Despite this minimal network infrastructure, the Avaya VoIP package has several
intrinsic security mechanisms. However, call control information in the Avaya
topology is not encrypted, and the passwords used for IP phone authentication
are not very strong.

Our hackers learned a lot by querying Avaya's IP phones via SNMP, using the
universal default SNMP community name "public". But the phones cannot be
reconfigured, disabled or otherwise exploited via SNMP sets (writes).

Avaya took home the lessons learned from the first round and returned with a
hardened and more secure setup.

Officially, Avaya claims that its IP telephony package is switch-independent
with respect to the Layer 2 and Layer 3 equipment on which the VoIP
infrastructure is based. So the Avaya Cajun P333 switch used in the first test
round was replaced in the second round with Layer 2 / Layer 3 switches from
Extreme, with which Avaya collaborates.