Firewall Wizards mailing list archives
Re: VOIP versus PBX
From: Mark Teicher <mht3 () earthlink net>
Date: Thu, 21 Jul 2005 20:54:32 -0400
At 11:25 AM 7/21/2005, Marcus J. Ranum wrote:
Yehuda Goldenberg wrote: >What else do I have to worry about with VOIP? We don't know much about the security of VOIP PBXes but since they werelargely developed by "phone guys" I'm comfortable assuming that there is littleor none. So you have the issue of accidental or deliberate denial-of-service against desktop phones, but also the potential that the PBX can be attacked over the in-band network that's used to manage it. Because you *KNOW* that whoever manages the PBX will want to access it from their desktop workstation not a workstation on a separate VLAN.
>> Historically, most telecommunication folks who managed PBX prior to IP enabled PBX would hide in the telco/phone room a majority of the day to do moves, adds, changes and deletes, always standing by with their 66/110 punchdown tool, butt-set with appropriate gator clips to validate whether a traditional analog pair is working. This even goes for 911 or alarm lines.
As the migration towards VOIP PBXes is occurring, the telecommunications folks are a bit skiddish of moving towards a desktop workstation environment and would rather rely on their SAT Terminal connected via Serial Connection to the back end of the PBX. Most telecommunications folks get all befuddled when H.323/SIP speak is talked about and usually see through the B.S of the VoIP vendors
Most crusty old or experienced PBX admins are a bit more crusty at moving to the newer solutions especially when it involves screwing with dial tone for their users. Cutovers to VoIP PBXes are much more tricky, especially when migrating a call center environment or a financial trading firm. Disruption in phone service could impact their business greater than network disruption.
Much different POV then "ripping out old Gauntlet firewalls for the latest and greatest cobbled together "neat color scheme" all-in one appliance. :) Old motto: if ain't broke, don't fix it.
Ensuring a VOIP solution works in default mode is not easy, especially when considering large enterprise type entities are used to just coming into their office picking up their analog phone and retrieving their daily voicemail with little to no complexity.
Migration to a VOIP PBX solution can be a very complex and daunting, especially when dealing with QOS, MOS, jitter even if implementing a default configuration without turning on all the security features.
The scariest issue is did the VoIP PBX vendor implement the various VoIP protocols correctly and ensure their solution plays well with the various firewall, VPN, Intrusion Detection and Intrusion Prevention vendors out there. Most are still in the process of working out all the features to ensure users are not impacted to much.
P.S. I disavow any hands-on knowledge of VoIP PBX or traditional PBX security.. :)
The protocols used for VOIP are "problematic" let us say. "Designed by people who ignored security" might be a less tactful way to say it. "Moronic" also comes to mind. That said, there appear to be so many of them that it's hard to nail down whether you'll have a problem or not; it depends on what you wind up using and where/how. The situation is comparable to wireless - getting it all working in default mode is easy. Getting it all working safely is hard and may be impossible. Lastly, inevitably, someone will want to do VOIP with the outside world. For cost saving reasons, or whatever (but really so they can talk to their kid in college for "free") so there will be a move to let the VOIP through your firewall. Then you will discover VOIP-spam. Of course the guys who designed VOIP systems didn't take that into account, either. Like every other "new widget technology" VOIP will eventually mature just around the time that it's being replaced by some cool new new widget technology that didn't take into account any lessons learned from the last new widget technology. But there will be loads of vendors with a $15,000 1-U rack-mount appliance that offers a complete solution that fixes all those problems. mjr. _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- VOIP versus PBX Yehuda Goldenberg (Jul 21)
- Message not available
- Re: VOIP versus PBX Marcus J. Ranum (Jul 21)
- Re: VOIP versus PBX Mark Teicher (Jul 21)
- Re: VOIP versus PBX Marcus J. Ranum (Jul 21)
- Message not available
- Re: VOIP versus PBX Scott Stursa (Jul 21)
- Re: VOIP versus PBX Patrick M. Hausen (Jul 21)
- <Possible follow-ups>
- FW: VOIP versus PBX Yehuda Goldenberg (Jul 21)
- Re: FW: VOIP versus PBX Paul D. Robertson (Jul 21)
- Re: FW: VOIP versus PBX Michael H (Jul 21)
- Re: FW: VOIP versus PBX Paul D. Robertson (Jul 21)
- Re: FW: VOIP versus PBX Michael H (Jul 21)
- Re: VOIP versus PBX Elizabeth Zwicky (Jul 21)
- Re: VOIP versus PBX Paul D. Robertson (Jul 21)
- Re: FW: VOIP versus PBX Paul D. Robertson (Jul 21)