Voice of VOIPSA

Cisco Press and Patrick Park released, “Cisco: IP Communications, Voice over IP Security” in the beginning of 2009. There is a good knowledge transfer in this book for newcomers and I suspect a bit of review for seasoned practitioners. Nonetheless, you’ll be given a nice primer to VoIP security from the packet level, all the way through architecture. This book is divided into three different areas , which consists of VoIP Security Fundamentals, VoIP Security Best Practices and Lawful Interception (CALEA). I’ll briefly describe some content from each area, to give you a better idea of what is covered in the book and to help you protect your investment. I would encourage anyone reading this book to read the VoIPSA Threat Taxonomy version 1, side by side with this book, “http://voipsa.org/Activities/taxonomy.php”

The first part of the book gets into VoIP Security, where you’ll read about inherited and protocol vulnerabilities. You’ll also find that Cisco Press classifies attacks in four categories, which are threats against availability, confidentiality, integrity and social context. They explain call flows and security profiles that are associated with H.323 “D,E,F”, SIP and MGCP. If you have little to no experience with cryptography, they explain the functions and uses of a few implementations that are in use today. If you’re looking for network modeling for architecture and design they have something in the book for you as well.

Switching gears to VoIP Security Best Practices, you’ll be introduced to analysis and simulation of current threats, where they talk about mitigating DoS, sniffing, spoofing and VoIP spam. This section of the book identifies how to secure VoIP protocols with authentication, encryption, transport and network layer security, threat modeling and prevention. They will give you an overview in how SBC’s are deployed and used to resolve DoS, L.I.“Lawful Interception’’, exposed network topology, and performance issues. Then they get into Enterprise Network Devices and security devices, so you’ll be introduced to “Cisco Solutions” like Call Managers, End-Points, ASA’s, PIX’s and FWSM’s.

The last section of the book explains Lawful Interception (CALEA). They talk about requirements and standards that have been developed and implemented in Europe and the United States. There will also be a walk through in how L.I. is generally implemented and “possibly detected”, but the examples in the book are not limited to certain geographic areas or countries.

I would recommend this book to folks who are looking for a solid introduction to VoIP Security. After reading this book, along with the VoIPSA Threat Taxonomy “http://voipsa.org/Activities/taxonomy.php”, you will be aware of the different types of attacks and methods of mitigation that you may use to stop or just stall your next attacker……

It appears that there is a new book out on VoIP security named, rather simply, “Voice over IP Security“. It’s from Cisco Press and written by a Patrick Park. I haven’t seen the book yet but ITworld has an interview with the author. Amazon.com of course has some user reviews as well.

Good to see additional books coming out into the field. It will be interesting to see how this compares to the others out there.

P.S. If you have the book and would be interested in writing a review for this site, please feel free to contact me.

Technorati Tags:
voip security, books, voip, cisco, security

Catching up on my reading, I see that Dr Dobb’s Journal honoured crypto guru Bruce Schneier in their April edition with an excellence in programming award.  I’ve been a fan of DDJ since I first came across the magazine in the 1980’s, and (with my software developer hat on) once even had the thrill of contributing to DDJ.

Congratulations, Bruce, coming from one of the World’s top-rank developer publications, I think this is an accolade to really enjoy. 

Just being launched today is a brand new book on VoIP security called “Understanding Voice over IP Security” written by Alan Johnston and David Piscitello. I haven’t yet seen a copy myself but am looking forward to checking it out. Comments and reviews are definitely welcome.