[VOIPSEC] [SearchSecurity.com] Better VoIP training needed, SANS director says

Diana Cionoiu diana-liste at voip.null.ro
Fri Dec 8 11:38:19 GMT 2006

Hello Shawn,

The problem with VoIP is not really security. The problem with VoIP is
that it is the first real time communication system over Internet. And
the Internet Protocol himself haven't been designed to handle the
threats. All the other threats are common for the instant messengers also.

Another major issue with VoIP himself is the fact that technology
himself is very complicated and 90% of the developers in this world are
not capable to write a decent VoIP software. We still have problems with
the sound card, we still have VoIP gateways that crash. We still have a
huge lack of training for the VoIP system administrators.

Think for second on this formula:
VoIP = IP + telephony.

The VoIP system administrators mainly are old IP administrators, but
usually they lack the knowhow on how to handle telephony.

The telephony administrators which had become VoIP administrators, and
in those cases is usually even worse because they have no idea how IP
infrastructure works, those are the ones that install 10 systems in the
path of the RTP increasing the delay.

There are cases when administrators do understand what is going on under
the hat of a VoIP system, but is not common. And the same problem
actually exists for all systems this days. Is just happens that in VoIP
due to his RTC character is more easier to notice.

Diana Cionoiu

Shawn Merdinger wrote:

>Wow, Stephen Northcutt kinda throws down here...
>TechTarget:  A new item on this year's list is the VoIP threat. What
>is the SANS Institute doing to bolster awareness in this area?
>Northcutt: This is my single-greatest failure. We don't have the kind
>of intensive "here's what the packets look like" training that's
>needed. The problem is just massive. A technology like this never
>should have been rolled out without more thought to security. If I had
>my way, I would have the creators of VoIP stop everything and redesign
>this with security in mind from the get-go.
>...Run VoIP as a separate cable, where you'd have one cable for data
>and another for voice...
>Voipsec mailing list
>Voipsec at voipsa.org

More information about the Voipsec mailing list