Penetration Testing mailing list archives
RE: VOIP: RTP vs SRTP
From: "Bob Bell (rtbell)" <rtbell () cisco com>
Date: Fri, 10 Mar 2006 13:35:39 -0800
Franck, Chris, et al -

First off, there are a number of manufacturers (e.g. Cisco, Avaya, Nortel, etc.) that provide systems for enterprises that support SRTP. They support other security components with varying degrees of completeness in that same space. One of the issues to be considered, however, is that just because you support TLS or SRTP or whatever as a protocol protection, that does not necessarily mean that the system is secure or has appropriate security characteristics.

Cisco's IPT solution for enterprises (CCM 4.x+) does support a very complete set of security features and functionality. And it is improving with time. Cisco has been engaged in securing their IPT offering since 1999. The first release containing a security component was CCM 3.3, which contained digitally signed images for the phones. Each release since that time has increased the security features. Other vendors are also improving their offerings.

While it is true that other environments may have more limited security implementations, to say that there is absolutely no security in place for any VoIP is not very accurate. It is possible to provide appropriate protection to commercial grade IPT commensurate with the threat environments currently present. And it is getting better.

It is important to understand that SRTP or any encryption of user information is probably the last and least important security feature. It matters little, for instance, if the media stream between two endpoints is encrypted if those endpoints cannot guarantee that they are directly communicating with the intended destination rather than a MITM. Schemes that provide SRTP support without strong, positive authentication of the remote endpoint basically do nothing other than to give their customers a very false sense of security.

As to how much is actually realized at customers' sites, that is widely variable. In many respects, it reflects the security stances of the specific customers. SRTP, as a protection mechanism for voice streams, is only implemented in certain environments today. Usually this is due to the presence of specific legal requirements. However, as it, and the other more critical security features, become both more pervasive and easier to manage, it will increase in its usage. Many businesses may not implement SRTP simply because, like email, they want to be able to listen to their customers' conversations if needed. In the US that is an option. In other countries, an employer may not be legally able to listen to such communications. In that environment, SRTP will probably be more widely implemented.

Guess I need to get down off the soap box.

Summary: SRTP and other security features are available to IPT customers within enterprise deployments. In the USA, deployments that activate these features are growing but are still in the minority. Non-USA deployments are actively pursuing this.

Bob Bell
Chief Security Architect - IPCBU
Cisco Systems, Inc.
-----Original Message-----
From: Chris Serafin [mailto:chris () chrisserafin com]
Sent: Friday, March 10, 2006 09:55
To: defragz () hotmail com; pen-test () securityfocus com
Subject: RE: VOIP: RTP vs SRTP

I have been thinking of writing a paper about VoIP security also. In my experience [solely Cisco VoIP] there is absolutely no security in place for any VoIP.

Chris Serafin
IT Security / VoIP Engineer
chris () chrisserafin com

-----Original Message-----
From: defragz () hotmail com [mailto:defragz () hotmail com]
Sent: Friday, March 10, 2006 2:23 AM
To: pen-test () securityfocus com
Subject: VOIP: RTP vs SRTP

Hello list,

Planning some internal presentations on VoIP, I was wondering if SRTP (Secure Real Time Protocol) is now really in use, as a secure replacement of RTP. More generally, from your experience, and from what you have seen in "real life", do you think that VoIP security is getting better? Do people use crypto to protect both data and signalling? I would love to hear your feedback...

-Franck

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php

And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com
------------------------------------------------------------------------------
Current thread:
- VOIP: RTP vs SRTP defragz (Mar 10)
- Re: VOIP: RTP vs SRTP Sebastien Tricaud (Mar 10)
- RE: VOIP: RTP vs SRTP Chris Serafin (Mar 10)
- RE: VOIP: RTP vs SRTP Robb Stacy (Mar 10)
- RE: VOIP: RTP vs SRTP Ken Kousky (Mar 12)
- Re: VOIP: RTP vs SRTP thefifth (Mar 16)
- <Possible follow-ups>
- RE: VOIP: RTP vs SRTP Noble, Kevin (Com US) (Mar 10)
- RE: VOIP: RTP vs SRTP Bob Bell (rtbell) (Mar 10)