Penetration Testing mailing list archives
RE: Converged Network Assessment - VoIP Security
From: Bob Radvanovsky <rsradvan () unixworks net>
Date: Tue, 07 Feb 2006 13:54:24 -0600
Since the gent hasn't specified, I did some digging and found this out. IP3's announcement from their web site: http://www.ip3seminars.com/conf.htm The VoIP Conference 2006: http://www.voip-wifi.net/ Call us: (800)473-5181 EMail us: info () voip-wifi net Send us a letter or visit us: IIT/IP3 VoIP-Wireless Conference 1320 N. Michigan Ave. Suite 6 Saginaw, MI 48602 VoIP Conference 2006 participants requirements: http://www.voip-wifi.net/docs/Prospectus.pdf About the speakers who will be present at the conference: http://www.voip-wifi.net/speakers.php Thought Leaders from Academia & Industry Ken Kousky IP3 Seminars, CEO Ken Kousky is President and CEO of IP3, Inc., an information security consulting firm, and is currently serving on the board of OpenUmbrella.org, a nonprofit organization addressing market awareness and understanding of open source technologies. He is also on the advisory boards of several private IT companies. Previously, Ken served as CEO of Wave Technologies, a NASDAQ (WAVT) company and as president of Novell's subsidiary NetWare Centers International until 1989. As an educator, Ken has taught in both the Business School and the School of Engineering at the University of Pennsylvania and Washington University. -------------------------------------------------------------------------------- Carol Davids Professor, IIT CPD Network Security Technologies "Protocol & Standards" Carol Davids has worked in the telecommunications industry for over thirty years. After a twenty-two year career with an RBOC where she was responsible for projects in a wide range of disciplines including packet-switched data networks and gateways to the Interexchange carriers, she has spent the last ten years in the vendor community developing and testing products and standards for providing telephone service over broadband networks. As the Alva C. Todd Professor at Illinois Institute of Technology's Center for Professional Development, Professor Davids created the VoIP curriculum, designing and building the laboratory which is at its core. -------------------------------------------------------------------------------- Roger Farnsworth Sr. Systems Marketing Manager IP Communications Security rfarnswo () cisco com Roger Farnsworth is an industry expert in areas of information security and IP telephony. In his current role he helps the business community understand the intersection of these key technologies. In more than ten years with Cisco, Roger Farnsworth has held several key marketing roles including Director of Voice Product and Technology Marketing, Director of the Service Provider Solutions Marketing team, Director of Marketing of the Optical Networking Group, and leadership of the Cisco Security Product Marketing team. -------------------------------------------------------------------------------- Claudia Gunter President/CEO Gunter Intelligence, Inc. Over 20 years of Business Due Diligence, Intellectual Property Investigations, Telephony Research and Development, and Business and Finance Management in the private and public sector serving in various management roles and as a Business Consultant. Her creative, bold go-to-market strategies, combined with an exceptional portfolio of versatile business partnerships, fostered her innovative and fearless desire to fine-tune her love for creating cutting-edge, commications-technology and applications for investigative and enforcement services. -------------------------------------------------------------------------------- Carl Kettler Senior System Engineer Spirent Communications Carl Kettler has over 20 years experience in data communications and networking, including experience as an application developer, network administrator, network architect and instructor. Carl Kettler has worked for enterprise organizations, with a particular focus on the financial industry as well as for IT consulting organizations and IT vendors including Bay Networks, Sun Microsystems and Micromuse. In his current role, Carl Kettler provides technical solutions for data network testing. -------------------------------------------------------------------------------- John DiGiovanni Director of Marketing Xirrus John DiGiovanni is the Director of Marketing for Xirrus, Inc., the developers of the next generation in enterprise Wi-Fi architectures - the Wireless LAN Array. In this role, DiGiovanni brings over 12-years of high-tech marketing experience and is responsible for all facets within the Company's marketing department including product strategy, global product marketing, corporate communications and public relations. Prior to joining Xirrus, Inc. in January of 2004, he was Director of Marketing at Nomadix, Inc., a leading supplier of Public-access solutions. While at Nomadix, he was instrumental in expanding the company's brand recognition and mindshare in the Wi-Fi industry. During this time, Nomadix' footprint grew to over 10,000 points of presence throughout the world resulting in the company's 4th place ranking on Deloitte & Touche's Technology Fast 50, a listing of the Los Angeles' fastest growing technology companies. Jesse Frankel Director, Systems Engineering AirMagnet "Wireless LAN Security" Jesse Frankel has been working in various areas of wireless LAN technology and applications for over 10 years. Currently he is Director, Systems Engineering for AirMagnet, the award-winning provider of wireless LAN management and monitoring tools. He is responsible for pre-sales technical support and system architecture for the Eastern US. Among his past positions, he was VP Systems Technology at Wayport, provider of broadband Internet access services for business travelers. His group was responsible for the design an implementation of 802.11b (Wi-Fi) networks in major US airports and hotels. At Telxon (acquired by Symbol Technologies in 2000), Jesse held various management and R&D positions for this designer and manufacturer of wireless mobile application systems and devices. As VP strategic Technology Consulting, he drove formulation of technical sales strategies and WLAN system architectures for major global customers, such as Wal-Mart Stores, Ford, GM, and KLM Airlines. -------------------------------------------------------------------------------- Christian Stegh IP Telephony Practice Leader, North America Avaya "Best Practices and Real World Deployment of VoIP Security" Christian Stegh is the IP Telephony Practice Leader for Avaya's North American region. His experiences include deploying and maintaining IP networks for an enterprise IT staff, designing converged networks, and integrating Avaya IP Telephony solutions into hundreds of client networks. His current responsibilities include providing Avaya's product developers with requirements, direction, and input from Avaya clients. He sits on Avaya's Security Steering Committee, multiple product decision teams, and speaks regularly at IEEE and industry events. -------------------------------------------------------------------------------- Shawn Sweeney Director, Technical Marketing Siemens Shawn Sweeney brings over 23-years of technical experience in the data communications industry to Siemens. He is responsible for the strategic positioning and promotion of the company's suite of WLAN products. Previously, Shawn was with Chantry Networks, a WLAN start-up company that was acquired by Siemens in January 2005. He has a long history in the networking industry with management positions at Legra Systems, Allegro Networks, RiverDelta Networks (later acquired by Motorola), Packet Engines and Bay Networks. He began his career with a 14-year stint at Motorola. Shawn graduated Summa Cum Laude from Roger Williams University in Bristol, RI and is a Certified Information Systems Security Professional (CISSP). -------------------------------------------------------------------------------- Kenneth Dort Partner Gordon & Glickson LLC Kenneth Dort's practice focuses on information technology and intellectual property law issues, including software development and licensing, systems development and integration, trade secret protection, and copyright/trademark licensing and protection. He is an experienced litigator who has handled cases at the trial and appellate levels throughout the United States in the above areas and others, such as copyright and trademark infringement, information systems development and implementation failures, trade secret protection, and related areas of complex commercial litigation. He also advises clients on general corporate issues, business strategies and related areas of information technology law. Mr. Dort represents national and regional businesses throughout the United States. -------------------------------------------------------------------------------- Chris McGugan Sr. Director, Product Marketing Symbol Technologies Chris McGugan is an industry expert in the areas of Ethernet, Wireless, and Layer 3 technologies with 15 years of experience in developing and marketing products for the networking industry. He is responsible for the ongoing product development strategy, direction, and marketing for Symbol’s wireless portfolio. Prior to joining Symbol, Chris held key leadership roles in research, product marketing, and technical marketing with Cisco Systems focused on LAN switching, core routing, and broadband services. He has been active in many standards bodies and industry consortia driving the advancement of network technology. Margaret Grayson President AEP Networks "Secure Wireless Application: Myth or Reality?" Margaret E. Grayson is the President of AEP Government Solutions Group and Executive Vice President of AEP Networks, a specialist in providing secure networking, application access, and information sharing solutions, and a pioneer in the development of Internet cyber security protection using application layer SSL VPN technology. AEP offers a suite of enterprise class software products and hardware appliances that provide a complete virtual private network solution for AEP’s customers. Fortune 1000 corporations and sensitive government agencies worldwide use AEP’s innovative technology for both wired and wireless integrated authentication, encryption and access control. -------------------------------------------------------------------------------- Shane Cleckler Manager of Systems Engineering Ingate Systems "Firewalls and VLANS - Creating and Managing a Segmented Network" Shane Cleckler joined Ingate Systems after a six-year tenure at WorldCom, where he rose through the telecommunications engineering ranks. At WorldCom, Cleckler’s main responsibilities revolved around the execution of product evaluation and system integration testing of SIP-capable firewalls for use in next generation VoIP networks. Before WorldCom, Cleckler held the position of bench technician and quality assurance monitor at Universal Computer Systems where he was responsible for system to component level fault isolation testing and restoration. In his role at Ingate, Cleckler supports Ingate’s US customers before and after purchase. He has extensive experience with security technology, system integration, product support and customer service. He holds a bachelor of science in electrical engineering from Texas A&M University. -------------------------------------------------------------------------------- Andrew Graydon VP Technology BorderWare Andrew Graydon is responsible for leading the technology innovations at BorderWare, ensuring our position as a leader in the messaging security field. Bringing his technical expertise and years of working worldwide with customers and technical communities, his vision, energy and enthusiasm drive BorderWare products to being the best-of-breed in messaging security. Prior to joining BorderWare, Andrew was the V.P. Customer Engineering at Wysdom, a privately held company which pioneered the Software Delivery Platform for wireless devices, allowing wireless telcos to enable their internal infrastructure for secure delivery of functionality to external developers. In this role he helped to internally define the technology and concepts while working with the customers and the technical community. In his previous position as Director, Development with Origins Software Company, a startup in Boston bought by Wysdom, he architected the product and led the development team for Active Blueprints, a fourth generation development environment for generating N-tiered application code for mobile devices from graphical design flow diagrams. Andrew holds a B.Sc(Hons) from Dublin City University, Ireland, in Applied Physics with specializations in Computational and Mathematical Physics. -------------------------------------------------------------------------------- Craig Forbes Vice President, Strategic Initiatives Net.com As vice president of strategic initiatives, Craig Forbes drives new business and sales opportunities, partnerships, alliances and/or joint ventures consistent with the company's strategic direction. Forbes leads the company in driving initiatives of the Broadband Services Forum, an organization formed by the merger of the Broadband Content Delivery Forum and the Service Creation Community. He is vice chairman of the BSF and is a director of ATIS, the Alliance for Telecommunications Industry Solutions. -------------------------------------------------------------------------------- Gerald M. Hoffman President The Gerald Hoffman Company LLC Gerald Hoffman is a consultant, an educator, and an author. His field of expertise is the management of information technology. He has done pioneering work in helping organizations get value from their information technology investments, in identifying and mapping technology trends and their effects on organizations, and in developing business strategies to exploit these trends. He is co-chairman of the Committee on Corporate Governance of a medium sized health care system. Most recently he has investigated the causes of IT project failures and developed a methodology called Meta Planning to help insure IT project success. He is an adjunct professor at Illinois Institute of Technology, and has lectured in executive education programs in both corporate and academic settings. Bob Radvanovsky, CISM, CIFI, REM, CIPS "knowledge squared is information shared" rsradvan (at) unixworks.net | infracritical.com | ehealthgrid.com (630) 673-7740 | (412) 774-0373 (fax) ----- Original Message ----- From: Mark Teicher [mailto:mht3 () earthlink net] To: Ken Kousky [mailto:kkousky () ip3inc com], 'Giancarlo Paolillo' [mailto:gpaolillo () earthlink net], 'Bob Radvanovsky' [mailto:rsradvan () unixworks net], pen-test () securityfocus com Subject: RE: Converged Network Assessment - VoIP Security
What are the speaker qualifications your conference is looking for? -----Original Message-----From: Ken Kousky <kkousky () ip3inc com> Sent: Feb 7, 2006 9:48 AM To: 'Giancarlo Paolillo' <gpaolillo () earthlink net>, 'Bob Radvanovsky'<rsradvan () unixworks net>, joseph () cibir net, pen-test () securityfocus comSubject: RE: Converged Network Assessment - VoIP Security We recently released a call for speakers and a call for sponsors for the second annual VoIP Security Conference at Illinois Institute of Technology this May. If anyone on this list is interested in presenting or simply attending let me know and we'll send info regards Ken Kousky IP3 www.ip3security.com -----Original Message----- From: Giancarlo Paolillo [mailto:gpaolillo () earthlink net] Sent: Monday, February 06, 2006 8:58 PM To: 'Ken Kousky'; 'Bob Radvanovsky'; joseph () cibir net; pen-test () securityfocus com Subject: RE: Converged Network Assessment Ken, all of your points are quite true.. I can additionally tell you from experience that none of the major firewall companies will actually "certify" DPI on VoIP. Pin holes for both ports (5060 and 5061, UDP) is not even enough since some companies are changing to bypass well known ports as they may be getting blocked by ISPs. Solutions from Cisco or even Avaya's VoIP PBX solution will fail if DPI is turned on. For example, on a netscreen, you have to turn on "Ignore Type" just to allow that traffic to get through... not really more effective than a simple ACL on your border router... Then you have to worry about the actual devices and application! We found in some cases that some of the third party MTA vendors would begin retransmitting SIP messages several times per second if it failed the 1st time... imagine what that will do to your firewalls when your normal traffic may be 100K sessions on a 500k session fwll.... all of a sudden you have a DOS scenario which is due to non-standard of device/protocol/error management. It gets "better" from there.... Giancarlo -----Original Message----- From: Ken Kousky [mailto:kkousky () ip3inc com] Sent: Monday, February 06, 2006 9:07 AM To: 'Bob Radvanovsky'; joseph () cibir net; pen-test () securityfocus com Subject: RE: Converged Network Assessment I think one of the additional implications here is the realization that VoIP and multi-media will introduce new issues to the security community and should be factored into risk assessments. Pen tests should be adjusted accordingly. Several simple observations on the convergence impact: 1) first, convergence is going to have a lot to do with integrating VoIP - here we should note that general managers are traditionally more concerned about voice privacy than email privacy (while most data folks know there's a lot of critical information in email, mgmt cares more about confidentiality on their voice communications) - this is likely to lead to wide-spread encryption of voice traffic which means it's an ideal convert channel since filters can't inspect encrypted data flows so look for malicious use of encrypted UDP packets 2) VoIP requires two ports (each is unidirectional) for conversations - some firewalls or perimeter defenses talk about pin holes being opened for voice; don't you love it - a hole in the perimeter but it's only a pin prick 2) acceptable, or functional latency is very different for voice and live video than for email or browsing; this means that many exploits that might cause a delay can actually produce an outage in the converged network 3) power dependency is an important issue since the phone grid traditionally carried it's own power and that's not easy to do with VoIP 4) location awareness is an issue as we see in the FCC battle over E911 for VoIP 5) spoofing of caller ID is made quite trivial in VoIP 6) Convergence also commonly includes wireless and new client form factors like cell phones and hybrid PDAs These are not all direct issues for a pen test but risk assessment and planning should address these and far more. Each new technology we deploy opens up new vulnerabilities and it's our jobs to be in front of these. Convergence is far more than market hype - it's going to bring lots of new vulnerabilities and will require new, enhanced defenses. And, as I've said to vendors for 30 years "it's got to be taught before it will be bought" so it's got to start with education. -----Original Message----- From: Bob Radvanovsky [mailto:rsradvan () unixworks net] Sent: Sunday, February 05, 2006 3:12 PM To: joseph () cibir net; pen-test () securityfocus com Subject: Re: Converged Network Assessment Actually, it could go either way. The latest thing within the IT and security industries is "standardization". For the security industries, this means converging physical, cyber and policy management security together. For the IT industries, this means converging telephone (VoIP), video, and networking together. This makes sense that what they're offering is a complete suite of networking assessments for telephony, video and network (data). They're taking advantage of the "convergence movement" lately, and utilizing it as a method of a one-stop-shopping for assessing ALL technologies under ONE quote. Makes sense, doesn't it? Bob Radvanovsky, CISM, CIFI, REM, CIPS "knowledge squared is information shared" rsradvan (at) unixworks.net | infracritical.com | ehealthgrid.com (630) 673-7740 | (412) 774-0373 (fax) *** DISCLAIMER NOTICE *** This electronic mail ("e-mail") message, including any and/or all attachments, is for the sole use of the intended recipient(s), and may contain confidential and/or privileged information, pertaining to business conducted under the direction and supervision of Bob Radvanovsky and/or his affiliates, as well as is the property of Bob Radvanovsky and/or his affiliates, or otherwise protected from disclosure. All electronic mail messages, which may have been established as expressed views and/or opinions (stated either within the electronic mail message or any of its attachments), are left at the sole discretion and responsibility of that of the sender, and are not necessarily attributed to Bob Radvanovsky. Unauthorized interception, review, use, disclosure or distribution of any such information contained within this electronic mail message and/or its attachment(s), is(are) strictly prohibited. As this e-mail may be legally privileged and/or confidential and is intended only for the use of the addressee(s), no addressee should forward, print, copy, or otherwise reproduce this message in any manner that would allow it to be viewed by any individual not originally listed as a recipient. If the reader of this message is not the intended recipient, you are hereby notified that any unauthorized disclosure, dissemination, distribution, copying or the taking of any action in reliance upon the information herein is strictly prohibited. If you have received this communication in error, please notify the sender immediately, followed by the deletion of this or any related message. ----- Original Message ----- From: joseph () cibir net To: pen-test () securityfocus com Subject: Converged Network AssessmentI am newbie in the field of security, and stumbled across a securitycompanyadvertising that they conduct Converged Network Assessments. As they describe the assessment focuses on both the voice and the data network, in order to expose any new security holes created by aconvergednetwork. .The assessment covers: - External Security Assessment - Internal Security Assessment - PBX Assessment - Adjunct Assessment - Wireless Assessment - Bluetooth Assessment - Rogue Modem Assessment - IDS Assessment - SAN's Assessment - VoIP Assessment - Penetration testing So can someone provide me a honest answer to what a Converged Network Assessment is, it sounds like a lot of marketing speak. thx------------------------------------------------------------------------ ------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 ------------------------------------------------------------------------ ------- ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down serversarefutile against web application hacking. Check your website forvulnerabilitiesto SQL injection, Cross site scripting and other web attacks before hackersdo!Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- RE: Converged Network Assessment - VoIP Security Bob Radvanovsky (Feb 07)
- <Possible follow-ups>
- RE: Converged Network Assessment - VoIP Security Mark Teicher (Feb 07)