[VOIPSA Best Practices] Welcome to the VOIPSA Best Practices project... and some weekend reading for you all (if you get this)

Eugene Nechamkin enechamkin at broadcom.com
Mon Dec 4 14:52:02 CST 2006


 
Hi Dan,
 
VSECBP looks like a promising and timely initiative. It has the
potential to provide practical guidelines on the best practices in
VoIP Security to the organizations and companies involved in VoIP
development and/or its practical usage, provided that such a document
contains material which is adequately structured and sufficiently
covered.
 
On the VSECBP document structure, based on my previous and current
experience with the PacketCable(tm) spec development in the Cable
industry, I would think that a significant (if not the greatest) part of
the effort in defining the security measures is concentrated around the
interfaces between the main VoIP system components: terminal adapters,
call managers, application servers, management servers and elements,
PSTN media gateways, etc. This seems to be the shortest path to making
the recommendations practical. Besides, often the same security threat
can (and should) be addressed by different BP means depending on the
particular interface in the system the threat is interfering with.
 
Consequently, it may make sense to consider the document structure based
on the VoIP interfaces rather than on the VoIP elements (or security
threats) alone. Obviously the interface between, for example, a terminal
adapter and a call manager would also include the recommendations for
securing the elements themselves (e.g. physical security of the
elements).
 
Here is the potential document structure which is close to what I meant:
 
1. BP for Endpoint-To-Call Manager Interface (both types of endpoints,
soft and hard, to be considered)
1.1 Security Threats (references to the Threats Taxonomy Document)
1.2 Application Layer Security BP (e.g. protocols, anti-virus measures,
anti-hacking measures, etc).
1.3 Network Layer Security BP (e.g. protocols)
1.4 Physical security BP
.........
 
2. BP for Endpoint-To-Endpoint Interface
2.1 Security Threats (references to the Threats Taxonomy Document)
2.2 Application Layer Security BP
2.3 Network Layer Security BP
2.4 Physical security BP
.........
 
3. BP for Endpoint-To-Media Gateway Interface
.........
 
4. BP for Endpoint-To-Event Logging Server Interface
.........
 
5. BP for Endpoint-To-Network Management Interface
.........
 
6. BP for Endpoint-To-Application Servers Interface
.........
 
7. BP for Endpoint-To-QoS Elements Interface
.........
 
etc., etc., etc.
 
Eugene Nechamkin,
VoIP Security Architect.
Broadcom Corp.
 
________________________________

From: bestpractices-bounces at voipsa.org
[mailto:bestpractices-bounces at voipsa.org] On Behalf Of
dan_york at Mitel.com
Sent: Friday, December 01, 2006 8:37 PM
To: bestpractices at voipsa.org
Subject: [VOIPSA Best Practices] Welcome to the VOIPSA Best Practices
project... and some weekend reading for you all (if you get this)



VOIPSA Best Practices list, 

Welcome to the Best Practices project!   First off, may I just say a
huge thank you to all of you for wanting to help with this project.  As
the list admin, I've been watching the subscription notices stream in
and we're now up around 90 people.  I recognize many of you from the
VOIPSEC mailing list, from Blue Box podcast listeners, from
conferences... but just as many I don't recognize... and I look forward
to working with you all. 

Thank you for your interest in helping.  The continued escalation of
news reports about VoIP security as well as increased postings to
security lists only highlights how timely and important this project is.


I may be completely naive, but I honestly don't think this will be an
enormously long project.  I think that with the collective knowledge we
have on this list, we can probably lay out most if not all of the
required best practices relatively quickly.  In fact, I think the thing
that may take us the longest may be agreeing on how to structure the
document. I would like to think that this is a project we can complete
over the next couple of months, realizing that the holidays are in here,
of course.  We'll see. 

But before I talk about the project, let me just make a couple of points
about my style and availability, given that many/most of you have not
worked with me before: 

1. As you'll see below, I've laid out a *suggestion* for how I think
things should be structured... but please keep in mind that those are
*suggestions*... I *very* much want to hear your feedback and am
definitely open to change. 
2. Please know that I am VERY open to feedback/criticism/suggestions.  I
have a very thick skin and enough self-confidence that I'm perfectly
okay if you tell me an idea (or text) of mine is very dumb. (Preferably
being polite while doing so.)  Please do so...  my objective is to get
the best possible set of Best Practices that we can, as quickly as we
can... I'm not interested in having egos (including my own) get in the
way. 
3. Unfortunately I'm getting on a plane Monday afternoon (Dec 4th,
Eastern US time) heading to London, UK, where I'll be through the end of
the week (Dec 8th).  There will be periods where my email connectivity
will be limited and, of course, my Verizon blackberry will not work for
email there.  (The perils of living in Burlington, Vermont, where GSM
coverage is limited.)  
It would actually be far better for me to wait a week to launch this
project, but I very much want to get it moving so that we can get some
work done before the holiday break.  
I'll be back in the office Dec 11th and don't expect to be travelling
after that until late January. 

So on to the project.  If you go to the main project page in the VOIPSA
wiki: 

  http://wiki.voipsa.org/tiki-index.php?page=BestPracticesHome 

you will see that tonight I've created the following pages: 

- A proposed development process and document structure:
http://wiki.voipsa.org/tiki-index.php?page=Development+Process 
- A list of proposed volunteer roles:
http://wiki.voipsa.org/tiki-index.php?page=Volunteer+Opportunities%2FTeam+Structure 
- Examples of generic best practice statements:
http://wiki.voipsa.org/tiki-index.php?page=Examples+of+Best+Practices 
- References to other "Best Practices" documents:
http://wiki.voipsa.org/tiki-index.php?page=Best+Practices+References+ 

What I would be most interested in feedback on over the next week is the
following: 

1. Can anyone point to other Best Practices documents that we can add to
the reference page?  They need to be publicly available (i.e. not
requiring registration) so that people can see them. 
2. What do people think about how we should best structure the document?
(See my notes on the Development Process page.) 
3. Do you agree with what I identified as the target audience?   
4. I've identified about 10 potential volunteer roles... do you agree
with my thoughts? 
5. If so,  anyone already willing to step forward and say how they'll
contribute? 
6. Any thoughts on the questions I raise at the bottom of the
Development Process page? 

Two final notes: 

- Like other VOIPSA lists, this one is set so that, with most mail
clients, if you just hit Reply your message will go back to only the
*sender*.  If you want it to go back to the list, you'll need to do
"Reply to All". 
- This mailing list has a *public* message archive and the wiki is
entirely public, so please just do realize that everything you send on
this list or add to the wiki is visible to anyone on the Internet. 

With that, I'll again say thank you for joining this project and I look
forward to working with all of you to make it happen.  If you have any
questions about all of this, please do feel free to email or call. 

Thank you, 
Dan 

-- 
Dan York, CISSP
Dir of IP Technology, Office of the CTO
Mitel Corp.     http://www.mitel.com
dan_york at mitel.com +1-613-592-2122
PGP key (F7E3C3B4) available for 
secure communication

