| Subject: | RE: Question on VoIP security |
|---|---|
| Date: | Mon, 19 Dec 2005 11:34:48 -0800 |
-----Original Message-----
From: Rodrigo Blanco [mailto:rodrigo.blanco.r@gmail.com]
Sent: Sunday, December 18, 2005 5:01 AM
To: security-basics@securityfocus.com
Subject: Question on VoIP security

Hello list,

I am currently facing an Intranet VoIP project (it will be restricted to one organization's Intranet, geographically dispersed) from the security standpoint. So, I have to propose a security architecture for a SIP-based VoIP deployment. The vendor is still a variable, so it should be as vendor-independent as possible (but it will probably be Cisco / Nortel).

Does anyone have information on the current security practices used to protect the confidentiality and integrity of, and guarantee access control in, the VoIP services network? If you can provide me with general principles, and perhaps links to documents describing the security problems I should consider, these would be more than welcome.
Having done a fairly large VoIP implementation that has a lot of public-facing phones, we had a lot of issues we had to tackle, especially when dealing with 24/7 availability and security. Obviously I can't go into the specifics here on how we did our VoIP network, but treat the security side of it as you would any data port. The good thing about having dedicated jacks for VoIP is that your work just got a little easier, as the phones are all going to have the same access profile. Work with your vendor to work up a good access profile for your devices and firewall them off ruthlessly. Lock the edge down using every control you have: MAC locks, protocol locks, firewalls... you *have* to control the edge. If you can't, then someone's going to plug something other than a phone into the network and it's Game Over.

I really prefer having separate networks for voice vs. data, as it's more secure and simplifies administration a bit, and the QoS is improved on both sides because you're not competing for bandwidth. While you're at it, don't skimp by getting budget networking gear. If you're putting in a fair-sized VoIP network, you're going to need bandwidth. Phones are a "public side" of IT, and even the least technical person can use one and expects a certain level of quality. You *will* hear about it if calls are coming in broken or distorted, especially if it's the CEO on a call trying to show off his shiny new VoIP network to his buddies. A few bucks spent now can prevent a lot of headaches in the future.

For your remote offices, I'd recommend firewall-to-firewall VPN tunnels, even if you're using point-to-point circuits. I would look to see if the system you're considering does end-to-end encryption to protect the voice data. A lot of them do now, but also look at how secure the key exchange is. Encryption is no good if an attacker is sniffing the wire and the encryption key is sent in the plain before the voice part of the call actually kicks in.

If you follow the basic practices for securing a data network, I really think that the holes are going to come from the phone switch itself. It's a ripe target. Look at some of the mailing lists and see if a particular vendor has a history of getting their products exploited, and ask how responsive they are to fixing holes as they are reported. Most importantly, don't let your vendors tell you that you can't do something. Put all your requirements in the Requirements Doc before your vendor pool starts planning and bidding. The security portion really should be a non-negotiable deal-breaker. For everything a VoIP phone does, they're still just network devices and should be treated as such.

--
Ian Hayes | Senior Systems Engineer
Wynn Las Vegas
3131 South Las Vegas Blvd, Las Vegas, NV 89109
Ph (702) 770-3252 | Cell (702) 266-6002
Ian.hayes@wynnlasvegas.com
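The reply's last technical point, that media encryption is worthless if the key travels in the clear before the call starts, is something you can check on captured signalling rather than take on a vendor's word. The script below is an added example for this page, not code from the thread or from any vendor: it parses the SDP body of a SIP INVITE, classifies each media stream as plain RTP, SRTP with an SDES `a=crypto` key, or SRTP keyed out of band, and reports whether an SDES key was exposed given whether the SIP leg itself ran over TLS. The `SAMPLE_INVITE` message, its addresses, and the key material in it are constructed for the example.

```python
"""Audit how a SIP INVITE exchanges its media key (added example).

Given the text of a SIP request carrying an SDP body, report for each m= line
whether the media is plain RTP, SRTP keyed by an SDES 'a=crypto' attribute
(only protected if the signalling runs over TLS), or SRTP keyed some other way.
"""


def split_sip(message: str):
    """Split a SIP message into (headers dict, body str). CRLF or LF accepted."""
    text = message.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    headers = {}
    for line in head.split("\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def media_sections(sdp: str):
    """Yield (m= line, list of a= lines) for each media section of an SDP body."""
    current, attrs = None, []
    for line in sdp.strip().split("\n"):
        if line.startswith("m="):
            if current is not None:
                yield current, attrs
            current, attrs = line, []
        elif current is not None and line.startswith("a="):
            attrs.append(line)
    if current is not None:
        yield current, attrs


def assess_invite(message: str, signalling_over_tls: bool) -> list:
    """Return one finding per media stream describing key-exchange exposure."""
    headers, body = split_sip(message)
    findings = []
    if "application/sdp" not in headers.get("content-type", ""):
        return findings  # no SDP offer, nothing to assess
    for mline, attrs in media_sections(body):
        fields = mline.split()
        media, proto = fields[0][2:], fields[2]
        has_sdes = any(a.startswith("a=crypto:") for a in attrs)
        if proto == "RTP/AVP":
            risk = "plain RTP: media is unencrypted on the wire"
        elif proto in ("RTP/SAVP", "RTP/SAVPF"):
            if has_sdes and not signalling_over_tls:
                risk = ("SRTP with SDES key in cleartext SIP: "
                        "anyone sniffing the signalling can read the key")
            elif has_sdes:
                risk = "SRTP with SDES key carried inside TLS-protected signalling"
            else:
                risk = "SRTP without SDES attribute: key exchanged out of band"
        elif proto == "UDP/TLS/RTP/SAVP":
            risk = "DTLS-SRTP: key derived from a DTLS handshake on the media path"
        else:
            risk = f"unrecognised transport {proto}"
        findings.append({"media": media, "proto": proto,
                         "sdes_key_in_sdp": has_sdes, "risk": risk})
    return findings


# Constructed sample: an SRTP offer whose SDES key sits in the SDP body.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:7170@10.20.30.40 SIP/2.0",
    "Via: SIP/2.0/UDP 10.20.30.5:5060;branch=z9hG4bK776asdhds",
    'From: "Desk 1201" <sip:1201@10.20.30.5>;tag=1928301774',
    "To: <sip:7170@10.20.30.40>",
    "Call-ID: a84b4c76e66710",
    "CSeq: 314159 INVITE",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 2890844526 2890842807 IN IP4 10.20.30.5",
    "s=-",
    "c=IN IP4 10.20.30.5",
    "t=0 0",
    "m=audio 49170 RTP/SAVP 0",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTEDKEYMATERIALxxxxxxxxxxxxxxx|2^20|1:32",
]) + "\r\n"


if __name__ == "__main__":
    for tls in (False, True):
        for f in assess_invite(SAMPLE_INVITE, signalling_over_tls=tls):
            print(f"signalling TLS={tls}: {f['media']} {f['proto']} -> {f['risk']}")
```

Run against a capture from the lab phones, the classification tells you whether the deployment actually meets the "secure key exchange" requirement: an `RTP/SAVP` offer with `a=crypto` over plain UDP SIP fails it even though the media itself is encrypted.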