<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.2912" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=402252119-04122006><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=402252119-04122006><FONT face=Arial
color=#0000ff size=2>Hi Dan,</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=402252119-04122006><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=402252119-04122006><FONT face=Arial
color=#0000ff size=2>VSECBP looks like </FONT></SPAN><SPAN
class=402252119-04122006><FONT face=Arial color=#0000ff size=2>a promising and
timely initiative. It has the potential to provide practical
guidelines on best practices in VoIP Security to the organizations and
companies involved in VoIP development and/or its practical usage,
provided that such a document contains material which is adequately structured
and sufficiently covered.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=402252119-04122006><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=402252119-04122006><FONT face=Arial
color=#0000ff size=2>On the <SPAN class=402252119-04122006><FONT face=Arial
color=#0000ff size=2>VSECBP </FONT></SPAN>document structure, based on my
previous and current experience with the PacketCable(tm) spec development in
the Cable industry, I would think that a significant (if not the largest) part of the
effort in defining the security measures is concentrated around the interfaces
between the main VoIP system components: terminal adapters, call managers,
application servers, management servers and elements, PSTN media gateways, etc.
This seems to be the shortest path to making the recommendations practical.
Besides, the same security threat can often (and should) be addressed by
different BP means depending on the particular interface in the system the
threat is interfering with.</FONT></SPAN></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV><SPAN class=402252119-04122006></SPAN><FONT face=Arial color=#0000ff
size=2><SPAN class=402252119-04122006>Consequently, it may make sense to
consider the document structure based on the VoIP interfaces rather than on the
VoIP elements (or security threats) alone. Obviously the interface between, for
example, a terminal adapter and a call manager would also include the
recommendations for securing the elements themselves (e.g. physical security of
the elements).</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=402252119-04122006></SPAN></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=402252119-04122006>Here
is the potential document structure which is close to what I
meant:</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=402252119-04122006></SPAN></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=402252119-04122006>1. BP for Endpoint-To-Call Manager Interface (both
types of endpoints, soft and hard, to be considered)</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=402252119-04122006>1.1
Security Threats (references to the Threats Taxonomy
Document)</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=402252119-04122006>1.2
Application Layer Security BP (e.g. protocols, anti-virus measures, anti-hacking
measures, etc.)</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=402252119-04122006>1.3
Network Layer Security BP (e.g. protocols)</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=402252119-04122006>1.4
Physical Security BP</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=402252119-04122006>.........</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=402252119-04122006></SPAN></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=402252119-04122006>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=402252119-04122006>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=402252119-04122006>2. BP for Endpoint-To-Endpoint
Interface</SPAN></FONT></DIV></SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=402252119-04122006>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=402252119-04122006>2.1
Security Threats (references to the Threats Taxonomy
Document)</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=402252119-04122006>2.2
Application Layer Security BP</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=402252119-04122006>2.3
Network Layer Security BP</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=402252119-04122006>2.4
Physical Security BP</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=402252119-04122006>.........</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=402252119-04122006></SPAN></FONT> </DIV></SPAN></FONT></DIV></SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=402252119-04122006>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=402252119-04122006>3. BP for Endpoint-To-Media Gateway
Interface</SPAN></FONT></DIV></SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=402252119-04122006>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=402252119-04122006>.........</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=402252119-04122006></SPAN></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=402252119-04122006>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=402252119-04122006><FONT
face=Arial color=#0000ff size=2><SPAN class=402252119-04122006><FONT face=Arial
color=#0000ff size=2><SPAN class=402252119-04122006><FONT face=Arial
color=#0000ff size=2><SPAN class=402252119-04122006>4. BP for
Endpoint-To-Event Logging Server Interface</SPAN></FONT></DIV>
<DIV>
<DIV></SPAN></FONT>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=402252119-04122006>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=402252119-04122006>.........</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=402252119-04122006></SPAN></FONT> </DIV></SPAN></FONT></DIV></DIV></DIV></SPAN></FONT></SPAN></FONT></SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=402252119-04122006>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=402252119-04122006>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=402252119-04122006>5. BP for Endpoint-To-Network Management
Interface</SPAN></FONT></DIV></SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=402252119-04122006>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=402252119-04122006>.........</SPAN></FONT></DIV></SPAN></FONT></DIV></SPAN></FONT></DIV></SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=402252119-04122006></SPAN></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=402252119-04122006>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=402252119-04122006>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=402252119-04122006>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=402252119-04122006>6. BP for Endpoint-To-Application Servers
Interface</SPAN></FONT></DIV></SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=402252119-04122006>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=402252119-04122006>.........</SPAN></FONT></DIV></SPAN></FONT></DIV></SPAN></FONT></DIV></SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=402252119-04122006></SPAN></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=402252119-04122006>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=402252119-04122006>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=402252119-04122006>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=402252119-04122006>7. BP for Endpoint-To-QoS Elements
Interface</SPAN></FONT></DIV></SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=402252119-04122006>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=402252119-04122006>.........</SPAN></FONT></DIV></SPAN></FONT></DIV></SPAN></FONT></DIV></SPAN></FONT></DIV>
<DIV><FONT face=Arial><FONT color=#0000ff><FONT
size=2></FONT></FONT></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=402252119-04122006><FONT
face=Arial color=#0000ff size=2><SPAN class=402252119-04122006><FONT face=Arial
color=#0000ff size=2><SPAN class=402252119-04122006>
<DIV>
<DIV>
<DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=402252119-04122006>etc.,
etc., etc.</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=402252119-04122006></SPAN></FONT> </DIV></SPAN></FONT></DIV></SPAN></FONT></DIV></SPAN></FONT></DIV></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=402252119-04122006>Eugene
Nechamkin,</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=402252119-04122006>VoIP
Security Architect.<BR>Broadcom
Corp.</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> bestpractices-bounces@voipsa.org
[mailto:bestpractices-bounces@voipsa.org] <B>On Behalf Of
</B>dan_york@Mitel.com<BR><B>Sent:</B> Friday, December 01, 2006 8:37
PM<BR><B>To:</B> bestpractices@voipsa.org<BR><B>Subject:</B> [VOIPSA Best
Practices] Welcome to the VOIPSA Best Practices project... and some weekend
reading for you all (if you get this)<BR></FONT><BR></DIV>
<DIV></DIV><BR><FONT face=sans-serif size=2>VOIPSA Best Practices list,</FONT>
<BR><BR><FONT face=sans-serif size=2>Welcome to the Best Practices project!
First off, may I just say a huge thank you to all of you for wanting to
help with this project. As the list admin, I've been watching the
subscription notices stream in and we're now up around 90 people. I
recognize many of you from the VOIPSEC mailing list, from Blue Box podcast
listeners, from conferences... but just as many I don't recognize... and I look
forward to working with you all.</FONT> <BR><BR><FONT face=sans-serif
size=2>Thank you for your interest in helping. The continued escalation of
news reports about VoIP security as well as increased postings to security lists
only highlights how timely and important this project is.</FONT> <BR><BR><FONT
face=sans-serif size=2>I may be completely naive, but I honestly don't think
this will be an enormously long project. I think that with the collective
knowledge we have on this list, we can probably lay out most if not all of the
required best practices relatively quickly. In fact, I think the thing
that may take us the longest may be agreeing on how to structure the document. I
would like to think that this is a project we can complete over the next couple
of months, realizing that the holidays are in here, of course. We'll
see.</FONT> <BR><BR><FONT face=sans-serif size=2>But before I talk about the
project, let me just make a couple of points about my style and availability,
given that many/most of you have not worked with me before:</FONT> <BR><BR><FONT
face=sans-serif size=2>1. As you'll see below, I've laid out a *suggestion* for
how I think things should be structured... but please keep in mind that those
are *suggestions*... I *very* much want to hear your feedback and am definitely
open to change.</FONT> <BR><FONT face=sans-serif size=2>2. Please know that I am
VERY open to feedback/criticism/suggestions. I have a very thick skin and
enough self-confidence that I'm perfectly okay if you tell me an idea (or text)
of mine is very dumb. (Preferably being polite while doing so.) Please do
so... my objective is to get the best possible set of Best Practices that
we can, as quickly as we can... I'm not interested in having egos (including my
own) get in the way.</FONT> <BR><FONT face=sans-serif size=2>3. Unfortunately
I'm getting on a plane Monday afternoon (Dec 4th, Eastern US time) heading to
London, UK, where I'll be through the end of the week (Dec 8th). There
will be periods where my email connectivity will be limited and, of course, my
Verizon blackberry will not work for email there. (The perils of living in
Burlington, Vermont, where GSM coverage is limited.) <BR>It would actually
be far better for me to wait a week to launch this project, but I very much want
to get it moving so that we can get some work done before the holiday break.
<BR>I'll be back in the office Dec 11th and don't expect to be travelling
after that until late January.</FONT> <BR><BR><FONT face=sans-serif size=2>So on
to the project. If you go to the main project page in the VOIPSA
wiki:</FONT> <BR><BR><FONT face=sans-serif size=2>
http://wiki.voipsa.org/tiki-index.php?page=BestPracticesHome</FONT>
<BR><BR><FONT face=sans-serif size=2>you will see that tonight I've created the
following pages:</FONT> <BR><BR><FONT face=sans-serif size=2>- A proposed
development process and document structure:
http://wiki.voipsa.org/tiki-index.php?page=Development+Process</FONT>
<BR><FONT face=sans-serif size=2>- A list of proposed volunteer roles:
http://wiki.voipsa.org/tiki-index.php?page=Volunteer+Opportunities%2FTeam+Structure</FONT>
<BR><FONT face=sans-serif size=2>- Examples of generic best practice statements:
http://wiki.voipsa.org/tiki-index.php?page=Examples+of+Best+Practices</FONT>
<BR><FONT face=sans-serif size=2>- References to other "Best Practices"
documents:
http://wiki.voipsa.org/tiki-index.php?page=Best+Practices+References+</FONT>
<BR><BR><FONT face=sans-serif size=2>What I would be most interested in feedback
on over the next week is the following:</FONT> <BR><BR><FONT face=sans-serif
size=2>1. Can anyone point to other Best Practices documents that we can add to
the reference page? They need to be publicly available (i.e. not requiring
registration) so that people can see them.</FONT> <BR><FONT face=sans-serif
size=2>2. What do people think about how we should best structure the document?
(See my notes on the Development Process page.)</FONT> <BR><FONT
face=sans-serif size=2>3. Do you agree with what I identified as the target
audience? </FONT> <BR><FONT face=sans-serif size=2>4. I've identified
about 10 potential volunteer roles... do you agree with my thoughts?
</FONT><BR><FONT face=sans-serif size=2>5. If so, anyone already willing
to step forward and say how they'll contribute?</FONT> <BR><FONT face=sans-serif
size=2>6. Any thoughts on the questions I raise at the bottom of the Development
Process page?</FONT> <BR><BR><FONT face=sans-serif size=2>Two final
notes:</FONT> <BR><BR><FONT face=sans-serif size=2>- Like other VOIPSA lists,
this one is set so that, with most mail clients, if you just hit Reply your
message will go back to only the *sender*. If you want it to go back to
the list, you'll need to do "Reply to All".</FONT> <BR><FONT face=sans-serif
size=2>- This mailing list has a *public* message archive and the wiki is
entirely public, so please just do realize that everything you send on this list
or add to the wiki is visible to anyone on the Internet.</FONT> <BR><BR><FONT
face=sans-serif size=2>With that, I'll again say thank you for joining this
project and I look forward to working with all of you to make it happen.
If you have any questions about all of this, please do feel free to email
or call.</FONT> <BR><BR><FONT face=sans-serif size=2>Thank you,</FONT> <BR><FONT
face=sans-serif size=2>Dan</FONT> <BR><BR><FONT face=sans-serif size=2>--
<BR>Dan York, CISSP<BR>Dir of IP Technology, Office of the CTO<BR>Mitel Corp.
http://www.mitel.com<BR>dan_york@mitel.com +1-613-592-2122<BR>PGP
key (F7E3C3B4) available for <BR>secure
communication<BR><BR></FONT></BODY></HTML>