Category Archives: Conferences

Slides: SIP Trunking and Security in an Enterprise Network

Earlier this month out at ITEXPO in Los Angeles, I participated in the Ingate SIP Trunking seminars as I have been doing for the last year or so. My talk was “SIP Trunking and Security in an Enterprise Network”. The slides are available for viewing or download from my SlideShare account and I’ll also embed them here in this post.

I did record the presentation in both audio and video and hope to be making that available as a Blue Box podcast some time soon. I’ll then sync the slides to the audio. Meanwhile… enjoy the slides!


Asterisk Tag 2008 in Berlin

The German Asterisk Tag (Asterisk Day) takes place in Berlin 26-27th May, 2008. Some of the presentations will cover security issues as well as issues companies are facing when introducing VoIP. Among the speakers are Mark Spencer (Digium) and Phil Zimmermann, the latter one talking about Zfone.

Voice Biometrics conference May 14-15, 2008

Want to learn about voice biometrics? I recently learned of the “VoiceBiometrics” conference happening May 14-15, 2008, in New York City. While the agenda does not seem to have anything about VoIP, per se, it’s obviously all about voice and looks quite interesting.

I won’t be there, but if anyone does go and wants to write up some information for this blog (or record information for the Blue Box podcast) we’d be glad to post that info.

[P.S. In full disclosure, one of the event sponsors, VoiceVerified, is a customer of my employer, Voxeo.]


Does VoIP Exist?

This was a question I asked at the recent VON conference in San Jose, CA. Of course we talk a lot here about VoIP Security, but actually if we take a step back, is VoIP itself any longer a meaningfully separate concept? The thing is that technology moves on, and maybe some people care whether they are connected via cable or ADSL, but pretty much, the average Joe is happy that “broadband” is magic that provides fast Internet. Today there’s still talk about “WiFi” as a distinct technology, but WiMax, LTE and mobile broadband (EVDO, UMTS etc) are on the rise, and within a couple of years, we’re all likely to have forgotten which technology we’re using to connect to the Internet.

So my thesis is that IP is so very intrinsic to the nature of all telecoms today, that it’s probably not even worth using “Vo” any longer. Why should I say that? Well firstly, SS7, the mainstay of today’s international telecoms network, in many cases uses IP to carry the signalling traffic, using the protocol family known as Sigtran. In traditional telecoms, media and signalling have long been split, with SS7 connecting the calls, and a parallel network of E1/T1 links carrying the voice calls. The long established estrangement of media and signalling continues into the NGN world, with signalling now mostly meaning SIP, and the media usually RTP, but there is still a world of choice. When SS7 meets SIP we can often find ISUP (the call control protocol most widely used by telecoms incumbents) being tunnelled using protocols like SIP-I and its twin (in the iron mask) SIP-T. In the “legit” SS7 community we find that BICC (Bearer Independent Call Control) allows us to connect calls in a way familiar to all fans of ISUP, and yet the calls themselves don’t need to be 64k bearer channels any more, but can also be the IP-friendly RTP streams.

This is not a fashion, but simply an evolution. Today, when telcos federate, it is largely using traditional TDM lines, and traditional SS7 protocols. But this is changing: it’s very cheap and convenient to interconnect using Sigtran, and there is much talk about how to connect calls using “codec free” operation: that is, to pipe the audio unchanged from end to end, to optimize audio quality and bandwidth usage. The GSM Association are promoting a system called IPX, which will allow mobile carriers to interconnect using IP, such that not only signalling and media are seamlessly interconnected (via a private intranet), but also settlement data will automatically be exchanged, so that every telco knows what they owe to every other party.

If I may press my point further, in many projects the traditional TDM core is being removed in favour of a big SIP router surrounded by a ring of session border controllers (SBCs). One major factor in these projects is that the customers are still today 80/20 connected via traditional E1/T1 or SS7 networks, which means that part of the magic is a media gateway that knows how to talk both SS7 and SIP. So SIP networks have TDM customers, and your Granny may already be using IP without even knowing it.

So does VoIP exist? When IP is such a fundamental tool in what we know as “legacy” telco networks, perhaps it does not. Consequently does VoIP Security exist? Well as we’ve often discussed here at the VoIPSA blog before, when you start moving voice traffic over your IP network, then you have all the voice system vulnerabilities plus all the IP vulnerabilities that just arrived at your doorstep. Perhaps actually the truth is that nearly all voice is already VoIP, so VoIP security is not just an enterprise concern, but is actually a core issue for every telco on the planet.

If any of you are currently at the Mobile World Congress in Barcelona…

If any of you reading this are at the Mobile World Congress (formerly “3GSM”) in Barcelona, Spain, this week, VOIPSA Secretary (and Blue Box co-host) Jonathan Zar is there as well. If you are there, please do drop him an email as (schedule permitting) he is always interested to meet up with others interested in VoIP security.


VoiceCon Orlando to offer “SIP Security” talk

Over on his new No Jitter blog, Eric Krapf notes in his SIP Security post that at VoiceCon Orlando they will be running a SIP security talk again:

“As SIP continues to seep into the mainstream, more attention is being paid to security issues, especially in public IP networks/the Internet. At VoiceCon Orlando in March, we’re bringing back Cullen Jennings and Eric Rescorla to once again give their ‘SIP Security’ tutorial, which offers enterprises a jump on many of the key issues.”

Long-time readers will remember that I wrote about Cullen & Eric’s appearance at VoiceCon San Francisco back in August and I am glad to see they’ll be back again in Orlando. Since I’ll be down there at VoiceCon Orlando, I’ll look forward to seeing them both again (and yes, I’ll probably sit in their presentation again :-).

Eric also reviews a couple of the ETSI security presentations I recently mentioned, giving a better glimpse than I did here! 🙂


More ETSI Security Workshop presentations now available online

Previously I mentioned that Hannes Tschofenig had a presentation up about SIP security that he gave at the ETSI Security Workshop early this month. We were contacted by folks at ETSI to let us know that all the workshop presentations are now available online. I haven’t looked through them yet, but the workshop agenda looked good so I am looking forward to checking these presos out. Thanks to ETSI for making them publicly available.


More VoIP security talks next week at Internet Telephony Expo in Miami

After I pointed out that I’ll be speaking next week at Internet Telephony Expo in Miami, I realized that I should have also pointed out that there are other talks about VoIP security (in order of the schedule):

I’ll probably only be able to get to the last one but will try to post a report here (and perhaps record it if I get appropriate permissions).

(If anyone attends either of the first two talks and would like to provide a brief writeup for this blog about what was discussed, we’d be glad to post it.)


VoIP Security talk at Ingate SIP Trunking Seminar Series next week in Miami

If any of you will be in Miami next week for Internet Telephony Expo, I will be speaking on VOIPSA’s behalf at Ingate’s SIP Trunking Seminar Series held in conjunction with IT Expo. Predictably, my session from 8:30-9:45am on Thursday, January 24th is titled “Seminar/myth 1: VoIP is not secure”. Should be fun.

If you are going to be down at IT Expo, do check out the full schedule for Ingate’s SIP Trunking Seminar Series. They have a good range of speakers and the seminars are free.

If any of you are attending either IT Expo or the SIP Trunking Seminar Series, please do drop a note as I’m always interested in meeting readers.


“Hacking and Attacking VoIP Systems” – Slides from my Astricon 2007 presentation about Asterisk and VoIP security

Back at the end of September, I gave a presentation down at Astricon 2007 called “Hacking and Attacking VoIP Systems: What you need to know” which talked generically about VoIP security and then got into some specific suggestions for securing Asterisk (which I posted on this blog). A number of folks have asked for the slides… and so here they are:

If you’ve seen other presentations I’ve given, it’s a fairly typical presentation of mine with the addition of Asterisk-specific information toward the end.

Comments are, of course, welcome.

P.S. And yes, there is an audio recording of this presentation which I will, eventually, get up as a Blue Box podcast.
