[VOIPSEC] [SearchSecurity.com] Better VoIP training needed, SANS director says

Shawn Merdinger shawnmer at gmail.com
Fri Dec 8 21:55:17 GMT 2006

On 12/8/06, Diana Cionoiu <diana at voip.null.ro> wrote:
Hi Diana,

> The problem with VoIP is not really security.

I suppose this depends on what we're talking about with the term
"security" -- to many folks this means features like encryption, or
technologies like VPN/firewall/IDS/IPS.  To me, and for the purposes
of my comments below, I define security as "resistance to attacker
capabilities and impact."

> The problem with VoIP is that it is the first real-time communication system over the Internet.
> The Internet Protocol itself hasn't been designed to handle the
> threats. All the other threats are common for the instant messengers also.

Sure, VoIP is new and you're saying that the infrastructure is
challenged in providing real-time communications.  I agree.  But if
there's problems with the infrastructure capability to provide
real-time service, then how can we expect it to be resistant to
attacks that stress it or target specific weaknesses?  And just
because the threats are common for IM does that make it OK for VoIP to
have the same issues?  Or are we just more accepting of insecurities
with anything that uses the Internet?  Btw, a nice read is Noam
Eppel's essay at http://www.securityabsurdity.com/failure.php

> Another major issue with VoIP itself is the fact that the technology
> itself is very complicated and 90% of the developers in this world are
> not capable of writing decent VoIP software.   We still have problems with
> the sound card, we still have VoIP gateways that crash.

And my question to that is why is that happening and why is that
acceptable?  Is it getting better?  And do we expect this to get any
better with virtual coding teams outsourced around the globe?

>  We still have a huge lack of training for the VoIP system administrators.

That's to be expected with any new hot technology, and I expect the
market will respond to the need -- there's plenty of vendor and even
Asterisk training available now, books, support forums, etc.  The
information and demand is there, now it's just a time catch-up on an
admin level imho.

> Think for second on this formula: VoIP = IP + telephony.

I have a few variables to add to that equation, but rather than go
into that I'll say the bigger math problem here is that we as a
security community have not effectively designed cost and impact
metrics that reflect the true risks/threats of attacks.  Until we can
bring tangible and verifiable negative business impact numbers to the
suits and bean counters we're going to be stuck with FUD, anecdotal
snippets and annual industry reports (a la CSI/FBI) that are regularly
discounted as pretty much worthless.

> The VoIP system administrators mainly are old IP administrators, but
> usually they lack the know-how on how to handle telephony.

I agree....though the "old" bit is dangerous territory.  And btw, how
is this different from your building's security guards being "old" (or
under-trained) and not knowing how to work the new biometric
authentication system for your building door security?

> The telephony administrators who had become VoIP administrators, and
> in those cases it is usually even worse because they have no idea how IP
> infrastructure works, those are the ones that install 10 systems in the
> path of the RTP increasing the delay.

I think this is to be expected, and is a combination of fast, hot
technology, lack of training and additional responsibilities being
tacked on to the administrators, who are now expected to keep the
systems running and patched, handle the firewalls/IPS and now take
over the phone systems since it's "just another network application."

> There are cases when administrators do understand what is going on under
> the hat of a VoIP system, but it is not common. And the same problem
> actually exists for all systems these days. It just happens that in VoIP,
> due to its RTC character, it is easier to notice.

And good for them, as their employment prospects are looking very well
these days.  But you're still talking skill set deficiencies here,
which to me is part of the security problem.

I like physical world examples that parallel digital ones, and one
example I think parallels Internet security in general is the
evolution of the US military's HumVee vehicle in the face of threats.
Baghdad airport road is the most dangerous road in Iraq, and the
Internet "Information Highway" has become in many respect the
equivalent.  We've all seen the horrible impact of attacks against
light vehicles from IEDs, and the failure of providing adequate

I think we're at the very beginning of VoIP threats here, and have not
even hit the "hillbilly armor" stage.  With the huge rollouts,
widespread deployments and money-grab of all kinds of VoIP (from
home users to carriers...to Skype...to the geek at home with an
Asterisk box...to Google's click-to-harass...to JaJah-style call
brokering) the herd is still in motion.  However, once these attacks
materialize, there will be the lamenting and pain of reacting, and we
can expect plenty of...to paraphrase Donald Rumsfeld, "You go to VoIP
with the security you have, not the security you wish you had."

Who gets hurt with VoIP insecurities will depend on many factors,
including where they are playing in this huge space, what type of VoIP
or VoIP-peripheral service they're using, if they are targeted, etc.
As a simple example, for some folks a consumer VoIP box that's
unencrypted may be a fine choice, with the acceptable risk of that on
a DSL/cable modem at home....but if that user is a business traveler
and takes the box to a hotel network to keep his same number and save
a few bucks, well the risk is now significantly increased and that
VoIP connection may not be appropriate for the big M&A deal he's
putting together...

I was thinking the other day what steps I'd take to secure an
enterprise VoIP deployment and the funny thing that came to me was
demand a faster and detailed billing turnaround from the VoIP
provider...I think I'd push my budget towards that rather than the
fancy VoIP aware security appliance du jour.  Forget the layers of
security, marketing rambles and added network complexity, this VoIP is
hard enough already.  Give me some opensource PBXs, a few hardened,
stripped-down BSD firewalls and hourly billing/call correlation with
alerting.  After all, the hit is that bill at the end of the month,
and will be when most folks discover the nasty.
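The "hourly billing/call correlation with alerting" idea in the post, as an added example that is not part of the original message and not code from any PBX or provider: it parses a constructed CDR export (timestamp, extension, destination, duration, cost), aggregates it per hour, and raises alerts on off-hours international calls, hourly spend over a limit, and per-extension call bursts. Column layout, thresholds and the home-country prefix are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample CDR export (not from any real PBX or provider):
# timestamp,extension,destination,duration_s,cost_usd
SAMPLE_CDR = """\
2006-12-08T09:15:00,1001,+14155550100,120,0.02
2006-12-08T09:40:00,1002,+14155550101,300,0.05
2006-12-08T14:10:00,1003,+442071234567,600,0.90
2006-12-09T02:05:00,1004,+2347012345678,3600,42.00
2006-12-09T02:07:00,1004,+2347012345679,3600,42.00
2006-12-09T02:09:00,1004,+2347012345680,3600,42.00
"""

HOURLY_COST_LIMIT = 20.0         # assumed: alert when one hour's charges exceed this
OFF_HOURS = range(0, 6)          # assumed: 00:00-05:59, no international calls expected
HOME_COUNTRY_PREFIX = "+1"       # assumed: anything else counts as international
MAX_CALLS_PER_EXT_PER_HOUR = 2   # assumed: one extension placing more is a burst

def parse_cdr(text):
    """Turn the CSV export into a list of dict rows with typed fields."""
    rows = []
    for line in text.strip().splitlines():
        ts, ext, dest, dur, cost = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "ext": ext, "dest": dest,
                     "duration": int(dur), "cost": float(cost)})
    return rows

def correlate(rows):
    """Return (rule, key, detail) alerts from per-hour correlation of the CDRs."""
    alerts = []
    cost_per_hour = defaultdict(float)
    calls_per_ext_hour = defaultdict(int)
    for r in rows:
        hour = r["ts"].replace(minute=0, second=0)
        cost_per_hour[hour] += r["cost"]
        calls_per_ext_hour[(r["ext"], hour)] += 1
        international = not r["dest"].startswith(HOME_COUNTRY_PREFIX)
        if international and r["ts"].hour in OFF_HOURS:
            alerts.append(("off_hours_international", r["ext"], r["dest"]))
    for hour, cost in cost_per_hour.items():
        if cost > HOURLY_COST_LIMIT:
            alerts.append(("hourly_cost", hour.isoformat(), round(cost, 2)))
    for (ext, hour), n in calls_per_ext_hour.items():
        if n > MAX_CALLS_PER_EXT_PER_HOUR:
            alerts.append(("call_volume", ext, n))
    return alerts

if __name__ == "__main__":
    for alert in correlate(parse_cdr(SAMPLE_CDR)):
        print(alert)
```

On the sample, only extension 1004's 02:00 hour trips the rules; the daytime UK call is international but inside business hours, so it is left alone.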
