[VOIPSA Best Practices] Best Practices document structure set - next question: are these the appropriate areas?

Nhut Nguyen nnguyen at sta.samsung.com
Mon Jan 22 09:28:30 CST 2007 

Dan et. al.,

 

Hope that everyone had a good weekend! 

 

With the risks of "scope creeping" :-), I would like to bring to the
team attention something that occurred to me over the weekend:
vulnerability testing! If appears to me that best practices and to VoIP
security vulnerabilities testing may be something that VoIP
practitioners, especially people who run VoIP networks and services,
will need and welcome.

 

For this we can either:

 

1.	Embed a vulnerabilities testing sub-section in each of the
sections outlined by Dan, or
2.	Have a separate section on VoIP vulnerabilities testing best
practices (and tools) at the end of the document 

 

I think both approaches have merits and demerits, and am curious about
what others think!

 

My apology if this issue has been discussed in the past, but thought
that it may merit some mentioning in the BP document.

 

Cheers,

 

Nhut

________________________________

From: bestpractices-bounces at voipsa.org
[mailto:bestpractices-bounces at voipsa.org] On Behalf Of
dan_york at Mitel.com
Sent: Friday, January 19, 2007 4:58 AM
To: bestpractices at voipsa.org
Subject: [VOIPSA Best Practices] Best Practices document structure set -
next question: are these the appropriate areas?

 


Best Practices team, 

Thank you to those of you who sent in comments either on the list or
directly to me.  A special thanks to Eugene Nechamkin who took the time
to write up a counter-proposal. Outside of his contribution, basically
all the feedback was for proposal #2, structuring the document around
functional areas, and so I'm going to say we're going with that. 

Now, the next question - is this list below from the wiki the
appropriate list of areas for VoIP-related best practices? 

1.        Securing Voice and Media stream 
2.        Securing Call Control 
3.        Securing Management Interfaces and APIs 
4.        Securing PSTN Interfaces and Traditional Telephony Issues
(i.e. don't forget toll fraud) 
5.        Securing Servers and Operating Systems 
6.        Securing IP Endpoints (ex. sets, softphones, etc.) 
7.        Securing the TCP/IP network (ex. VLANs, 802.1X, wireless,
etc.) 
8.        Physical Security, including backups, power, etc. 

Are we missing any major areas?  Should these be modified or tweaked? 

It seems to me to be a complete list, but then again, I wrote it, so of
course it would.  Any feedback is welcome. 

Regards,
Dan 

-- 
Dan York, CISSP
Dir of IP Technology, Office of the CTO
Mitel Corp.     http://www.mitel.com
dan_york at mitel.com +1-613-592-2122
PGP key (F7E3C3B4) available for 
secure communication

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://voipsa.org/pipermail/bestpractices_voipsa.org/attachments/20070122/295112ff/attachment.htm>

More information about the bestpractices mailing list