[VOIPSA Best Practices] Best Practices document structure set - next question: are these the appropriate areas?
dan_york at Mitel.com
Fri Jan 19 10:17:28 CST 2007
Responding to a couple of comments at once:
Sarb,
Yes, my opinion would be that mobile devices/PDAs should fall under
section 6 **as far as they pertain to VoIP**. What I mean is that as long
as they are *VoIP clients* they should be addressed, i.e. we're not
writing about how to secure my mobile phone, but if my mobile phone also
has a VoIP client that runs over the data connection of my mobile phone,
then *that* VoIP client would fall under the umbrella of section 6.
So, yes, I agree with Raul's suggested renaming below to include
"clients".
Raul,
5. Yes, I agree that "Securing Servers" should be about more than just the
"operating system"... but I think we have to be a bit cautious about
"scope creep" here. The end goal is not to wind up with a 300 page
security textbook (but also not with 5 pages of marketing fluff)... we're
trying to create a document that hits these audiences:
- End customers trying to understand how best to secure their systems.
- Security professionals looking for a security baseline for VoIP systems.
- System administrators, technicians, students and others looking to enter
  into working with VoIP systems.
- Press/media who want to understand how VoIP systems can be secured.
and I think we need to keep it focused on VoIP as much as possible. If we
can, I personally think it would be great to be able to reference other
lists of best practices for securing operating systems, etc., i.e. we have
a best practice in our doc that states:
- Applications running on commercially available operating systems
should be secured according to standard industry best practices, as noted
here:
Microsoft Windows: .....(some doc name and URL from some other
neutral or govt entity)...........
Linux: .................
UNIX: ................
The question for us would be to look at those best practices docs and
determine if they would play nice with VoIP applications. Is some
"industry standard" best practice *different* for VoIP servers? If so, we
need to document it.
6. Yes, I agree that the name should be IP Endpoints/Clients... with again
the focus on what is special about securing VoIP with perhaps pointers to
other best practices docs for client operating systems.
7. Agreed, again with the caveat about trying to avoid scope creep. In my
mind, when I was thinking about "Securing the TCP/IP network", I was also
including things like SNMP, NTP and other services which might typically
be running on a VoIP server and have some reason to be required for VoIP
management apps, etc.
Thanks for the great feedback.
Regards,
Dan
"Raul Siles" <raul.siles at gmail.com>
01/19/2007 08:36 AM
To: "dan_york at mitel.com" <dan_york at mitel.com>
cc: bestpractices at voipsa.org
Subject: Re: [VOIPSA Best Practices] Best Practices
document structure set - next question: are these the appropriate areas?
Hi Dan,
Good to see this is moving forward. The list is pretty exhaustive,
although I would make some minor changes (including some of the issues
pointed out by Greg and Sarb):
5. Securing Servers and Operating Systems
From my perspective, section 5 should focus on "Securing Servers", and
this includes not only the OS, but the common applications running on the
server and any recommended server security software: personal firewall,
HIDS, file integrity tool...
6. Securing IP Endpoints (ex. sets, softphones, etc.)
From my perspective, section 6 should focus on "Securing IP
Endpoints/Clients", and this includes the client OS/firmware, and the
common client applications and any recommended security software: personal
firewall, AV, HIDS... This section should be about clients, any client,
including mobile/PDAs, wireless IP phones... (Sarb)
7. Securing the TCP/IP network (ex. VLANs, 802.1X, wireless, etc.)
From my perspective, section 7 should focus on "Securing the TCP/IP
network and the basic TCP/IP services", and this includes layer 2
protocols (as the ones you've mentioned), but also layer 3/4 basic
protocols required for the networking infrastructure, such as DNS, NTP,
Syslog, SNMP (v3? ;-))... (Greg)
Thoughts?
--
Raúl Siles
GSE
www.raulsiles.com