[VOIPSEC] [SearchSecurity.com] Better VoIP training needed, SANS director says

Craig craig at reswob.net
Fri Dec 8 20:35:47 GMT 2006

Below is the comment I put at the end of that article...

While I respect Stephen Northcutt a LOT, his view of VoIP in this 
interview seems limited. I've been doing VoIP security for the past year 
(which doesn't make me an expert, just knowledgeable) and I have read a 
lot regarding what is going on in the industry. I am glad that SANS is 
going to add a focus on VoIP security (a GIAC cert would be nice, hint, 
hint), but the concept of separating VoIP onto a separate cable makes no 
sense, when the whole POINT of VoIP was to consolidate cables and thus 
save money. Instead (as he says elsewhere) we must go and integrate 
security into VoIP NOW, while the industry is still young (relatively) 
so that Voice and Data (and eventually video as well) can coexist 
securely and efficiently on the same wire. VOIPSA was formed to achieve 
that purpose (www.voipsa.org) and Stephen Northcutt (or SANS) should 
leverage the considerable knowledge gathered there, join in the Best 
Practices effort being organized by Dan York (a VOIPSA member) and help 
promote what VOIPSA is doing in VoIP. Craig CISSP SANS GSEC

Craig L. Bowser
Security Engineer
SRA International, Inc.
craig.bowser1 at us dot army dot mil
Every wall has a gate through which people can walk; conventional hacking involves breaking this gate down. Social engineering is getting the gate keepers to wave you past with a smile on their faces.

Shawn Merdinger wrote:
> http://searchsecurity.techtarget.com/qna/0,289202,sid14_gci1233013,00.html
> Wow, Stephen Northcutt kinda throws down here...
> <snip>
> TechTarget:  A new item on this year's list is the VoIP threat. What
> is the SANS Institute doing to bolster awareness in this area?
> Northcutt: This is my single-greatest failure. We don't have the kind
> of intensive "here's what the packets look like" training that's
> needed. The problem is just massive. A technology like this never
> should have been rolled out without more thought to security. If I had
> my way, I would have the creators of VoIP stop everything and redesign
> this with security in mind from the get-go.
> ...
> ...Run VoIP as a separate cable, where you'd have one cable for data
> and another for voice...
> </snip>
> Thanks,
> --scm