A new emerging telephony technology, Voice over IP (VoIP), proposes numerous advantages over Public Switched Telephone Network (PSTN). One of them is a relatively painless mobility of the VoIP phone. Users can easily move their phone from one such port to another in the communication network without any configuration change, just like hooking up appliances to a power outlet. However, this mobility can create a headache for VoIP network administrators. When users are allowed full freedom to move their phone, administrators can become totally blind to which phones are connected to which switch port. Failing to keep track of phone location means that correct phone position cannot be provided in case there is a request from E911 system. In addition it leaves the network susceptible to access by unauthorized devices posing as authorized devices. A rogue phone can easily tap into the network and start unauthorized service or launch an attack on others.
One proposed response to the problem is to fix one switch port to be dedicated for one VoIP phone only so that a switch forwards only the traffic originated from the Media Access Control (MAC) address of that phone. IT staff manually enters to a switch a phone MAC address to be locked up to a specific switch port. However, this one switch port per IP phone approach is too cumbersome and drains immense amount of man hours to manage.
Another alternative is to rely on a switch's automatic filter set up. In this proposed solution the switch sets the first MAC address it sees as the only authorized device. Traffic from other MAC address would then be blocked at the port. This one IP phone-per-port approach also requires human attention when a need arises to change the initial setting.
When phone access has not been encumbered in the manner disclosed, the network has been susceptible to access that could be detrimental to the network, examples of which are set out below.
Access Through a Daisy Chained Switch
As can be seen in FIG. 1, a rogue phone can be plugged in to network by daisy chaining a switch port. An inexpensive 4 or 8 port hub/switch can expand the Ethernet port easily.
The issue is that, from the viewpoint of network administrator or management tool, all of the devices hooked to the cascaded hub/switches are identified by one switch port. For example, all of the Hub/Switches 103-105 all are identified as being on the same port of switch 110. In addition all of the devices hooked to those Hub/Switches (e.g., D1 to D4) are identified as being on the same port. This makes it even harder to detect a rogue device because traffic from both legal and illegal phones can only be routed through one switch port.
Another issue that arises is that when a device is plugged to a cascaded hub/switch, an SNMP trap cannot be generated because the switch cannot detect the cable plugged into the cascaded hub/switch.
Spoofing a Legitimate IP/MAC Address
An intruder can spoof an IP/MAC address of a legitimate or authorized phone and program it on his or her device overwriting the hardware address of the intruding device. From a VoIP call server or network administrator's view, there is no way to tell if the phone is authorized or not by merely looking at the IP/MAC address. The rogue phone is treated same as legal one, resulting in two or more identical IP/MAC addresses present on network.
Layer 3 Switch
If frames generated from a device cross a subnet boundary, a system monitoring the traffic cannot grab the MAC address of that device by any means because that address is stripped off by a router. Also, if a layer 3 switch is involved in switching, the MAC address in the frame header is not necessarily that of traffic source.
In other words, when remotely monitoring traffic from IP phones, it is difficult to get a correct MAC address for that phone except when only layer 2 switch is involved in switching.
Possible Cases of Intrusion.
It can be safely anticipated that the rogue device will spoof IP/MAC address of legitimate user. In FIG. 1, a device at ending point of dotted arrow points to a legal device whose address is being spoofed by a rogue device. There can be three ways the rogue device can pick a MAC address. One technique is to pick randomly a MAC address without spoofing. A second is to spoof a device address which is on the same daisy-chain branch. A third is to spoof the address of a device that is plugged on a switch port that is different from the port to which the rogue device is connected. Depending on the MAC address that the rogue phone spoofs and the switch port to which the device is plugged in, the following possible cases of intrusion, as shown in FIG. 1, can happen.
Case A: Soft-phone on a PC
Installing a VoIP soft-phone on a legitimate PC.
Case B: Rogue Phone on Daisy-Chain
A rogue phone is connected to one hub/switch of a daisy chained port and it is stealing IP/MAC of a legitimate phone that is hooked up to the same daisy chain. Traffic generated from both phones travel through same switch port.
Most legitimate phones remain powered on 24×7 and as a result the IP/MAC addresses of those phones are always active. When a rogue phone spoofs this address, it will collide with that of legitimate phone as they are on same subnet. It is questionable if rogue phone can make a phone call and how the VoIP call server would respond to this request because of the MAC address conflict. The result might be dependent on whether a hub or a switch is used.
Case C: Rogue Phone on Daisy-Chain
A rogue phone is connected to one hub/switch of a daisy chained port and it is stealing an IP/MAC address of a phone that is hooked up to the switch directly via a different port. Traffic generated from both phones travel through different switch ports of the same switch. Both phones cannot be on-line simultaneously as the MAC address collides. However, if the legitimate phone is off or unplugged the rogue phone can use the spoofed address for access.
Case D: Rogue Phone on Switch Port Direct
A rogue phone is connected to a switch directly and it is stealing MAC address of a phone on a different subnet. Traffic generated from both phones travel through different switch ports. Both phones may be on-line simultaneously if different IP addresses are used. The rogue phone will be able to make phone calls without any problem because VoIP call server identifies a phone by MAC address not by its IP address. But this scenario is possible when there is only one VoIP call server servicing the whole campus or university. One thing that is not clear is the case when there are multiple VoIP call servers servicing different subnets. As seen in FIG. 1, say a legitimate phone is serviced by VoIP call server 1 and rogue phone by VoIP call server 2; the legitimate phone is registered on VoIP call server 1 and rogue phone is to be served by VoIP call server 2. Unless there is a database sharing or synchronization between the two VoIP call servers, the rogue phone won't be able to make phone call.
Case E: Rogue Phone on Switch Port Direct
The intruder introduces some arbitrary MAC address which is not registered on VoIP call server. It won't be able to make legitimate call but could generate a malicious attack like a denial of service (DOS).
Case F: Rogue Phone on Daisy-Chain
A rogue phone is connected to one hub/switch of a daisy chained port and it is not stealing IP/MAC address. It introduces some arbitrary MAC address which is not registered on VoIP call server.
Case G: Phone with Built-in Extra Port
IP phone usually has an extra hub port for a PC or any Ethernet device can be hooked to. A legitimate phone is directly connected to switch port and a PC is daisy chained to the phone.