[VOIPSEC] Practical VoIP Security
Mark Teicher
mht3 at earthlink.net
Wed Apr 19 07:39:54 CDT 2006
Tom,
Thanks for your compliment.. I will always cherish your words of wisdom and your flavorful f-bombed emails to me especially during our working together at Avaya.. Again, I expected so much more out of this book due to its fanfare and the people who worked together on assembling your book.
back to your normally scheduled program :)
-----Original Message-----
>From: "Porter, Thomas (Tom)" <tporter at avaya.com>
>Sent: Apr 19, 2006 8:22 AM
>To: Mark Teicher <mht3 at earthlink.net>, Voipsec at voipsa.org
>Subject: RE: [VOIPSEC] Practical VoIP Security
>
>I think it is fair to balance out his *review* with a note that Mark is
>an ex-member of the Avaya security consulting practice, and, since
>leaving Avaya, has a well known history of attacking Avaya products, and
>past security consulting team members, whenever he has the chance.
>
>Thus, while Mark is entitled to an opinion, it is hardly an unbiased
>one.
>
>Best, Tom
>
>
>Thomas Porter, PHD | Senior Security Architect - Business Communications
>Consulting | Contact Center Practice | Consulting & Systems Integration
>| Avaya Global Services | Office: 919-967-2909 | [Mobile - USA]
>919-593-3130 | [Mobile - DE] +49-0163-5050427 | [SIP]
>s00227694 at voicepulse.com | [IM] AvayaTPorter | Email: tporter at avaya.com
>
>-----Original Message-----
>From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
>Behalf Of Mark Teicher
>Sent: Wednesday, April 19, 2006 7:53 AM
>To: Voipsec at voipsa.org
>Subject: Re: [VOIPSEC] Practical VoIP Security
>
>After thoroughly reading this book, the editing appears to be very
>choppy in some areas and in other areas the editing is above average.
>Chapters that seem to invoke the read for more material doesn't, other
>chapters that are not particularly interesting (i.e. The chapter on
>Compliance, had no real material other than one can easily Google and
>assemble themselves).
>
>There are too many subheadings and bold extracted quotes that give the book
>more of an expanded feeling -- maybe there wasn't enough material. A lot of
>sidebars that provided no particular value to the chapter and could be
>more easily translated into opinion dressed up as fact. There are some
>interesting factual tidbits, but it is almost too much effort to wade
>through the chaff to find them.
>
>There are several unforgivable sins in the book especially one of not
>citing sources carefully. The book overall reads and looks like a
>compilation of articles, emails, mailing list archives, support documents
>and marketing claims from one or two sources. I do agree VoIP Security
>is a hot topic. Even if it wasn't, it is a hard concept to understand
>the difference between VoIP, PSTN, VoIP Communication Architectures (The
>authors decided to highlight the most popular ones instead of just
>referencing the history of codecs from The Asterisk Man pages).
>
>The Support Protocols of VoIP environments is very light and offers very
>little insight to VoIP security implications of DNS, TFTP, HTTP, SNMP,
>DHCP, RSVP, SDP, and SKINNY, but state more of the general security
>implications of those listed protocols as written from a hands-off point
>of view instead of a hands-on VoIP security specialist who actually
>installs and implements VoIP infrastructures.
>
>Securing the whole VoIP Infrastructure sections are horribly written and
>by every assumption. The authentication sections read like they were
>written from RFC's and whitepapers with no practicality.
>The Authorization/Authentication recommendations illustrated are slanted
>towards, if the World was a Utopia, this is how VoIP Security should work.
>The S/MIME sections provide an insight of cryptographic security for
>electronic messaging applications but offer no proof of their work,
>testing or attestation that these solutions are practical or have any
>technical merit beyond the concept and research room exercise.
>
>
>Conclusion: It is an ok VoIP security introductory book, if one knows
>nothing about VoIP, my expectations were a lot higher from the authors
>due to their technical abilities :(
>
>-----Original Message-----
>>From: Tobias Glemser <tglemser at tele-consulting.com>
>>Sent: Apr 19, 2006 4:38 AM
>>To: "Porter, Thomas (Tom)" <tporter at avaya.com>
>>Cc: Voipsec at voipsa.org
>>Subject: Re: [VOIPSEC] Practical VoIP Security
>>
>>Tom,
>>
>>since you asked for comments, here are mine. I got this book 2 hours
>>ago (after the book had a long travel to Germany..), so I cross checked
>>and read the chapters I found the most interesting for myself.
>>
>>Buy this book if you look for:
>> - an asterisk installation guide
>> - round ups how to secure your environment, including techniques like
>> 802.1x or PKI
>> - you want to learn sth about how H.323 and SIP/RTP protocols work
>> - you want to hear buzzwords of threats, but don't think you want them
>> to be explained technically
>>
>>Don't buy this book if you:
>> - know the protocols
>> - expect threats to be _explained_. Normally you have only one or two
>> sentences per threat, and some of those really need some more
>> explanation (e. g. BYE-DoS etc). I know these threats and understand
>> in which environments they are relevant, but for those who are new to
>> this topic, they might get a false conclusion
>> - expect anything really new or mind blowing
>>
>>Noticeable: Discussing Skype, the authors miss to clearly state that it
>>is unclear what Skype communicates exactly. They only state that it
>>might not be the best option due to the "lack of information and recent
>>purchase by eBay". Sth. like "CERN doesn't allow the use of Skype in
>>their network for it could potentially spy out information" would
>>sensitize the reader to this. But I guess that's a matter of opinion.
>>
>>Conclusion:
>>If you're already into VoIP and VoIPsec the book might be a good
>>roundup, but don't expect anything new. If you are quite new to the
>>topic - this is a buy :)
>>
>>Cheers,
>>
>>Toby
>>
>>Porter, Thomas (Tom) wrote on 01.04.2006 11:02:
>>> The book finally released this week. Your comments are appreciated.
>>>
>>> Thanks, Tom
>>>
>>> Thomas Porter, PHD | Senior Security Architect - Business
>>> Communications Consulting | Contact Center Practice | Consulting &
>>> Systems Integration
>>> | Avaya Global Services | Office: 919-967-2909 | [Mobile - USA]
>>> 919-593-3130 | [Mobile - DE] +49-0163-5050427 | [SIP]
>>> s00227694 at voicepulse.com | [IM] AvayaTPorter | Email:
>>> tporter at avaya.com
>>>
>>> _______________________________________________
>>> Voipsec mailing list
>>> Voipsec at voipsa.org
>>> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>>>