Penetration Testing mailing list archives
RE: VoIP Assessment
From: "Bob Bell (rtbell)" <rtbell () cisco com>
Date: Thu, 21 Jul 2005 08:17:11 -0700
Mark - My point is that IP Telephony within an enterprise can be secure. There are many things which can be done (such as strong authentication of the endpoints [both the call control agent and the communications endpoint)in conjunction with encrypted and authenticated signaling and media flows, control of provisioning information and images in such a manner that the probability of corruption or modification is extremely low, etc. The blanket statement that "VoIP is not secure" is extremely misleading. If you apply no safeguards to the system (note I am indicating a system level protection) then I would agree with you that, just like file transfers or database access or any of the other applications that exist on a network, it is not secure. If on the other hand, reasonable measures are taken (and there are commercial products that do take them) then the level of security is commenserate with the level of risk. There are a large number of organizations today who are getting a great deal of press coverage by claiming that "the sky is falling" when they are making assumptions that are simply not true. One of the ones that really gets to me is that if you do IP Telephony, you must admit into your network directly any attempted VoIP calls that come at you by opening holes in the perimeter fire walls to admit the traffic. First of all, that is not realistic. We do not do that for web access, nor email access nor any other form of access, why in the world would we do it for voice. It will go through a gateway type device on a DMZ so that the messaging can truly be validated and verified and so that the external party does not have access to information that the corporation deems confidential. Secondly, if it is a remote worker, then the connection will involve a VPN link and so will not be admitted unchecked either. Just because the standards groups envisioned a totally uncontrolled environment, there is nothing that required enterprises (or residential users for that matter) to simply close their eyes and say "cut here". I would agree that there are some "security" consultants that may not be either as complete and accurate as they should be in this area. But that is true of all consultants and all areas. We should not blindly reject as "unprotectable" or "unsecurable" a system that has been demonstrated to be securable. We, the security forces, need to assess the risks and remediation methods to determine both effectiveness and functionality. We must make IPT or VoIP into a viable technology with the protections that are required. We cannot simply assert that there is no hope, because there is. Bob
-----Original Message----- From: Mark Teicher [mailto:mht3 () earthlink net] Sent: Wednesday, July 20, 2005 20:24 To: Bob Bell (rtbell) Cc: intel96; pen-test () securityfocus com Subject: RE: VoIP Assessment Fundamentally, VoIP is not secure, as originally stated, It depends on what an organization is attempting to validate. Network security consulting practices will attempt to dazzle an organization with their "VoIP assessment or VoIP Readiness services" . Some concentrate more on VoIP network readiness and propose bandwidth analysis utilizing tools that either home grown or commercial. This may provide some insight on jitter, latency and other such issues when implementing or migrating to a VoIP infrastructure. Discussion of security issues arise when "former security investigators" or "Ph D" types get involved in the discussion and start rattling off statements "As telephone communications move to the IP world, it will become increasingly easier to intercept and monitor telephone calls by anyone." and "How businesses handle threats to their converged network will be crucial to their success." Great buzzword statements, but they miss the questions that an organization may have r egarding the underlying security of VoIP and the various aspects of enabling options that allow for availability and ease of use for end users. At 11:24 AM 7/20/2005, Bob Bell \(rtbell\) wrote:Mark, Intel96 - There are a lot of conflicting opinions floating around as to the security of VoIP systems. One of the things that you need to do is establish whether you are dealing with a bounded system, (i.e. an enterprise PBX replacement) or an unbounded one (i.e. SKYPE) as they have considerable differences in both their vulnerability and the resources available to deal with issues. Secondly, securityof VoIP isnot a single dimensional problem. Many of the issues ofprotecting VoIPoccur a layers far below the application layer which is where VoIP lives. So, you need to examine the issue from a systems approach not simply a point solution for VoIP. Finally, there is a greatdeal moreto providing SYSTEMIC protection beyond simply protectingthe protocol.This includes things like the provisioning of the endpoints, the control of and validation of the images contained in theendpoints, theauthentication and authorization schemes for the endpointsand users,etc. If I can be of help, please feel free to contact me. Bob IPCBU Security Architect Cisco Systems, Inc. 576 S. Brentwood Ln. Bountiful, UT 84010 801-294-3034 (v) 801-294-3023 (f) 801-971-4200 (c) rtbell () cisco com-----Original Message----- From: Mark Teicher [mailto:mht3 () earthlink net] Sent: Tuesday, July 19, 2005 16:40 To: intel96 Cc: pen-test () securityfocus com Subject: Re: VoIP Assessment What specific items have you been tasked to validate? Could be as simple as : Are the components VoIP capable? If so, then what protocols have been implemented (Y/N) If x protocol, if implemented correctly (i.e when enabled, does it process the traffic correctly (Y/N) If x protocol, if implemented correctly (i.e. when x protocol is disabled, does it block VoIP traffic inbound/outbound? (Y/N) and so and so on Lots of those "security" type experts will overstate theobvious andstart rattling off big words like MITM attacks, Resourceexhaustion,H.323 attacks, SIP Overflow attacks, etc, etc, but IMHO, simplify what the tasks are, and break those tasks into simplesteps that anyformer senior security consultant can do by utilizing a checklist approach, otherwise one gets into the battle with the "puffed out chest security wannabes " /m At 01:40 PM 7/19/2005, intel96 wrote:I have been asked to look at the security of a VoIParchitecture. Hasanyone conducted a security assessment against VoIP or thecomponentsthat make up the architecture? Thanks, Intel96
Current thread:
- VoIP Assessment intel96 (Jul 19)
- Re: VoIP Assessment Mark Teicher (Jul 19)
- <Possible follow-ups>
- RE: VoIP Assessment Bob Bell (rtbell) (Jul 20)
- Message not available
- RE: VoIP Assessment Mark Teicher (Jul 20)
- Message not available
- RE: VoIP Assessment Bob Bell (rtbell) (Jul 21)
- Message not available
- RE: VoIP Assessment Mark Teicher (Jul 21)
- Message not available