<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40">

<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--
 /* Font Definitions */
 @font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:Batang;
        panose-1:2 3 6 0 0 1 1 1 1 1;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:sans-serif;
        panose-1:0 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:"\@Batang";
        panose-1:2 3 6 0 0 1 1 1 1 1;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman";}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-reply;
        font-family:Arial;
        color:navy;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
        {page:Section1;}
 /* List Definitions */
 @list l0
        {mso-list-id:1615014140;
        mso-list-type:hybrid;
        mso-list-template-ids:-1233072088 860099560 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
        {mso-level-tab-stop:.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
-->
</style>

</head>

<body lang=EN-US link=blue vlink=purple>

<div class=Section1>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Dan et al.,<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Hope that everyone had a good weekend! <o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>With the risks of “scope creeping” :-), I
would like to bring to the team's attention something that occurred
to me over the weekend: vulnerability testing! It appears to me that best
practices and to VoIP security vulnerabilities testing may be something that VoIP
practitioners, especially people who run VoIP networks and services, will need
and welcome.<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>For this we can either:<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>

<ol style='margin-top:0in' start=1 type=1>
 <li class=MsoNormal style='color:navy;mso-list:l0 level1 lfo1'><font size=2
     color=navy face=Arial><span style='font-size:10.0pt;font-family:Arial'>Embed
     a vulnerabilities testing sub-section in each of the sections outlined by
     Dan, or<o:p></o:p></span></font></li>
 <li class=MsoNormal style='color:navy;mso-list:l0 level1 lfo1'><font size=2
     color=navy face=Arial><span style='font-size:10.0pt;font-family:Arial'>Have
     a separate section on VoIP vulnerabilities testing best practices (and
     tools) at the end of the document <o:p></o:p></span></font></li>
</ol>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>I think both approaches have merits and
demerits, and am curious about what others think!<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>My apology if this issue has been
discussed in the past, but thought that it may merit some mentioning in the BP document.<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Cheers,<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Nhut<o:p></o:p></span></font></p>

<div>

<div class=MsoNormal align=center style='text-align:center'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>

<hr size=3 width="100%" align=center tabindex=-1>

</span></font></div>

<p class=MsoNormal><b><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>
bestpractices-bounces@voipsa.org [mailto:bestpractices-bounces@voipsa.org] <b><span
style='font-weight:bold'>On Behalf Of </span></b>dan_york@Mitel.com<br>
<b><span style='font-weight:bold'>Sent:</span></b> Friday, January 19, 2007
4:58 AM<br>
<b><span style='font-weight:bold'>To:</span></b> bestpractices@voipsa.org<br>
<b><span style='font-weight:bold'>Subject:</span></b> [VOIPSA Best Practices]
Best Practices document structure set - next question: are these the
appropriate areas?</span></font><o:p></o:p></p>

</div>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>

<p class=MsoNormal style='margin-bottom:12.0pt'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'><br>
</span></font><font size=2 face=sans-serif><span style='font-size:10.0pt;
font-family:sans-serif'>Best Practices team,</span></font> <br>
<br>
<font size=2 face=sans-serif><span style='font-size:10.0pt;font-family:sans-serif'>Thank
you to those of you who sent in comments either on the list or directly to me.  A
special thanks to Eugene Nechamkin who took the time to write up a
counter-proposal. Outside of his contribution, basically all the feedback was
for proposal #2, structuring the document around functional areas, and so I'm
going to say we're going with that.</span></font> <br>
<br>
<font size=2 face=sans-serif><span style='font-size:10.0pt;font-family:sans-serif'>Now,
the next question - is this list below from the wiki the appropriate list of
areas for VoIP-related best practices?</span></font> <br>
<br>
<font size=2 face=sans-serif><span style='font-size:10.0pt;font-family:sans-serif'>1.
       </span></font>Securing Voice and Media stream <br>
<font size=2 face=sans-serif><span style='font-size:10.0pt;font-family:sans-serif'>2.
       </span></font>Securing Call Control <br>
<font size=2 face=sans-serif><span style='font-size:10.0pt;font-family:sans-serif'>3.
       </span></font>Securing Management Interfaces and
APIs <br>
<font size=2 face=sans-serif><span style='font-size:10.0pt;font-family:sans-serif'>4.
       </span></font>Securing PSTN Interfaces and
Traditional Telephony Issues (i.e. don't forget toll fraud) <br>
<font size=2 face=sans-serif><span style='font-size:10.0pt;font-family:sans-serif'>5.
       </span></font>Securing Servers and Operating Systems
<br>
<font size=2 face=sans-serif><span style='font-size:10.0pt;font-family:sans-serif'>6.
       </span></font>Securing IP Endpoints (ex. sets,
softphones, etc.) <br>
<font size=2 face=sans-serif><span style='font-size:10.0pt;font-family:sans-serif'>7.
       </span></font>Securing the TCP/IP network (ex.
VLANs, 802.1X, wireless, etc.) <br>
<font size=2 face=sans-serif><span style='font-size:10.0pt;font-family:sans-serif'>8.
       </span></font>Physical Security, including backups,
power, etc. <br>
<br>
<font size=2 face=sans-serif><span style='font-size:10.0pt;font-family:sans-serif'>Are
we missing any major areas?  Should these be modified or tweaked?</span></font>
<br>
<br>
<font size=2 face=sans-serif><span style='font-size:10.0pt;font-family:sans-serif'>It
seems to me to be a complete list, but then again, I wrote it, so of course it
would.  Any feedback is welcome.</span></font> <br>
<br>
<font size=2 face=sans-serif><span style='font-size:10.0pt;font-family:sans-serif'>Regards,<br>
Dan</span></font> <br>
<br>
<font size=2 face=sans-serif><span style='font-size:10.0pt;font-family:sans-serif'>--
<br>
Dan York, CISSP<br>
Dir of IP Technology, Office of the CTO<br>
Mitel Corp.     http://www.mitel.com<br>
dan_york@mitel.com +1-613-592-2122<br>
PGP key (F7E3C3B4) available for <br>
secure communication</span></font><o:p></o:p></p>

</div>

</body>

</html>