[VOIPSEC] How to test VoIP security

steven rivera steven.rivera at mci.com
Tue Nov 15 06:40:12 CST 2005


Floris

VOIP Security is the delicate balance between accessibility and security.
Below is a list (in no particular order) of what I have done for such VoIP
security audits. I hope you find this useful.

- View the VOIP system with associated telephones as a host on your network.
Doing this allows you to treat the VoIP phone like you would any other end
device on your network and thus test for the vulnerabilities the same way
using similar tools
- You would be surprised as to the ease and simplicity of older
vulnerabilities like "smurf" attacks that are affecting VOIP Phones
- pen-test end devices - bring the end device into a lab environment
- VoIP Network architecture - the question is: converge or not to converge
voice and data? - the more disparate they are the better for security,
although separate means more expensive and an additional layer of
complexity.
- The connectivity across the two networks can be a point of weakness and
often little thought is put into the architecture of it
- review the protocols, gateways and proxies closely
- Ensure that firewalls that are VOIP aware are being used and are
configured properly - SIP operates from outside connection initiation; this
can open up a gaping hole to the network
- Other concerns that should be considered are eavesdropping / tapping and
sniffing of the voice traffic
- There are simple protocol analyzers like the "Vomit" tool that can be used
to sniff out voice traffic from network traffic. It's a freeware tool
readily available from the internet
- evaluate the integration with voicemail; this is often a weak point where
the requirement of ease of use outweighs security concerns.


I hope this helps. I think that when a company chooses to bring the voice
traffic onto a data network it should be protected the same way, with the
same security countermeasures as the data. Often what I am seeing is that
most who do not view VoIP in that way may be opening themselves up for huge
security breaches.

Sincerely,
 
Steven Rivera
Information Security Specialist
Southern New England Commercial Accounts
MCI - Rye Brook, NY
914-312-2197 Office
325-2197 VNET
914-960-9117 Cell
-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Floris Jan Schepel
Sent: Tuesday, November 15, 2005 5:47 AM
To: voipsec at voipsa.org
Subject: [VOIPSEC] How to test VoIP security

Dear experts,

I am an IT student at TI Mon3aan, in the Netherlands, with a work placement
at Heerema.
My study here is to find out how to secure VoIP.
Heerema will work with a Cisco Avaya solution. A Cisco network, with
Catalyst 4506, 3560, and 2950 switches.
The VoIP environment will be Avaya, like the 8700 media servers, G650 Media
gateways direct to ISDN, and Avaya IP phones (H.323).

On a lot of sites, there are explanations of how to secure a VoIP environment,
but none of these sites tell me how to test a VoIP environment. I am looking
for a tool or an appliance with which I can test and log the security of this VoIP
network. I would like to use this tool or appliance on a test network.

It's not the purpose to knock (DoS) or Hack the VoIP network down. I have
Google'd a lot and checked the email list, but I have failed to find
something useful. I have also read a lot of VoIP books, like "Switching to
VoIP" and "Carrier grade Voice over IP", but none of them gives me
information on what I am looking for.

I hope that you can help me with testing this VoIP environment without harming
it.


Thanks for your help,
Floris

_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org

______________________________________________________________________
This e-mail has been scanned by MCI Managed Email Content Service, using
Skeptic technology powered by MessageLabs. For more information on MCI's
Managed Email Content Service, visit http://www.mci.com.
______________________________________________________________________