Penetration Testing mailing list archives

RE: PBX Security

From: "Brennen Reynolds" <brennen-ml () off-pisteconsulting com>
Date: Mon, 10 Feb 2003 00:19:27 -0800

Razvan, et. al,

        While not about PBX security directly, I have been doing research on the
security of IP telephony in enterprise networks for the past year. I have
several publications on the subject including my Master's Thesis
(http://www.off-pisteconsulting.com/research/pubs/reynolds-ms_thesis.pdf),
NDSS 03 conference paper
(http://www.off-pisteconsulting.com/research/pubs/ndss03-reynolds.pdf) and
slides (http://www.off-pisteconsulting.com/research/pubs/ndss03-slides.ppt)
and IEEE Communication Magazine article
(http://www.off-pisteconsulting.com/research/pubs/ieee_comm.pdf). If you
have any questions about any of the material feel free to drop me an email.

Brennen

--
Brennen Reynolds - Chief Consultant/Owner - Off-Piste Consulting, LLC

Email: brennen at off-pisteconsulting dot com  Voice:  (209) 258-4584
WWW:   http://www.off-pisteconsulting.com      Fax:    (209) 258-4584

PGP Fingerprint:
E868 8B0D 175D 7394 E7AE  9E71 38CC 2B63 A1EB 9D9F

-----Original Message-----
From: Martin Walker [mailto:Martin.Walker () ctg com]
Sent: Saturday, February 08, 2003 10:08 AM
To: Rob Shein; Razvan; pen-test () securityfocus com
Subject: RE: PBX Security

Making matters worse is that the telephony vendors don't have a clue
about anything other than the telelphony side of things, and if you
harden the box yourself you'll void most vendor paper regarding support
etc.

Several steps need to be taken to effectively combat the situation.
First is that IT should own telelphony, not facilities.  Second IT needs
to recognise these devices are general purpose computing platforms and
design the secured architecture appropriately.  This would include
implementing firewalled "zones of protection" between the data access
layer (in this case the IVRS/call center), application layer (agent
applications) and the data storage back end.  Third the boxes need to be
hardened and the IT department's standard security self-certification
program applied just like any other platform.  A certification program
would include recurring certification requirements.  (I know everybody
is using some sort of internal certification program to implement and
manage security across the organization.....right?).

From: Razvan [mailto:bugtraq () risc ro]
Sent: Wednesday, February 05, 2003 2:51 AM
To: pen-test () securityfocus com
Subject: PBX Security


As promised, I return with the reasons I freaked when I saw
what a PBX can become if used unwisely.

Also, I feel unable to come up with any sort of relevant
advice on this matter. What's actually scary is the fact a
PBX owner has practically no control over such an issue. He
can have the most secure configuration, a relevant and
enforced security policy, security conscious users, etc and
he's still vulnerable. Or is he?

Waiting your thoughts on this.

Razvan Teslaru
Romanian IT Security Company



----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Current thread:

PBX Security Razvan (Feb 05)
- RE: PBX Security Rob Shein (Feb 06)
- Re: PBX Security Fabio Pietrosanti (naif) (Feb 10)
- <Possible follow-ups>
- RE: PBX Security Martin Walker (Feb 09)
  - RE: PBX Security Thomas Porter, Ph.D. (Feb 09)
    - RE: PBX Security Jonathan Rickman (Feb 10)
    - RE: PBX Security Jacek Lipkowski (Feb 11)
  - RE: PBX Security Brennen Reynolds (Feb 10)