[VOIPSEC] Identity Management and VoIP and More

Ari Takanen voipsa at codenomicon.com
Mon Apr 24 12:33:52 PDT 2006


Excellent punch, but I think it is important to note that VOIP does
not mean Internet. For consumers that want free peer-to-peer
communications, yes, but for enterprises a well-deployed VOIP is just
about replacing expensive equipment with a more cost-effective and
easily maintained network. Nobody should urge enterprises to use open
networks, at least without encryption and good backup solutions.

IP is just a cheap unreliable transport. Not a network. And it is
feasible to build a low-cost secure VOIP network with currently
available technology. And it is much easier to test and audit. I
would say SS7 is a vulnerability, not SIP or any other VOIP
technology. And have you noted that PSTN is now also VOIP with the
transition to the Sigtran protocol? Actually PSTN has been VOIP for a
long time, and on many occasions uses the public Internet! Ask your
provider for details.


PS: Remember to update your telephony equipment...

On Mon, Apr 24, 2006 at 06:41:31AM -0700, Paine, Richard H wrote:
> Yes, I see it changing.  The reality is that Boeing and other Fortune
> 500 companies will come to the realization that there is a massive
> vulnerability in the VOIP implementations.  The reality is that VOIP
> calls, if they are Internet-only, are all vulnerable to spoofing and
> tapping and man-in-the-middle attacks against their businesses.  Why it
> doesn't have much emphasis right now is that the Cisco Call Managers and
> other VOIP connections are dependent and rely on the PSTN system that
> historically maintains an enterprise trust of the PSTN providers to
> provide secure voice communications.  It really isn't secure, but it is
> wired and protected by the PSTNs and the courts.  As more and more
> traffic stays on the Internet and does not move to the PSTN, the
> vulnerability increases.  End-to-end secure sessions, like the Secure
> Mobile Architecture (SMA) provides, will eventually become imperative to
> protect VOIP communications.  Until the perception that everything is
> protected is debunked, there will be a lack of interest in such systems.
> It will only take one well-publicized security event and the attitudes
> will change.
> Richard H. Paine
> Success is getting what you want, happiness is liking what you get!
> Cell:  206-854-8199
> IPPhone:  425-373-8964
> Email:  richard.h.paine at boeing.com 
> -----Original Message-----
> From: richb2 at pegasus.rutgers.edu [mailto:richb2 at pegasus.rutgers.edu] 
> Sent: Sunday, April 23, 2006 7:24 AM
> To: Voipsec at voipsa.org
> Subject: Re: [VOIPSEC] Identity Management and VoIP and More
> Richard, sorry to be emailing you directly, but I get a "daily journal"
> of the emails from this group and thus did not get the attachment (SMA)
> that you mentioned. I was a VoIP software application engineer in the
> days before Cisco took over the game, and am now getting an MBA in
> accounting, hoping to become an IT Auditor. My question regards the use
> of this SMA technology in the enterprise. I understand that the ISACA
> group sometimes sponsors classes on VoIP security, but not enough people
> even signed up for the one here in NY/NJ this past session to even have
> the seminar. This makes me think that VoIP security is not high on the
> list of Risks to companies. Possibly it is not considered a risk to the
> validity of the financials?
> Do you see this changing? Do you see a future for the VoIP
> specialization in the Auditing of IT systems?
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org

Ari Takanen                       Codenomicon Ltd.
ari.takanen at codenomicon.com       Tutkijantie 4E
tel: +358-40 50 67678             FIN-90570 Oulu
http://www.codenomicon.com        Finland
PGP: http://www.codenomicon.com/codenomicon-key.asc
