Friday

MAC Tools | Minor Authentication Methods



A basic security rule is that endpoints cannot be trusted until the identity of the endpoint is confirmed, or authenticated. In the case of VoIP, a method for authentication of IP phones is the hardware or MAC address. The MAC (Media Access Control) address is a six-byte address that usually is represented as hex numbers in the form AA-BB-CC-DD-EE-FF or AA:BB:CC:DD:EE:FF. The first three bytes represent the vendor ID and the remaining three bytes form a unique address for any network-connected device. There are potentially 2^48 or 281,474,976,710,656 possible MAC addresses. The Web site http://coffer.com/mac_find/ is useful for doing MAC/Vendor lookups.

MAC Authentication

If an IP phone with an unknown MAC address attempts to download a configuration from a registration server, then that device should not receive a configuration, assuming automatic registration has been disabled. This setup prevents someone from placing a rogue phone or sniffer into the network, unless of course the person spoofs the MAC address in hopes of intercepting calls.
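As an added illustration (not code from the original post), the Python sketch below models the registration-server decision described above: it accepts either MAC notation, refuses a configuration to unknown addresses when automatic registration is off, and raises an alert when a known MAC reappears from a different location, since an allowlist alone cannot tell a spoofed address from the real phone. The `Registrar` class, the `location` label (assumed to come from switch logs) and the sample addresses are assumptions made for this example.

```python
import re

MAC_SPACE = 2 ** 48  # six bytes -> 281,474,976,710,656 possible addresses
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([-:])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")

def normalize_mac(text):
    """Accept AA-BB-CC-DD-EE-FF or AA:BB:CC:DD:EE:FF; return aa:bb:cc:dd:ee:ff."""
    text = text.strip()
    if not _MAC_RE.match(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return text.replace("-", ":").lower()

def vendor_id(text):
    """First three bytes of the address (the vendor ID)."""
    return normalize_mac(text)[:8]

class Registrar:
    """Hypothetical registration server: decides whether a phone gets a config."""

    def __init__(self, known_macs, auto_register=False):
        self.known = {normalize_mac(m) for m in known_macs}
        self.auto_register = auto_register
        self.first_seen = {}  # mac -> location label (assumed to come from switch logs)

    def request_config(self, mac_text, location):
        try:
            mac = normalize_mac(mac_text)
        except ValueError:
            return "deny:malformed"
        if mac not in self.known:
            if not self.auto_register:
                return "deny:unknown"      # rogue phone or sniffer gets nothing
            self.known.add(mac)            # auto-registration trusts any new MAC
        # A known MAC showing up somewhere new may be a moved phone or a spoofed address.
        if self.first_seen.setdefault(mac, location) != location:
            return "alert:moved"
        return "serve"

if __name__ == "__main__":
    # Constructed sample addresses (locally administered range), not real phones.
    reg = Registrar(["02-00-00-10-00-01"])
    for mac, loc in [("02:00:00:10:00:01", "sw1/3"), ("02:00:00:99:00:07", "sw1/4"),
                     ("02:00:00:10:00:01", "sw2/9")]:
        print(mac, loc, reg.request_config(mac, loc))
```

An "alert:moved" result is a prompt to investigate rather than proof of spoofing, because a phone that was legitimately relocated produces the same signal.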

ARP Spoofing

ARP spoofing is an essential part of call interception. If an attacker cannot successfully meddle with the switch's ARP table, then eavesdropping is virtually eliminated. Of course, unrestrained console access to a switch also offers the chance for call interception; however, appropriate physical security controls and good passwords will minimize this threat.

Port Security

Since 802.1x is still an emerging technology, not all devices support it. Devices that do not support 802.1x can be controlled by Media Access Control (MAC) address authentication. Devices with static IP addresses that do not support 802.1x (such as printers and some IP phones) can be accommodated by utilizing various port security commands without the use of 802.1x (different switch vendors have different names for these commands). These devices should also be placed into their own VLAN.