[VOIPSEC] Practical VoIP Security

Mark Teicher mht3 at earthlink.net
Wed Apr 19 04:53:09 PDT 2006


After thoroughly reading this book, the editing appears to be very choppy in some areas and in other areas the editing is above average.  Chapters that seem to invoke the read for more material doesn't, other chapters that are not particularly interesting (i.e. The chapter on Compliance, had no real material other than one can easily Google and assemble themselves).  

There too many subheadings and bold extracted quotes that give the book more of expanded feeling -- maybe there wasn't enough material.  Alot of sidebars that provided no particular value to the chapter and could be more easily translated into opinion dressed up as fact.  There are some interesting factual tidbits, but it is almost too much effort to wade through the chaff to find them. 

There are several unforgivable sins in the book especially one of not citing sources carefully. The book overall reads and looks like a compilation of articles, emails, mailing list archives, suport documents and marketing claims from a one or two sources. I do agree VoIP Security is a hot topic.  Even if it wasn't, it is a hard concept to understand the difference between VoIP, PSTN, VoIP Communication Architectures (The authors decided to highlight the most popular ones instead of just referencing the history of codecs from The Asterisk Man pages).  

The Support Protocols of VoIP environments is very light and offers very little insight to VoIP security implications of DNS, TFTP, HTTP, SNMP, DHCP, RSVP, SDP, and SKINNY, but state more of the general security implications of those listed protocols as written from a hands-off point of view instead of a hands-on VoIP security specialist who actually installs and implements VoIP infrastructures. 

Securing the whole VoIP Infrastructure sections are horribly written and by every assumption.  The authentication sections read like they were written from RFC's and whitepapers with no practicality.  
The Authorization/Authentication recommendations illustrated are slanted towards, if the World was a Utopia, this is VoIP Security should work.  The S/MIME sections provides an insight of cryptographic security for electronic messaging applications but offer no proof of their work, testing or attestation that these solutions are practical or have any technical merit beyond the concept and research room exercise.


Conclusion: It is an ok VoIP security introductory book, if ones knows nothing about VoIP, my expectations were a lot higher from the authors due to their technical abilities :(

-----Original Message-----
>From: Tobias Glemser <tglemser at tele-consulting.com>
>Sent: Apr 19, 2006 4:38 AM
>To: "Porter, Thomas (Tom)" <tporter at avaya.com>
>Cc: Voipsec at voipsa.org
>Subject: Re: [VOIPSEC] Practical VoIP Security
>
>Tom,
>
>since you asked for comments, here are mine. I got this book 2 hours ago 
>(after the book had a long travel to germany..), so I cross checked and 
>red the chapters I found the most interesting for myself.
>
>Buy this book if you look for:
>  - an asterisk installation guide
>  - round ups how to secure your environment, including techniques like
>    802.1x or PKI
>  - you want to learn sth about how H.323 and SIP/RTP protocols work
>  - you want to hear buzzwords of threats, but don't think you want them
>    to be explained technically
>
>Don't buy this book if you:
>  - know the protocols
>  - expect threats to be _explained_. Normally you have only one or two
>    sentenses per threat, and some of those really need some more
>    explanation (e. g. BYE-DoS etc). I know these threats and understand
>    in which environments they are relevant, but for those who are new to
>    this topic, they might get a false conclusion
>  - expect anything really new or mind blowing
>
>Noticeable: Discussing skype, the authors miss to clearly state that it 
>is unclear what skype communicates exactly. They only state that it 
>might not me the best option due to the "lack of information and recent 
>purchase by eBay". Sth. like "CERN doesn't allow the use of skype in 
>their network for it could potentially spy out information" would 
>sensitize the reader to this. But I guess that's a matter of opinion.
>
>Conclusion:
>If you're already into VoIP and VoIPsec the book might be a good 
>roundup, but don't expect anything new. If you are quite new to the 
>topic - this is a buy :)
>
>Cheers,
>
>Toby
>
>Porter, Thomas (Tom) wrote on 01.04.2006 11:02:
>> The book finally released this week. Your comments are appreciated.
>>  
>> Thanks, Tom
>>  
>> Thomas Porter, PHD | Senior Security Architect - Business Communications
>> Consulting | Contact Center Practice | Consulting & Systems Integration
>> | Avaya Global Services | Office: 919-967-2909 | [Mobile - USA]
>> 919-593-3130 | [Mobile - DE] +49-0163-5050427 | [SIP]
>> s00227694 at voicepulse.com | [IM] AvayaTPorter | Email: tporter at avaya.com
>>  
>> _______________________________________________
>> Voipsec mailing list
>> Voipsec at voipsa.org
>> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>> 
>
>_______________________________________________
>Voipsec mailing list
>Voipsec at voipsa.org
>http://voipsa.org/mailman/listinfo/voipsec_voipsa.org





More information about the Voipsec mailing list