Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

LLDP Spoofing?

  • 1.  LLDP Spoofing?

    Posted Nov 25, 2016 11:38 AM


    We are looking at rolling out AAA authentication on our network. We use Aruba MAS switches and Aruba APs with Avaya IP phones. I was looking at setting up override conditions on the AAA profile for the phones and APs to get diverted to a corporate access VLAN and skip CPPM role assignment. For the APs I was planning to use a device-group ap profile to override the interface-group AAA profile, similar to this:


    device-group ap
      enable
      switching-profile "AP"


    For the phones I was looking at setting a derivation rule on the AAA profile similar to this:


    aaa derivation-rules user test
      set vlan condition device-type equals "phone" set-value XXX


    My question is: how secure is this setup? Can the proprietary LLDP TLVs be spoofed easily, so that a hacker PC could mimic a phone or AP and get diverted straight into a corporate access VLAN, bypassing the rest of the AAA profile role assignment conditions?


  • 2.  RE: LLDP Spoofing?

    EMPLOYEE
    Posted Nov 26, 2016 06:04 AM

    LLDP can be easily spoofed (as can CDP). Tools to do so, like VoipHopper (CDP) and LLDP Generator (LLDP) are publicly available.


    Example with LLDP Generator:

    ./tool.py -p lldp -tlv sys-name "FakePhone" -tlv sys-desc "See, I can spoof LLDP" -tlv chid -ipv4 "123.45.67.89"

    Will show on your switch like:

    HPE-Aruba-Lab3810# show lldp info remote-device 4

     LLDP Remote Device Information Detail

      Local Port   : 4
      ChassisType  : network-address
      ChassisId    : 123.45.67.89
      PortType     : mac-address
      PortId       : 30 85 a9 aa aa aa
      SysName      : FakePhone
      System Descr : See, I can spoof LLDP
      PortDescr    :
      Pvid         :
      System Capabilities Supported  :
      System Capabilities Enabled    :
      Remote Management Address

    I did not take the time to spoof the system capabilities, but that should not be that hard to fake your Avaya phone. So it is okay to use LLDP as a convenience feature, probably not to use it as a security feature, as there is no protection whatsoever in the protocol.


    The more secure solution would be to really authenticate the phone with 802.1X; the required security level depends on what is acceptable in your environment and was the outcome of the security assessment.
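To make the point of the thread concrete, here is an added illustration (not code from either poster, nor from HPE Aruba): a small Python decoder for an LLDPDU, fed a constructed frame carrying the same values as the spoofed example above (chassis ID 123.45.67.89, port ID 30:85:a9:aa:aa:aa, system name "FakePhone", plus the telephone capability bit the answer mentions). Parsing the frame shows there is no authentication field anywhere in the protocol, and the two policy functions at the end contrast the derivation rule from the question, which keys on LLDP alone, with the hardened variant from the answer, which only honours the LLDP hint after 802.1X has succeeded. The assumption that the switch derives device-type "phone" from the LLDP telephone capability bit, the function names, and the VLAN numbers are all illustrative.

```python
"""Added example: decode an LLDPDU and compare LLDP-only versus
802.1X-gated VLAN assignment. Not code from the thread or from HPE Aruba."""
import struct

# IEEE 802.1AB TLV types and System Capabilities bits (real protocol constants).
TLV_END, TLV_CHASSIS, TLV_PORT, TLV_TTL = 0, 1, 2, 3
TLV_SYSNAME, TLV_SYSDESC, TLV_CAPS = 5, 6, 7
CAP_TELEPHONE = 0x20   # "Telephone" capability bit
CAP_WLAN_AP = 0x08     # "WLAN Access Point" capability bit

# Constructed sample LLDPDU (Ethernet header stripped). Each TLV starts with a
# 16-bit header: 7-bit type, 9-bit length. Values mirror the spoofed example
# in the answer above; the capability bits are the part the answer did not spoof.
SAMPLE_LLDPDU = (
    b"\x02\x06" b"\x05\x01\x7b\x2d\x43\x59"          # Chassis ID: network addr, IPv4 123.45.67.89
    b"\x04\x07" b"\x03\x30\x85\xa9\xaa\xaa\xaa"      # Port ID: MAC 30:85:a9:aa:aa:aa
    b"\x06\x02" b"\x00\x78"                          # TTL: 120 s
    b"\x0a\x09" b"FakePhone"                         # System Name
    b"\x0c\x15" b"See, I can spoof LLDP"             # System Description (21 bytes)
    b"\x0e\x04" b"\x00\x20\x00\x20"                  # Capabilities: telephone supported + enabled
    b"\x00\x00"                                      # End of LLDPDU
)


def parse_tlvs(payload):
    """Walk the TLV chain and return {type: raw value}; stop at End-of-LLDPDU."""
    tlvs, off = {}, 0
    while off + 2 <= len(payload):
        (hdr,) = struct.unpack_from("!H", payload, off)
        ttype, tlen = hdr >> 9, hdr & 0x1FF
        off += 2
        value = payload[off:off + tlen]
        if len(value) != tlen:
            raise ValueError("truncated TLV at offset %d" % off)
        off += tlen
        if ttype == TLV_END:
            break
        tlvs[ttype] = value
    return tlvs


def describe(tlvs):
    """Render the fields the switch prints in 'show lldp info remote-device'.
    Every field is plain, unsigned data supplied by the neighbour itself."""
    info = {}
    chassis = tlvs.get(TLV_CHASSIS, b"")
    if chassis[:2] == b"\x05\x01":            # subtype 5 = network address, AFI 1 = IPv4
        info["chassis_id"] = ".".join(str(b) for b in chassis[2:6])
    elif chassis[:1] == b"\x04":              # subtype 4 = MAC address
        info["chassis_id"] = ":".join("%02x" % b for b in chassis[1:7])
    port = tlvs.get(TLV_PORT, b"")
    if port[:1] == b"\x03":                   # subtype 3 = MAC address
        info["port_id"] = ":".join("%02x" % b for b in port[1:7])
    info["sys_name"] = tlvs.get(TLV_SYSNAME, b"").decode("ascii", "replace")
    info["sys_desc"] = tlvs.get(TLV_SYSDESC, b"").decode("ascii", "replace")
    supported, enabled = struct.unpack("!HH", tlvs.get(TLV_CAPS, b"\0\0\0\0")[:4])
    info["caps_supported"], info["caps_enabled"] = supported, enabled
    return info


def lldp_only_vlan(info, phone_vlan, default_vlan):
    """Mirrors the derivation rule in the question: device-type "phone" -> VLAN.
    Assumes the switch maps the LLDP telephone capability bit to "phone";
    whoever sets that bit gets the corporate VLAN, no credentials involved."""
    return phone_vlan if info["caps_enabled"] & CAP_TELEPHONE else default_vlan


def authenticated_vlan(info, dot1x_passed, phone_vlan, default_vlan):
    """Hardened variant from the answer: LLDP is only a hint. The phone VLAN is
    assigned only once 802.1X has succeeded for the supplicant on that port."""
    if dot1x_passed and info["caps_enabled"] & CAP_TELEPHONE:
        return phone_vlan
    return default_vlan


if __name__ == "__main__":
    info = describe(parse_tlvs(SAMPLE_LLDPDU))
    for key, value in info.items():
        print("%-15s %s" % (key, value))
    # Illustrative VLAN numbers only.
    print("LLDP-only rule      ->", lldp_only_vlan(info, 100, 999))
    print("802.1X not passed   ->", authenticated_vlan(info, False, 100, 999))
    print("802.1X passed       ->", authenticated_vlan(info, True, 100, 999))
```

Running the block shows the forged frame landing in the phone VLAN under the LLDP-only rule and staying in the default VLAN under the 802.1X-gated rule until authentication actually succeeds; nothing in the decoded TLVs gives the switch a way to tell the two frames apart, which is the "no protection whatsoever in the protocol" point from the answer.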