Re: VOIP versus PBX

["Marcus J. Ranum" <mjr () ranum com>]

Yehuda Goldenberg wrote:
> What else do I have to worry about with VOIP?

We don't know much about the security of VOIP PBXes but since they were
largely developed by "phone guys" I'm comfortable assuming that there is little
or none. So you have the issue of accidental or deliberate denial-of-service
against desktop phones, but also the potential that the PBX can be attacked
over the in-band network that's used to manage it. Because you *KNOW*
that whoever manages the PBX will want to access it from their desktop
workstation not a workstation on a separate VLAN.

The protocols used for VOIP are "problematic" let us say. "Designed by
people who ignored security" might be a less tactful way to say it.
"Moronic" also comes to mind. That said, there appear to be so many of
them that it's hard to nail down whether you'll have a problem or not; it
depends on what you wind up using and where/how. The situation is
comparable to wireless - getting it all working in default mode is easy.
Getting it all working safely is hard and may be impossible.

Lastly, inevitably, someone will want to do VOIP with the outside world.
For cost saving reasons, or whatever (but really so they can talk to their
kid in college for "free") so there will be a move to let the VOIP through
your firewall. Then you will discover VOIP-spam. Of course the guys
who designed VOIP systems didn't take that into account, either.

Like every other "new widget technology" VOIP will eventually mature
just around the time that it's being replaced by some cool new new
widget technology that didn't take into account any lessons learned
from the last new widget technology. But there will be loads of vendors
with a $15,000 1-U rack-mount appliance that offers a complete solution
that fixes all those problems.

mjr. 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards