[VOIPSEC] Voipsec Digest, Vol 16, Issue 26
Richard Polishak
Richard.Polishak at TELUS.COM
Tue Apr 25 12:43:06 CDT 2006
I have to agree with Bob's comments. SS7 is infinitely more secure. You simply can't walk up to any small ISP and order up a link. By default they will know your identity and interconnection point and it is a very tightly controlled interface. To Ari's point, a more appropriate representation
would be something like PRI. It is relatively simple to arrange for a PRI service from any telco and, through manipulation of the data within it, you can perform some mildly malicious activities like spoofing your CNAM (I recall there were even some services that advertised this capability for a
while!).
To Richard's comments, the focus has to be on how to provide mechanisms and practices to help industry and end-users feel comfortable that their traffic flowing over VoIP is reliable and secure. Today, I'd agree that the proven way to go about this is the formation of what are essentially private
networks between a subscriber and the carrier. Over time, I am sure there will be increased requirements to peer directly at the IP-level between Carriers and even between organizations. There will need to be a proven way of providing security in this model and I think this is part of what has
brought us all together. ;-)
Richard Polishak
TELUS Voice Applications Team
Chief Technology Office
E: richard.polishak at telus.com
www.telus.com
-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On Behalf Of Voipsec-request at voipsa.org
Sent: Tuesday, April 25, 2006 4:00 AM
To: Voipsec at voipsa.org
Subject: Voipsec Digest, Vol 16, Issue 26
Today's Topics:
1. Re: Indentity Management and VoIP and More (bob)
2. Re: Indentity Management and VoIP and More (Steve Blair)
3. Auditing of VoIP (richb2 at pegasus.rutgers.edu)
4. Re: IPSec and VoIP Security (Jon-Olov Vatn)
5. Re: IPSec and VoIP Security (dhiraj.2.bhuyan at bt.com)
----------------------------------------------------------------------
Message: 1
Date: Mon, 24 Apr 2006 14:19:59 -0700
From: "bob" <bob at bobsplanet.com>
Subject: Re: [VOIPSEC] Indentity Management and VoIP and More
To: "'Ari Takanen'" <voipsa at codenomicon.com>, "'Paine, Richard H'"
<richard.h.paine at boeing.com>
Cc: Voipsec at voipsa.org, richb2 at pegasus.rutgers.edu
Message-ID: <002501c667e4$d9cf6550$0e29a8c0 at alderan>
Content-Type: text/plain; charset="us-ascii"
How many hackers have IP connections? All of them.
How many hackers have A-links to STPs or F-links to SSPs?
I'm tempted to say zero, although I may be off by a handful.
The difference in exposure alone makes SS7 substantially more secure.
-Bob
-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On Behalf Of Ari Takanen
Sent: Monday, April 24, 2006 12:34 PM
To: Paine, Richard H
Cc: Voipsec at voipsa.org; richb2 at pegasus.rutgers.edu
Subject: Re: [VOIPSEC] Indentity Management and VoIP and More
Richard,
Excellent punch, but I think it is important to note that VOIP does not mean Internet. For consumers that want free peer-to-peer communications yes, but for enterprises a well deployed VOIP is just about replacing expensive equipment with more cost-effective and easily maintained network. Nobody
should urge enterprises to use open networks, at least without encryption and good backup solutions.
IP is just a cheap unreliable transport. Not a network. And it is feasible to build low-cost secure VOIP network with currently available technology. And it is much easier to test, and audit. I would say SS7 is a vulnerability, not SIP or any other VOIP technology. And have you noted that PSTN is
now also VOIP with the transition to Sigtran protocol? Actually PSTN has been VOIP for a long time, and in many occasions uses public Internet! Ask your provider for details.
/Ari
PS: Remember to update your telephony equipment...
On Mon, Apr 24, 2006 at 06:41:31AM -0700, Paine, Richard H wrote:
> Yes, I see it changing. The reality is that Boeing and other Fortune
> 500 companies will come to the realization that there is a massive
> vulnerability in the VOIP implementations. The reality is that VOIP
> calls, if they are Internet-only are all vulnerable to spoofing and
> tapping and man-in-the-middle attacks against their businesses. Why
> it doesn't have much emphasis right now is that the Cisco Call
> Managers and other VOIP connections are dependent and rely on the PSTN
> system that historically maintains an enterprise trust of the PSTN
> providers to provide secure voice communications. It really isn't
> secure, but it is wired and protected by the PSTNs and the courts. As
> more and more traffic stays on the Internet and does not move to the
> PSTN, the vulnerability increases. End-to-end secure sessions, like
> the Secure Mobile Architecture (SMA) provides, will eventually become
> imperative to protect VOIP communications. Until the perception that
> everything is protected is debunked, there will be a lack of interest in such systems.
> It will only take one well publicized security event and the attitudes
> will change.
>
> Richard H. Paine
> Success is getting what you want, happiness is liking what you get!
> Cell: 206-854-8199
> IPPhone: 425-373-8964
> Email: richard.h.paine at boeing.com
>
>
> -----Original Message-----
> From: richb2 at pegasus.rutgers.edu [mailto:richb2 at pegasus.rutgers.edu]
> Sent: Sunday, April 23, 2006 7:24 AM
> To: Voipsec at voipsa.org
> Subject: Re: [VOIPSEC] Indentity Management and VoIP and More
>
> Richard sorry to be emailing you directly, but I get a "daily journal"
> of the emails from this group and thus did not get the attachment
> (SMA) that you mentioned. I was a VoIP software application engineer
> in the days before Cisco took over the game, and am now getting an MBA
> in accounting, hoping to become an IT Auditor. My question regards the
> use of this SMA technology in the enterprise. I understand that the
> ISACA group sometimes sponsors classes on VoIP security, but not
> enough people even signed up for the one here in NY/NJ this past
> session to even have the seminar. This makes me think that VoIP
> security is not high on the list of Risks to companies. Possibly it is
> not considered a risk to the validity of the financials?
>
> Do you see this changing? Do you see a future for the VoIP
> specialization in the Auditing of IT systems?
>
>
--
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
Ari Takanen Codenomicon Ltd.
ari.takanen at codenomicon.com Tutkijantie 4E
tel: +358-40 50 67678 FIN-90570 Oulu
http://www.codenomicon.com Finland
PGP: http://www.codenomicon.com/codenomicon-key.asc
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
------------------------------
Message: 2
Date: Mon, 24 Apr 2006 19:05:46 -0400
From: Steve Blair <blairs at isc.upenn.edu>
Subject: Re: [VOIPSEC] Indentity Management and VoIP and More
To: Ari Takanen <voipsa at codenomicon.com>
Cc: Voipsec at voipsa.org, richb2 at pegasus.rutgers.edu
Message-ID: <444D59CA.3040807 at isc.upenn.edu>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Ari Takanen wrote:
>Richard,
>
>Excellent punch, but I think it is important to note that VOIP does not
>mean Internet. For consumers that want free peer-to-peer communications
>yes, but for enterprises a well deployed VOIP is just about replacing
>expensive equipment with more cost-effective and easily maintained
>network. Nobody should urge enterprises to use open networks, at least
>without encryption and good backup solutions.
>
>IP is just a cheap unreliable transport. Not a network. And it is
>feasible to build low-cost secure VOIP network with currently available
>technology. And it is much easier to test, and audit. I would say SS7
>is a vulnerability, not SIP or any other VOIP technology. And have you
>noted that PSTN is now also VOIP with the transition to Sigtran
>protocol? Actually PSTN has been VOIP for a long time, and in many
>occasions uses public Internet! Ask your provider for details.
>
>
>
Good points although in the Academic space we are using commodity Internet and Internet2 for IP based communication. SIP/SIMPLE based collaboration is on-going and gaining importance. Intra-organization security, privacy and identity management are active areas of interest.
-Steve
>/Ari
>
>PS: Remember to update your telephony equipment...
>
>On Mon, Apr 24, 2006 at 06:41:31AM -0700, Paine, Richard H wrote:
>
>
>>Yes, I see it changing. The reality is that Boeing and other Fortune
>>500 companies will come to the realization that there is a massive
>>vulnerability in the VOIP implementations. The reality is that VOIP
>>calls, if they are Internet-only are all vulnerable to spoofing and
>>tapping and man-in-the-middle attacks against their businesses. Why
>>it doesn't have much emphasis right now is that the Cisco Call
>>Managers and other VOIP connections are dependent and rely on the PSTN
>>system that historically maintains an enterprise trust of the PSTN
>>providers to provide secure voice communications. It really isn't
>>secure, but it is wired and protected by the PSTNs and the courts. As
>>more and more traffic stays on the Internet and does not move to the
>>PSTN, the vulnerability increases. End-to-end secure sessions, like
>>the Secure Mobile Architecture (SMA) provides, will eventually become
>>imperative to protect VOIP communications. Until the perception that
>>everything is protected is debunked, there will be a lack of interest in such systems.
>>It will only take one well publicized security event and the attitudes
>>will change.
>>
>>Richard H. Paine
>>Success is getting what you want, happiness is liking what you get!
>>Cell: 206-854-8199
>>IPPhone: 425-373-8964
>>Email: richard.h.paine at boeing.com
>>
>>
>>-----Original Message-----
>>From: richb2 at pegasus.rutgers.edu [mailto:richb2 at pegasus.rutgers.edu]
>>Sent: Sunday, April 23, 2006 7:24 AM
>>To: Voipsec at voipsa.org
>>Subject: Re: [VOIPSEC] Indentity Management and VoIP and More
>>
>>Richard sorry to be emailing you directly, but I get a "daily journal"
>>of the emails from this group and thus did not get the attachment
>>(SMA) that you mentioned. I was a VoIP software application engineer
>>in the days before Cisco took over the game, and am now getting an MBA
>>in accounting, hoping to become an IT Auditor. My question regards the
>>use of this SMA technology in the enterprise. I understand that the
>>ISACA group sometimes sponsors classes on VoIP security, but not
>>enough people even signed up for the one here in NY/NJ this past
>>session to even have the seminar. This makes me think that VoIP
>>security is not high on the list of Risks to companies. Possibly it is
>>not considered a risk to the validity of the financials?
>>
>>Do you see this changing? Do you see a future for the VoIP
>>specialization in the Auditing of IT systems?
>>
>>
------------------------------
Message: 3
Date: Mon, 24 Apr 2006 19:16:31 -0400 (EDT)
From: richb2 at pegasus.rutgers.edu
Subject: [VOIPSEC] Auditing of VoIP
To: Voipsec at voipsa.org
Message-ID:
<1505.69.116.41.88.1145920591.squirrel at persephone.rutgers.edu>
Content-Type: text/plain;charset=iso-8859-1
As I explained in my last message up here, I am interested in getting involved with the auditing of VoIP. The ISACA group, which certifies the CISA exam for IT auditors, really doesn't seem too sure of where VoIP fits into an IT audit. At least I can't find anyone up there to answer my questions. Or
is Voip not really considered worth auditing? Who is doing the SAS 90 audits of VoIP? Anyone? If I wanted to look for a job doing this as a CISA, should I be looking at the Big 4, at firms that specialize in security, at business process consulting firms, at the Cisco partners (g.d help me if this
is my only path), who? Who are the people who buy VoIPShield?
------------------------------
Message: 4
Date: Tue, 25 Apr 2006 08:48:03 +0200
From: Jon-Olov Vatn <vatn at kth.se>
Subject: Re: [VOIPSEC] IPSec and VoIP Security
To: "DePietro, John" <jdepietro at starentnetworks.com>, Alexandre
Passito <alexandre.passito at gmail.com>
Cc: Joachim Orrblad <joachim at orrblad.se>, Voipsec at voipsa.org
Message-ID: <444DC623.2040508 at kth.se>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Hi,
IMS is not designed to use IPSec end-to-end as far as I understand, but it would be interesting to see if those methods could be used end-to-end too.
As an alternative I suggest that you have a look at Joachim Orrblad's master thesis "Alternatives to MIKEY/SRTP to secure VoIP" where he uses MIKEY to establish the IPSec-ESP security association, and also implements experimental support for it in Minisip, see
http://www.minisip.org/publications.html
Still, one should note that Orrblad prefers "SRTP" over "IPSec-ESP"
to protect VoIP calls (see the conclusions).
You may also find some more measurements on call setup delays for MIKEY with both SRTP and IPSec-ESP in Bilien et al "Secure VoIP: call establishment and media protection" found on the same page.
BW J-O
DePietro, John wrote:
>Hi Passito,
>
>I suggest you look at the SIP AKA model for IPSEC, based on HTTP AKA. This is utilized in IMS (3GPP IMS, 3GPP2 MMD). This may give you some idea to address your second issue "(key sharing, user permissions and etc)".
>
>-----Original Message-----
>From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
>Behalf Of Alexandre Passito
>Sent: Tuesday, April 04, 2006 4:50 PM
>To: Voipsec at voipsa.org
>Subject: [VOIPSEC] IPSec and VoIP Security
>
>
>Hi ALL,
>
>I'd like to start a discussion about using IPSec for end-to-end
>security in VoIP Systems. I have read some papers about the subject and
>it seems that IPSec is not completely suitable for this kind of task due to two reasons:
>damage to some QoS metrics and the problem with management (key
>sharing, user permissions and etc). I'd like to hear some ideas about
>it, future trends and if there are well deployed solutions being tested.
>
>Best regards,
>
>Passito
>
>--
>--
>Alexandre Passito - Estudante de Mestrado Universidade Federal do
>Amazonas (UFAM) Departamento de Ciência da Computação (DCC)
>--
>Alexandre Passito - M.Sc. Student
>Federal University of Amazonas (UFAM)
>Computer Science Department (DCC)
>--
>E-mail: passito at dcc.ufam.edu.br
>Web: www.dcc.ufam.edu.br/~passito
>Manaus - AM - Brasil
------------------------------
Message: 5
Date: Tue, 25 Apr 2006 10:45:57 +0100
From: <dhiraj.2.bhuyan at bt.com>
Subject: Re: [VOIPSEC] IPSec and VoIP Security
To: <vatn at kth.se>, <jdepietro at starentnetworks.com>,
<alexandre.passito at gmail.com>
Cc: joachim at orrblad.se, Voipsec at voipsa.org
Message-ID:
<D3A8095FE029114F820F94C1C0D681D808EF37B4 at i2km86-ukdy.domain1.systemhost.net>
Content-Type: text/plain; charset="iso-8859-1"
3GPP IMS is going to use IPSec for hop-by-hop encryption of SIP signalling traffic. Note that session key establishment (for IPSec) between SIP client and proxy (P-CSCF) on the network is achieved using SIP-AKA (instead of IKE). 3GPP is yet to decide how to secure the media traffic.
Regards,
Dhiraj Bhuyan
Senior Security Specialist,
British Telecom
-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On Behalf Of Jon-Olov Vatn
Sent: 25 April 2006 07:48
To: DePietro, John; Alexandre Passito
Cc: Joachim Orrblad; Voipsec at voipsa.org
Subject: Re: [VOIPSEC] IPSec and VoIP Security
Hi,
IMS is not designed to use IPSec end-to-end as far as I understand, but it would be interesting to see if those methods could be used end-to-end too.
As an alternative I suggest that you have a look at Joachim Orrblad's master thesis "Alternatives to MIKEY/SRTP to secure VoIP" where he uses MIKEY to establish the IPSec-ESP security association, and also implements experimental support for it in Minisip, see
http://www.minisip.org/publications.html
Still, one should note that Orrblad prefers "SRTP" over "IPSec-ESP"
to protect VoIP calls (see the conclusions).
You may also find some more measurements on call setup delays for MIKEY with both SRTP and IPSec-ESP in Bilien et al "Secure VoIP: call establishment and media protection" found on the same page.
BW J-O
DePietro, John wrote:
>Hi Passito,
>
>I suggest you look at the SIP AKA model for IPSEC, based on HTTP AKA. This is utilized in IMS (3GPP IMS, 3GPP2 MMD). This may give you some idea to address your second issue "(key sharing, user permissions and etc)".
>
>-----Original Message-----
>From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
>Behalf Of Alexandre Passito
>Sent: Tuesday, April 04, 2006 4:50 PM
>To: Voipsec at voipsa.org
>Subject: [VOIPSEC] IPSec and VoIP Security
>
>
>Hi ALL,
>
>I'd like to start a discussion about using IPSec for end-to-end
>security in VoIP Systems. I have read some papers about the subject and
>it seems that IPSec is not completely suitable for this kind of task due to two reasons:
>damage to some QoS metrics and the problem with management (key
>sharing, user permissions and etc). I'd like to hear some ideas about
>it, future trends and if there are well deployed solutions being tested.
>
>Best regards,
>
>Passito
>
>--
>--
>Alexandre Passito - Estudante de Mestrado Universidade Federal do
>Amazonas (UFAM) Departamento de Ciência da Computação (DCC)
>--
>Alexandre Passito - M.Sc. Student
>Federal University of Amazonas (UFAM)
>Computer Science Department (DCC)
>--
>E-mail: passito at dcc.ufam.edu.br
>Web: www.dcc.ufam.edu.br/~passito
>Manaus - AM - Brasil
End of Voipsec Digest, Vol 16, Issue 26
***************************************