[VOIPSEC] [SearchSecurity.com] Better VoIP training needed, SANS director says
Paine, Richard H
richard.h.paine at boeing.com
Sun Dec 10 07:15:35 GMT 2006
I concur that there may be more at issue in the VOIP security mailing
list than just VOIP security. We are carrying all the baggage of early
IP deficiencies, including the issues of spoofing that come from being
unable to identify the initiator and responder at layers 2 and 3. I
have made several contributions to this mailing list and you appear to
be a candidate to receive them again. There is a functioning system
that we are using in The Boeing Company to secure factory communications
called the Secure Mobile Architecture (SMA). This architecture is
described in the attached emails I have shared with this mailing group
Richard H. Paine
Success is getting what you want, happiness is liking what you get!
Email: richard.h.paine at boeing.com
From: Shawn Merdinger [mailto:shawnmer at gmail.com]
Sent: Friday, December 08, 2006 1:55 PM
To: Diana Cionoiu
Subject: Re: [VOIPSEC] [SearchSecurity.com] Better VoIP training
needed, SANS director says
On 12/8/06, Diana Cionoiu <diana at voip.null.ro> wrote:
> The problem with VoIP is not really security.
I suppose this depends on what we're talking about with the term
"security" -- to many folks this means features like encryption, or
technologies like VPN/firewall/IDS/IPS. To me, and for the purposes of
my comments below, I define security as "resistance to attacker
capabilities and impact."
> The problem with VoIP is that it is the first real-time communication
> system over the Internet.
> the Internet Protocol itself hasn't been designed to handle the
> threats. All the other threats are common for the instant messengers
Sure, VoIP is new and you're saying that the infrastructure is
challenged in providing real-time communications. I agree. But if
there's problems with the infrastructure capability to provide real-time
service, then how can we expect it to be resistant to attacks that
stress it or target specific weaknesses? And just because the threats
are common for IM does that make it OK for VoIP to have the same issues?
Or are we just more accepting of insecurities with anything that uses
the Internet? Btw, a nice read is Noam Eppel's essay at
> Another major issue with VoIP itself is the fact that the technology
> itself is very complicated and 90% of the developers in this world are
> not capable of writing decent VoIP software. We still have problems with
> the sound card, we still have VoIP gateways that crash.
And my question to that is why is that happening and why is that
acceptable? Is it getting better? And do we expect this to get any
better with virtual coding teams outsourced around the globe?
> We still have a huge lack of training for the VoIP system
That's to be expected with any new hot technology, and I expect the
market will respond to the need -- there's plenty of vendor and even
Asterisk training available now, books, support forums, etc. The
information and demand is there, now it's just a time catch-up on an
admin level imho.
> Think for second on this formula: VoIP = IP + telephony.
I have a few variables to add to that equation, but rather than go into
that I'll say the bigger math problem here is that we as a security
community have not effectively designed cost and impact metrics that
reflect the true risks/threats of attacks. Until we can bring tangible
and verifiable negative business impact numbers to the suits and bean
counters we're going to be stuck with FUD, anecdotal snippets and annual
industry reports (a la CSI/FBI) that are regularly discounted as pretty
> The VoIP system administrators mainly are old IP administrators, but
> usually they lack the knowhow on how to handle telephony.
I agree....though the "old" bit is dangerous territory. And btw, how is
this different from when your building's security guards are "old" (or
under-trained) and don't know how to work the new biometric
authentication system for your building door security?
> The telephony administrators who have become VoIP administrators, and
> in those cases it is usually even worse because they have no idea how IP
> infrastructure works, those are the ones that install 10 systems in
> the path of the RTP increasing the delay.
I think this is to be expected, and is a combination of fast, hot
technology, lack of training and additional responsibilities being
tacked on to the administrators, who are now expected to keep the
systems running and patched, handle the firewalls/IPS and now take over
the phone systems since it's "just another network application."
> There are cases when administrators do understand what is going on
> under the hat of a VoIP system, but it is not common. And the same
> problem actually exists for all systems these days. It just happens
> that in VoIP, due to its RTC character, it is easier to notice.
And good for them, as their employment prospects are looking very well
these days. But you're still talking skill set deficiencies here, which
to me is part of the security problem.
I like physical world examples that parallel digital ones, and one
example I think parallels Internet security in general is the evolution
of the US military's HumVee vehicle in the face of threats.
Baghdad airport road is the most dangerous road in Iraq, and the
Internet "Information Highway" has become in many respect the
equivalent. We've all seen the horrible impact of attacks against
light vehicles from IEDs, and the failure of providing adequate
I think we're at the very beginning of VoIP threats here, and have not
even hit the "hillbilly armor" stage. With the huge rollouts,
widespread deployments and money-grab of all kinds of VoIP (from
home users to carriers...to Skype...to the geek at home with an Asterisk
box...to Google's click-to-harass...to JaJah-style call
brokering) the herd is still in motion. However, once these attacks
materialize, there will be the lamenting and pain of reacting, and we
can expect plenty of...to paraphrase Donald Rumsfeld, "You go to VoIP
with the security you have, not the security you wish you had."
Who gets hurt with VoIP insecurities will depend on many factors,
including where they are playing in this huge space, what type of VoIP
or VoIP-peripheral service they're using, if they are targeted, etc.
As a simple example, for some folks a consumer VoIP box that's
unencrypted may be a fine choice, with the acceptable risk of that on a
DSL/cable modem at home....but if that user is a business traveler and
takes the box to a hotel network to keep his same number and save a few
bucks, well the risk is now significantly increased and that VoIP
connection may not be appropriate for the big M&A deal he's putting
I was thinking the other day what steps I'd take to secure an enterprise
VoIP deployment and the funny thing that came to me was demand a faster
and detailed billing turnaround from the VoIP provider...I think I'd
push my budget towards that rather than the fancy VoIP aware security
appliance du jour. Forget the layers of security, marketing rambles and
added network complexity, this VoIP is hard enough already. Give me
some opensource PBXs, a few hardened, stripped-down BSD firewalls and
hourly billing/call correlation with alerting. After all, the hit is
that bill at the end of the month, and will be when most folks discover
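The "hourly billing/call correlation with alerting" idea in the post above, as an added example that is not part of the original message or of any VOIPSA or Boeing code: a small script that buckets call-detail records per extension per hour and raises alerts when a bucket breaches a spend, volume, or after-hours international-dialing rule. The CDR lines, extension numbers and thresholds are all constructed for the example; a real deployment would read the provider's billing feed and tune the limits from its own history.

```python
"""Hourly CDR correlation with alerting (constructed example, not any project's code)."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample call-detail records: start time, source extension,
# dialed number, duration in seconds, cost in USD. Not real traffic.
SAMPLE_CDR = """start,src,dst,duration_s,cost_usd
2006-12-08 09:12:00,1001,12065551234,120,0.04
2006-12-08 09:40:00,1002,12065559876,300,0.10
2006-12-08 03:05:00,1003,0115924445001,600,9.00
2006-12-08 03:10:00,1003,0115924445002,600,9.00
2006-12-08 03:20:00,1003,0115924445003,600,9.00
2006-12-08 03:25:00,1003,0115924445004,600,9.00
2006-12-08 14:00:00,1001,12065551111,60,0.02
"""

# Hypothetical thresholds; tune these from your own billing history.
HOURLY_COST_LIMIT = 20.00      # USD per extension per hour
HOURLY_CALL_LIMIT = 3          # calls per extension per hour
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 local time
INTL_PREFIX = "011"            # North American international dialing prefix


def parse_cdr(text):
    """Parse CSV CDR text into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "start": datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S"),
            "src": row["src"],
            "dst": row["dst"],
            "duration_s": int(row["duration_s"]),
            "cost_usd": float(row["cost_usd"]),
        })
    return rows


def bucket_by_hour(records):
    """Group records by (source extension, hour bucket)."""
    buckets = defaultdict(list)
    for r in records:
        hour = r["start"].replace(minute=0, second=0, microsecond=0)
        buckets[(r["src"], hour)].append(r)
    return buckets


def correlate(text):
    """Return a list of alert dicts for every (extension, hour) bucket that breaks a rule."""
    alerts = []
    for (src, hour), calls in sorted(bucket_by_hour(parse_cdr(text)).items()):
        cost = sum(c["cost_usd"] for c in calls)
        intl_after_hours = [c for c in calls
                            if c["dst"].startswith(INTL_PREFIX)
                            and c["start"].hour not in BUSINESS_HOURS]

        def alert(rule, detail):
            alerts.append({"src": src, "hour": hour.isoformat(),
                           "rule": rule, "detail": detail})

        # Rule 1: spend in this hour exceeds the per-extension budget.
        if cost > HOURLY_COST_LIMIT:
            alert("hourly_cost", f"${cost:.2f} > ${HOURLY_COST_LIMIT:.2f}")
        # Rule 2: more completed calls than the extension normally makes in an hour.
        if len(calls) > HOURLY_CALL_LIMIT:
            alert("hourly_call_volume", f"{len(calls)} calls > {HOURLY_CALL_LIMIT}")
        # Rule 3: international dialing outside business hours.
        if intl_after_hours:
            alert("after_hours_international",
                  f"{len(intl_after_hours)} international calls outside business hours")
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_CDR):
        print(f"ALERT ext {a['src']} @ {a['hour']} [{a['rule']}]: {a['detail']}")
```

Run against the sample, only extension 1003's 03:00 bucket trips the rules (all three of them), which is the pattern a billing-driven alert is meant to surface hours rather than a month after the fact. The three rules are deliberately independent so that one can be tuned or disabled without touching the others.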
Voipsec mailing list
Voipsec at voipsa.org