Threats Targeting Endpoints

As shown in Figure 23-1, there are many attack paths against an IP phone, including a connection through the network or through the integrated switch port to which a PC is attached. Corrupt images and altered configuration files can sabotage the IP telephony environment. Further attacks can be started from an infiltrated IP phone that is generally trusted and has access to the network. Physical access to the IP phone can be misused to violate the integrity of the IP phone and the privacy of the user. Information can also be gathered by browsing to the IP phone. In addition, IP phone conversations are vulnerable to various attacks when the network has been infiltrated, so the privacy of calls must be protected.

Figure 23-1. Attacks Against IP Phone Endpoints

Endpoints are a common target of attacks because they are usually less protected than strategic devices, such as servers or network infrastructure devices. If an attacker gets control of an endpoint, such as an IP phone, the attacker could use that device as a jumping-off point for further attacks. Because the endpoints are trusted devices and have certain permissions in the network, an attacker can use them to target devices that the attacker would not be able to reach directly. To get control of an IP phone, an attacker could try to modify the image and configuration file (for example, by spoofing the TFTP server or by replacing the file on the TFTP server itself or while in transit).

Another major threat is eavesdropping on conversations. If an attacker has physical access to the IP phone, the attacker can "tap the wire," either by connecting between the IP phone and the switch or by connecting to the PC port of the IP phone. If the attacker does not have physical access to the IP phone or its network connection, the attacker could launch a man-in-the-middle attack from any network between two communicating endpoints. In a man-in-the-middle attack, the attacker pretends to be a neighboring system (such as the default gateway when the communication is between two IP networks or a peer on the same IP network) and, hence, receives all packets. A common type of man-in-the-middle attack is to use gratuitous Address Resolution Protocol (ARP) for redirection of packets at the MAC address layer.
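A defender-side check for the gratuitous ARP redirection described above, as an added example that is not from the book: it parses Ethernet ARP frames and flags any IP address, such as the default gateway, that is claimed by a second MAC address. The function names, the `pinned` parameter and all addresses are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

ARP_ETHERTYPE = 0x0806

def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp(frame):
    """Return (sender_mac, sender_ip, target_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ARP_ETHERTYPE:
        return None
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return _mac(sha), str(IPv4Address(spa)), str(IPv4Address(tpa))

def detect_rebinding(frames, pinned=None):
    """Alert when an IP already bound to one MAC is claimed by a different MAC."""
    table, alerts = dict(pinned or {}), []
    for index, frame in enumerate(frames):
        parsed = parse_arp(frame)
        if parsed is None or parsed[1] == "0.0.0.0":  # non-ARP frame, or ARP probe
            continue
        smac, sip, tip = parsed
        known = table.setdefault(sip, smac)  # first sighting becomes the baseline
        if known != smac:
            alerts.append({"frame": index, "ip": sip, "expected": known,
                           "claimed_by": smac, "gratuitous": sip == tip})
    return alerts

def build_arp(op, sha, spa, tha, tpa):
    """Build a constructed sample frame (test input only, never sent)."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return (raw("ff:ff:ff:ff:ff:ff") + raw(sha) + struct.pack("!H", ARP_ETHERTYPE)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + raw(sha) + IPv4Address(spa).packed + raw(tha) + IPv4Address(tpa).packed)

# Constructed sample traffic using documentation addresses (RFC 5737 / RFC 7042).
GATEWAY, PHONE, UNKNOWN = "00:00:5e:00:53:01", "00:00:5e:00:53:20", "00:00:5e:00:53:66"
SAMPLE_FRAMES = [
    build_arp(1, PHONE, "192.0.2.20", "00:00:00:00:00:00", "192.0.2.1"),   # phone asks for gateway
    build_arp(2, GATEWAY, "192.0.2.1", PHONE, "192.0.2.20"),               # genuine reply
    build_arp(2, UNKNOWN, "192.0.2.1", "ff:ff:ff:ff:ff:ff", "192.0.2.1"),  # gratuitous claim on gateway IP
    b"\x00" * 60,                                                          # non-ARP frame, ignored
]

if __name__ == "__main__":
    for alert in detect_rebinding(SAMPLE_FRAMES):
        print(alert)
```

A first-seen baseline trusts whichever binding arrives first, so passing the known gateway binding in `pinned` is what catches a forged claim that arrives before the genuine one.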

A lot about the IP phone and the telephony infrastructure can be learned just by looking into the network settings or browsing to the built-in HTTP server of the IP phone. This information includes the Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), default router, TFTP, and Cisco CallManager addresses. With this information, a hacker can direct an attack at the TFTP or Cisco CallManager server, because these servers are Windows hosts, which are generally more vulnerable than network components.

Overall, attacks on the endpoints can be broken down into four major categories:

  • Eavesdropping on VoIP conversations
  • Modifying the IP phone image
  • Attacking system and CallManager services
  • Hacking network devices and services

The simplest way to eavesdrop on the conversations of a user is to tap the wire between the IP phone and the PC attached to it. A variety of tools exist to accomplish this feat:

  • Ettercap: A suite for man-in-the-middle attacks that allows sniffing and on-the-fly manipulation of data
  • Voice Over Misconfigured Internet Telephones (VOMIT): A tool that can create .wav files from captured G.711 conversations
  • Ethereal: A sniffer and network protocol analyzer that allows both capturing conversations and converting them to playable files

An attacker could also try to get control of an IP phone by modifying the IP phone image or configuration file. This attack is carried out either at the TFTP server by manipulating the files themselves or by replacing the content while it is in transit. For the first method, the attacker needs access to the directory of the TFTP server; for the second, the attacker has to launch a successful man-in-the-middle attack.

The hacker might want to direct the attack at the most critical telephony components: the servers. An easy way to gather information about the IP addresses of critical components (such as the Cisco CallManager addresses, default gateway address, TFTP server address, DNS server address, and voice VLAN ID) is to retrieve them from the IP phone. This retrieval can be done locally at an IP phone by using the Settings button or by connecting to the IP address of the IP phone with a web browser. From the retrieved information, the hacker can build a topology map, associate it with services, and use the topology map to attack relevant devices.

If the attacker manages to get access to network devices, such as routers and switches, the attacker could redirect traffic to any destination using various kinds of tunnels. These include Generic Routing Encapsulation (GRE), IPsec, Layer 2 Tunneling Protocol (L2TP), or Switched Port Analyzer (SPAN).

Authorized Self-Study Guide Cisco IP Telephony (CIPT)
Cisco IP Telephony (CIPT) (Authorized Self-Study) (2nd Edition)
ISBN: 158705261X
Year: 2004
Pages: 329