[VOIPSEC] VOIP and Forensics

Ari Takanen art at codenomicon.com
Sat Mar 12 12:20:00 CST 2005


Hello all,

Difficulty with VoIP should be no news to any forensics expert. It is
yet another IP-enabled service and has all the same logs that need to
be monitored. It is on the other hand a nightmare for your security
policy and system administrators, as you need to have practices for
monitoring and updating all devices and services related to VoIP. This
is needed for enabling forensics at any level.

It means so much more than just SIP. These devices have tens of
vulnerable interfaces such as HTTP, TFTP, DNS, SNMP, ... Maintaining
the whole VoIP infrastructure requires good planning and good
analysis, and knowledge about the devices you choose to use.

Each of these devices, whether it is an SBC or a UA, is typically
running a set of services on top of standard operating systems, each
of which needs to be secured if they are to be trusted, monitored and
updated. You would be surprised where e.g. Linux OS is used
nowadays. Is your VoIP phone running a mail server? Do you know what
web server your UA is running? Do you know how to update that? Are you
collecting logs from it?

VoIP is a combination of two worlds. You need your telco people to
understand call fraud and other security issues related to the telco
world, and you need your networking and security experts to bring the
expertise on different platforms, services and monitoring of those
protocols. You have hardware such as memory-based hard drives and
means of dumping the contents of such devices in various places.

Security is not a product, it is a process. A set of proactive
processes is required, such as security policies, securing of
operating systems and services, robustness and penetration testing of
those services that you cannot close. You also have a set of reactive
practices for shutting down services and systems after the eventual
incident, collecting and dumping data from the device and analyzing
that data.

You cannot select your VoIP infrastructure based on the telco
functionality only. Bring your security experts into the purchase
process and make informed decisions there. And by security experts
I mean those technical people who end up doing the forensics if
everything fails.

Update your VoIP devices often!

Best regards,

/Ari Takanen, CEO
 Codenomicon Ltd. "Robustness Testing Tools!"
 http://www.codenomicon.com/testtools/sip/
 http://www.codenomicon.com/testtools/tls/


On Fri, Mar 11, 2005 at 11:00:05PM -0600, Christopher A. Martin wrote:
> This type of task will require correlation of many different types of logs,
> not just VoIP, but also possibly router/firewall logs, source/destination
> pairings, common sources (even if they are spoofed), possible tagging by
> tools that can detect 0 day attacks...etc... It's hard in the traditional
> world, but may be easier combined with the telephony patterns...
> 
> Christopher A. Martin
> P.O. Box 1264
> Cedar Hill, Texas 75106
> Chris at InfraVAST.com
> 
> > -----Original Message-----
> > From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
> > Behalf Of Mark Teicher
> > Sent: Friday, March 11, 2005 6:16 AM
> > To: Voipsec at voipsa.org
> > Subject: [VOIPSEC] VOIP and Forensics
> > 
> > Has anyone examined how to produce evidence for legal proceedings to prove
> > actual VOIP fraud?
> > As this is a question I have posed to a few companies who offer Managed
> > Security Services for IPT and none of them provided a response.
> > The only response I have received so far: "We have network+ certified and
> > CCNA experts and currently scheduled for Juniper/Extreme training"
> > Interesting that people are being trained and certified, but as I recall
> > being trained on a product does not necessarily mean that one is qualified
> > to produce evidence to prove VOIP fraud.
> > 
> > /mht
> > 
> > 
> > 
> > _______________________________________________
> > Voipsec mailing list
> > Voipsec at voipsa.org
> > http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> 

-- 
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
Ari Takanen                       Codenomicon Ltd.
ari.takanen at codenomicon.com       Kaitovayla 1
tel: +358-40 50 67678             FIN-90570 Oulu
http://www.codenomicon.com        Finland
PGP: http://www.codenomicon.com/codenomicon-key.asc
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-



