Threats to Cisco Collaboration Networks
The first step toward securing a Cisco Collaboration solution is to understand the possible threats to infrastructure, endpoints, devices, and applications. Security threats pertinent to Cisco Collaboration networks can be broadly categorized as listed in Table 5-1.
Table 5-1 Threats to a Cisco Collaboration (Unified IP) Network
Aimed at voice and signaling sessions, leading to loss of confidentiality or integrity, or both.
Identity theft/impersonation attacks
Used to exploit information in voice and video streams, leading to loss of confidentiality.
Occurs by means of unauthorized or fraudulent use of telephony equipment or services.
Denial-of-service (DoS) attacks
Leads to degradation of voice and video services.
Targeted at services associated with or enabled by the telephony implementation, such as servers in the same zone as UC servers.
There’s no single security control or tool/mechanism to thwart all the attack types listed in Table 5-1. Defense-in-Depth, also known as a layered security approach, is required to mitigate these threats. The following sections give insight into security measures at the various layers of the OSI model.
Layer 1 Security
Physical security entails securing Cisco Collaboration assets from physical access by an intruder and from potential damage by surrounding environmental factors. The major physical security controls include
- Guards at data center or facility periphery
- Badged access to data center/facilities
- CCTV, alarms, and sensors at data center/facility entry and exits
- Cisco Collaboration equipment secured in racks in data center and in closets at user access level
- Uninterruptible power supply (UPS) for servers and network devices
Layer 2 Security
Layer 2 security can be deployed at the switching layer to prevent attacks originating from the user access layer such as:
- MAC address spoofing
- DHCP spoofing
- Spanning Tree Protocol (STP) manipulation
- ARP poisoning
- Identity spoofing
Cisco Catalyst switches have a feature called port security that helps to reduce spoofing and other attacks. Port security restricts the input to an interface by limiting and identifying MAC addresses of end devices. The port security feature can leverage MAC address learning in the following ways:
- Static secure MAC address: Manually limits the MAC addresses to be allowed on a switch port by statically configuring the MAC addresses on a per-port basis. This feature allows MAC addresses learned to be saved in Content Addressable Memory (CAM) table and running configuration.
- Sticky secure MAC address: The switch port dynamically learns the MAC addresses of connected devices (sticky) configured for sticky secure MAC addresses and stores these in the CAM table and running configuration.
- Dynamic secure MAC address: The MAC addresses learned from the switch port set up for dynamic secure MAC addresses are stored only in a switch’s CAM table and not in the running configuration.
Upon violation of the number of MAC addresses per port, you can configure violation rules in one of following three ways:
- Protect: When the switch port reaches its configured maximum number of secure MAC addresses, it starts dropping frames with an unknown source MAC address.
- Restrict: Similar to the protect option, the major difference being that the restrict option can send an SNMP trap and a syslog message. It increments the violation counter when a port security violation occurs.
- Shutdown: After a port security violation occurs, the port is shut down and put in err-disable state. This option also allows generation of the SNMP and syslog notifications, identical to the restrict option, and it will also increment a violation counter.
Example 5-1 illustrates enabling port security on a Cisco Catalyst switch for interface FastEthernet 0/10 where the maximum number of MAC addresses is set to 3 on this particular interface, and the port, upon exceeding the maximum count, will be put in err-disable mode (shut down). The mac-address command is used to set a static MAC and remember the MAC addresses connected to it (sticky).
Example 5-1 Cisco Catalyst Switch Port Security Configuration
UCSWITCH(config)# interface FastEthernet 0/10 UCSWITCH(config-if)# switchport port-security UCSWITCH(config-if)# switchport port-security maximum 3 UCSWITCH(config-if)# switchport port-security violation shutdown UCSWITCH(config-if)# switchport port-security mac-address 10BD.18DC.97F5 UCSWITCH(config-if)# switchport port-security mac-address sticky
DHCP spoofing is used to launch Man-In-The-Middle (MITM), reconnaissance, and DoS attacks. In the DHCP spoofing attack, the attacker enables a rogue DHCP server on a network. When an endpoint (Cisco Unified IP Phone or softphone) sends a broadcast request for the DHCP configuration information, the rogue DHCP server responds before the original DHCP, thereby assigning the attacker-defined IP configuration information. DHCP snooping is a Cisco Catalyst switch feature that helps prevent DHCP spoofing attacks by enabling the switch ports to be set as either trusted (DHCP server-facing interface) or untrusted (user facing). Trusted switch ports can send DHCP requests and acknowledgements, whereas untrusted ports can only forward DHCP requests. DHCP snooping enables the switch to build a DHCP binding table that maps a client MAC address, IP address, VLAN, and port ID. Example 5-2 outlines DHCP snooping configuration where FastEthernet 0/10 is set to trusted and FastEthernet 0/20 is set to untrusted.
Example 5-2 DHCP Snooping Configuration
UCSWITCH(config)# ip dhcp snooping VLAN 200 201 UCSWITCH(config)# no ip dhcp snooping information option UCSWITCH(config)# ip dhcp snooping ! UCSWITCH(config)# interface FastEthernet 0/10 UCSWITCH(config-if)# ip dhcp snooping trust ! UCSWITCH(config)# interface FastEthernet 0/20 UCSWITCH(config-if)# no ip dhcp snooping trust UCSWITCH(config-if)# ip dhcp snooping limit
DHCP snooping is also used for Dynamic ARP Inspection (DAI), as discussed later in this chapter.
Root Guard and BPDU Guard
When a Cisco switch boots up, Spanning Tree Protocol (STP) identifies one switch as a root bridge. STP uses bridge protocol data units (BPDU) to maintain a loop-free topology by blocking redundant paths between switches. An attacker can send spoofed BPDU packets to imitate a root bridge, thereby causing a reconvergence of the network traffic. The attacker can capture traffic, launch DoS attacks, or initiate MITM attacks. BPDU guard and Root Guard help prevent the DoS or MITM attacks originating as a result of STP manipulation. BPDU Guard helps stop STP manipulation by enabling port(s) that don’t accept any BPDUs. Root Guard ensures that when the root (or root bridge) is elected, a new BPDU on a designated port isn’t entertained.
The following is a configuration of BPDU Guard and Root Guard for thwarting STP manipulation:
UCSWITCH(config)# spanning-tree portfast bpduguard UCSWITCH(config)# spanning-tree guard root
Dynamic ARP Inspection
An attacker can poison the Address Resolution Protocol (ARP) table. The intent is to conceal the identity so that the attacker’s switch/PC becomes the default gateway for the telephony subnet. ARP poisoning can be implemented by replying to and poisoning the network so that the attacker’s MAC address seems to be mapped to the default gateway IP address of the endpoints. An ARP attack can be mitigated by implementing Dynamic ARP Inspection (DAI), wherein the switch checks the IP/MAC mappings in the DHCP snooping binding table, thereby establishing the authenticity of packets before forwarding the packets to the destination. DAI drops all ARP packets that do not pass the inspection process. Example 5-3 outlines the process to enable DAI on a global and per-interface basis.
Example 5-3 DAI Interface-Specific and Global Setup
UCSWITCH(config)# ip arp inspection vlan 300 ! UCSWITCH(config)# interface FastEthernet 0/1 UCSWITCH(config-if)# ip arp inspection trust
802.1x is a standard set by the IEEE 802.1 working group. It’s a framework designed to address and provide port-based access control using authentication, primarily using Extensible Authentication Protocol (EAP) as the key protocol. 802.1x is a Layer 2 protocol for transporting authentication messages (EAP) between a supplicant (user/endpoint/PC) and an authenticator (switch or access point) with an (optional) authentication server (RADIUS) at the back end to authenticate the supplicant. For wired supplicants, EAP over LAN (EAPoL) is used, and for wireless supplicants, EAP over Wireless (EAPoW) is used. Figure 5-1 shows 802.1x via EAPoL and EAPoW for wired and wireless supplicants, respectively, to a RADIUS (Cisco TACACS+) server.
Figure 5-1 802.1x in Cisco Collaboration Networks
Multidomain Authentication (MDA) helps define two domains on the same physical switch port: Voice VLAN Identifier (VVID) and Port VLAN Identifier (PVID). The 802.1x process for voice using an EAPoL and MDA approach is shown in the following steps:
- Step 1. A Cisco Unified IP Phone learns VVID from Cisco Discovery Protocol (CDP). Third-party phones use Link Layer Discovery Protocol (LLDP). 802.1x times out.
- Step 2. The switch initiates MAC Authentication Bypass (MAB).
- Step 3. Cisco TACACS+ (RADIUS server) returns Access-Accept with the IP Phone’s vendor-specific attribute (VSA).
- Step 4. IP Phone traffic is initially allowed on either VLAN until it sends an 802.1Q tagged packet. Then only voice VLAN is allowed for the IP Phone.
- Step 5. The daisy-chained PC (connected to the PC port on the IP Phone) authenticates using 802.1x or MAB. PC traffic is allowed on the data VLAN only.
Example 5-4 demonstrates the switch configuration for MDA.
Example 5-4 MDA Setup
UCSWITCH(config)# interface FastEthernet 1/1 UCSWITCH(config-if)# switchport mode access UCSWITCH(config-if)# switchport access vlan 100 UCSWITCH(config-if)# switchport voice vlan 200 UCSWITCH(config-if)# spanning-tree portfast UCSWITCH(config-if)# authentication event fail action next-method UCSWITCH(config-if)# authentication host-mode multi-domain UCSWITCH(config-if)# authentication order dot1x mab UCSWITCH(config-if)# dot1x pae authenticator UCSWITCH(config-if)# authentication port-control auto UCSWITCH(config-if)# dot1x timeout tx-period 10 UCSWITCH(config-if)# dot1x max-req 2 UCSWITCH(config-if)# mab
Layer 3 Security
At Layer 3 of the OSI model, the following security mechanisms help restrain attacks from within and outside of a network:
- Deploying RFC 2827 filtering, uRPF, and IP source guard (prevents IP spoofing)
- Using routing protocol authentication
- Disabling unnecessary Cisco IOS services (hardening)
RFC 2827 Filtering
To prevent IP spoofing attacks emerging from outside your network, RFC 1918 addresses should be filtered using IP access control lists (ACL). These addresses include the following:
In addition to these addresses, the multicast range of 220.127.116.11/4, 18.104.22.168/8, and 240.0.0.0/5 and the broadcast address of 255.255.255.255 should be blocked.
IP Source Guard
The IP source guard feature can be enabled on untrusted switch ports. This feature blocks all IP traffic initially, except for DHCP packets captured by the DHCP snooping process. When a client receives a valid IP address from the trusted DHCP server, a port ACL (PACL) is applied to the port. This restricts the traffic only from known client source IP addresses configured in the binding, disregarding any other IP traffic. The following configuration enables IP source guard on the FastEthernet 0/10 interface of a Cisco Catalyst switch:
UCSwitch(config)# interface FastEthernet 0/10 UCSwitch(config-if)# ip verify source
Unicast Reverse Path Forwarding
Unicast Reverse Path Forwarding (uRPF) is a Cisco IOS feature that can be employed on Cisco IOS routers to prevent attempts to send packets with spoofed source IP addresses. The uRPF feature looks for the source IP address of a packet arriving on the inbound interface of a router in its routing table. If the source IP address exists in the network behind the router, and the routing table contains an entry for the same, the packet is allowed. uRPF requires Cisco Express Forwarding (CEF) to be enabled. The following snippet outlines the configuration of uRPF on FastEthernet 1/1 of a Cisco IOS router:
UCRouter(config)# interface FastEthernet 1/1 UCRouter(config-if)# ip verify unicast reverse-path
Routing Protocols Security
An attacker can attempt to manipulate the routing tables of routers by injecting his own malicious routes, thereby causing the router to send all voice and data network traffic to his own PC/router or drop the traffic altogether. To protect against such an attack, routing protocols should be secured by using authentication via plain-text authentication or MD5. MD5-based authentication creates a hash value from the key and sends it to the neighbors, where the neighboring router recalculates the hash value with the configured key to verify the integrity of the message. MD5 authentication is supported with the following routing protocols:
Cisco IOS routers can be hardened by disabling services such as finger, TCP and UDP small servers, BootP, and Proxy ARP.
(Firewall) Security for Layers 4 Through 7
Firewalls such as Cisco Adaptive Security Appliance (ASA) enable protection of a Cisco Collaboration network by filtering traffic at Layer 3, Layer 4, and higher layers. In an ideal design, the firewall intercepts the traffic coming from or going to remote sites and the Internet to or from the internal network (data center) and consequently filters based on certain criteria such as source/destination based on subnet, inspection, or ports.
Cisco ASA works in routed mode, transparent mode, or multiple-context mode. In routed mode Cisco ASA appears as a hop in the network—that is, it works at Layer 3. Routed mode supports multiple interfaces and practically all Cisco Collaboration services/applications. For Cisco Collaboration network deployments, Cisco ASA should be configured in a single (default) context as a routed firewall.
Cisco ASA, on the other hand, also works in transparent mode where it is a Layer 2 firewall that acts like a bump in the wire. In transparent mode, Cisco ASA has some limitations pertinent to voice and video traffic:
- Limited to the use of two traffic forwarding interfaces
- Lack of support for QoS or Network Address Translation (NAT)
- Lack of support for multicast routing
- No site-to-site VPN (except for management of the firewall itself)
Cisco ASA also supports multiple-context mode, also known as multimode. In multiple-context mode, the firewall is regarded as multiple separate virtual firewalls on the same physical hardware. However, multiple-mode also has some feature limitations (in addition to those defined for transparent firewall):
- Lack of support for VPN remote-access services
- Lack of support for Phone Proxy
- Lack of support for dynamic routing