[VOIPSA Best Practices] Best Practices document structure set - next question: are these the appropriate areas?
dan_york at Mitel.com
Mon Jan 22 09:41:48 CST 2007
Nhut,
Good comments. I don't actually consider that much of a scope creep
because we've said that each best practice should note which security test
tools could be used to test the individual best practices. So each BP
entry should say which tool(s) could be used to test if your system is
vulnerable. Or another view is... implementing the BP protects you against
attacks/probes from which tools.
Separately from the BP document, Shawn Merdinger and Dustin Trammel have
developed a security tools list that we're planning to promote in
conjunction with this BP document. As this project moves along, we'll bring
that tools list into this discussion as well.
So yes, we should include it, but the current thinking is as a separate
list of tools. Hmmm... however, it could be argued that we're not talking
about best practices in how to do that testing... perhaps there is a need
for something that is specific about issues for vulnerability testing *for
VoIP*.
Thoughts?
Dan
P.S. Nhut, I *did* have a nice weekend... too cold and windy to go
cross-country skiing, but at least we do have snow cover! (Important in
these parts (Vermont, USA) at this time of year.)
--
Dan York, CISSP
Dir of IP Technology, Office of the CTO
Mitel Corp. http://www.mitel.com
dan_york at mitel.com +1-613-592-2122
PGP key (F7E3C3B4) available for
secure communication
"Nhut Nguyen" <nnguyen at sta.samsung.com>
01/22/2007 10:28 AM
To: <dan_york at Mitel.com>, <bestpractices at voipsa.org>
cc:
Subject: RE: [VOIPSA Best Practices] Best Practices
document structure set - next question: are these the appropriate areas?
Dan et al.,
Hope that everyone had a good weekend!
With the risk of "scope creeping" :), I would like to bring to the team's
attention something that occurred to me over the weekend: vulnerability
testing! It appears to me that best practices on VoIP security
vulnerability testing may be something that VoIP practitioners,
especially people who run VoIP networks and services, will need and
welcome.
For this we can either:
1. Embed a vulnerabilities testing sub-section in each of the
sections outlined by Dan, or
2. Have a separate section on VoIP vulnerabilities testing best
practices (and tools) at the end of the document
I think both approaches have merits and demerits, and am curious about
what others think!
My apologies if this issue has been discussed in the past, but I thought
that it may merit some mention in the BP document.
Cheers,
Nhut
From: bestpractices-bounces at voipsa.org
[mailto:bestpractices-bounces at voipsa.org] On Behalf Of dan_york at Mitel.com
Sent: Friday, January 19, 2007 4:58 AM
To: bestpractices at voipsa.org
Subject: [VOIPSA Best Practices] Best Practices document structure set -
next question: are these the appropriate areas?
Best Practices team,
Thank you to those of you who sent in comments either on the list or
directly to me. A special thanks to Eugene Nechamkin who took the time to
write up a counter-proposal. Outside of his contribution, basically all
the feedback was for proposal #2, structuring the document around
functional areas, and so I'm going to say we're going with that.
Now, the next question - is this list below from the wiki the appropriate
list of areas for VoIP-related best practices?
1. Securing Voice and Media stream
2. Securing Call Control
3. Securing Management Interfaces and APIs
4. Securing PSTN Interfaces and Traditional Telephony Issues (i.e.
don't forget toll fraud)
5. Securing Servers and Operating Systems
6. Securing IP Endpoints (ex. sets, softphones, etc.)
7. Securing the TCP/IP network (ex. VLANs, 802.1X, wireless, etc.)
8. Physical Security, including backups, power, etc.
Are we missing any major areas? Should these be modified or tweaked?
It seems to me to be a complete list, but then again, I wrote it, so of
course it would. Any feedback is welcome.
Regards,
Dan
--
Dan York, CISSP
Dir of IP Technology, Office of the CTO
Mitel Corp. http://www.mitel.com
dan_york at mitel.com +1-613-592-2122
PGP key (F7E3C3B4) available for
secure communication