[VOIPSEC] [SearchSecurity.com] Better VoIP training needed, SANS director says

Steve Blair blairs at isc.upenn.edu
Sun Dec 10 10:23:10 GMT 2006


Richard:

 Thanks for sharing this with us. Given the conversation which has just 
taken place would it be possible for you to give examples of how this 
architecture would address some of the implementation issues other 
members of this list have raised? Perhaps this would help define at a 
practical level expectations people should have about the state of VoIP 
"security".

Thanks,
Steve

Paine, Richard H wrote:

>I concur that there may be more at issue in the VOIP security mailing
>list than just VOIP security.  We are carrying all the baggage of early
>IP deficiencies, including the issues of spoofing that come from being
>unable to identify the initiator and responder at layers 2 and 3.  I
>have made several contributions to this mailing list and you appear to
>be a candidate to receive them again.  There is a functioning system
>that we are using in The Boeing Company to secure factory communications
>called the Secure Mobile Architecture (SMA).  This architecture is
>described in the attached emails I have shared with this mailing group
>before.
>
>Richard H. Paine
>Success is getting what you want, happiness is liking what you get!
>Cell:  206-854-8199
>IPPhone:  425-373-8964
>Email:  richard.h.paine at boeing.com 
>
>
>-----Original Message-----
>From: Shawn Merdinger [mailto:shawnmer at gmail.com] 
>Sent: Friday, December 08, 2006 1:55 PM
>To: Diana Cionoiu
>Cc: Voipsec
>Subject: Re: [VOIPSEC] [SearchSecurity.com] Better VoIP training
>needed, SANS director says
>
>On 12/8/06, Diana Cionoiu <diana at voip.null.ro> wrote:
>Hi Diana,
>
>>The problem with VoIP is not really security.
>
>
>I suppose this depends on what we're talking about with the term
>"security" -- to many folks this means features like encryption, or
>technologies like VPN/firewall/IDS/IPS.  To me, and for the purposes of
>my comments below, I define security as "resistance to attacker
>capabilities and impact."
>
>>The problem with VoIP is that it is the first real-time communication
>>system over the Internet. The Internet Protocol itself hasn't been
>>designed to handle the threats. All the other threats are common for
>>the instant messengers also.
>
>Sure, VoIP is new and you're saying that the infrastructure is
>challenged in providing real-time communications.  I agree.  But if
>there are problems with the infrastructure's capability to provide real-time
>service, then how can we expect it to be resistant to attacks that
>stress it or target specific weaknesses?  And just because the threats
>are common for IM does that make it OK for VoIP to have the same issues?
>Or are we just more accepting of insecurities with anything that uses
>the Internet?  Btw, a nice read is Noam Eppel's essay at
>http://www.securityabsurdity.com/failure.php
>
>>Another major issue with VoIP itself is the fact that the technology
>>itself is very complicated and 90% of the developers in this world are
>>not capable of writing decent VoIP software. We still have problems
>>with the sound card, we still have VoIP gateways that crash.
>
>And my question to that is why is that happening and why is that
>acceptable?  Is it getting better?  And do we expect this to get any
>better with virtual coding teams outsourced around the globe?
>
>>We still have a huge lack of training for the VoIP system
>>administrators.
>
>That's to be expected with any new hot technology, and I expect the
>market will respond to the need -- there's plenty of vendor and even
>Asterisk training available now, books, support forums, etc.  The
>information and demand is there, now it's just a time catch-up on an
>admin level imho.
>
>>Think for a second on this formula: VoIP = IP + telephony.
>
>I have a few variables to add to that equation, but rather than go into
>that I'll say the bigger math problem here is that we as a security
>community have not effectively designed cost and impact metrics that
>reflect the true risks/threats of attacks.  Until we can bring tangible
>and verifiable negative business impact numbers to the suits and bean
>counters we're going to be stuck with FUD, anecdotal snippets and annual
>industry reports (a la CSI/FBI) that are regularly discounted as pretty
>much worthless.
>
>>The VoIP system administrators are mainly old IP administrators, but
>>usually they lack the know-how on how to handle telephony.
>
>I agree....though the "old" bit is dangerous territory.  And btw, how is
>this different from your building's security guards being "old" (or
>under-trained) and not knowing how to work the new biometric
>authentication system for your building door security?
>
>>The telephony administrators who have become VoIP administrators, and
>>in those cases it is usually even worse because they have no idea how IP
>>infrastructure works; those are the ones that install 10 systems in
>>the path of the RTP, increasing the delay.
>
>I think this is to be expected, and is a combination of fast, hot
>technology, lack of training and additional responsibilities being
>tacked on to the administrators, who are now expected to keep the
>systems running and patched, handle the firewalls/IPS and now take over
>the phone systems since it's "just another network application."
>
>>There are cases when administrators do understand what is going on
>>under the hood of a VoIP system, but it is not common. And the same
>>problem actually exists for all systems these days. It just happens
>>that in VoIP, due to its RTC character, it is easier to notice.
>
>And good for them, as their employment prospects are looking very well
>these days.  But you're still talking skill set deficiencies here, which
>to me is part of the security problem.
>
>I like physical world examples that parallel digital ones, and one
>example I think parallels Internet security in general is the evolution
>of the US military's HumVee vehicle in the face of threats.
>Baghdad airport road is the most dangerous road in Iraq, and the
>Internet "Information Highway" has become in many respects the
>equivalent.  We've all seen the horrible impact of attacks against
>light vehicles from IEDs, and the failure of providing adequate
>security.
>
>I think we're at the very beginning of VoIP threats here, and have not
>even hit the "hillbilly armor" stage.  With the huge rollouts,
>widespread deployments and money-grab of all kinds of VoIP (from
>home users to carriers...to Skype...to the geek at home with an Asterisk
>box...to Google's click-to-harass...to JaJah-style call
>brokering) the herd is still in motion.  However, once these attacks
>materialize, there will be the lamenting and pain of reacting, and we
>can expect plenty of...to paraphrase Donald Rumsfeld, "You go to VoIP
>with the security you have, not the security you wish you had."
>
>Who gets hurt with VoIP insecurities will depend on many factors,
>including where they are playing in this huge space, what type of VoIP
>or VoIP-peripheral service they're using, if they are targeted, etc.
>As a simple example, for some folks a consumer VoIP box that's
>unencrypted may be a fine choice, with the acceptable risk of that on a
>DSL/cable modem at home....but if that user is a business traveler and
>takes the box to a hotel network to keep his same number and save a few
>bucks, well the risk is now significantly increased and that VoIP
>connection may not be appropriate for the big M&A deal he's putting
>together...
>
>I was thinking the other day what steps I'd take to secure an enterprise
>VoIP deployment and the funny thing that came to me was demand a faster
>and detailed billing turnaround from the VoIP provider...I think I'd
>push my budget towards that rather than the fancy VoIP aware security
>appliance du jour.  Forget the layers of security, marketing rambles and
>added network complexity, this VoIP is hard enough already.  Give me
>some opensource PBXs, a few hardened, stripped-down BSD firewalls and
>hourly billing/call correlation with alerting.  After all, the hit is
>that bill at the end of the month, and will be when most folks discover
>the nasty.
>
>Thanks,
>--scm
>
>_______________________________________________
>Voipsec mailing list
>Voipsec at voipsa.org
>http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
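Shawn's closing suggestion above, hourly billing/call correlation with alerting, is the one concrete control in this thread. The script below is an added example to show what that correlation looks like in practice; it is not code from any poster or from the Voipsec list. The CDR format (timestamp, source extension, dialled number, duration, billed cost), the home-country prefix, the business-hours window, the cost threshold and the per-extension baseline are all constructed assumptions, as are the sample records; a real deployment would parse the provider's own CDR export and tune the thresholds against the site's call history.

```python
"""Hourly CDR correlation with alerting (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample CDRs, one completed call per line:
# start,source extension,dialled number,duration seconds,billed cost
SAMPLE_CDRS = """\
2006-12-08T09:05:12,1001,+14255550101,180,0.03
2006-12-08T09:40:30,1002,+12065550123,600,0.09
2006-12-08T10:15:02,1001,+14255550177,90,0.02
2006-12-08T02:10:44,1003,+2526155501,420,7.35
2006-12-08T02:31:09,1003,+2526155502,410,7.20
2006-12-08T02:52:50,1003,+2526155503,440,7.70
2006-12-08T03:05:17,1003,+2526155504,395,6.95
"""

# Constructed baseline: typical hourly cost per extension, learned from history.
BASELINE_HOURLY_COST = {"1001": 0.05, "1002": 0.10, "1003": 0.05}

HOME_PREFIX = "+1"            # assumption: domestic numbers start with +1
BUSINESS_HOURS = range(7, 19)  # assumption: 07:00-18:59 is normal calling time
HOURLY_COST_LIMIT = 5.00       # assumption: hard ceiling per extension per hour
BASELINE_MULTIPLIER = 3        # alert when an hour costs 3x the usual


@dataclass
class Cdr:
    start: datetime
    ext: str
    dialled: str
    seconds: int
    cost: float


def parse_cdrs(text):
    """Parse the constructed CSV CDR format into Cdr records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ext, dialled, secs, cost = line.split(",")
        records.append(Cdr(datetime.fromisoformat(ts), ext, dialled,
                           int(secs), float(cost)))
    return records


def hourly_buckets(cdrs):
    """Group calls by (extension, hour the call started)."""
    buckets = defaultdict(list)
    for c in cdrs:
        hour = c.start.replace(minute=0, second=0, microsecond=0)
        buckets[(c.ext, hour)].append(c)
    return buckets


def correlate(cdrs, baseline):
    """Return one alert per (extension, hour) that trips any rule."""
    alerts = []
    for (ext, hour), calls in sorted(hourly_buckets(cdrs).items()):
        cost = round(sum(c.cost for c in calls), 2)
        intl = [c.dialled for c in calls if not c.dialled.startswith(HOME_PREFIX)]
        reasons = []
        if cost > HOURLY_COST_LIMIT:
            reasons.append("hourly cost exceeds limit")
        expected = baseline.get(ext, 0.0)
        if expected and cost > BASELINE_MULTIPLIER * expected:
            reasons.append("hourly cost exceeds 3x baseline")
        if intl and hour.hour not in BUSINESS_HOURS:
            reasons.append("international calls outside business hours")
        if reasons:
            alerts.append({"ext": ext, "hour": hour.isoformat(), "cost": cost,
                           "calls": len(calls), "destinations": intl,
                           "reasons": reasons})
    return alerts


def run_example():
    """Correlate the constructed sample against the constructed baseline."""
    return correlate(parse_cdrs(SAMPLE_CDRS), BASELINE_HOURLY_COST)


if __name__ == "__main__":
    for alert in run_example():
        print(f"ALERT ext {alert['ext']} {alert['hour']}: {alert['cost']:.2f} "
              f"over {alert['calls']} calls; {'; '.join(alert['reasons'])}")
```

On the sample data extension 1003 trips every rule in the 02:00 and 03:00 hours while the daytime extensions stay silent, which is the point of Shawn's argument: a billing feed that arrives hourly instead of monthly turns the end-of-month "nasty" into an alert the same night.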


