#1

Does the Avvid system have encryption on the voice phone conversations? We need to be able to protect calls to the police dept. from being eavesdropped or port copied. I saw a demo of the Avaya system today that can do it on an optional/mandatory level.

bJ
Bobby Janow

#2

On Wed, 02 Jul 2003 02:26:21 GMT, "Bobby Janow" <> wrote:

>Does the Avvid system have encryption on the voice phone conversations? We
>need to be able to protect calls to the police dept. from being eavesdropped
>or port copied. I saw a demo of the Avaya system today that can do it on an
>optional/mandatory level.

No, it does not encrypt the voice data at all. Proper use of VLANs will help, but not prevent someone from sniffing the call.

#3

Thanks for the quick reply. I know a VLAN can segment and protect the data traffic at the police department. But if I have a call originating at the High School from the principal, going to the chief of police regarding an incident that happened, would the conversation be open to a knowledgeable student with available hacker tools? Couldn't they just port spoof or port forward the entire conversation, thus compromising all kinds of confidentiality laws?

bJ

<> wrote in message news:...
> On Wed, 02 Jul 2003 02:26:21 GMT, "Bobby Janow" <> wrote:
>
> >Does the Avvid system have encryption on the voice phone conversations? We
> >need to be able to protect calls to the police dept. from being eavesdropped
> >or port copied. I saw a demo of the Avaya system today that can do it on an
> >optional/mandatory level.
>
> No, it does not encrypt the voice data at all. Proper use of VLANs
> will help, but not prevent someone from sniffing the call.

#4

On Wed, 02 Jul 2003 12:25:09 GMT, "Bobby Janow" <> wrote:

>Thanks for the quick reply. I know a VLAN can segment and protect the data
>traffic at the police department. But if I have a call originating at the
>High School from the principal, going to the chief of police regarding an
>incident that happened, would the conversation be open to a knowledgeable
>student with available hacker tools? Couldn't they just port spoof or port
>forward the entire conversation, thus compromising all kinds of
>confidentiality laws?

ARP spoofing would help them sniff the traffic, provided they had access to a port in the correct VLAN. Also note that the 79xx phones echo all of the phone data on the PC port (at least for the firmware loads I've seen).

#5

Thanks again. I believe the key here is that they would need access to the port. The Avaya thing might just be smoke and mirrors due to the fact that they were in a lab setting with total access to all traffic and ports.

bJ

<> wrote in message news:...
> On Wed, 02 Jul 2003 12:25:09 GMT, "Bobby Janow" <> wrote:
>
> >Thanks for the quick reply. I know a VLAN can segment and protect the data
> >traffic at the police department. But if I have a call originating at the
> >High School from the principal, going to the chief of police regarding an
> >incident that happened, would the conversation be open to a knowledgeable
> >student with available hacker tools? Couldn't they just port spoof or port
> >forward the entire conversation, thus compromising all kinds of
> >confidentiality laws?
>
> ARP spoofing would help them sniff the traffic, provided they had
> access to a port in the correct VLAN. Also note that the 79xx phones
> echo all of the phone data on the PC port (at least for the firmware
> loads I've seen).

#6

I'll check out the webinar for sure. Avaya is using some form of encryption on the phone or in their call manager. They are castigating the use of VPNs due to the cost, complexity, and user difficulty. Cisco is talking VPN if you want total security. In reality, however, if someone wanted to tap a phone they could just clip those little doo-hickeys onto the wires outside like they do in the movies.

bJ

"A.User" <> wrote in message news:...
> On Sun, 06 Jul 2003 00:13:54 GMT, "Bobby Janow" <> wrote:
>
> This application is a prime example of the security issues surrounding
> VoIP and the adaption of it in the enterprise. All VoIP vendors know
> that the voice packets placed on the "wire" are not secure and lend
> themselves to intercept and hijacking. They are working on solutions,
> as is the IEEE and several other standards bodies. The bottom line is
> that anyone with some knowledge of packet capture who has access to
> the network can intercept or hijack a conversation. The solution to
> your dilemma is in voice encryption. Recently some vendors are opting
> for secure VPNs as a transport method for voice that needs
> confidentiality, but this is an interim measure at best; the ultimate
> solution will be encryption at the phone using PKI or certificates. If
> I remember, Avaya is talking VPNs while working on PKI for the
> ultimate solution. There is to be a Voice security webinar presented
> by International Network Services on the 30th of July. Just another
> input to an open issue.
>
> >Thanks again. I believe the key here is that they would need access to the
> >port. The Avaya thing might just be smoke and mirrors due to the fact that
> >they were in a lab setting with total access to all traffic and ports.
> >
> >bJ
> >
> ><> wrote in message news:...
> >> On Wed, 02 Jul 2003 12:25:09 GMT, "Bobby Janow" <> wrote:
> >>
> >> >Thanks for the quick reply. I know a VLAN can segment and protect the data
> >> >traffic at the police department. But if I have a call originating at the
> >> >High School from the principal, going to the chief of police regarding an
> >> >incident that happened, would the conversation be open to a knowledgeable
> >> >student with available hacker tools? Couldn't they just port spoof or port
> >> >forward the entire conversation, thus compromising all kinds of
> >> >confidentiality laws?
> >>
> >> ARP spoofing would help them sniff the traffic, provided they had
> >> access to a port in the correct VLAN. Also note that the 79xx phones
> >> echo all of the phone data on the PC port (at least for the firmware
> >> loads I've seen).

#7

wrote:
>>On the other hand it is possible to fill the mac-address-table of a
>>switch and that makes it work like a hub. That means that there is
>>no longer any 'vlan-security'. So you don't need to have access
>>to the 'phone-vlan' but to the switch. We demonstrated that during
>>a workshop at our university, too.
>>
>
> Really? What switch was this on?

Sorry for the late answer. It was a no-name product. But we only used our phone VLAN for the demo, i.e. untagged packets.

> I'm aware of mac flooding to force a switch to flood packets to all ports
> instead of properly switching. Basically you interfere with its
> ability to know which port to send a packet out on.
>
> I do not understand how this would affect vlan tagging, though. The
> tagging is essentially part of the packet and unless the hacker was on
> a trunk or access port statically assigned to that vlan, they should
> not be able to sniff packets from another vlan. There are some known
> issues about being able to send a packet to the wrong vlan due to
> native vlan misconfiguration.
>

It doesn't affect VLAN tagging, you're right. But as some Cisco guys told me, the packet is switched with the tag and only at the egress port may the tag be removed (if this port belongs to the VLAN of the untagged packet). If you flood the switch you will receive that tagged packet on every port. So you have to look at the tag, remove it and collect every packet in a directory depending on that removed tag. So you can find every RTP stream and make it audible.

-- 
Lothar
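The two attacks the thread describes, ARP spoofing on the voice VLAN (#4) and collecting tagged frames off a flooded switch and sorting them into RTP streams by tag (#7), come down to the same packet handling. The script below is an added example, not code from the thread, from Cisco or from Avaya: it strips the 802.1Q tag from each frame, records which MAC first answered for each IP so a second MAC claiming the same address is flagged, and groups RTP packets by VLAN, endpoints and SSRC so each call leg can be reassembled. It runs entirely on constructed frames; the IP addresses, VLAN IDs (100 for voice, 200 for data) and MACs are assumptions, and the checksums in the constructed packets are left at zero because the parser does not verify them. On a real switch you would feed it raw frames read from the flooded or mirrored port instead of `sample_frames()`.

```python
"""Triage 802.1Q-tagged frames pulled off a flooded switch port (constructed sample, no capture library)."""
import struct
from collections import defaultdict

ETH = struct.Struct("!6s6sH")           # dst MAC, src MAC, ethertype
DOT1Q = struct.Struct("!HH")            # TCI (PCP/DEI/VID), inner ethertype
ARP = struct.Struct("!HHBBH6s4s6s4s")   # hw, proto, hlen, plen, op, sha, spa, tha, tpa
UDP = struct.Struct("!HHHH")            # sport, dport, length, checksum
RTP = struct.Struct("!BBHII")           # V/P/X/CC, M/PT, seq, timestamp, SSRC
ET_VLAN, ET_ARP, ET_IPV4 = 0x8100, 0x0806, 0x0800

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def strip_dot1q(frame):
    """Return (vlan_id or None, inner ethertype, payload); the VID is the low 12 bits of the TCI."""
    _dst, _src, etype = ETH.unpack_from(frame)
    off, vlan = ETH.size, None
    if etype == ET_VLAN:
        tci, etype = DOT1Q.unpack_from(frame, off)
        vlan, off = tci & 0x0FFF, off + DOT1Q.size
    return vlan, etype, frame[off:]

class ArpWatch:
    """Remember the first MAC that answered for each (vlan, IP); a later, different MAC is a poisoning alert."""
    def __init__(self):
        self.table, self.alerts = {}, []
    def feed(self, vlan, pkt):
        _hw, _pr, _hl, _pl, op, sha, spa, _tha, _tpa = ARP.unpack_from(pkt)
        if op != 2:                                   # only replies poison a cache
            return
        known = self.table.setdefault((vlan, spa), sha)
        if known != sha:
            self.alerts.append(f"vlan {vlan}: {ip_str(spa)} moved from {mac_str(known)} to {mac_str(sha)}")

class RtpCollector:
    """Group RTP packets by (vlan, src, dst, SSRC, payload type) so each stream can be reassembled and decoded."""
    def __init__(self):
        self.streams = defaultdict(list)
    def feed(self, vlan, pkt):
        if pkt[0] >> 4 != 4 or pkt[9] != 17:          # IPv4 carrying UDP only
            return
        ihl = (pkt[0] & 0x0F) * 4
        src, dst = pkt[12:16], pkt[16:20]
        sport, dport, ulen, _ck = UDP.unpack_from(pkt, ihl)
        body = pkt[ihl + UDP.size:ihl + ulen]
        if len(body) < RTP.size or body[0] >> 6 != 2: # RTP version 2 only
            return
        vpxcc, mpt, seq, _ts, ssrc = RTP.unpack_from(body)
        hdr = RTP.size + (vpxcc & 0x0F) * 4           # skip any CSRC identifiers
        key = (vlan, f"{ip_str(src)}:{sport}", f"{ip_str(dst)}:{dport}", ssrc, mpt & 0x7F)
        self.streams[key].append((seq, body[hdr:]))

def triage(frames):
    """Strip the tag from every frame and route ARP replies and RTP packets to their collectors."""
    arp, rtp = ArpWatch(), RtpCollector()
    for frame in frames:
        vlan, etype, payload = strip_dot1q(frame)
        if etype == ET_ARP:
            arp.feed(vlan, payload)
        elif etype == ET_IPV4:
            rtp.feed(vlan, payload)
    return arp, rtp

# --- constructed sample traffic: assumed addresses and VLAN IDs, not from any real capture ---
def tagged(vlan, etype, payload, src=bytes(6), dst=b"\xff" * 6):
    return ETH.pack(dst, src, ET_VLAN) + DOT1Q.pack(vlan, etype) + payload

def arp_reply(vlan, sha, spa, tha, tpa):
    return tagged(vlan, ET_ARP, ARP.pack(1, ET_IPV4, 6, 4, 2, sha, spa, tha, tpa), sha, tha)

def rtp_packet(vlan, src, dst, sport, dport, ssrc, seq, pt, payload):
    rtp = RTP.pack(0x80, pt, seq, seq * 160, ssrc) + payload
    udp = UDP.pack(sport, dport, UDP.size + len(rtp), 0) + rtp   # checksums left 0: the parser ignores them
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src, dst) + udp
    return tagged(vlan, ET_IPV4, ipv4)

def sample_frames():
    """Voice VLAN 100: a genuine gateway ARP reply, a spoofed one, then a two-way G.711 call; one data-VLAN packet."""
    gw, phone_a, phone_b = bytes([10, 1, 100, 1]), bytes([10, 1, 100, 11]), bytes([10, 1, 100, 12])
    gw_mac, atk_mac, a_mac = (bytes.fromhex(h) for h in ("000c29aabb01", "000c29ddee99", "00112233aa11"))
    frames = [arp_reply(100, gw_mac, gw, a_mac, phone_a),
              arp_reply(100, atk_mac, gw, a_mac, phone_a)]         # attacker claims the gateway's IP
    for seq in range(3):
        frames.append(rtp_packet(100, phone_a, phone_b, 16384, 16386, 0xDEADBEEF, seq, 0, b"\xff" * 160))
        frames.append(rtp_packet(100, phone_b, phone_a, 16386, 16384, 0xCAFEF00D, seq, 0, b"\x7f" * 160))
    frames.append(rtp_packet(200, phone_a, phone_b, 5000, 5001, 0x1234, 0, 96, b"data"))  # other tag, other key
    return frames

if __name__ == "__main__":
    arp, rtp = triage(sample_frames())
    print("\n".join(arp.alerts) or "no ARP conflicts")
    for key, pkts in rtp.streams.items():
        print(f"vlan={key[0]} {key[1]} -> {key[2]} ssrc=0x{key[3]:08x} pt={key[4]} packets={len(pkts)}")
```

Run as-is it reports one ARP conflict (the gateway's IP moving to the second MAC) and three streams, the two legs of the VLAN 100 call and the lone VLAN 200 packet, each keyed by its stripped tag exactly as the last post describes. The point of the thread survives the exercise: anything that reaches the port in the clear can be sorted and decoded this way, so port security, ARP inspection and VLAN separation only narrow who can reach the port, and only encrypting the media on the phone itself removes the exposure.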