<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=utf-8">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.Section1
{page:Section1;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Hi Dan,<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Ad fail-over: I think it would fit in section #2, Call Control. I
think we could describe in that section the fail-over backup solutions. For
SIP-based systems we could talk about the efficiency of multiple DNS SRV records (HA
vs. HP), and about sharing the registration information from UAs between
multiple registration servers. So if a UA registers to a SIP server with higher
priority which after some time breaks down, then other servers with lower
priority will be used for call processing. But then it is important to share
the registration and call state information between those servers. <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>BTW: It looks like the Call Control section will be quite a huge
section :)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Ad QoS: Designing a secure VoIP network means L1-L7 security,
but it also means a well-designed network with QoS. I think the document
should show the best practices in securing VoIP on L1-L7, but it should
also show some of the design paths on QoS – RSVP, CoS, ToS, DSCP, ....<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Regards,<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> Jozef<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> dan_york@Mitel.com
[mailto:dan_york@Mitel.com] <br>
<b>Sent:</b> Friday, January 19, 2007 8:18 PM<br>
<b>To:</b> Nhut Nguyen<br>
<b>Cc:</b> bestpractices@voipsa.org; Jozef Janitor<br>
<b>Subject:</b> RE: [VOIPSA Best Practices] Best Practices document structure
set -next question: are these the appropriate areas?<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'><br>
<span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Nhut,</span> <br>
<br>
<span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>(Sigh) Yes,
you're right. We probably need a Section 9 called "Emerging Areas of
Concern" or something like that[1] into which we lump SPIT and other
miscellaneous things that don't yet have solid best practices (because they're
not yet solid threats, IMHO) if only so that we can avoid the inevitable
questions "Why is it that in your entire Best Practices document you don't
mention SPIT? How are we to guard against it?" </span> <br>
<br>
<span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Jozef,</span> <br>
<br>
<span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>- I don't know
where fail-over fits. Section 8, in *my* mind (but I'm just one contributor)
was about all the physical layer stuff that many of us network geeks generally
try to ignore such as backup power, physical security, etc. I was
thinking of it from the "availability" point-of-view in that if you
lose power and don't have your IP-PBX *and* network switches powered by a UPS,
your phones are nice pretty bricks. And you should have them in locked
rooms, etc. I don't know that we'll have all that many Best Practices in
this area.</span> <br>
<br>
<span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>As to
fail-over, I'm not sure... is it in Section 8? Or is it in call control?
I'm not sure on that one... any other opinions?</span> <br>
<br>
<span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>- Yes, caller
ID spoofing is something to be addressed. Probably in Call Control? (Eric
Chen, now's probably a good time to weigh in before we assign everything to
you! :-) As for ENUM, there's probably a large debate on that one,
but as we write the best practice around caller identification the debate can
be waged then.</span> <br>
<br>
<span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>- QoS - Yes,
there is definitely a balancing act between quality and security... although
I'm not entirely sure how we create that as a best practice. Would the
best practice be something like "Install and use quality monitoring
equipment" - somewhat along the lines of what Gary was suggesting earlier?</span>
<br>
<br>
<span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Love all these
comments... keep on sending them in... this is *your* document as much as it is
mine or anyone else's. Let's make sure it's right.</span> <br>
<br>
<span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Thanks,<br>
Dan</span> <br>
<br>
<span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>[1] Or the
section can be called "Issues Related To VoIP Security That Are Over-Hyped
By The Media Because They Get Attention" (and yes, I know there are
probably several members of the media subscribed to this list)<br>
<br>
</span><br>
<br>
<o:p></o:p></p>
<table class=MsoNormalTable border=0 cellpadding=0 width="100%"
style='width:100.0%'>
<tr>
<td valign=top style='padding:.75pt .75pt .75pt .75pt'></td>
<td valign=top style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><b><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'>"Nhut
Nguyen" &lt;nnguyen@sta.samsung.com&gt;</span></b> <o:p></o:p></p>
<p><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'>01/19/2007
12:35 PM</span> <o:p></o:p></p>
</td>
<td valign=top style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'>
</span><br>
<span style='font-size:7.5pt;font-family:"Arial","sans-serif"'>
           To:      "Jozef Janitor"
&lt;jozjan@cnl.tuke.sk&gt;, &lt;dan_york@Mitel.com&gt;,
&lt;bestpractices@voipsa.org&gt;</span> <br>
<span style='font-size:7.5pt;font-family:"Arial","sans-serif"'>
cc: </span> <br>
<span style='font-size:7.5pt;font-family:"Arial","sans-serif"'>
Subject: RE: [VOIPSA Best Practices]
Best Practices document structure set -next question: are these the
appropriate areas?</span><o:p></o:p></p>
</td>
</tr>
</table>
<p class=MsoNormal><br>
<br>
<br>
<span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:navy'>Hi
All,</span> <br>
<span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:navy'> </span>
<br>
<span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:navy'>Great
discussion! </span><br>
<span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:navy'> </span>
<br>
<span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:navy'>Regarding
SPIT I am not sure if the industry has any good practices yet. I believe this
problem is emerging but solutions are still in the research stage. However, it
may be a good idea to have a stub or a placeholder to document emerging
practices like these, or those that address security issues of presence
information, for example!</span> <br>
<span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:navy'> </span>
<br>
<span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:navy'>Cheers,</span>
<br>
<span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:navy'><br>
Nhut</span> <br>
<span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:navy'> </span>
<o:p></o:p></p>
<p class=MsoNormal align=center style='text-align:center'><o:p> </o:p></p>
<div class=MsoNormal align=center style='text-align:center'>
<hr size=2 width="100%" align=center>
</div>
<p class=MsoNormal><br>
<b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
bestpractices-bounces@voipsa.org [mailto:bestpractices-bounces@voipsa.org] <b>On
Behalf Of </b>Jozef Janitor<b><br>
Sent:</b> Friday, January 19, 2007 11:23 AM<b><br>
To:</b> dan_york@Mitel.com; bestpractices@voipsa.org<b><br>
Subject:</b> Re: [VOIPSA Best Practices] Best Practices document structure set
-next question: are these the appropriate areas?</span> <br>
<br>
<span style='font-size:10.0pt;color:#1F497D'>Does point #8 also describe
the fail-over procedures? So if my primary call controller breaks down, then the
second call controller will automatically handle the active calls? This may
involve some clustering techniques.</span> <br>
<span style='font-size:10.0pt;color:#1F497D'> </span> <br>
<span style='font-size:10.0pt;color:#1F497D'>Another important part of VoIP
security is the credibility of an incoming calling number (callid). Because in
the PSTN network normally I can’t change my callid, but in VoIP it’s
usually not a big problem. Maybe this problem could be handled with ENUM.</span>
<br>
<span style='font-size:10.0pt;color:#1F497D'> </span> <br>
<span style='font-size:10.0pt;color:#1F497D'>QoS – this is very important when
we are going to talk about security in VoIP. We have to consider what level of
security we need, because the encryption of traffic and other security
features always add additional delay to the transported voice. If the
value of this additional delay is going to be too high, then our call may be
100% secured but it’s not pleasant to hear.</span> <br>
<span style='font-size:10.0pt;color:#1F497D'> </span> <br>
<span style='font-size:10.0pt;color:#1F497D'>And SpIT. We know that controlling
SPAM in our emails is very difficult. But controlling SPAM in VoIP will be
even more difficult. So I hope that some pages in this document will also cover
the possibilities of solving the SpIT problem.</span> <br>
<span style='font-size:10.0pt;color:#1F497D'> </span> <br>
<span style='font-size:10.0pt;color:#1F497D'>All the best,</span> <br>
<span style='font-size:10.0pt;color:#1F497D'> Jozef Janitor</span> <br>
<span style='font-size:10.0pt;color:#1F497D'> </span><a
href="http://www.cnl.tuke.sk/"><span style='font-size:10.0pt'>www.cnl.tuke.sk</span></a>
<br>
<span style='font-size:10.0pt;color:#1F497D'> </span> <br>
<span style='font-size:10.0pt;color:#1F497D'> </span> <br>
<span style='font-size:10.0pt;color:#1F497D'> </span> <br>
<b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
bestpractices-bounces@voipsa.org [mailto:bestpractices-bounces@voipsa.org] <b>On
Behalf Of </b>dan_york@Mitel.com<b><br>
Sent:</b> Friday, January 19, 2007 11:58 AM<b><br>
To:</b> bestpractices@voipsa.org<b><br>
Subject:</b> [VOIPSA Best Practices] Best Practices document structure set -
next question: are these the appropriate areas?</span> <br>
<br>
<span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><br>
Best Practices team,</span> <br>
<span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><br>
Thank you to those of you who sent in comments either on the list or directly
to me. A special thanks to Eugene Nechamkin who took the time to write up
a counter-proposal. Outside of his contribution, basically all the feedback was
for proposal #2, structuring the document around functional areas, and so I'm
going to say we're going with that.</span> <br>
<span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><br>
Now, the next question - is this list below from the wiki the appropriate list
of areas for VoIP-related best practices?</span> <br>
<span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><br>
1. </span>Securing Voice and Media stream <span
style='font-size:10.0pt;font-family:"Arial","sans-serif"'><br>
2. </span>Securing Call Control <span
style='font-size:10.0pt;font-family:"Arial","sans-serif"'><br>
3. </span>Securing Management Interfaces and APIs <span
style='font-size:10.0pt;font-family:"Arial","sans-serif"'><br>
4. </span>Securing PSTN Interfaces and Traditional
Telephony Issues (i.e. don't forget toll fraud) <span style='font-size:10.0pt;
font-family:"Arial","sans-serif"'><br>
5. </span>Securing Servers and Operating Systems <span
style='font-size:10.0pt;font-family:"Arial","sans-serif"'><br>
6. </span>Securing IP Endpoints (ex. sets,
softphones, etc.) <span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><br>
7. </span>Securing the TCP/IP network (ex. VLANs, 802.1X,
wireless, etc.) <span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><br>
8. </span>Physical Security, including backups,
power, etc. <br>
<span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><br>
Are we missing any major areas? Should these be modified or tweaked?</span>
<br>
<span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><br>
It seems to me to be a complete list, but then again, I wrote it, so of course
it would. Any feedback is welcome.</span> <br>
<span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><br>
Regards,<br>
Dan</span> <br>
<span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><br>
-- <br>
Dan York, CISSP<br>
Dir of IP Technology, Office of the CTO<br>
Mitel Corp. http://www.mitel.com<br>
dan_york@mitel.com +1-613-592-2122<br>
PGP key (F7E3C3B4) available for <br>
secure communication</span> <o:p></o:p></p>
</div>
</div>
</body>
</html>