Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
533
Views
10
Helpful
3
Replies

Voice over IP voice messages can be seen and overheard by wireshark

Alex Pfeil
Level 7
Level 7

‎05-28-2008 06:18 AM - edited ‎03-09-2019 08:47 PM

a user put wireshark onto a voice port and was able to record other users voice mails. We are thinking about using port security to stop this but I think that spoofing the mac address of the phone would be to easy. I am not sure where a broadcast or multicast would take place for a user leaving a message. Is Call Manager involved, Unity or Exchange. Is there a way to make sure that all of the voice transmissions are unicast packets. Any help would be greatly appreciated because we would like to take the necessary precautions to avoid this at all cost.

Thanks,

Labels:
0 Helpful
3 Replies 3

Farrukh Haroon
VIP Alumni
VIP Alumni

‎05-29-2008 02:09 AM

There is an option to disable the PC's access to the voice VLAN, have you disabled that?

I think it is under CM >> Device >> Phone (At the end of the page)

Regards

Farrukh

0 Helpful

Alex Pfeil
Level 7
Level 7
In response to Farrukh Haroon

‎05-29-2008 03:51 AM

this was not the issue. The user actually unplugged the phone all together.

0 Helpful

Farrukh Haroon
VIP Alumni
VIP Alumni
In response to Alex Pfeil

‎05-29-2008 08:43 AM

Ahh sorry for not reading your initial post clearly.

The user most probably used some manipulation of his NIC card to get into the Voice Vlan in the first place, a penetration testing tool commonly used for this is Voip Hopper:

http://voiphopper.sourceforge.net/

Detailed description of the attacks can be found on:

http://www.securityfocus.com/infocus/1892

And on this presentation, that I would highly recommend you should have a look at:

http://www.secureitconf.com/documents/VigilarVoIPHopperSecureITv1-1oSTROMANDkINDERVAG.pdf

The Cisco Solution (should be combined with other security best practices like port-security, etc.)

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_37_se/configuration/guide/swvoip.html#wp1050112

The specific command is:

switchport voice detect cisco-phone

I hope this helps you to take a step in the right direction to secure your VOIP network.

If you enforce this, the user cannot access the voice vlan in the first place, left alone listen to multicast/broadcast voice mails (which I doubt happened in the first place anyway). He most probably used one of the above techniques to capture the 'unicast' VOIP traffic.

Regards

Farrukh

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents