Penetration Testing mailing list archives
RE: PBX Security
From: "Brennen Reynolds" <brennen-ml () off-pisteconsulting com>
Date: Mon, 10 Feb 2003 00:19:27 -0800
Razvan, et al.,

While not about PBX security directly, I have been doing research on the security of IP telephony in enterprise networks for the past year. I have several publications on the subject, including my Master's Thesis (http://www.off-pisteconsulting.com/research/pubs/reynolds-ms_thesis.pdf), NDSS 03 conference paper (http://www.off-pisteconsulting.com/research/pubs/ndss03-reynolds.pdf) and slides (http://www.off-pisteconsulting.com/research/pubs/ndss03-slides.ppt), and IEEE Communications Magazine article (http://www.off-pisteconsulting.com/research/pubs/ieee_comm.pdf). If you have any questions about any of the material, feel free to drop me an email.

Brennen

--
Brennen Reynolds - Chief Consultant/Owner - Off-Piste Consulting, LLC
Email: brennen at off-pisteconsulting dot com
Voice: (209) 258-4584
WWW: http://www.off-pisteconsulting.com
Fax: (209) 258-4584
PGP Fingerprint: E868 8B0D 175D 7394 E7AE 9E71 38CC 2B63 A1EB 9D9F
-----Original Message-----
From: Martin Walker [mailto:Martin.Walker () ctg com]
Sent: Saturday, February 08, 2003 10:08 AM
To: Rob Shein; Razvan; pen-test () securityfocus com
Subject: RE: PBX Security

Making matters worse is that the telephony vendors don't have a clue about anything other than the telephony side of things, and if you harden the box yourself you'll void most vendor paper regarding support etc.

Several steps need to be taken to effectively combat the situation. First, IT should own telephony, not facilities. Second, IT needs to recognise these devices are general purpose computing platforms and design the secured architecture appropriately. This would include implementing firewalled "zones of protection" between the data access layer (in this case the IVRS/call center), application layer (agent applications) and the data storage back end. Third, the boxes need to be hardened and the IT department's standard security self-certification program applied just like any other platform. A certification program would include recurring certification requirements. (I know everybody is using some sort of internal certification program to implement and manage security across the organization..... right?)

From: Razvan [mailto:bugtraq () risc ro]
Sent: Wednesday, February 05, 2003 2:51 AM
To: pen-test () securityfocus com
Subject: PBX Security
As promised, I return with the reasons I freaked when I saw what a PBX can become if used unwisely. Also, I feel unable to come up with any sort of relevant advice on this matter. What's actually scary is the fact that a PBX owner has practically no control over such an issue. He can have the most secure configuration, a relevant and enforced security policy, security-conscious users, etc., and he's still vulnerable. Or is he?

Awaiting your thoughts on this.

Razvan Teslaru
Romanian IT Security Company