RE: Converged Network Assessment

[Joseph Seanor <joseph () cibir net>]

Ken,

        Thank you for the email, however, I did not post that original email.  My email address was forged by an 
ex-employee of mine who has been doing this around the internet.

> I think one of the additional implications here is the realization
> that VoIP and multi-media will introduce new issues to the security
> community and should be factored into risk assessments. Pen tests
> should be adjusted accordingly.
>
> Several simple observations  on the convergence impact:
>
> 1) first, convergence is going to have a lot to do with integrating
> VoIP - here we should note that general managers are traditionally
> more concerned about voice privacy than email privacy (while most
> data folks know there's a lot of critical information in email,
> mgmt cares more about confidentiality on their voice
> communications) - this is likely to lead to wide-spread encryption
> of voice traffic which means it's an ideal convert channel since
> filters can't inspect encrypted data flows so look for malicious
> use of encrypted UDP packets
> 2) VoIP requires two ports (each is unidirectional) for
> conversations - some firewalls or perimeter defenses talk about pin
> holes being opened for voice; don't you love it - a hole in the
> perimeter but it's only a pin prick 2) acceptable, or functional
> latency is very different for voice and live video than for email
> or browsing; this means that many exploits that might cause a delay
> can actually produce an outage in the converged network 3) power
> dependency is an important issue since the phone grid traditionally
> carried it's own power and that's not easy to do with VoIP 4)
> location awareness is an issue as we see in the FCC battle over
> E911 for VoIP 5) spoofing of caller ID is made quite trivial in VoIP
> 6) Convergence also commonly includes wireless and new client form
> factors like cell phones and hybrid PDAs
>
> These are not all direct issues for a pen test but risk assessment
> and planning should address these and far more.
>
> Each new technology we deploy opens up new vulnerabilities and it's
> our jobs to be in front of these.
>
> Convergence is far more than market hype - it's going to bring lots
> of new vulnerabilities and will require new, enhanced defenses.
>
> And, as I've said to vendors for 30 years "it's got to be taught
> before it will be bought" so it's got to start with education.
>
>
> -----Original Message-----
> From: Bob Radvanovsky [mailto:rsradvan () unixworks net]
> Sent: Sunday, February 05, 2006 3:12 PM
> To: joseph () cibir net; pen-test () securityfocus com
> Subject: Re: Converged Network Assessment
>
> Actually, it could go either way.  The latest thing within the IT
> and security industries is "standardization".  For the security
> industries, this means converging physical, cyber and policy
> management security together. For the IT industries, this means
> converging telephone (VoIP), video, and networking together.
>
> This makes sense that what they're offering is a complete suite of
> networking assessments for telephony, video and network (data).
> They're taking advantage of the "convergence movement" lately, and
> utilizing it as a method of a one-stop-shopping for assessing ALL
> technologies under ONE quote.
>
> Makes sense, doesn't it?
>
> Bob Radvanovsky, CISM, CIFI, REM, CIPS
> "knowledge squared is information shared"
> rsradvan (at) unixworks.net | infracritical.com | ehealthgrid.com
> (630) 673-7740 | (412) 774-0373 (fax)
>
> *** DISCLAIMER NOTICE ***
> This electronic mail ("e-mail") message, including any and/or all
> attachments, is for the sole use of the intended recipient(s), and
> may contain confidential and/or privileged information, pertaining
> to business conducted under the direction and supervision of Bob
> Radvanovsky and/or his affiliates, as well as is the property of
> Bob Radvanovsky and/or his affiliates, or otherwise protected from
> disclosure.  All electronic mail messages, which may have been
> established as expressed views and/or opinions (stated either
> within the electronic mail message or any of its attachments), are
> left at the sole discretion and responsibility of that of the
> sender, and are not necessarily attributed to Bob Radvanovsky.
> Unauthorized interception, review, use, disclosure or distribution
> of any such information contained within this electronic mail
> message and/or its attachment(s), is(are) strictly prohibited.  As
> this e-mail may be legally privileged and/or confidential and is
> intended only for the use of the addressee(s), no addressee should
> forward, print, copy, or otherwise reproduce this message in any
> manner that would allow it to be viewed by any individual not
> originally listed as a recipient.  If the reader of this message is
> not the intended recipient, you are hereby notified that any
> unauthorized disclosure, dissemination, distribution, copying or
> the taking of any action in reliance upon the information herein is
> strictly prohibited.  If you have received this communication in
> error, please notify the sender immediately, followed by the
> deletion of this or any related message.
>
>
> ----- Original Message -----
> From: joseph () cibir net
> To: pen-test () securityfocus com
> Subject: Converged Network Assessment
>
>
> > I am newbie in the field of security, and stumbled across a
> > security
> company
> > advertising that they conduct Converged Network Assessments. As
> > they describe the assessment focuses on both the voice and the
> > data network, in order to expose any new security holes created
> > by a converged network.
> >
> > .The assessment covers:
> > -    External Security Assessment
> > -    Internal Security Assessment
> > -    PBX Assessment
> > -    Adjunct Assessment
> > -    Wireless Assessment
> > -    Bluetooth Assessment
> > -    Rogue Modem Assessment
> > -    IDS Assessment
> > -    SAN's Assessment
> > -    VoIP Assessment
> > -    Penetration testing
> >
> > So can someone provide me a honest answer to what a Converged
> > Network Assessment is, it sounds like a lot of marketing speak.
> >
> > thx

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------