11-19-2012 04:55 PM - edited 03-16-2019 02:16 PM
Hi,
I want to mitigate identity spoofing when someone uses a softphone with the same MAC address as a hard phone. What's a simple security method to block this attack?
Regards
Driss
12-01-2012 05:23 AM
If you're using a third-party SIP softphone you could define a SIP DIGEST User on the device, set a DIGEST password on that End User, and require Digest Authentication on the Phone Security Profile. William Bell wrote up a great blog on this topic.
With Cisco phones, SIP or SCCP, you would need to enable mixed mode and give the legitimate phone an LSC to present during registration and ongoing signaling operations. This is documented in the Security Guide.
Please remember to rate helpful responses and identify helpful or correct answers.
12-01-2012 11:31 AM
Hi Driss,
There are a number of ways you can stop identity spoofing, aka MAC / SIP spoofing, in a soft phone.
1. Hardcode the device name in CUCM to something other than the MAC address, which someone can spoof, and ensure that the endpoint also registers with the same name.
2. In Windows you can disable registry keys such that the end user is unable to modify the settings for the soft phone. For detailed instructions you can refer to Chapter 15 of Securing Cisco IP Telephony Networks
http://www.ciscopress.com/store/securing-cisco-ip-telephony-networks-9781587142956
3. You can leverage CAPF certificates such that one MAC / identity gets only 1 certificate and cannot register without it. While with VTGO this may have limited functionality, this is useful in the case of IP Communicator, CUPC etc.
4. You can leverage SIP authentication for third-party phones. This is also covered in the aforementioned book.
All in all, there are various attacks which can be launched against an endpoint and various ways in which these can be mitigated. Refer to Securing Cisco IP Telephony Networks to read about an end-to-end security construct and deploy it for your environment as per risk, cost, manpower, and other aspects.
Akhil Behl
Solutions Architect
akbehl@cisco.com
Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953
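What the SIP digest authentication mentioned in the two replies above adds, as an added example that is not part of the original thread and not Cisco's code: a toy registrar check using the RFC 2617 MD5 digest (without qop), showing that a REGISTER which only copies the device name is not accepted without the digest password. The realm, user, password, nonces and function names are constructed for illustration.

```python
import hashlib
import hmac

REALM = "pbx.example.test"                               # constructed realm
DIGEST_USERS = {"driss-softphone": "constructed-pw"}     # digest user -> password
DEVICE_TO_USER = {"SEP001122334455": "driss-softphone"}  # device -> digest user

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def check_register(device, uri, issued_nonce, auth=None):
    """Return 'challenge', 'reject' or 'accept' for a REGISTER attempt."""
    if auth is None:
        return "challenge"            # a device name alone proves nothing
    user = DEVICE_TO_USER.get(device)
    if user is None or auth.get("username") != user:
        return "reject"               # wrong digest user for this device
    if auth.get("nonce") != issued_nonce:
        return "reject"               # stale or replayed nonce
    expected = digest_response(user, REALM, DIGEST_USERS[user],
                               "REGISTER", uri, issued_nonce)
    ok = hmac.compare_digest(expected, auth.get("response", ""))
    return "accept" if ok else "reject"

def client_auth(user, password, uri, nonce):
    """Authorization fields sent by an endpoint that holds the password."""
    return {"username": user, "nonce": nonce,
            "response": digest_response(user, REALM, password,
                                        "REGISTER", uri, nonce)}

if __name__ == "__main__":
    uri, nonce = "sip:pbx.example.test", "nonce-0001"
    dev, user = "SEP001122334455", "driss-softphone"
    # Same device name, no credentials: challenged, not registered.
    print(check_register(dev, uri, nonce))
    # Same device name, guessed password: rejected.
    print(check_register(dev, uri, nonce, client_auth(user, "guess", uri, nonce)))
    # Legitimate endpoint with the configured digest password: accepted.
    print(check_register(dev, uri, nonce,
                         client_auth(user, "constructed-pw", uri, nonce)))
```
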
12-26-2012 03:34 AM
Hi Akhil,
Can you please advise on how to hardcode device name to something other than MAC address ?
Regards
Driss
12-26-2012 05:04 AM
This method is specific to Cisco IP Communicator. You can add CIPC in CUCM by username or anything you like. This is shown in attached image.
As VTGO emulates physical endpoints, you cannot use this mechanism with it.
Please read Chapter 15 of Securing Cisco IP Telephony Networks to see how you can safeguard endpoints from attacks. Also, Chapters 6, 7, 8, 9 depict various network and application layer security specifics for UC endpoints.
http://www.amazon.com/Securing-Telephony-Networks-Networking-Technology/dp/1587142953
Akhil Behl
Solutions Architect
akbehl@cisco.com
Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953
12-26-2012 06:09 AM
Hi,
Thank you for your answer.
OK, I knew this method. I have a doubt that it is applicable to other types of phones.
Regards
Driss