[VOIPSEC] [SearchSecurity.com] Better VoIP training needed, SANS director says

Diana Cionoiu diana-liste at voip.null.ro
Fri Dec 8 22:55:06 GMT 2006

Hello Shawn,

Shawn Merdinger wrote:

> On 12/8/06, Diana Cionoiu <diana at voip.null.ro> wrote:
> Hi Diana,
>> The problem with VoIP is not really security.
> I suppose this depends on what we're talking about with the term
> "security" -- to many folks this means features like encryption, or
> technologies like VPN/firewall/IDS/IPS.  To me, and for the purposes
> of my comments below, I define security as "resistance to attacker
> capabilities and impact."
I meant the same thing. The fact that some softwares are unsecure it 
doesn't mean we don't know how to make them secure, or the fact that 
VoIP is unsecure. As long as at least one software is secure than VoIP 
is secure. And if the companies are not willing to move to those secure 
system, the competition will crush them sooner or latter. Look on how 
Linux took from the Windows market because of security.

>> The problem with VoIP is that it is the first real time communication 
>> system over Internet.
>> the Internet Protocol himself haven't been designed to handle the
>> threats. All the other threats are common for the instant messengers 
>> also.
> Sure, VoIP is new and you're saying that the infrastructure is
> challenged in providing real-time communications.  I agree.  But if
> there's problems with the infrastructure capability to provide
> real-time service, then how can we expect it to be resistant to
> attacks that stress it or target specific weaknesses?  And just
> because the threats are common for IM does that make it OK for VoIP to
> have the same issues?  Or are we just more accepting of insecurities
> with anything that uses the Internet?  Btw, a nice read is Noam
> Eppel's essay at http://www.securityabsurdity.com/failure.php
I didn't said is ok, i've said that as long as people are fine with 
using IM they will be fine with using VoIP also. Any software will 
always be a bit more unsecure than a simple phone because of the 
physical access.

>> Another major issue with VoIP himself is the fact that technology
>> himself is very complicated and 90% of the developers in this world are
>> not capable to write a decent VoIP software.   We still have problems 
>> with
>> the sound card, we still have VoIP gateways that crash.
> An my question to that is why is that happening and why is that
> acceptable?  Is it getting better?  And do we expect this to get any
> better with virtual coding teams outsourced around the globe?
Of course it goes better. For example the software that i'm working for 
pretends that is the best open source softswitch. For example we claim 
that we have one of the best support for the sound cards in Windows, and 
now thanks to one of our contributors also in Linux. We pretend that we 
can carry more phone calls than a lot of proprietary solutions around: 
. As long as we do it open source, the proprietary software will become 

>>  We still have a huge lack of training for the VoIP system 
>> administrators.
> That's to be expected with any new hot technology, and I expect the
> market will respond to the need -- there's plenty of vendor and even
> Asterisk training available now, books, support forums, etc.  The
> information and demand is there, now it's just a time catch-up on a
> admin level imho.
Taking Asterisk as an example is pretty wrong. The fact that we have 
forums and books and whatever doesn't fix the quality of the software. 
Like i've said only 10% of the developers maybe can write VoIP software, 
not all Asterisk developers enter into that category.

>> Think for second on this formula: VoIP = IP + telephony.
> I have a few variables to add to that equation, but rather than go
> into that I'll say the bigger math problem here is that we as a
> security community have not effectively designed cost and impact
> metrics that reflect the true risks/threats of attacks.  Until we can
> bring tangible and verifiable negative business impact numbers to the
> suits and bean counters we're going to be stuck with FUD, anecdotal
> snippits and annual industry reports (a la CSI/FBI) that are regularly
> discounted as pretty much worthless.
I know quite enough people which lost a lot of money because they based 
their business on a certain open source VoIP software which was prone to 
crashes and security breaks. Nobody likes to admit because is their 
image but when you go and have a technical chat they all say the same 
thing. Most of the VoIP systems are unstable.
So is very difficult to convince the people from the industry to give 
you some numbers. That will mean to admit that VoIP is worse than PSTN.

>> The VoIP system administrators mainly are old IP administrators, but
>> usually they lack the knowhow on how to handle telephony.
> I agree....though the "old" bit is dangerous territory.  And btw, how
> is this different from your building's security guards are "old" (or
> under-trained) and don't know how to work the new biometric
> authentication system for your building door security?
So we have to hire new ones or train the old dogs new tricks.

>> The telephony administrators which had become VoIP administrators, and
>> in those cases is usually even worse because they have no idea how IP
>> infrastructure works, those are the ones that install 10 systems in the
>> path of the RTP increasing the delay.
> I think this is to be expected, and is a combination of fast. hot
> technology, lack of training and additional responsibilities being
> tacked on to the administrators, who are now expected to keep the
> systems running and patched, handle the firewalls/IPS and now take
> over the phone systems since it's "just another network application."
When i'm referring to the telephony administrators i'm referring to 
those that are able to administrate a PSTN network. For those telephony 
is their core business. And anyway additional responsibilities are 
coming with additional money for them or for others.

>> There are cases when administrators do understand what is going on under
>> the hat of a VoIP system, but is not common. And the same problem
>> actually exists for all systems this days. Is just happens that in VoIP
>> due to his RTC character is more easier to notice.
> And good for them, as their employment prospects are looking very well
> these days.  But you're still talking skill set deficiencies here,
> which to me is part of the security problem.
> I like physical world examples that parallel digital ones, and one
> example I think parallels Internet security in general is the
> evolution of the US military's HumVee vehicle in the face of threats.
> Baghdad airport road is the most dangerous road in Iraq, and the
> Internet "Information Highway" has become in many respect the
> equivalent.  We've all seen the the horrible impact of attacks against
> light vehicles from IEDs, and the failure of providing adequate
> security.
I'm sorry i can't follow you here.

> I think we're at the very beginning of VoIP threats here, and have not
> even hit the "hillbilly armor" stage.  With the huge rollouts,
> widespread deployments and money-grab with of all kinds of VoIP (from
> home users to carriers...to Skype...to the geek at home with a
> Asterisk box...to Google's click-to-harass...to JaJah-style call
> brokering) the herd is still in motion.  However, once these attacks
> materialize, there will be the lamenting and pain of reacting, and we
> can expect plenty of...to paraphrase Donald Rumsfeld, "You go to VoIP
> with the security you have, not the security you wish you had."
This guy Donald Rumsfeld is him a programmer?

> Who gets hurt with VoIP insecurities will depend on many factors,
> including where they are playing in this huge space, what type of VoIP
> or VoIP-peripheral service they're using, if they are targeted, etc.
> As a simple example, for some folks a consumer VoIP box that's
> unencrypted may be a fine choice, with the acceptable risk of that on
> a DSL/cable modem at home....but if that user is a business traveler
> and takes the box to a hotel network to keep his same number and save
> a few bucks, well the risk is now significantly increased and that
> VoIP connection may not be appropriate for the big M&A deal he's
> putting together...

If the security is important a VPN can also encrypts his e-mails and is 
a good investment.

> I was thinking the other day what steps I'd take to secure a
> enterprise VoIP deployment and the funny thing that came to me was
> demand a faster and detailed billing turnaround from the VoIP
> provider...I think I'd push my budget towards that rather than the
> fancy VoIP aware security appliance du jour.  Forget the layers of
> security, marketing rambles and added network complexity, this VoIP is
> hard enough already.  Give me some opensource PBXs, a few hardened,
> stripped-down BSD firewalls and hourly billing/call correlation with
> alerting.  After all, the hit is that bill at the end of the month,
> and will be when most folks discover the nasty.
Well, you can have that if you install Yate on a BSD system. Security, 
stability and reliability have been some of our major reasons to start a 
new open source soft switch (it has PBX features).

> Thanks,
> --scm

Diana Cionoiu

More information about the Voipsec mailing list