Penetration Testing mailing list archives
RE: Converged Network Assessment - VoIP Security
From: Mark Teicher <mht3 () earthlink net>
Date: Tue, 7 Feb 2006 14:38:01 -0500 (GMT-05:00)
What are the speaker qualifications your conference is looking for?

-----Original Message-----
From: Ken Kousky <kkousky () ip3inc com>
Sent: Feb 7, 2006 9:48 AM
To: 'Giancarlo Paolillo' <gpaolillo () earthlink net>, 'Bob Radvanovsky' <rsradvan () unixworks net>, joseph () cibir net, pen-test () securityfocus com
Subject: RE: Converged Network Assessment - VoIP Security

We recently released a call for speakers and a call for sponsors for the second annual VoIP Security Conference at Illinois Institute of Technology this May. If anyone on this list is interested in presenting or simply attending let me know and we'll send info.

regards
Ken Kousky
IP3
www.ip3security.com

-----Original Message-----
From: Giancarlo Paolillo [mailto:gpaolillo () earthlink net]
Sent: Monday, February 06, 2006 8:58 PM
To: 'Ken Kousky'; 'Bob Radvanovsky'; joseph () cibir net; pen-test () securityfocus com
Subject: RE: Converged Network Assessment

Ken, all of your points are quite true.. I can additionally tell you from experience that none of the major firewall companies will actually "certify" DPI on VoIP. Pin holes for both ports (5060 and 5061, UDP) is not even enough since some companies are changing to bypass well known ports as they may be getting blocked by ISPs. Solutions from Cisco or even Avaya's VoIP PBX solution will fail if DPI is turned on. For example, on a netscreen, you have to turn on "Ignore Type" just to allow that traffic to get through... not really more effective than a simple ACL on your border router...

Then you have to worry about the actual devices and application! We found in some cases that some of the third party MTA vendors would begin retransmitting SIP messages several times per second if it failed the 1st time... imagine what that will do to your firewalls when your normal traffic may be 100K sessions on a 500k session firewall.... all of a sudden you have a DOS scenario which is due to non-standard of device/protocol/error management. It gets "better" from there....
Giancarlo

-----Original Message-----
From: Ken Kousky [mailto:kkousky () ip3inc com]
Sent: Monday, February 06, 2006 9:07 AM
To: 'Bob Radvanovsky'; joseph () cibir net; pen-test () securityfocus com
Subject: RE: Converged Network Assessment

I think one of the additional implications here is the realization that VoIP and multi-media will introduce new issues to the security community and should be factored into risk assessments. Pen tests should be adjusted accordingly.

Several simple observations on the convergence impact:

1) first, convergence is going to have a lot to do with integrating VoIP - here we should note that general managers are traditionally more concerned about voice privacy than email privacy (while most data folks know there's a lot of critical information in email, mgmt cares more about confidentiality on their voice communications) - this is likely to lead to wide-spread encryption of voice traffic which means it's an ideal covert channel since filters can't inspect encrypted data flows so look for malicious use of encrypted UDP packets

2) VoIP requires two ports (each is unidirectional) for conversations - some firewalls or perimeter defenses talk about pin holes being opened for voice; don't you love it - a hole in the perimeter but it's only a pin prick

2) acceptable, or functional latency is very different for voice and live video than for email or browsing; this means that many exploits that might cause a delay can actually produce an outage in the converged network

3) power dependency is an important issue since the phone grid traditionally carried its own power and that's not easy to do with VoIP

4) location awareness is an issue as we see in the FCC battle over E911 for VoIP

5) spoofing of caller ID is made quite trivial in VoIP

6) Convergence also commonly includes wireless and new client form factors like cell phones and hybrid PDAs

These are not all direct issues for a pen test but risk assessment and planning should address these and far more. Each new technology we deploy opens up new vulnerabilities and it's our jobs to be in front of these.

Convergence is far more than market hype - it's going to bring lots of new vulnerabilities and will require new, enhanced defenses. And, as I've said to vendors for 30 years "it's got to be taught before it will be bought" so it's got to start with education.

-----Original Message-----
From: Bob Radvanovsky [mailto:rsradvan () unixworks net]
Sent: Sunday, February 05, 2006 3:12 PM
To: joseph () cibir net; pen-test () securityfocus com
Subject: Re: Converged Network Assessment

Actually, it could go either way. The latest thing within the IT and security industries is "standardization". For the security industries, this means converging physical, cyber and policy management security together. For the IT industries, this means converging telephone (VoIP), video, and networking together.

This makes sense that what they're offering is a complete suite of networking assessments for telephony, video and network (data). They're taking advantage of the "convergence movement" lately, and utilizing it as a method of a one-stop-shopping for assessing ALL technologies under ONE quote.

Makes sense, doesn't it?

Bob Radvanovsky, CISM, CIFI, REM, CIPS
"knowledge squared is information shared"
rsradvan (at) unixworks.net | infracritical.com | ehealthgrid.com
(630) 673-7740 | (412) 774-0373 (fax)

*** DISCLAIMER NOTICE ***

This electronic mail ("e-mail") message, including any and/or all attachments, is for the sole use of the intended recipient(s), and may contain confidential and/or privileged information, pertaining to business conducted under the direction and supervision of Bob Radvanovsky and/or his affiliates, as well as is the property of Bob Radvanovsky and/or his affiliates, or otherwise protected from disclosure.
All electronic mail messages, which may have been established as expressed views and/or opinions (stated either within the electronic mail message or any of its attachments), are left at the sole discretion and responsibility of that of the sender, and are not necessarily attributed to Bob Radvanovsky. Unauthorized interception, review, use, disclosure or distribution of any such information contained within this electronic mail message and/or its attachment(s), is(are) strictly prohibited. As this e-mail may be legally privileged and/or confidential and is intended only for the use of the addressee(s), no addressee should forward, print, copy, or otherwise reproduce this message in any manner that would allow it to be viewed by any individual not originally listed as a recipient.

If the reader of this message is not the intended recipient, you are hereby notified that any unauthorized disclosure, dissemination, distribution, copying or the taking of any action in reliance upon the information herein is strictly prohibited. If you have received this communication in error, please notify the sender immediately, followed by the deletion of this or any related message.

----- Original Message -----
From: joseph () cibir net
To: pen-test () securityfocus com
Subject: Converged Network Assessment

I am a newbie in the field of security, and stumbled across a security company advertising that they conduct Converged Network Assessments. As they describe the assessment focuses on both the voice and the data network, in order to expose any new security holes created by a converged network.

The assessment covers:
- External Security Assessment
- Internal Security Assessment
- PBX Assessment
- Adjunct Assessment
- Wireless Assessment
- Bluetooth Assessment
- Rogue Modem Assessment
- IDS Assessment
- SAN's Assessment
- VoIP Assessment
- Penetration testing

So can someone provide me an honest answer to what a Converged Network Assessment is, it sounds like a lot of marketing speak.

thx
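Added example, not part of the original thread: a check for the failure mode Giancarlo describes, endpoints that resend SIP requests several times per second instead of following the RFC 3261 backoff (first retransmit after T1 = 500 ms, interval doubling, non-INVITE requests capped at T2 = 4 s). The record layout and sample data are constructed for illustration, and UDP transport is assumed.

```python
from collections import defaultdict

T1, T2 = 0.5, 4.0   # RFC 3261 default timers in seconds (UDP transport)
TOLERANCE = 0.8     # allow 20% jitter before calling a retransmit "too fast"

# Constructed sample records in a hypothetical log format:
# (timestamp_s, source_ip, method, call_id, cseq, via_branch)
SAMPLE = [
    (0.0, "192.0.2.10", "INVITE", "a1@pbx", 1, "z9hG4bKaaa"),  # compliant
    (0.5, "192.0.2.10", "INVITE", "a1@pbx", 1, "z9hG4bKaaa"),
    (1.5, "192.0.2.10", "INVITE", "a1@pbx", 1, "z9hG4bKaaa"),
    (3.5, "192.0.2.10", "INVITE", "a1@pbx", 1, "z9hG4bKaaa"),
    (0.0, "192.0.2.77", "INVITE", "b7@ata", 1, "z9hG4bKbbb"),  # storming
    (0.2, "192.0.2.77", "INVITE", "b7@ata", 1, "z9hG4bKbbb"),
    (0.4, "192.0.2.77", "INVITE", "b7@ata", 1, "z9hG4bKbbb"),
    (0.6, "192.0.2.77", "INVITE", "b7@ata", 1, "z9hG4bKbbb"),
    (0.8, "192.0.2.77", "INVITE", "b7@ata", 1, "z9hG4bKbbb"),
]


def expected_interval(n, method):
    """Seconds a compliant client waits before its n-th retransmit (n >= 1)."""
    interval = T1 * 2 ** (n - 1)
    # INVITE keeps doubling until it times out; other requests cap at T2.
    return interval if method == "INVITE" else min(interval, T2)


def find_storms(events, min_too_fast=3):
    """Group requests by client transaction and flag sources that resend
    faster than the RFC 3261 backoff schedule allows."""
    by_txn = defaultdict(list)
    for ts, src, method, call_id, cseq, branch in events:
        by_txn[(src, method, call_id, cseq, branch)].append(ts)
    findings = []
    for (src, method, call_id, _cseq, _branch), times in by_txn.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        too_fast = sum(1 for n, gap in enumerate(gaps, 1)
                       if gap < TOLERANCE * expected_interval(n, method))
        if too_fast >= min_too_fast:
            span = times[-1] - times[0]
            rate = round(len(gaps) / span, 1) if span else float("inf")
            findings.append({"source": src, "call_id": call_id,
                             "too_fast": too_fast, "per_second": rate})
    return findings


if __name__ == "__main__":
    for finding in find_storms(SAMPLE):
        print(finding)
```

Sources flagged this way are candidates for per-source rate limiting ahead of the firewall's session table.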