Penetration Testing mailing list archives

RE: VOIP: RTP vs SRTP

From: "Bob Bell (rtbell)" <rtbell () cisco com>
Date: Fri, 10 Mar 2006 13:35:39 -0800

Franck, Chris, et al - 

First off, there are a number of manufacturers, (e.g. Cisco, Avaya,
Nortel, etc.) that provide systems for enterprises that support SRTP.
They support other security components with varying degrees of
completeness in that same space. One of the issues to be considered
however is that just because you support TLS or SRTP or whatever as a
protocol protection, that does not necessarily mean that the system is
secure or has appropriate security characteristics. 

Cisco's IPT solution for enterprises (CCM 4.x+) does support a very
complete set of security features and functionality. And it is improving
with time. Cisco has been engaged in securing their IPT offering since
1999. The first release containing a security component was CCM 3.3
which contained digitally signed images for the phones. Each release
since that time has increased the security features. Other vendors are
also improving their offerings.

While it is true that other environments  may have more limited security
implementations, to say that there is absolutely no security in place
for any VoIP is not very accurate. It is possible to provide appropriate
protection to commercial grade IPT commensurate with the threat
environments currently present. And it is getting better. 

It is important to understand that SRTP or any encryption of user
information is probably the last and least important security feature.
It matters little, for instance, if the media stream between two
endpoints is encrypted if those endpoints cannot guarantee that they are
directly communicating with the intended destination rather than a MITM.
Schemes that provide SRTP support without strong, positive
authentication of the remote endpoint basically do nothing other than to
give their customers a very false sense of security.

As to how much is actually realized at customer's sites, that is widely
variable. In many respects, it reflects the security stances of the
specific customers. SRTP as a protection mechanism for voice streams, is
only implemented in certain environments today. Usually this is due to
the presence of specific legal requirements. However, as it, and the
other more critical security features, become both more pervasive and
easier to manage, it will increase in its usage. Many businesses may not
implement SRTP simply because, like email, they want to be able to
listen to their customer's conversations if needed. In the US that is an
option. In other countries, an employer may not be legally able to
listen to such communications. In that environment, SRTP will probably
be more widely implemented.

Guess I need to get down off the soap box. Summary, SRTP and other
security features are available to IPT customers within enterprise
deployments. In the USA, deployments that activate these features are
growing but are still in the minority. Non-USA deployments are actively
pursuing this.

Bob Bell
Chief Security Architect - IPCBU
Cisco Systems, Inc.

-----Original Message-----
From: Chris Serafin [mailto:chris () chrisserafin com] 
Sent: Friday, March 10, 2006 09:55
To: defragz () hotmail com; pen-test () securityfocus com
Subject: RE: VOIP: RTP vs SRTP

I have been thinking of writing a paper about a VoIP security 
also.  I my experience [solely Cisco voip] there is 
absolutely no security in place for any VoIP.

Chris Serafin
IT Security / VoIP Engineer
chris () chrisserafin com

-----Original Message-----
From: defragz () hotmail com [mailto:defragz () hotmail com]
Sent: Friday, March 10, 2006 2:23 AM
To: pen-test () securityfocus com
Subject: VOIP: RTP vs SRTP

Hello list,

Planning some internal presentations on VoIP, I was wondering 
if SRTP (Secure Real Time Protocol) is now really in use, as 
a secure replacement of RTP. 

More generally, from your experience, and from what you have 
seen in "real life", do you thing that VoIP security is 
getting better? Do people use crypto to protect both data and 
signalling?
I will love to hear your feedbacks...
-Franck


--------------------------------------------------------------
--------------
--
This List Sponsored by: Cenzic

Concerned about Web Application Security? 
As attacks through web applications continue to rise, you 
need to proactively protect your applications from hackers. 
Cenzic has the most comprehensive solutions to meet your 
application security penetration testing and vulnerability 
management needs. You have an option to go with a managed 
service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm).

Download FREE whitepaper on how a managed service can help you: 
http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to 
confirm your results from other product. Contact us at 
request () cenzic com
--------------------------------------------------------------
--------------
--




--------------------------------------------------------------
----------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? 
As attacks through web applications continue to rise, you 
need to proactively protect your applications from hackers. 
Cenzic has the most comprehensive solutions to meet your 
application security penetration testing and vulnerability 
management needs. You have an option to go with a managed 
service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm). 
Download FREE whitepaper on how a managed service can help you: 
http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to 
confirm your results from other product. Contact us at 
request () cenzic com
--------------------------------------------------------------
----------------


------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
As attacks through web applications continue to rise, you need to proactively
protect your applications from hackers. Cenzic has the most comprehensive
solutions to meet your application security penetration testing and
vulnerability management needs. You have an option to go with a managed
service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm).
Download FREE whitepaper on how a managed service can help you:
http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request () cenzic com
------------------------------------------------------------------------------

Current thread:

VOIP: RTP vs SRTP defragz (Mar 10)
- Re: VOIP: RTP vs SRTP Sebastien Tricaud (Mar 10)
- RE: VOIP: RTP vs SRTP Chris Serafin (Mar 10)
  - RE: VOIP: RTP vs SRTP Robb Stacy (Mar 10)
  - RE: VOIP: RTP vs SRTP Ken Kousky (Mar 12)
    - Re: VOIP: RTP vs SRTP thefifth (Mar 16)
- <Possible follow-ups>
- RE: VOIP: RTP vs SRTP Noble, Kevin (Com US) (Mar 10)
- RE: VOIP: RTP vs SRTP Bob Bell (rtbell) (Mar 10)