
Flanagan Consulting

Archive    15 July 2008     #69

VoIP Security Scare: vLAN Hopper Tools          
By William Flanagan, President

We have more to fear than fear itself, at least where VoIP is concerned. We'll look at one example that questions the ability of a virtual Local Area Network (vLAN) to protect voice traffic.
Many network and IT managers have deployed trials of Voice over Internet Protocol (VoIP) as a test of the performance and functionality of the technology. The goal is to see how it works and if users will like the change or not. Security issues may not be considered in great depth during a trial.

Typically, the VoIP network is isolated from the Internet in various ways:
--the enterprise firewall may be updated to be aware of voice signaling, but that step probably isn't necessary (hence not done) if the off-premises calls are placed through a gateway to analog or digital phone lines.
--if available, each IP phone might get a dedicated Cat5/6 cable and Layer 2 switch port, but this approach isn't economical in large deployments where it's more common for a desktop or user to have one Ethernet cable for both IP phone and computer. This design places both voice and data vLANs on the same physical Ethernet switch port and cable.
--for bandwidth management, or to assign priority to voice packets, many network designs assign voice to a dedicated vLAN, which many people take as a good form of security to prevent attack on the voice servers from the "data side" of the LAN where PCs live.

A vLAN does indeed simplify bandwidth management, but its value as a security measure looks weaker now. Specifically, a PC with an IP address on a "data" segment of a vLAN can pretend to be an IP phone and get itself admitted to the voice vLAN. In that position the PC can impersonate a legitimate user, eavesdrop, or hack the voice servers and IP phones.

The process involves spoofing the discovery protocol to find the Voice vLAN ID (VVID) used by the IP Phones, then signaling for an IP address like a newly installed phone. Once admitted to the voice vLAN, the PC can reach the VoIP servers as well as all IP Phones on the vLAN. Poisoning the ARP cache lets the PC take over a phone number and overcome the restrictions of a switched LAN. By watching the signaling traffic, the PC can pick out calls between specific users (CEO-VP finance; engineering-procurement; etc.) and listen in or record them.
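
From the defender's side, the two steps above leave traces a switch audit can pick up: a PC's MAC address learned in the voice vLAN, and one IP address answered for by two MACs. The following is an added example, not part of the original ViewsLetter; the vLAN IDs, the phone OUI, and all table rows are constructed assumptions.

```python
# Added example: audit a switch MAC table and ARP observations for signs of
# a PC on the voice vLAN. All values below are constructed sample data.
from collections import defaultdict

DATA_VLAN, VOICE_VLAN = 10, 200      # assumed vLAN IDs
PHONE_OUIS = {"02:aa:bb"}            # assumed OUI of the approved phone model

# (vlan, mac, port) rows as exported from a switch MAC address table
MAC_TABLE = [
    (VOICE_VLAN, "02:aa:bb:00:00:01", "Gi1/0/5"),  # phone
    (DATA_VLAN,  "66:77:88:bb:00:09", "Gi1/0/5"),  # PC behind the phone
    (VOICE_VLAN, "02:aa:bb:00:00:02", "Gi1/0/6"),  # phone
    (DATA_VLAN,  "66:77:88:bb:00:0a", "Gi1/0/6"),  # PC behind the phone
    (VOICE_VLAN, "66:77:88:bb:00:0a", "Gi1/0/6"),  # same PC MAC, tagged voice
]

# (ip, mac) pairs seen in ARP replies on the voice vLAN, in time order
ARP_SEEN = [
    ("10.20.0.1",  "02:aa:bb:00:00:fe"),  # call server
    ("10.20.0.11", "02:aa:bb:00:00:01"),
    ("10.20.0.1",  "66:77:88:bb:00:0a"),  # call server IP claimed by a new MAC
]

def voice_vlan_intruders(table):
    """Voice-vLAN MACs that are not approved phones or also sit in data."""
    data_macs = {mac for vlan, mac, _ in table if vlan == DATA_VLAN}
    findings = []
    for vlan, mac, port in table:
        if vlan != VOICE_VLAN:
            continue
        reasons = []
        if mac[:8].lower() not in PHONE_OUIS:
            reasons.append("non-phone OUI")
        if mac in data_macs:
            reasons.append("also in data vLAN")
        if reasons:
            findings.append((mac, port, reasons))
    return findings

def arp_conflicts(observations):
    """IPs answered for by more than one MAC (a sign of ARP cache poisoning)."""
    owners = defaultdict(list)
    for ip, mac in observations:
        if mac not in owners[ip]:
            owners[ip].append(mac)
    return {ip: macs for ip, macs in owners.items() if len(macs) > 1}

if __name__ == "__main__":
    print(voice_vlan_intruders(MAC_TABLE))
    print(arp_conflicts(ARP_SEEN))
```

The OUI check is the weakest of the three signals, since a PC can set its own MAC address; the duplicate-MAC and ARP-conflict checks do not depend on it.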

There are several software tools freely available for download that let a PC behave like an IP phone. If you are responsible for a network that carries VoIP, you might want to try "vLAN hopping" yourself. It's good to be the first on your block to try something new.

You'll find additional information about the VoIP Hopper attack in the archived version of the VoIP Attacks are Real webinar here. This webinar by Sipera VIPER Lab presents a VoIP threat taxonomy and discusses recent vulnerability research around VoIP hopper and VoIP-to-data exploits. This webinar is the first in a three-part Defining UC Security series that continues with:
  • July 22, 11 a.m. ET: Are You Secure?
    Best practices for VoIP and UC security; what’s needed in addition to existing data security
  • Aug 13, 11 a.m. ET: UC Security Requirements
    Requirements for real-time UC security appliances to prevent attacks
You can register for these webinars on-line.

Flanagan Consulting Experts Support Litigation Professionals
Several associates are experienced in analysis of patents, trademarks,
contracts, and other intellectual property related to IT and communications.
We have assisted attorneys preparing claims, depositions, and testimony.
How can we help you? Queries to +1.703.242.8381.

New Books
FC Associate Ray Horak recently authored two books on networking.
William Flanagan was the technical editor for both. They offer extensive
coverage, and are as accurate as two old pros can make them.

The new titles are:
Telecommunications and Data Communications Handbook, 791 pages.
Webster's New World Telecom Dictionary, 568 pages.

Wiley is the publisher. Available in bookstores and on the web from multiple
merchants--do a web search for "Ray Horak" or start with Ray's profile page at

How Can Flanagan Consulting Help You?
      We understand not only the technology of networks, but also
  the surrounding business processes:  procurement, bid
  preparation/analysis, statements of work, financial analysis,
  consensus building around a solution, and more.
  Find out now:  call +1.703.242.8381

Special thanks for supporting ViewsLetter to www.webtorials.com,
your best source for communications tutorials and white papers.

"Flanagan Consulting" and "ViewsLetter" are Service Marks of W. A. Flanagan, Inc.

Flanagan Consulting
W. A. Flanagan, Inc.
45472 Holiday Drive, #3
Sterling, VA 20166
Ph:  +1.703.242.8381
Fx:  +1.703.242.8391
In Converged Networking,
We have the Experience