Information Technology Reference
In-Depth Information
Chapter 7
UC Security
When implementing an IP telephony network, it is essential to carefully consider security; otherwise, the network will be vulnerable
to attack and voice communications may suffer disruption.
Several different tools and techniques can be used to protect IP telephony networks, and some of these are covered in this chapter.
DHCP Snooping
Several different tools and techniques can help protect the network against both Layer 2 and Layer 3 threats. One such technique is
DHCP snooping.
VoIP devices, such as IP phones, can use the Dynamic Host Configuration Protocol (DHCP) to obtain IP configuration parameters,
such as IP address and TFTP server address. Therefore, if an attacker is able to interfere with DHCP, he might be able to conduct a
denial-of-service (DoS) attack and prevent IP phones from operating correctly.
DHCP snooping works to prevent an attacker from interfering with DHCP operation by filtering malicious DHCP messages and
creating a DHCP snooping binding table. The table contains information such as MAC addresses, IP addresses, DHCP lease times,
and VLAN port information for clients on untrusted ports.
DHCP snooping involves trusted and untrusted switch ports. If a DHCP packet is received on a trusted port, the switch forwards it
without validation. If a DHCP packet is received on an untrusted port, the switch checks to ensure that it is from a DHCP client and
not a malicious packet sent by an attacker. Trusted ports connect to devices such as DHCP servers or DHCP relay agents.
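The trusted/untrusted decision and the binding table can be modeled in a few lines of Python. This is an added example, not code from the book or from any switch vendor. The port names, MAC and IP addresses are constructed, and the three untrusted-port checks shown (server message types, source MAC against the client hardware address, release against the binding) are assumptions about what a typical implementation validates.

```python
from dataclasses import dataclass
SERVER_TYPES = {"OFFER", "ACK", "NAK"}  # only a DHCP server or relay sends these

@dataclass(frozen=True)
class DhcpMsg:
    kind: str         # DISCOVER, OFFER, REQUEST, ACK, NAK or RELEASE
    src_mac: str      # Ethernet source address of the frame
    chaddr: str       # client hardware address inside the DHCP payload
    yiaddr: str = ""  # address being assigned (server messages)
    lease: int = 0    # lease time in seconds (ACK)

class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}   # chaddr -> (port, vlan) seen on untrusted ports
        self.bindings = {}  # chaddr -> binding table entry

    def receive(self, port, vlan, msg):
        """Return 'forward' or 'drop' for a DHCP message arriving on a port."""
        if port in self.trusted:
            # Trusted port: forwarded without validation. An ACK for a known
            # untrusted-port client becomes a binding table entry.
            if msg.kind == "ACK" and msg.chaddr in self.pending:
                cport, cvlan = self.pending[msg.chaddr]
                self.bindings[msg.chaddr] = {"ip": msg.yiaddr, "lease": msg.lease,
                                             "vlan": cvlan, "port": cport}
            return "forward"
        if msg.kind in SERVER_TYPES:
            return "drop"  # server reply from an access port: rogue DHCP server
        if msg.src_mac != msg.chaddr:
            return "drop"  # frame source does not match the claimed client
        if msg.kind == "RELEASE":
            entry = self.bindings.get(msg.chaddr)
            if entry is None or entry["port"] != port:
                return "drop"  # release for a lease this port does not hold
            del self.bindings[msg.chaddr]
            return "forward"
        self.pending[msg.chaddr] = (port, vlan)
        return "forward"

def run_sample():
    """Constructed traffic: an IP phone on Fa0/5, an attacker on Fa0/9."""
    sw, phone, evil = SnoopingSwitch({"Gi0/1"}), "00:11:22:aa:bb:01", "de:ad:be:ef:00:09"
    steps = [("Fa0/5", 10, DhcpMsg("DISCOVER", phone, phone)),
             ("Fa0/9", 10, DhcpMsg("OFFER", evil, phone, "10.66.6.6")),
             ("Gi0/1", 10, DhcpMsg("ACK", "00:11:22:00:00:fe", phone, "10.1.10.21", 86400)),
             ("Fa0/9", 10, DhcpMsg("RELEASE", evil, phone)),
             ("Fa0/9", 10, DhcpMsg("RELEASE", phone, phone))]
    return [sw.receive(*s) for s in steps], sw.bindings
```

In the sample run the phone's lease survives both forged releases because the binding ties its MAC address to port Fa0/5, which is the information the binding table exists to record.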
 
 