[VOIPSEC] Securing Softphones..........???
Mark Teicher
mht3 at earthlink.net
Tue Apr 19 10:33:30 CDT 2005
Actually one can imply that securing IP softphones should be very similar to any other application that is installed on a workstation. One should check for this or that, but in other cases, some implementations of IP softphones actually leave the debug bit on for support purposes and in other cases they do not. Depending on the platform the particular version of an IP softphone one is attempting to secure. Looking for typical application issues (i.e. buffer overflow, etc.) is acceptable, but it appears to be more than that to IP Softphone.
Deployment of IP Softphones requires security policy modifications (i.e. acceptable use)
Modifications to the various operating system including hardening, some IP Softphones require certain user privileges to install correctly
What provisions an organization implements to protect the end user (i.e. anti-virus, host based firewalls, host based intrusion detection systems, etc)
What IP softphones can be locked via an automated script or installation package process (prebuilt)
What features of the IP Softphone need to be in compliance with Section 302, 404 and 409 of SOX
/m
-----Original Message-----
From: Ari Takanen <art at codenomicon.com>
Sent: Apr 18, 2005 11:52 PM
To: Randall Shimizu <rshimizu at consultant.com>
Cc: Voipsec at voipsa.org
Subject: Re: [VOIPSEC] Securing Softphones..........???
Hello all,
On Mon, Apr 18, 2005 at 10:43:38AM -0800, Randall Shimizu wrote:
> I was wondering if anyone has any recommendation for securing
> softphones....??? I know that NIST has recommended against using
> them.
Sorry, can't avoid commenting on this topic again.
Softphone is just like any communication application on your PC:
1) See that the vendor knows about security programming practices in
general, i.e. they know what a buffer overflow is.
2) See that they have at least minimal proactive security practices
including robustness testing and code auditing tools, or that they
are using more secure programming technologies such as Java or
Symbian.
3) See that they have a programme and support for reporting security
problems. Ask what channel security vulnerabilities are reported
through, how much experience they have on those, and what is the
repairing process and disclosure process.
4) Plan for rapid update process and patch deployment process of all
softphones you are using. Try it out.
5) Secure also all applications that the softphone can launch, or
disable that functionality.
6) If necessary, make sure that the user cannot change the settings.
Good luck!
/Ari
--
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
Ari Takanen Codenomicon Ltd.
ari.takanen at codenomicon.com Kaitovayla 1
tel: +358-40 50 67678 FIN-90570 Oulu
http://www.codenomicon.com Finland
PGP: http://www.codenomicon.com/codenomicon-key.asc
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org