<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2900.2995" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=422373722-19012007>Raúl,</SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=422373722-19012007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=422373722-19012007>> </SPAN>is/should-be
an international document, so if we decide to </DIV>
<DIV dir=ltr align=left><SPAN class=422373722-19012007>> </SPAN>cover this
area, not only CALEA should be there </DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=422373722-19012007>Correct. CALEA in my posting was rather the pointer to
the Law Enforcement area of VoIP systems we may not want to
ignore.</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=422373722-19012007></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=422373722-19012007>Regards,</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=422373722-19012007>Eugene Nechamkin.</SPAN></FONT></DIV><BR>
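<DIV dir=ltr align=left>Editor's note: Jozef's fail-over paragraph in the quoted thread below describes SIP fail-over built on multiple DNS SRV records (equal priority with weights for load sharing, a lower priority record as backup) and points out that the backup registrar is only useful if the UA's registration state has been shared with it. The following is an added worked example of both points; it is not code from the list, from VOIPSA or from any product named in the thread. The record set for _sip._udp.example.com, the hostnames, the AOR and the contact address are constructed sample data, and the selection order follows the RFC 2782 client rules (lowest priority first, weighted random within a priority).</DIV>

```python
"""SIP fail-over via DNS SRV records plus registration-state sharing.

Added example for the VOIPSA best-practices thread; not code from the list.
All hostnames, ports, AORs and contacts below are constructed sample data.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


# Constructed SRV set for _sip._udp.example.com:
#   two equal-priority servers load-shared by weight ("HP"),
#   one lower-priority backup used only when both are unreachable ("HA").
SAMPLE_SRV = [
    SRV(10, 60, 5060, "sip1.example.com"),
    SRV(10, 40, 5060, "sip2.example.com"),
    SRV(20, 0, 5060, "sip-backup.example.com"),
]


def srv_order(records, rng=None):
    """Order records the way an RFC 2782 client tries them.

    Lower priority value first; within one priority, draw targets by weight
    (running sum >= random value in [0, total]) until the group is exhausted.
    """
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            if total == 0:
                # All weights zero: RFC says order is arbitrary, pick uniformly.
                pick = rng.choice(group)
            else:
                group.sort(key=lambda r: r.weight)  # zero weights first, per RFC
                x = rng.randint(0, total)
                running = 0
                for r in group:
                    running += r.weight
                    if running >= x:
                        pick = r
                        break
            ordered.append(pick)
            group.remove(pick)
    return ordered


def select_server(records, down, rng=None):
    """First target in SRV order that is not in the 'down' set, else None."""
    for r in srv_order(records, rng):
        if r.target not in down:
            return r
    return None


def first_hop_share(records, target, trials=2000, seed=1):
    """Fraction of trials in which 'target' is tried first (shows weight split)."""
    rng = random.Random(seed)
    hits = sum(1 for _ in range(trials) if srv_order(records, rng)[0].target == target)
    return hits / trials


class RegistrarPool:
    """Registrars that either replicate REGISTER bindings or keep them local."""

    def __init__(self, targets, shared_state):
        self.shared = shared_state
        self.bindings = {t: {} for t in targets}  # per server: AOR -> contact

    def register(self, server, aor, contact):
        if self.shared:
            for b in self.bindings.values():  # replicate to every registrar
                b[aor] = contact
        else:
            self.bindings[server][aor] = contact  # known only to this server

    def route_inbound(self, records, down, aor, rng=None):
        """Contact the surviving server would route to, or None if unknown."""
        server = select_server(records, down, rng)
        if server is None:
            return None
        return self.bindings[server.target].get(aor)


if __name__ == "__main__":
    targets = [r.target for r in SAMPLE_SRV]
    both_primaries_down = {"sip1.example.com", "sip2.example.com"}
    for shared in (False, True):
        pool = RegistrarPool(targets, shared_state=shared)
        pool.register("sip1.example.com", "sip:alice@example.com",
                      "sip:alice@192.0.2.10:5060")
        print("shared state:", shared, "->",
              pool.route_inbound(SAMPLE_SRV, both_primaries_down,
                                 "sip:alice@example.com"))
```

Run as-is, the script shows the backup registrar returning no contact for alice when bindings were kept local to sip1, and the replicated contact when state is shared; first_hop_share lets you confirm the 60/40 split between the two primaries.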
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> bestpractices-bounces@voipsa.org
[mailto:bestpractices-bounces@voipsa.org] <B>On Behalf Of </B>Raul
Siles<BR><B>Sent:</B> Friday, January 19, 2007 2:36 PM<BR><B>To:</B> Jozef
Janitor; dan_york@mitel.com<BR><B>Cc:</B>
bestpractices@voipsa.org<BR><B>Subject:</B> Re: [VOIPSA Best Practices] Best
Practices document structure set -next question: are these the appropriate
areas?<BR></FONT><BR></DIV>
<DIV></DIV>Dan,<BR>I completely agree with the points you clarified from my
previous mail. When I wrote it, I had in mind exactly what you described:
referencing other security BP documents for OS and standard applications (not
directly related to VoIP, but required), and covering in our BP document the
specific VoIP shades. This applies to sections #5, #6 and #7, both to OS,
applications and protocols. <BR>Example.-<FONT face=sans-serif size=2> DNS
service should be secured according to standard industry best practices, as
noted here [x]. From a secure VoIP perspective, DNS should be set up in this and
that way.</FONT><BR><BR>Although my previous mail didn't accurately reflect
it, the document scope must be 100% VoIP related, with external references to
general security BP's when required. <BR><BR>Re fail-over, I think it should be
included in the section associated with the resources where the fail-over solution
is applied. That is, if we're covering fail-over for the call controller (as
Jozef suggested), then it should go into Section #2, Call Control, but if we
recommend fail-over for other types of servers, IMHO, it should go in Section
#5, Securing Servers. If we recommend fail-over for DNS records, then it should
go to Section #7, Securing the TCP/IP net and basic services. And so on and so
forth. <BR><BR>I see fail-over as any other security countermeasure/solution,
like encryption, that will be covered in multiple sections: encryption for the
voice and media streams, encryption for call management...<BR><BR>For QoS I
suggest pointing to other external references more focused on QoS than on
security, although there is an obvious relationship between both. I think QoS
should be pointed out in Section #6, when describing the network requirements.
<BR><BR>I like the idea of Section #9 about cutting-edge and emerging threats
(and related BP's).<BR><BR>Re Eugene's comment about covering law implications,
take into account this is/should-be an international document, so if we decide
to cover this area, not only CALEA should be there :-) <BR>--<BR>Raúl
Siles<BR>GSE <BR><A
href="http://www.raulsiles.com">www.raulsiles.com</A><BR><BR>
<DIV><SPAN class=gmail_quote>On 1/19/07, <B class=gmail_sendername>Jozef
Janitor</B> <<A href="mailto:jozjan@cnl.tuke.sk"> jozjan@cnl.tuke.sk</A>>
wrote:</SPAN>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">
<DIV lang=EN-US vlink="purple" link="blue">
<DIV>
<P><SPAN style="FONT-SIZE: 11pt; COLOR: rgb(31,73,125)">Hi Dan,</SPAN></P>
<P><SPAN style="FONT-SIZE: 11pt; COLOR: rgb(31,73,125)"></SPAN> </P>
<P><SPAN style="FONT-SIZE: 11pt; COLOR: rgb(31,73,125)">Ad fail-over: I think
it would fit into section #2, Call Control. I think we could describe in that
section the fail-over backup solutions. For SIP based systems we could talk
about the efficiency of multiple DNS SRV records (HA vs. HP), and about
sharing the registration information from UAs between multiple registration
servers. So if a UA registers to a SIP server with higher priority which after
some time breaks down, then other servers with lower priority will be used for
call processing. But then it is important to share the registration and call
state information between those servers. </SPAN></P>
<P><SPAN style="FONT-SIZE: 11pt; COLOR: rgb(31,73,125)">BTW: It looks like the
Call Control section will be a quite huge section :)</SPAN></P>
<P><SPAN style="FONT-SIZE: 11pt; COLOR: rgb(31,73,125)"></SPAN> </P>
<P><SPAN style="FONT-SIZE: 11pt; COLOR: rgb(31,73,125)">Ad QoS: Designing a
secure VoIP network means L1-L7 security, but it also means a well designed
network with QoS. I think the document should show the best practices in
securing VoIP on L1-L7, but it should also show some of the design paths on
QoS – RSVP, CoS, ToS, DSCP, ....</SPAN></P>
<P><SPAN style="FONT-SIZE: 11pt; COLOR: rgb(31,73,125)"></SPAN> </P>
<P><SPAN style="FONT-SIZE: 11pt; COLOR: rgb(31,73,125)"></SPAN> </P>
<P><SPAN style="FONT-SIZE: 11pt; COLOR: rgb(31,73,125)">Regards,</SPAN></P>
<P><SPAN style="FONT-SIZE: 11pt; COLOR: rgb(31,73,125)">
Jozef</SPAN></P>
<P><SPAN style="FONT-SIZE: 11pt; COLOR: rgb(31,73,125)"></SPAN> </P>
<P><SPAN style="FONT-SIZE: 11pt; COLOR: rgb(31,73,125)"></SPAN> </P>
<DIV
style="BORDER-RIGHT: medium none; PADDING-RIGHT: 0cm; BORDER-TOP: medium none; PADDING-LEFT: 4pt; PADDING-BOTTOM: 0cm; BORDER-LEFT: 1.5pt solid; PADDING-TOP: 0cm; BORDER-BOTTOM: medium none">
<DIV>
<DIV
style="BORDER-RIGHT: medium none; PADDING-RIGHT: 0cm; BORDER-TOP: rgb(181,196,223) 1pt solid; PADDING-LEFT: 0cm; PADDING-BOTTOM: 0cm; BORDER-LEFT: medium none; PADDING-TOP: 3pt; BORDER-BOTTOM: medium none">
<P><B><SPAN style="FONT-SIZE: 10pt">From:</SPAN></B><SPAN
style="FONT-SIZE: 10pt"> <A
onclick="return top.js.OpenExtLink(window,event,this)"
href="mailto:dan_york@Mitel.com" target=_blank>dan_york@Mitel.com</A>
[mailto:<A onclick="return top.js.OpenExtLink(window,event,this)"
href="mailto:dan_york@Mitel.com" target=_blank>dan_york@Mitel.com</A>]
<BR><B>Sent:</B> Friday, January 19, 2007 8:18 PM<BR><B>To:</B> Nhut
Nguyen<BR><B>Cc:</B> <A onclick="return top.js.OpenExtLink(window,event,this)"
href="mailto:bestpractices@voipsa.org"
target=_blank>bestpractices@voipsa.org</A>; Jozef Janitor
<DIV><SPAN class=e id=q_1103c4a1f606b8a2_1><BR><B>Subject:</B> RE: [VOIPSA
Best Practices] Best Practices document structure set -next question: are
these the appropriate areas?</SPAN></DIV></SPAN>
<P></P></DIV></DIV>
<DIV><SPAN class=e id=q_1103c4a1f606b8a2_3>
<P> </P>
<P style="MARGIN-BOTTOM: 12pt"><BR><SPAN style="FONT-SIZE: 10pt">Nhut,</SPAN>
<BR><BR><SPAN style="FONT-SIZE: 10pt">(Sigh) Yes, you're right. We
probably need a Section 9 called "Emerging Areas of Concern" or something like
that[1] into which we lump SPIT and other miscellaneous things that don't yet
have solid best practices (because they're not yet solid threats, IMHO) if
only so that we can avoid the inevitable questions "Why is it that in your
entire Best Practices document you don't mention SPIT? How are we to
guard against it?" </SPAN> <BR><BR><SPAN
style="FONT-SIZE: 10pt">Jozef,</SPAN> <BR><BR><SPAN style="FONT-SIZE: 10pt">-
I don't know where fail-over fits. Section 8, in *my* mind (but I'm just one
contributor) was about all the physical layer stuff that many of us network
geeks generally try to ignore such as backup power, physical security, etc.
I was thinking of it from the "availability" point-of-view in that if
you lose power and don't have your IP-PBX *and* network switches powered by a
UPS, your phones are nice pretty bricks. And you should have them in
locked rooms, etc. I don't know that we'll have all that many Best
Practices in this area.</SPAN> <BR><BR><SPAN style="FONT-SIZE: 10pt">As to
fail-over, I'm not sure... is it in Section 8? Or is it in call control?
I'm not sure on that one... any other opinions?</SPAN> <BR><BR><SPAN
style="FONT-SIZE: 10pt">- Yes, caller ID spoofing is something to be
addressed. Probably in Call Control? (Eric Chen, now's probably a good
time to weigh in before we assign everything to you! :-) As for
ENUM, there's probably a large debate on that one, but as we write the best
practice around caller identification the debate can be waged then.</SPAN>
<BR><BR><SPAN style="FONT-SIZE: 10pt">- QoS - Yes, there is definitely a
balancing act between quality and security... although I'm not entirely sure
how we create that as a best practice. Would the best practice be
something like "Install and use quality monitoring equipment" - somewhat along
the lines of what Gary was suggesting earlier?</SPAN> <BR><BR><SPAN
style="FONT-SIZE: 10pt">Love all these comments... keep on sending them in...
this is *your* document as much as it is mine or anyone else's. Let's
make sure it's right.</SPAN> <BR><BR><SPAN
style="FONT-SIZE: 10pt">Thanks,<BR>Dan</SPAN> <BR><BR><SPAN
style="FONT-SIZE: 10pt">[1] Or the section can be called "Issues Related To
VoIP Security That Are Over-Hyped By The Media Because They Get Attention"
(and yes, I know there are probably several members of the media subscribed to
this list)<BR><BR></SPAN><BR><BR></P>
<TABLE style="WIDTH: 100%" cellPadding=0 width="100%" border=0>
<TBODY>
<TR>
<TD
style="PADDING-RIGHT: 0.75pt; PADDING-LEFT: 0.75pt; PADDING-BOTTOM: 0.75pt; PADDING-TOP: 0.75pt"
vAlign=top><BR></TD>
<TD
style="PADDING-RIGHT: 0.75pt; PADDING-LEFT: 0.75pt; PADDING-BOTTOM: 0.75pt; PADDING-TOP: 0.75pt"
vAlign=top>
<P><B><SPAN style="FONT-SIZE: 7.5pt">"Nhut Nguyen" <<A
onclick="return top.js.OpenExtLink(window,event,this)"
href="mailto:nnguyen@sta.samsung.com"
target=_blank>nnguyen@sta.samsung.com</A>></SPAN></B> </P>
<P><SPAN style="FONT-SIZE: 7.5pt">01/19/2007 12:35 PM</SPAN> </P></TD>
<TD
style="PADDING-RIGHT: 0.75pt; PADDING-LEFT: 0.75pt; PADDING-BOTTOM: 0.75pt; PADDING-TOP: 0.75pt"
vAlign=top>
<P><SPAN style="FONT-SIZE: 7.5pt">
</SPAN><BR><SPAN style="FONT-SIZE: 7.5pt">
To: "Jozef Janitor" <<A
onclick="return top.js.OpenExtLink(window,event,this)"
href="mailto:jozjan@cnl.tuke.sk"
target=_blank>jozjan@cnl.tuke.sk</A>>, <<A
onclick="return top.js.OpenExtLink(window,event,this)"
href="mailto:dan_york@Mitel.com" target=_blank>
dan_york@Mitel.com</A>>, <<A
onclick="return top.js.OpenExtLink(window,event,this)"
href="mailto:bestpractices@voipsa.org"
target=_blank>bestpractices@voipsa.org</A>></SPAN> <BR><SPAN
style="FONT-SIZE: 7.5pt"> cc:
</SPAN> <BR><SPAN style="FONT-SIZE: 7.5pt">
Subject: RE: [VOIPSA Best
Practices] Best Practices document structure set -next question: are
these the appropriate areas?</SPAN></P></TD></TR></TBODY></TABLE>
<P><BR><BR><BR><SPAN style="FONT-SIZE: 10pt; COLOR: navy">Hi All,</SPAN>
<BR><SPAN style="FONT-SIZE: 10pt; COLOR: navy"> </SPAN> <BR><SPAN
style="FONT-SIZE: 10pt; COLOR: navy">Great discussion! </SPAN><BR><SPAN
style="FONT-SIZE: 10pt; COLOR: navy"> </SPAN> <BR><SPAN
style="FONT-SIZE: 10pt; COLOR: navy">Regarding SPIT I am not sure if the
industry has any good practices yet. I believe this problem is emerging but
solutions are still in the research stage. However, it may be a good idea to
have a stub or a place holder to document emerging practices like these, or
those that address security issues of presence information, for
example!</SPAN> <BR><SPAN style="FONT-SIZE: 10pt; COLOR: navy"> </SPAN>
<BR><SPAN style="FONT-SIZE: 10pt; COLOR: navy">Cheers,</SPAN> <BR><SPAN
style="FONT-SIZE: 10pt; COLOR: navy"><BR>Nhut</SPAN> <BR><SPAN
style="FONT-SIZE: 10pt; COLOR: navy"> </SPAN> </P>
<P style="TEXT-ALIGN: center" align=center> </P>
<DIV style="TEXT-ALIGN: center" align=center>
<HR align=center width="100%" SIZE=2>
</DIV>
<P><BR><B><SPAN style="FONT-SIZE: 10pt">From:</SPAN></B><SPAN
style="FONT-SIZE: 10pt"> <A
onclick="return top.js.OpenExtLink(window,event,this)"
href="mailto:bestpractices-bounces@voipsa.org"
target=_blank>bestpractices-bounces@voipsa.org</A> [mailto:<A
onclick="return top.js.OpenExtLink(window,event,this)"
href="mailto:bestpractices-bounces@voipsa.org" target=_blank>
bestpractices-bounces@voipsa.org</A>] <B>On Behalf Of </B>Jozef
Janitor<B><BR>Sent:</B> Friday, January 19, 2007 11:23 AM<B><BR>To:</B> <A
onclick="return top.js.OpenExtLink(window,event,this)"
href="mailto:dan_york@Mitel.com" target=_blank>dan_york@Mitel.com</A>; <A
onclick="return top.js.OpenExtLink(window,event,this)"
href="mailto:bestpractices@voipsa.org"
target=_blank>bestpractices@voipsa.org</A><B><BR>Subject:</B> Re: [VOIPSA Best
Practices] Best Practices document structure set -next question: are these the
appropriate areas?</SPAN> <BR> <BR><SPAN
style="FONT-SIZE: 10pt; COLOR: rgb(31,73,125)">Does point #8 also describe
the fail-over procedures? So if my primary call controller breaks down, will the
second call controller automatically handle the active calls? This may
involve some clustering techniques.</SPAN> <BR><SPAN
style="FONT-SIZE: 10pt; COLOR: rgb(31,73,125)"> </SPAN> <BR><SPAN
style="FONT-SIZE: 10pt; COLOR: rgb(31,73,125)">Also an important part of VoIP
security is the credibility of an incoming calling number (caller ID). Because in
the PSTN network I normally can't change my caller ID, but in VoIP it's
usually not a big problem. Maybe this problem could be handled with
ENUM.</SPAN> <BR><SPAN
style="FONT-SIZE: 10pt; COLOR: rgb(31,73,125)"> </SPAN> <BR><SPAN
style="FONT-SIZE: 10pt; COLOR: rgb(31,73,125)">QoS – this is very important
when we are going to talk about security in VoIP. We have to consider what
level of security we need, because the encryption of traffic and other
security features always add additional delay to the transported voice.
If this additional delay is too high, then our call is
maybe 100% secured, but it's not pleasant to hear.</SPAN> <BR><SPAN
style="FONT-SIZE: 10pt; COLOR: rgb(31,73,125)"> </SPAN> <BR><SPAN
style="FONT-SIZE: 10pt; COLOR: rgb(31,73,125)">And SPIT. We know that
controlling SPAM in our emails is very difficult. But controlling SPAM in
VoIP will be even more difficult. So I hope that some pages in this document
will also cover the possibilities of solving the SPIT problem.</SPAN>
<BR><SPAN style="FONT-SIZE: 10pt; COLOR: rgb(31,73,125)"> </SPAN>
<BR><SPAN style="FONT-SIZE: 10pt; COLOR: rgb(31,73,125)">All the best,</SPAN>
<BR><SPAN style="FONT-SIZE: 10pt; COLOR: rgb(31,73,125)"> Jozef
Janitor</SPAN> <BR><SPAN style="FONT-SIZE: 10pt; COLOR: rgb(31,73,125)">
</SPAN><A onclick="return top.js.OpenExtLink(window,event,this)"
href="http://www.cnl.tuke.sk/" target=_blank><SPAN
style="FONT-SIZE: 10pt">www.cnl.tuke.sk</SPAN> </A><BR><SPAN
style="FONT-SIZE: 10pt; COLOR: rgb(31,73,125)"> </SPAN> <BR><SPAN
style="FONT-SIZE: 10pt; COLOR: rgb(31,73,125)"> </SPAN> <BR><SPAN
style="FONT-SIZE: 10pt; COLOR: rgb(31,73,125)"> </SPAN> <BR><B><SPAN
style="FONT-SIZE: 10pt">From:</SPAN></B><SPAN style="FONT-SIZE: 10pt"> <A
onclick="return top.js.OpenExtLink(window,event,this)"
href="mailto:bestpractices-bounces@voipsa.org"
target=_blank>bestpractices-bounces@voipsa.org</A> [mailto:<A
onclick="return top.js.OpenExtLink(window,event,this)"
href="mailto:bestpractices-bounces@voipsa.org" target=_blank>
bestpractices-bounces@voipsa.org</A>] <B>On Behalf Of </B><A
onclick="return top.js.OpenExtLink(window,event,this)"
href="mailto:dan_york@Mitel.com"
target=_blank>dan_york@Mitel.com</A><B><BR>Sent:</B> Friday, January 19, 2007
11:58 AM<B><BR>To:</B> <A
onclick="return top.js.OpenExtLink(window,event,this)"
href="mailto:bestpractices@voipsa.org"
target=_blank>bestpractices@voipsa.org</A><B><BR>Subject:</B> [VOIPSA Best
Practices] Best Practices document structure set - next question: are these
the appropriate areas?</SPAN> <BR> <BR><SPAN
style="FONT-SIZE: 10pt"><BR>Best Practices team,</SPAN> <BR><SPAN
style="FONT-SIZE: 10pt"><BR>Thank you to those of you who sent in comments
either on the list or directly to me. A special thanks to Eugene
Nechamkin who took the time to write up a counter-proposal. Outside of his
contribution, basically all the feedback was for proposal #2, structuring the
document around functional areas, and so I'm going to say we're going with
that.</SPAN> <BR><SPAN style="FONT-SIZE: 10pt"><BR>Now, the next question - is
this list below from the wiki the appropriate list of areas for VoIP-related
best practices?</SPAN> <BR><SPAN style="FONT-SIZE: 10pt"><BR>1.
</SPAN>Securing Voice and Media stream <SPAN
style="FONT-SIZE: 10pt"><BR>2. </SPAN>Securing Call
Control <SPAN style="FONT-SIZE: 10pt"><BR>3.
</SPAN>Securing Management Interfaces and APIs <SPAN
style="FONT-SIZE: 10pt"><BR>4. </SPAN>Securing PSTN
Interfaces and Traditional Telephony Issues (i.e. don't forget toll fraud)
<SPAN style="FONT-SIZE: 10pt"><BR>5.
</SPAN>Securing Servers and Operating Systems <SPAN
style="FONT-SIZE: 10pt"><BR>6. </SPAN>Securing IP
Endpoints (ex. sets, softphones, etc.) <SPAN style="FONT-SIZE: 10pt"><BR>7.
</SPAN>Securing the TCP/IP network (ex. VLANs,
802.1X, wireless, etc.) <SPAN style="FONT-SIZE: 10pt"><BR>8.
</SPAN>Physical Security, including backups, power, etc.
<BR><SPAN style="FONT-SIZE: 10pt"><BR>Are we missing any major areas?
Should these be modified or tweaked?</SPAN> <BR><SPAN
style="FONT-SIZE: 10pt"><BR>It seems to me to be a complete list, but then
again, I wrote it, so of course it would. Any feedback is
welcome.</SPAN> <BR><SPAN style="FONT-SIZE: 10pt"><BR>Regards,<BR>Dan</SPAN>
<BR><SPAN style="FONT-SIZE: 10pt"><BR>-- <BR>Dan York, CISSP<BR>Dir of IP
Technology, Office of the CTO<BR>Mitel Corp. <A
onclick="return top.js.OpenExtLink(window,event,this)"
href="http://www.mitel.com" target=_blank>http://www.mitel.com</A><BR><A
onclick="return top.js.OpenExtLink(window,event,this)"
href="mailto:dan_york@mitel.com" target=_blank>dan_york@mitel.com</A>
+1-613-592-2122<BR>PGP key (F7E3C3B4) available for <BR>secure
communication</SPAN>
</P></SPAN></DIV></DIV></DIV></DIV><BR>_______________________________________________<BR>bestpractices
mailing list<BR><A onclick="return top.js.OpenExtLink(window,event,this)"
href="mailto:bestpractices@voipsa.org">bestpractices@voipsa.org</A><BR><A
onclick="return top.js.OpenExtLink(window,event,this)"
href="http://voipsa.org/mailman/listinfo/bestpractices_voipsa.org"
target=_blank>http://voipsa.org/mailman/listinfo/bestpractices_voipsa.org</A><BR><BR><BR></BLOCKQUOTE></DIV><BR></BODY></HTML>