Archive for the 'Conferences' Category

VoiceCon Orlando to offer “SIP Security” talk

Sunday, January 27th, 2008 by Dan York

Over on his new No Jitter blog, Eric Krapf notes in his SIP Security post that at VoiceCon Orlando they will be running a SIP security talk again:

“As SIP continues to seep into the mainstream, more attention is being paid to security issues, especially in public IP networks/the Internet. At VoiceCon Orlando in March, we’re bringing back Cullen Jennings and Eric Rescorla to once again give their ‘SIP Security’ tutorial, which offers enterprises a jump on many of the key issues.”

Long-time readers will remember that I wrote about Cullen & Eric’s appearance at VoiceCon San Francisco back in August and I am glad to see they’ll be back again in Orlando. Since I’ll be down there at VoiceCon Orlando, I’ll look forward to seeing them both again (and yes, I’ll probably sit in their presentation again :-) .

Eric also reviews a couple of the ETSI security presentations I recently mentioned, giving a better glimpse than I did here! :-)

More ETSI Security Workshop presentations now available online

Thursday, January 24th, 2008 by Dan York

Previously I mentioned that Hannes Tschofenig had a presentation up about SIP security that he gave at the ETSI Security Workshop early this month. We were contacted by folks at ETSI to let us know that all the workshop presentations are now available online. I haven’t looked through them yet, but the workshop agenda looked good so I am looking forward to checking these presos out. Thanks to ETSI for making them publicly available.

More VoIP security talks next week at Internet Telephony Expo in Miami

Thursday, January 17th, 2008 by Dan York

After I pointed out that I’ll be speaking next week at Internet Telephony Expo in Miami, I realized that I should have also pointed out that there are other talks about VoIP security (in order of the schedule):

I’ll probably only be able to get to the last one but will try to post a report here (and perhaps record it if I get appropriate permissions).

(If anyone attends either of the first two talks and would like to provide a brief writeup for this blog about what was discussed, we’d be glad to post it.)

VoIP Security talk at Ingate SIP Trunking Seminar Series next week in Miami

Thursday, January 17th, 2008 by Dan York

If any of you will be in Miami next week for Internet Telephony Expo, I will be speaking on VOIPSA’s behalf at Ingate’s SIP Trunking Seminar Series held in conjunction with IT Expo. Predictably, my session from 8:30-9:45am on Thursday, January 24th is titled “Seminar/myth 1: VoIP is not secure”. Should be fun.

If you are going to be down at IT Expo, do check out the full schedule for Ingate’s SIP Trunking Seminar Series. They have a good range of speakers and the seminars are free.

If any of you are attending either IT Expo or the SIP Trunking Seminar Series, please do drop a note as I’m always interested in meeting readers.

“Hacking and Attacking VoIP Systems” – Slides from my Astricon 2007 presentation about Asterisk and VoIP security

Thursday, January 17th, 2008 by Dan York

Back at the end of September, I gave a presentation down at Astricon 2007 called “Hacking and Attacking VoIP Systems: What you need to know” which talked generically about VoIP security and then got into some specific suggestions for securing Asterisk (which I posted on this blog). A number of folks have asked for the slides… and so here they are:

If you’ve seen other presentations I’ve given, it’s a fairly typical presentation of mine with the addition of Asterisk-specific information toward the end.

Comments are, of course, welcome.

P.S. And yes, there is an audio recording of this presentation which I will, eventually, get up as a Blue Box podcast.

An excellent overview of SIP security issues at the 3rd ETSI Security Workshop

Wednesday, January 16th, 2008 by Dan York

Hannes Tschofenig is over at the 3rd ETSI Security Workshop in France this week and yesterday gave a talk about SIP security. He has now posted the slides to his blog – My Slides from the 3rd ETSI Security Workshop:

Yesterday I gave my presentation at the 3rd ETSI Security Workshop. My presentation title was ‘IETF Security’ and that is obviously pretty fuzzy. After looking on the agenda I decided that the most useful topic to speak about would be SIP identity management and media security. In case you are interested in this topic, please take a look at the following slide set.

His slide set does give an excellent overview of security issues in SIP, the various RFCs and approaches, etc. As he mentions, he focuses on identity and media security. A great contribution to the ongoing dialog on these issues. In fact, much of the workshop agenda looks quite intriguing. It will be interesting to see if other presenters make their slides available or if conclusions are posted anywhere.

Note to other presenters: If you do put your slides up somewhere, we’re glad to link to them here. In fact, if you use SlideShare (or a similar service), we’ll be glad to embed the presentations directly in this blog.

At Fall VON this week – speaking on VoIP security on Thursday

Monday, October 29th, 2007 by Dan York

If any of you are at Fall VON this week in Boston, both Martyn Davies and I (Dan York) will be there. Martyn is moderating a panel Wednesday in the Innovator’s Track and I will be speaking on Thursday about (surprise!) security on a “Strategies for Solving Security” panel. If any of you reading this will be there, feel free to drop a note and we can perhaps connect to say hello.

Isolation vs. Integration

Wednesday, October 24th, 2007 by Dustin D. Trammell

I’ve long been a staunch opponent of the “isolate your VoIP network from your data network” strategy. I personally believe that by putting up such restrictive barriers as would be required to provide any sense of actual security, the owners and administrators of a VoIP deployment are severely limiting the potential value they are able to receive from using Internet telephony. One of the Great Promises of VoIP is the ability to integrate communications with other productivity technologies such as work-group software and CRM applications. A lot of VoIP security practitioners tout the isolation strategy as a solution for the insecurity of the VoIP core devices and endpoints when in reality it is little more than a stop-gap, and not a very good one at that. By providing a false sense of security by way of network isolation, many VoIP deployment administrators may become complacent and pay less attention to the security posture of the actual VoIP devices and endpoints themselves. If you plan to integrate your communications system into the data-flow of your business in even the most minimal way, you’ll find quickly that most types of isolation that are available either provide a barrier to the desired functionality or open up so many holes in the barrier that it may as well not be there.

Speaking at Interop New York tomorrow about VoIP security… and also ISC2 member reception

Wednesday, October 24th, 2007 by Dan York

In a few hours I’ll be boarding a plane back to New York where I’ll be attending Interop New York this afternoon and tomorrow. If any of you reading this will be there, please do drop an email. Tomorrow, I’ll be on a panel at 2:45pm with Jonathan Rosenberg about “Voice-oriented Attacks”. (Side note to Interop: Please make it so that we can link to individual sessions instead of having to link to the entire list of “security”-related sessions!) If you aren’t aware of who Jonathan Rosenberg is, he works for Cisco and is a huge contributor to IETF efforts related to SIP and in fact was one of the co-authors of RFC 3261 which is the primary RFC defining SIP. He’s also the author of “The Hitchhiker’s Guide to SIP” which aims to help guide people through the maze of the many, many documents that now are part of “SIP”. More relevant to tomorrow’s session, he’s also the author of a series of NAT traversal protocols for SIP, namely STUN, TURN and now ICE. Eric Krapf, the moderator of the session, is aiming to make it a more interactive and discussion-focused session (i.e. no slideware-to-death)… we’ll see if we can make it fun as well. I’ve also asked Interop for permission to record it and run it as a Blue Box podcast – we’ll see if they give me permission.
Note that if you are a CISSP, the ISC2 is holding a member reception today (Wednesday October 24, 2007) starting at 5:30 PM in Jacob Javits Center Room 1EO2 – LEVEL 1. Assuming that everything works with my flights today, I’ll be there.
I’ll even have some new business cards to give out… ;-)

P.S. I’ve now been public about who my new employer is.

Suggestions for a “security roadmap” for Asterisk

Tuesday, October 9th, 2007 by Dan York

As I mentioned previously, I was down at the AstriCon conference a few weeks back where I spoke about VoIP security in general and how it applies to Asterisk in particular. At the end of my presentation, I did put forward some suggestions for where the Asterisk community could potentially focus to improve the product’s security. While I intend to put the slides and hopefully the recording online at some point soon, I thought I’d share with you all what I laid out as my suggestions:

  1. TLS-encrypted SIP – Of course, this needs SIP over TCP first…
  2. Secure RTP (SRTP) – There’s a patch that’s been around for quite some time, but it needs to be integrated into the main release. However, it’s not much good without the next item…
  3. SRTP Key Exchange – First an implementation of ‘sdescriptions’ (although again that needs TLS-encrypted SIP) and then later DTLS or potentially ZRTP.
  4. Figure out the phone configuration mess – So that the web servers on the phones can be disabled. Auto-configuration is a start, but how secure are the config files?
  5. Identity – If we are to not be drowning in SPIT, one mechanism that seems pretty sure to factor in would be a way to assert the real identity of the sender. Leading candidate today appears to be RFC 4474 (SIP Identity).
  6. Watch out for the APIs and the apps – Always fun when a rolodex app can crash your phone system!
  7. Toll fraud – What specific tools are in Asterisk to prevent toll fraud? Can they be enhanced?
  8. Testing with tools – There are a ton of VoIP security tools out there. Can Asterisk be tested with those tools?
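
Items 1 to 3 later became configurable in Asterisk, and as an added example (not part of the original post or of the Asterisk project’s documentation) here is a chan_pjsip configuration that ties them together: a TLS transport for SIP, and an endpoint that only accepts SRTP keyed by sdescriptions over that transport. It assumes Asterisk 13 or later with chan_pjsip and res_srtp loaded; the certificate paths, endpoint name and password are placeholders.

```ini
; pjsip.conf (added example; assumes Asterisk 13+ with chan_pjsip and res_srtp)

; Item 1: SIP over TLS. TLS runs on top of TCP, so this one transport
; covers both "SIP over TCP" and "TLS-encrypted SIP".
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt      ; placeholder path
priv_key_file=/etc/asterisk/keys/asterisk.key  ; placeholder path
method=tlsv1_2                                 ; refuse older TLS/SSL versions

; Items 2 and 3: SRTP keyed by sdescriptions (RFC 4568). The master keys are
; carried in the SDP body of the SIP signalling, so they are only as secret as
; the signalling channel; that is why the endpoint is pinned to the TLS transport.
[phone-1001]
type=endpoint
transport=transport-tls
context=internal
disallow=all
allow=ulaw
media_encryption=sdes
media_encryption_optimistic=no   ; fail the call rather than fall back to plain RTP
auth=phone-1001-auth
aors=phone-1001-aor

[phone-1001-auth]
type=auth
auth_type=userpass
username=phone-1001
password=CHANGE-ME-placeholder

[phone-1001-aor]
type=aor
max_contacts=1

; Check from the Asterisk CLI after reloading:
;   pjsip show transports          - the tls transport should be listed on :5061
;   pjsip show endpoint phone-1001 - media_encryption should read "sdes"
```

DTLS-SRTP (the "later DTLS" of item 3) is selected the same way with media_encryption=dtls plus the dtls_* certificate options on the endpoint.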

That was my list that I spoke about at AstriCon. Do you agree? Disagree? What would your list include?
