[VOIPSEC] Indentity Management and VoIP and More

Steve Blair blairs at isc.upenn.edu
Mon Apr 24 16:05:46 PDT 2006



Ari Takanen wrote:

>Richard,
>
>Excellent punch, but I think it is important to note that VOIP does
>not mean Internet. For consumers that want free peer-to-peer
>communications yes, but for enterprises a well deployed VOIP is just
>about replacing expensive equipment with more cost-effective and
>easily maintained network. Nobody should urge enterprises to use open
>networks, at least without encryption and good backup solutions.
>
>IP is just a cheap unreliable transport. Not a network. And it is
>feasible to build a low-cost secure VOIP network with currently
>available technology. And it is much easier to test, and audit. I
>would say SS7 is a vulnerability, not SIP or any other VOIP
>technology. And have you noted that PSTN is now also VOIP with the
>transition to Sigtran protocol? Actually PSTN has been VOIP for a long
>time, and on many occasions uses public Internet! Ask your provider
>for details.
>
>  
>
Good points although in the Academic space we are using commodity 
Internet and Internet2 for IP based communication. SIP/SIMPLE based 
collaboration is on-going and gaining importance. Intra-organization 
security, privacy and identity management are active areas of interest.

-Steve

>/Ari
>
>PS: Remember to update your telephony equipment...
>
>On Mon, Apr 24, 2006 at 06:41:31AM -0700, Paine, Richard H wrote:
>  
>
>>Yes, I see it changing.  The reality is that Boeing and other Fortune
>>500 companies will come to the realization that there is a massive
>>vulnerability in the VOIP implementations.  The reality is that VOIP
>>calls, if they are Internet-only, are all vulnerable to spoofing and
>>tapping and man-in-the-middle attacks against their businesses.  Why it
>>doesn't have much emphasis right now is that the Cisco Call Managers and
>>other VOIP connections are dependent and rely on the PSTN system that
>>historically maintains an enterprise trust of the PSTN providers to
>>provide secure voice communications.  It really isn't secure, but it is
>>wired and protected by the PSTNs and the courts.  As more and more
>>traffic stays on the Internet and does not move to the PSTN, the
>>vulnerability increases.  End-to-end secure sessions, like the Secure
>>Mobile Architecture (SMA) provides, will eventually become imperative to
>>protect VOIP communications.  Until the perception that everything is
>>protected is debunked, there will be a lack of interest in such systems.
>>It will only take one well publicized security event and the attitudes
>>will change.
>>
>>Richard H. Paine
>>Success is getting what you want, happiness is liking what you get!
>>Cell:  206-854-8199
>>IPPhone:  425-373-8964
>>Email:  richard.h.paine at boeing.com 
>>
>>
>>-----Original Message-----
>>From: richb2 at pegasus.rutgers.edu [mailto:richb2 at pegasus.rutgers.edu] 
>>Sent: Sunday, April 23, 2006 7:24 AM
>>To: Voipsec at voipsa.org
>>Subject: Re: [VOIPSEC] Indentity Management and VoIP and More
>>
>>Richard sorry to be emailing you directly, but I get a "daily journal"
>>of the emails from this group and thus did not get the attachment (SMA)
>>that you mentioned. I was a VoIP software application engineer in the
>>days before Cisco took over the game, and am now getting an MBA in
>>accounting, hoping to become an IT Auditor. My question regards the use
>>of this SMA technology in the enterprise. I understand that the ISACA
>>group sometimes sponsors classes on VoIP security, but not enough people
>>even signed up for the one here in NY/NJ this past session to even have
>>the seminar. This makes me think that VoIP security is not high on the
>>list of Risks to companies. Possibly it is not considered a risk to the
>>validity of the financials?
>>
>>Do you see this changing? Do you see a future for the VoIP
>>specialization in the Auditing of IT systems?
>>
>>
>>_______________________________________________
>>Voipsec mailing list
>>Voipsec at voipsa.org
>>http://voipsa.org/mailman/listinfo/voipsec_voipsa.org