[VOIPSEC] Policy modifications for VOIP

Coulombe, Anne L Anne.Coulombe at enterasys.com
Mon Mar 21 12:44:04 CST 2005


Mark & All,

 

I think you just opened a larger subject when VoIP is part of true
convergence infrastructure, as policy is not only dealing with the
business continuity and security mods anymore. It is also a case of:

* Physical and networking access

* Redundancies, fail overs, fail safe, back-up power

* Authentication onto the network

* Authorization to access network resources and services

* Network policies (at port, user, app level) during 'normal'
  operations

* Network policies, QoS, CoS and other settings during a threat
  event ... is VoIP the most important application? Should VoIP keep
  running no matter what, should it run for say 1 hour, then another
  convergence app such as the HVAC system takes precedence?

* Which leads to detection of a threat event whether external or
  internal, and the reaction from the network as well as the VoIP
  application/environment ... update policies on the fly e.g. protocol
  lock-out, user quarantine, redirection, location detection, permitted
  users, permitted application, bandwidth prioritization, etc.

* Who controls all this? Central admin? Automated responses?
  Manual intervention? Are policies supported by your networking
  equipment?

* Is security built into your infrastructure or is it a bolt-on
  or an after-thought?

* What is your corporate decision on what has priority, as well
  as the security position for voice, video and data?

 

Let's just say there are a few things to think about, and I haven't
addressed the processes and procedures around security recommendations.

 

Anne L. Coulombe

Director, Secure Convergence

Enterasys Networks

 

-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Mark Teicher
Sent: Thursday, March 17, 2005 1:28 PM
To: Voipsec at voipsa.org
Subject: [VOIPSEC] Policy modifications for VOIP

 

It seems that organizations that are contemplating migrating to VOIP or
have completed a trial of VOIP may also want to examine modifications to
their Business Continuity policies, since dial tone is no longer a
TDM-based issue.

 

What items need to be examined in order to make certain changes to
policies, procedures, processes for VOIP?

What is the back up plan if network connectivity is lost by accident?
For example, some big surly looking dude with a bum knee who may have
just been woken from his work day nap (hard to find good security people
these days) as the VOIP vendor inserts changes into the network. The
surly guy, upset, rips out all the network wiring and then can't figure
out why there is no dial tone, but yet the cross-connect wires look
punched down correctly.

 

Understanding the changes to a network environment prior to trial and
error is probably the first step in many security recommendations to a
converged network.

 

1. Business Continuity policy modifications (example above)

2. Security policy modification

3. .....

 

Can anyone think of others?

 

 

 

 

 
