direction to secure your VOIP network.

If you enforce this, the user cannot access the voice vlan in the first place, left alone listen to multicast/broadcast voice mails (which I doubt happened in the first place anyway). He most probably used one of the above techniques to capture the 'unicast' VOIP traffic.

Regards

Farrukh

Actions

This Discussion