[VOIPSA Best Practices] Best Practices document structure set - next question: are these the appropriate areas?

Raul Siles raul.siles at gmail.com
Fri Jan 19 07:36:19 CST 2007 

Hi Dan,
Good to see this is moving forward. The list is pretty exhaustive, although
I would make some minor changes (including some of the issues pointed out by
Greg and Sarb):

5.        Securing Servers and Operating Systems
>From my perspective, section 5 should focus on "Securing Servers", and this
includes not only the OS, but the common applications running on the server
and any recommended server security software: personal firewall, HIDS, file
integrity tool...

6.        Securing IP Endpoints (ex. sets, softphones, etc.)
>From my perspective, section 6 should focus on "Securing IP
Endpoints/Clients", and this includes the client OS/firmware, and the common
client applications and any recommended security software: personal
firewall, AV, HIDS... This section should be about clients, any client,
including mobile/PDAs, wireless IP phones... (Sarb)

7.        Securing the TCP/IP network (ex. VLANs, 802.1X, wireless, etc.)
>From my perspective, section 7 should focus on "Securing the TCP/IP network
and the basic TCP/IP services", and this includes layer 2 protocols (as the
ones you've mentioned), but also layer 3/4 basic protocols required for the
networking infrastructure, such as DNS, NTP, Syslog, SNMP (v3? ;-))...
(Greg)

Thoughts?
--
Raúl Siles
GSE
www.raulsiles.com

On 1/19/07, dan_york at mitel.com <dan_york at mitel.com> wrote:
>
>
> Best Practices team,
>
> Thank you to those of you who sent in comments either on the list or
> directly to me.  A special thanks to Eugene Nechamkin who took the time to
> write up a counter-proposal. Outside of his contribution, basically all the
> feedback was for proposal #2, structuring the document around functional
> areas, and so I'm going to say we're going with that.
>
> Now, the next question - is this list below from the wiki the appropriate
> list of areas for VoIP-related best practices?
>
> 1.        Securing Voice and Media stream
> 2.        Securing Call Control
> 3.        Securing Management Interfaces and APIs
> 4.        Securing PSTN Interfaces and Traditional Telephony Issues (i.e.
> don't forget toll fraud)
> 5.        Securing Servers and Operating Systems
> 6.        Securing IP Endpoints (ex. sets, softphones, etc.)
> 7.        Securing the TCP/IP network (ex. VLANs, 802.1X, wireless, etc.)
> 8.        Physical Security, including backups, power, etc.
>
> Are we missing any major areas?  Should these be modified or tweaked?
>
> It seems to me to be a complete list, but then again, I wrote it, so of
> course it would.  Any feedback is welcome.
>
> Regards,
> Dan
>
> --
> Dan York, CISSP
> Dir of IP Technology, Office of the CTO
> Mitel Corp.     http://www.mitel.com
> dan_york at mitel.com +1-613-592-2122
> PGP key (F7E3C3B4) available for
> secure communication
>
>
> _______________________________________________
> bestpractices mailing list
> bestpractices at voipsa.org
> http://voipsa.org/mailman/listinfo/bestpractices_voipsa.org
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://voipsa.org/pipermail/bestpractices_voipsa.org/attachments/20070119/edffbe52/attachment.htm>

More information about the bestpractices mailing list