Hi Dan,<br>Good to see this is moving forward. The list is pretty exhaustive, although I would make some minor changes (including some of the issues pointed out by Greg and Sarb):<br><br><font face="sans-serif" size="2">5.
</font><font size="3">Securing
Servers and Operating Systems</font><br>From my perspective, section 5 should focus on "Securing Servers", and this includes not only the OS, but the common applications running on the server and any recommended server security software: personal firewall, HIDS, file integrity tool...
<br><br><font face="sans-serif" size="2">6. </font><font size="3">Securing
IP Endpoints (ex. sets, softphones, etc.) </font><br>From my perspective, section 6 should focus on "Securing IP Endpoints/Clients", and
this includes the client OS/firmware, and the common client applications and any
recommended security software: personal firewall, AV, HIDS... This section should be about clients, any client, including mobile/PDAs, wireless IP phones... (Sarb)<br>
<br>
<font face="sans-serif" size="2">7. </font><font size="3">Securing
the TCP/IP network (ex. VLANs, 802.1X, wireless, etc.) </font><br>From my perspective, section 7 should focus on "Securing the TCP/IP network and the basic TCP/IP services", and
this includes layer 2 protocols (as the ones you've mentioned), but also layer 3/4 basic protocols required for the networking infrastructure, such as DNS, NTP, Syslog, SNMP (v3? ;-))... (Greg)<br><br>Thoughts?<br>--
<br>Raśl Siles<br>GSE<br><a href="http://www.raulsiles.com">www.raulsiles.com</a><br><br><div><span class="gmail_quote">On 1/19/07, <b class="gmail_sendername"><a href="mailto:dan_york@mitel.com">dan_york@mitel.com</a></b>
<<a href="mailto:dan_york@mitel.com">dan_york@mitel.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br><font face="sans-serif" size="2">Best Practices team,</font>
<br>
<br><font face="sans-serif" size="2">Thank you to those of you who sent in
comments either on the list or directly to me. A special thanks to
Eugene Nechamkin who took the time to write up a counter-proposal. Outside
of his contribution, basically all the feedback was for proposal #2, structuring
the document around functional areas, and so I'm going to say we're going
with that.</font>
<br>
<br><font face="sans-serif" size="2">Now, the next question - is this list
below from the wiki the appropriate list of areas for VoIP-related best
practices?</font>
<br>
<br><font face="sans-serif" size="2">1. </font><font size="3">Securing
Voice and Media stream </font>
<br><font face="sans-serif" size="2">2. </font><font size="3">Securing
Call Control </font>
<br><font face="sans-serif" size="2">3. </font><font size="3">Securing
Management Interfaces and APIs </font>
<br><font face="sans-serif" size="2">4. </font><font size="3">Securing
PSTN Interfaces and Traditional Telephony Issues (i.e. don't forget toll
fraud) </font>
<br><font face="sans-serif" size="2">5. </font><font size="3">Securing
Servers and Operating Systems </font>
<br><font face="sans-serif" size="2">6. </font><font size="3">Securing
IP Endpoints (ex. sets, softphones, etc.) </font>
<br><font face="sans-serif" size="2">7. </font><font size="3">Securing
the TCP/IP network (ex. VLANs, 802.1X, wireless, etc.) </font>
<br><font face="sans-serif" size="2">8. </font><font size="3">Physical
Security, including backups, power, etc. </font>
<br>
<br><font face="sans-serif" size="2">Are we missing any major areas? Should
these be modified or tweaked?</font>
<br>
<br><font face="sans-serif" size="2">It seems to me to be a complete list,
but then again, I wrote it, so of course it would. Any feedback is
welcome.</font>
<br>
<br><font face="sans-serif" size="2">Regards,<br>
Dan</font>
<br><span class="sg">
<br><font face="sans-serif" size="2">-- <br>
Dan York, CISSP<br>
Dir of IP Technology, Office of the CTO<br>
Mitel Corp. <a href="http://www.mitel.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">http://www.mitel.com</a><br>
<a href="mailto:dan_york@mitel.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">dan_york@mitel.com</a> +1-613-592-2122<br>
PGP key (F7E3C3B4) available for <br>
secure communication<br>
<br>
</font>
</span><br>_______________________________________________<br>bestpractices mailing list<br><a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:bestpractices@voipsa.org">bestpractices@voipsa.org</a><br>
<a onclick="return top.js.OpenExtLink(window,event,this)" href="http://voipsa.org/mailman/listinfo/bestpractices_voipsa.org" target="_blank">http://voipsa.org/mailman/listinfo/bestpractices_voipsa.org</a><br><br><br></blockquote>
</div><br>