[VOIPSEC] Securing Softphones..........???
mht3 at earthlink.net
Tue Apr 19 16:33:30 BST 2005
Actually one can imply that securing IP softphones should be very similiar to any other application that is installed on a workstation. One should check for this or that, but in other cases, some implementations of IP softphones actually leave the debug bit on for support purposes and in other cases they do not. Depending on the platform the particular version of an IP softphone one is attempting to secure. Looking for typical application issues (i.e. buffer overflow, etc) is acceptable, but it appears to more than that to IP Softphone.
Deployment of IP Softphones requires security policy modifications (i.e. acceptable use)
Modifications to the various operating system including hardening, some IP Softphones require certain user privileges to install correctly
What provisions an organization implements to protect the end user (i.e. anti-virus, host based firewalls, host based intrusion detection systems, etc)
What IP softphones can be locked via an automated script or installation package process (prebuilt)
What features of the IP Softphone need to be in compliance with Section 302, 404 and 409 of SOX
From: Ari Takanen <art at codenomicon.com>
Sent: Apr 18, 2005 11:52 PM
To: Randall Shimizu <rshimizu at consultant.com>
Cc: Voipsec at voipsa.org
Subject: Re: [VOIPSEC] Securing Softphones..........???
On Mon, Apr 18, 2005 at 10:43:38AM -0800, Randall Shimizu wrote:
> I was wondering if anyone has any recommendation for securing
> softphones....??? I know that NIST has recomenned against using
Sorry, can't avoid commenting on this topic again.
Softphone is just like any communication application on your PC:
1) See that the vendor knows about security programming practices in
general, i.e. they know what a buffer overlow is.
2) See that they have at least minimal proactive security practices
including robustness testing and code auditing tools, or that they
are using more secure programming technologies such as Java or
3) See that they have a programme and support for reporting security
problems. Ask what channel security vulnerabilities are reported
through, how much experience they have on those, and what is the
repairing process and disclosure process.
4) Plan for rapid update process and patch deployment process of all
softphones you are using. Try it out.
5) Secure also all applications that the softphone can launch, or
disable that functionality.
6) If necessary, make sure that the user cannot change the settings.
Ari Takanen Codenomicon Ltd.
ari.takanen at codenomicon.com Kaitovayla 1
tel: +358-40 50 67678 FIN-90570 Oulu
Voipsec mailing list
Voipsec at voipsa.org
More information about the Voipsec