This week the SIP Network Operators Conference (SIPNOC) takes place in Herndon, Virginia, and the SIPNOC agenda turns out to have a great focus on security as it relates to VoIP and IP-based communications in general. The security-related sessions include:
- The Growth of Robocalling SPIT
- Communications Service Providers and Threat Intelligence Sharing
- Panel Discussion: Anatomy of a VoIP DMZ
- VoIP Theft: Werewolf or Hydra
- Who are You Really Calling? How DNSSEC Can Help
There will also be a “VoIP Security Birds-of-a-feather (BOF)” session tomorrow evening where we’ll be sharing information about VoIP security issues and learning from each other about what issues people are seeing.
Sponsored by the SIP Forum, SIPNOC is an educational event that brings together primarily technical and operations staff from a wide range of telecommunications and VoIP service providers. It is not a trade show, i.e. there is no exhibit hall. It is just focused on providing educational sessions and networking opportunities.
I’ll be there at SIPNOC speaking about DNSSEC and IPv6 and moderating the VoIP security BOF and the VoIP DMZ panel. I look forward to meeting up again with many of the folks who have attended SIPNOC in past years. The event is not livestreamed, but if you are in the DC area and want to attend, registration is still open.
If you are there at SIPNOC 2013, please do say hello!
This week at the SIPNOC event near DC, an attendee asked if I knew of any hosted services that would scan the external interface of a network to see if the VoIP services were secure. He sells SIP connectivity to small businesses, many of whom typically have purchased an IP-PBX from somewhere like a retail store and have minimal IT expertise. He wondered if there was a service he could refer these small businesses to so that they could check the security of their system. Basically something for VoIP along the lines of hosted services like “Shields Up” that will check the security of your firewall.
I didn’t know of such a service, but posted the question to the VOIPSEC mailing list. A couple of people contacted me privately about some services in the works, but then someone did pass along a link to a public service available now:
Now, I’ve not used this service but I’m certainly aware of Sandro Gauci and a number of the different tools he has been working on, including SIPVicious and VOIPPACK. After watching his short video and seeing the sample report, this definitely looks like an interesting service.
Of course, with any hosted service my security paranoia is heightened and I want to know what will be done with my data. Will the scan of my IP-PBX be recorded on the Voipscanner.com servers? Will a copy of my report be saved there? Basically… can I trust the site? In looking through the terms of service after you click the graphic to “apply” for access I didn’t see any wording around this… but it’s also Friday and I’m tired… I could have missed it.
Anyway, this service is out there and for those of you comfortable with using such a service it may be useful for you. If you know of other similar services I’d also love to hear about them.
Tomorrow I will be in Herndon, Virginia, outside of Washington, DC, at “SIPNOC: The SIP Network Operators Conference”. I will be speaking in two sessions (details here), one of which is a panel about “SIP Adoption and Network Security” and will include two other panelists from Acme Packet and Sipera Systems.
The panel discussion is planned to cover the primary security issues related to wider deployment of SIP at the network operator / service provider level, and what we can do about them. The discussion will be in a room full of people from various large operators / service providers.
I have my list of topics I intend to raise, but I’m curious about what you all might say… if you were to stand up in front of a room of network operators to talk about how they could improve the security of their SIP networks… or what the major issues are that you see… what would you say?
If you have thoughts, please do leave them as comments here. As I am on the panel representing VOIPSA, I’m certainly glad to incorporate comments from the wider community.
P.S. If you are at SIPNOC this week, please do say hello!