Hello experts,
So I was reviewing some information on the SRND for 6.X and found the
following
Gratuitous ARP
Just like any other data device on the network, the phones are vulnerable to
traditional data attacks. The phones have features to prevent some of the
common data attacks that can occur on a corporate network. One such feature is
Gratuitous ARP (Gratuitous Address Resolution Protocol, or GARP). This feature
helps to prevent man-in-the-middle (MITM) attacks to the phone. A MITM attack
involves an attacker who tricks an end station into believing that he is the
router and tricks the router into believing that he is the end station. This
scheme makes all the traffic between the router and the end station travel
through the attacker, thus enabling the attacker to log all of the traffic or
inject new traffic into the data conversation. Gratuitous ARP helps protect
the phones from having an attacker capture the signaling and RTP voice streams
from the phone if the attacker was able to get onto the voice segment of the
network. This feature protects only the phones; it does not protect the rest
of the infrastructure from a Gratuitous ARP attack. This feature is of less
importance if you are running a Cisco infrastructure because the switch port
provides features that protect both the phones and the network gear. For a
description of these switch port features see the section on Switch Port, page
20-13.
Advantages
The Gratuitous ARP feature protects the phone from a traditional MITM attack
on the signaling and RTP voice streams that are sourced from the phone to the
network.
Disadvantages
The downstream signaling and RTP voice streams coming from another phone or
coming across the network are not protected by this feature in the phone. Only
the data coming from the phone that has this feature enabled is protected. (See
Figure 20-3.) If the default gateway is running Hot Standby Router Protocol
(HSRP), if the HSRP configuration uses the burned-in MAC address rather than
the virtual MAC address for the default gateway, and if the primary router
fails over to a secondary router that has a new MAC address, the phones could
maintain the old MAC address of the default gateway. This scenario could cause
an outage for up to 40 minutes. Always use the virtual MAC address in an HSRP
environment to avoid this potential problem.
Yet in the phone hardening guide and other reference materials it states to
turn off GARP as such
By default, Cisco IP Phones accept Gratuitous ARP, or GARP, packets. GARPs,
which are used by devices, announce the presence of the device on the network.
However, attackers can use these packets to spoof a valid network device; for
example, an attacker could send out a GARP that claims to be the default
router. If you choose to do so, you can disable Gratuitous ARP in the Phone
Configuration window of Cisco CallManager Administration.
Can someone please clarify this?
Thanks,
James
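The two quoted passages describe the same mechanism from opposite sides: a phone that ignores gratuitous ARP cannot have its gateway entry overwritten by a spoofed announcement, but it also cannot learn a new gateway MAC when an HSRP group fails over using burned-in rather than virtual MACs. The following is an added example, not part of the original post or of Cisco's documentation: a simplified Python model of a phone's ARP table with a GARP accept/ignore switch, run through both the MITM case and the HSRP failover case. All addresses, the group number in the virtual MAC, and the names PhoneArpCache, mitm_scenario and hsrp_failover_scenario are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample addresses (hypothetical, not from the post or the SRND).
PHONE_IP = "10.1.1.50"
GATEWAY_IP = "10.1.1.1"                 # HSRP standby IP the phone uses as default gateway
ROUTER_A_BIA = "00:aa:aa:aa:aa:01"      # burned-in MAC of the primary router
ROUTER_B_BIA = "00:bb:bb:bb:bb:02"      # burned-in MAC of the secondary router
HSRP_VIRTUAL_MAC = "00:00:0c:07:ac:01"  # HSRPv1 virtual MAC, group 1 (group number is assumed)
ATTACKER_MAC = "00:ee:ee:ee:ee:ee"      # MAC of a rogue host on the voice segment


@dataclass(frozen=True)
class ArpFrame:
    sender_ip: str
    sender_mac: str
    target_ip: str
    is_reply: bool  # ARP opcode 2 (reply) vs opcode 1 (request)

    @property
    def is_gratuitous(self) -> bool:
        # A gratuitous ARP announces the sender's own binding: sender IP == target IP.
        return self.sender_ip == self.target_ip


@dataclass
class PhoneArpCache:
    """Simplified model of an IP phone's ARP table with a GARP accept/ignore switch."""
    own_ip: str
    accept_garp: bool
    table: Dict[str, str] = field(default_factory=dict)
    pending: Set[str] = field(default_factory=set)  # IPs the phone has sent a request for
    log: List[str] = field(default_factory=list)

    def send_request(self, ip: str) -> None:
        self.pending.add(ip)

    def receive(self, frame: ArpFrame) -> bool:
        """Process one ARP frame; return True if the table changed."""
        if frame.is_gratuitous:
            if not self.accept_garp:
                # GARP disabled on the phone: unsolicited announcements never touch the table.
                self.log.append(f"ignored GARP {frame.sender_ip} is-at {frame.sender_mac}")
                return False
            self.table[frame.sender_ip] = frame.sender_mac
            return True
        # Ordinary reply: accept only if it answers a request this phone actually sent.
        if frame.is_reply and frame.target_ip == self.own_ip and frame.sender_ip in self.pending:
            self.pending.discard(frame.sender_ip)
            self.table[frame.sender_ip] = frame.sender_mac
            return True
        return False


def resolve_gateway(phone: PhoneArpCache, gateway_mac: str) -> None:
    """Solicited resolution: the phone asks for the gateway and the active router answers."""
    phone.send_request(GATEWAY_IP)
    phone.receive(ArpFrame(GATEWAY_IP, gateway_mac, PHONE_IP, is_reply=True))


def mitm_scenario(accept_garp: bool) -> str:
    """Return the MAC the phone holds for its gateway after a spoofed GARP arrives."""
    phone = PhoneArpCache(PHONE_IP, accept_garp)
    resolve_gateway(phone, ROUTER_A_BIA)
    # Rogue host announces the gateway IP as its own (the attack the SRND describes).
    phone.receive(ArpFrame(GATEWAY_IP, ATTACKER_MAC, GATEWAY_IP, is_reply=True))
    return phone.table[GATEWAY_IP]


def hsrp_failover_scenario(accept_garp: bool, use_virtual_mac: bool) -> bool:
    """Return True if the phone's gateway entry still reaches the active router after failover."""
    active_before = HSRP_VIRTUAL_MAC if use_virtual_mac else ROUTER_A_BIA
    active_after = HSRP_VIRTUAL_MAC if use_virtual_mac else ROUTER_B_BIA
    phone = PhoneArpCache(PHONE_IP, accept_garp)
    resolve_gateway(phone, active_before)
    # Router B becomes active and announces the gateway IP with the MAC it now serves.
    phone.receive(ArpFrame(GATEWAY_IP, active_after, GATEWAY_IP, is_reply=True))
    return phone.table[GATEWAY_IP] == active_after


if __name__ == "__main__":
    for garp in (True, False):
        print(f"GARP accepted={garp}: gateway MAC after spoof -> {mitm_scenario(garp)}")
        for vmac in (False, True):
            ok = hsrp_failover_scenario(garp, vmac)
            print(f"GARP accepted={garp}, virtual MAC={vmac}: gateway reachable after failover -> {ok}")
```

With GARP accepted, the spoofed announcement replaces the gateway entry and the phone's outbound signaling and RTP would flow to the rogue MAC; with GARP ignored, the entry stays on the real router. The same ignore policy is what strands the phone after an HSRP failover on burned-in MACs, because the only frame that carries the new binding is a gratuitous one; with the virtual MAC the binding never changes, so the phone keeps working without ever needing to accept a GARP, which is why the SRND tells you to use the virtual MAC.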
Blogs and organic groups at http://www.ccie.net
Received on Wed Jan 20 2010 - 12:40:56 ART
This archive was generated by hypermail 2.2.0 : Thu Feb 04 2010 - 20:28:41 ART