2549 Views, 13 Helpful, 7 Replies

Switchport security best practices for Cisco IP Phones

caspiguru
Level 1

Hi.

I am having some trouble figuring out what the most secure method is to secure a Cisco IP Phone.

I can't find information on how to properly secure the link between a switchport and a Cisco IP Phone with a computer daisy-chained to it.


The thing that I am specifically afraid of is how to secure against double VLAN tagging and CDP attacks on that port.

I have searched every possible resource for the answer and haven't found anything useful.

I also have a question about port security on a switch: can you set a minimum number of active MAC addresses and then limit the aging period on MAC addresses on a specific switchport, such that if someone disconnects the phone and sets up a Cisco switch or another rogue device, the port becomes shut down within the aging period?

 

Let me know, what you would suggest to best secure the line between the Cisco IP phone and the switch.
 

Best regards

Casper.


7 Replies

Collin Clark
VIP Alumni

Check this link, it should answer your questions.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/port_sec.html#wp1094921

Charles Hill
VIP Alumni

In addition to what Collin provided, here is a link on how to secure the IP phone within Call Manager.

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/7_0_1/secugd/sec701-cm/secu_ph.html#wp1028752

To prevent switch spoofing, you can configure the access ports as:
switchport mode access
switchport nonegotiate

To prevent double VLAN tagging, you should do the following:
Remove access ports from the default VLAN 1.
switchport access vlan 100

Assign the native VLAN on switch trunks to an unused VLAN.
switchport trunk native vlan 999 (example; a VLAN that carries no user traffic)

As far as CDP attacks, you could disable CDP on ports that do not need it.

Another best practice is to enable BPDU guard on your access ports.
Here is a link that discusses BPDU guard.
https://supportforums.cisco.com/document/45136/importance-bpdu-guard-and-bpdu-filter

To restrict the number of MAC addresses on a switchport, enter:
int g0/1
switchport port-security
switchport port-security maximum 3

Here is a link that discusses how to apply port security:
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_portsec.html#wp1144760

 

Hope this helps.
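Putting the individual commands from the reply above into one place, here is an added example of a Catalyst IOS configuration for a phone port with a daisy-chained PC, a PC-only port, and the trunk behind them. It is not configuration from the original thread. The VLAN numbers (100 data, 200 voice, 999 unused native) and the interface names are assumptions. Two caveats a practitioner should know: a Cisco phone learns its voice VLAN from CDP (or LLDP-MED), so CDP stays on the phone port and is disabled only on ports where no phone is expected; and port security only counts MAC addresses, so it does not stop a PC that clones the phone's MAC address, which is the gap the later 802.1x replies address.

```cisco
! Added example (not from the thread). Assumed: VLAN 100 = data, 200 = voice,
! 999 = unused native VLAN for trunks, Gi0/1 = phone+PC port,
! Gi0/2 = PC-only port, Gi0/24 = uplink trunk.
vlan 100
 name DATA
vlan 200
 name VOICE
vlan 999
 name NATIVE-UNUSED
!
! Tag the native VLAN on every trunk, so an untagged frame that carries a
! second 802.1Q header is never stripped of its outer tag and forwarded
! with the inner (attacker-chosen) tag.
vlan dot1q tag native
!
! Optional: let err-disabled ports recover after 5 minutes instead of
! requiring a manual "shutdown / no shutdown". Remove if you prefer manual.
errdisable recovery cause psecure-violation
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
interface GigabitEthernet0/1
 description IP phone with daisy-chained PC
 switchport mode access
! never negotiate a trunk via DTP, even though the link carries two VLANs
 switchport nonegotiate
 switchport access vlan 100
 switchport voice vlan 200
! port security: 1 MAC in the voice VLAN (the phone), up to 2 in the data
! VLAN (the PC, plus the phone itself for CDP / untagged traffic)
 switchport port-security
 switchport port-security maximum 3
 switchport port-security maximum 1 vlan voice
 switchport port-security maximum 2 vlan access
! "sticky" writes the first learned MACs into the running config, so a
! replaced device with a different MAC is a violation, not a new entry.
! Port security has no "minimum" count; this is the closest equivalent.
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
! a BPDU on an access port means a switch was plugged in: err-disable it
 spanning-tree portfast
 spanning-tree bpduguard enable
 no shutdown
!
interface GigabitEthernet0/2
 description PC only, no phone expected
 switchport mode access
 switchport nonegotiate
 switchport access vlan 100
! no voice VLAN here, so CDP has nothing to do and is switched off
 no cdp enable
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/24
 description uplink to distribution switch
! encapsulation line is not needed on dot1q-only platforms such as the 2960
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
! native VLAN carries no user traffic, and only the VLANs that belong on
! this trunk are allowed across it
 switchport trunk native vlan 999
 switchport trunk allowed vlan 100,200
!
! Verification after the change:
!   show port-security interface GigabitEthernet0/1
!   show port-security address
!   show interfaces status err-disabled
!   show spanning-tree interface GigabitEthernet0/1 portfast
```

Once the phone and PC have been learned, save the configuration so the sticky addresses survive a reload; to re-provision a port for a different phone, use `clear port-security sticky interface GigabitEthernet0/1` and let it learn again.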

caspiguru
Level 1

Hi Cehill and Collin Clark.

I have reviewed the links you provided, but I knew those security practices already.
These countermeasures would work if it were not a Cisco IP Phone that was connected to the switch.

In case of the Cisco IP Phone I believe that an attacker could launch these kinds of attacks:

  • The PC that is daisy-chained to the IP phone could capture the MAC address by the attacker reading it physically on the IP phone and then setting the PC network port to that MAC address. The attacker could then configure its own verified MAC address on a loopback interface, thus the PC would be able to access both its Data VLAN and the former IP Phone's Voice VLAN.
    And since the link between the switch and the IP phone acts like a trunk link, VLAN hopping can occur.

  • Another attack vector would be a Cisco switch configured for CDP and configured with the same MAC address as either the IP phone or the PC. The attacker could then gain critical information about the state of the corporate switch. In order for this to work the switch would need to have STP disabled so no BPDU would get broadcast.

  • The final attack I can think of is that the PC launches a double VLAN tagging assault by tagging its packet as the Voice VLAN and then encapsulating the desired attack VLAN inside that Voice VLAN tag.

Correct me if I am wrong about any of this.

 

Best regards.
 

I believe the solutions below will address your concerns.

    The PC that is daisy-chained to the IP phone could capture the MAC address by the attacker reading it physically on the IP phone and then setting the PC network port to that MAC address. The attacker could then configure its own verified MAC address on a loopback interface, thus the PC would be able to access both its Data VLAN and the former IP Phone's Voice VLAN.
    And since the link between the switch and the IP phone acts like a trunk link, VLAN hopping can occur.

To prevent the end user from reading the MAC address on the bottom of the phone, you could physically remove the MAC label. To prevent the end user from seeing the MAC via the phone display, you would disable the Settings Access setting in the phone configuration in Call Manager, which would prohibit access to the Settings button on the phone.

    Another attack vector would be a Cisco switch configured for CDP and configured with the same MAC address as either the IP phone or the PC. The attacker could then gain critical information about the state of the corporate switch. In order for this to work the switch would need to have STP disabled so no BPDU would get broadcast.

In this scenario, you could leave STP enabled but enable BPDU guard on the port; then if it receives any BPDUs, it would place the port in err-disabled state.

    The final attack I can think of is that the PC launches a double VLAN tagging assault by tagging its packet as the Voice VLAN and then encapsulating the desired attack VLAN inside that Voice VLAN tag.

To prevent double VLAN tagging by the PC, you would disable the PC voice VLAN for the phones within Call Manager.

Hope this helps.

 

If you see all these as the attack-vector for your environment, there is only 802.1x that can help you.

Our facility has implemented ISE along with 802.1x to secure our network. It's costly and time consuming to configure correctly. We worked with Cisco and Mobile Iron for over a month to get it working correctly, and that was after the vendor installed it and walked away.

 

Scott Olsen
Level 6

I would propose that the *most* secure way to lock down the port would be to implement a full-blown 802.1x EAPOL protocol.

I'm not a VoIP guy, but this would likely contain all the information you'd need?

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.pdf

HTH.

Cheers!

Scott Olsen, Solutions Specialist, Bulletproof Solutions Inc. Web: www.bulletproofsi.com
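As an added example of what the two replies recommending 802.1x look like on the switch side (not taken from the thread or from the linked design guide), here is the classic IOS authentication-manager configuration for multi-domain authentication: the phone authenticates into the voice domain and the PC into the data domain, each as its own session. The RADIUS server address, shared secret, VLAN numbers and interface are assumptions. The order `dot1x` then `mab` matters: a phone doing EAP-TLS with its manufacturer-installed or locally significant certificate proves its identity, whereas MAC Authentication Bypass (MAB) is only a MAC lookup, so the MAC-cloning scenario from earlier in the thread is only addressed when the phone is authenticated with 802.1x rather than MAB. The voice domain is granted when the RADIUS server returns the Cisco AV pair `device-traffic-class=voice` for the phone.

```cisco
! Added example (not from the thread). Assumed: RADIUS/ISE at 10.0.0.10,
! shared secret ExampleSharedSecret, VLAN 100 = data, 200 = voice,
! GigabitEthernet0/1 = phone + PC port.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius server ISE-1
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key ExampleSharedSecret
! (older IOS releases use the flat form instead:
!  radius-server host 10.0.0.10 auth-port 1812 acct-port 1813 key ...)
!
! enable 802.1X globally; IP device tracking is what downloadable ACLs
! returned by the RADIUS server are applied against
dot1x system-auth-control
ip device tracking
!
interface GigabitEthernet0/1
 description IP phone with daisy-chained PC, 802.1X multi-domain
 switchport mode access
 switchport nonegotiate
 switchport access vlan 100
 switchport voice vlan 200
! one authenticated device in the data domain and one in the voice domain;
! the voice domain is granted when RADIUS returns device-traffic-class=voice
 authentication host-mode multi-domain
! try EAP first and fall back to MAB only for devices that never answer;
! dot1x keeps priority if both methods produce a result
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication port-control auto
! a second MAC in a domain that already has one is dropped and logged
 authentication violation restrict
! re-authenticate on the interval the RADIUS server returns (Session-Timeout)
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Verification:
!   show authentication sessions interface GigabitEthernet0/1
!   show dot1x interface GigabitEthernet0/1 details
!   show mab interface GigabitEthernet0/1 detail
```

For the first rollout, add `authentication open` to the interface so that a failed or missing RADIUS response still forwards traffic while the sessions are visible in `show authentication sessions`; remove it once every phone and PC authenticates cleanly, otherwise the port enforces nothing.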