[VOIPSEC] [SearchSecurity.com] Better VoIP training needed, SANS director says

Geoff Devine gdevine at cedarpointcom.com
Mon Dec 11 14:16:03 GMT 2006

Simon Horne writes:
> Diana
> I totally agree, security is not a mainstream issue until it starts
> to become an issue, then of course it's all too late.

...and that's the whole reason why VoIPSA exists. ;)

> >P.S. In H.323 half of the bugs have been in ASN.1 parser, because
> >that protocol is too difficult to implement.
> This is a kinda funny statement to make given your previous post on
> the topic..:-)  There are quite a few (as you know) very good ASN.1
> parsers available in both open source and can be purchased. 

H.323 is complex but that has nothing to do with ASN.1 encoding.  In my opinion, Type-Length-Value encodings are a necessary part of creating a secure computing environment.  With TLVs, you can easily check each object for valid contents that won't damage the network in a computer-friendly way that is testable for completeness.  In any telecom protocol, 80%-90% of conformance testing is exercising this kind of code.  With a text-based protocol, this sort of completeness testing is far more difficult to achieve (and mathematically impossible to prove) and you never really know if you have vulnerabilities.  

I actually had a product fail softswitch conformance testing because it did not transparently pass SDP through end-to-end.  We'd taken our best crack at decoding SDP into an internal format so no unknown and unvalidated information would traverse the network.  We had to hack in a "pass the stupid test" mode that you would never run in the field since there's no telling what kind of damage you could do by allowing rogue protocol elements to traverse your network.  If you start your internal architecture considering security to be a critical function, you'd never apply a "the internet is my sandbox" dogma to a mission-critical function like lifeline voice.  


Geoff Devine
Chief Architect
Cedar Point Communications
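
The per-object checking and the decode-rather-than-pass-through approach described in the message above, as an added example that is not part of the original post. The wire format (1-byte type, 2-byte big-endian length), the field schema and all names are assumptions made for illustration; this is not ASN.1 or any real protocol.

```python
import struct

# Hypothetical schema (assumption, not from the post):
# type code -> (field name, min length, max length, contents check)
SCHEMA = {
    0x01: ("call_id", 4, 4, lambda v: True),
    0x02: ("codec", 1, 1, lambda v: v[0] in (0, 8, 18)),
    0x03: ("display_name", 1, 32, lambda v: all(0x20 <= b < 0x7F for b in v)),
}


class TLVError(ValueError):
    """Raised for any object that fails validation."""


def tlv(t: int, value: bytes) -> bytes:
    """Encode one object: 1-byte type, 2-byte big-endian length, value."""
    return struct.pack(">BH", t, len(value)) + value


def parse_message(buf: bytes) -> dict:
    """Decode into named fields; unknown or malformed objects are rejected."""
    fields, off = {}, 0
    while off < len(buf):
        if len(buf) - off < 3:
            raise TLVError(f"truncated header at offset {off}")
        t, length = struct.unpack_from(">BH", buf, off)
        off += 3
        if t not in SCHEMA:
            raise TLVError(f"unknown type 0x{t:02x}")
        name, lo, hi, check = SCHEMA[t]
        if not lo <= length <= hi:
            raise TLVError(f"{name}: length {length} outside {lo}..{hi}")
        if length > len(buf) - off:
            raise TLVError(f"{name}: length {length} overruns buffer")
        value = buf[off:off + length]
        off += length
        if name in fields:
            raise TLVError(f"{name}: duplicate field")
        if not check(value):
            raise TLVError(f"{name}: invalid contents")
        fields[name] = value
    return fields


# Constructed sample message, built inline so the block runs offline.
SAMPLE = tlv(0x01, b"\x00\x00\x00\x2a") + tlv(0x02, b"\x00") + tlv(0x03, b"alice")
```

Each `raise` is one enumerable rejection case, so a conformance suite can cover the decoder with one negative test per branch.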
