[VOIPSEC] VoIP Attack : How feasible

Michael Slavitch slavitch at gmail.com
Fri Jul 28 16:54:05 CDT 2006


(Let me send this message again to the right party in the right thread.)

On 7/28/06, Volker Tanger <vtlists at wyae.de> wrote:
> Greetings!
>
> On Fri, 28 Jul 2006 15:22:07 -0400
> "Michael Slavitch" <slavitch at gmail.com> wrote:
>
> > I suggest reading up on the Windows security model.  It does
> > App-to-app authentication.  Done like dinner for a decade.
>
> ???
>
> Sorry, you lost me somewhere. IPSec/OpenVPN and other layer 2/3 VPNs
> are, well, layer 3 and thus pretty much independent of application
> which is on layer 7.
>
> Or were you thinking along SSL-type of connections e.g. using
> certificate-authentication?
>
> And what has the Windows security model to do with the generic VPN and
> (e.g.) SIP thread we had before?
>
> If I missed a mail, maybe you could send it to me as PM?
>
> Thanks
>
> Volker
>
>



The orthodoxy of layer independence is how the IETF got in this pig in
a poke in the first place.  IPSec deployments are dwarfed by PPTP
implementations that depend on Windows login using so-called "layer-7"
Windows credentials to authenticate at the "layer-2" level, largely
based on a locally-generated cert.  No global certificate, no
certificate authority needed.

Single login / single sign-on / single identity isn't just a matter of
convenience, it's a matter of correct architecture.  Microsoft got it
right long ago.  Layer 7 identity and auth must go all the way down
the stack to make communications useful, for communications are
ultimately between people and organizations, not machines.

Engineers of course hate this reality because people are hard.

To Microsoft everything is driven by the application and identity
because that is how you build effective systems and effective
applications.  And by "effective" I don't mean the most elegant
implementation, "effective" means that it can be sold, deployed and
leverage an installed base.  This is how you build mighty vendors.

If you've noticed Cisco and Microsoft are in a product war over VOIP,
the battle is over which vendor controls the application layer.
Microsoft will eventually win after struggling with their
implementations and their partnerships, and Cisco will struggle with
applications development because it is not their game. But it's an
application game and that's Microsoft's native turf.

The layers below the application layer are now commodities for all
computing, including telecommunications. Skype proved this. The rest
is but timing and product.

All that is left is applications and services, so application-level
identity by definition wins.  Any other model is doomed to failure not
because it is wrong or doesn't work, but because it is not useful to
the user or the customer.  You can't sell it.

My employer is but a mouse in this game, focused on the seemingly
forgotten SME, which for some reason most mega corporations choose to
ignore, including it seems Microsoft.

Systems designers forget that most of the business world is made up of
small and medium-sized companies, 500 or so people is the mean, and
these places don't have time or energy for fancy deployments or IPSEC
or whatever, they want something that solves a problem, can be
maintained by people with a high school level of education, and 'just
works'.   Microsoft mastered this with Windows NT, which is why Novell
is now a pale shadow and Microsoft dominates corporate networking.
Remember, it's all about money.  We work for salesmen.

Regards


M






>
> Volker Tanger    http://www.wyae.de/volker.tanger/
> --------------------------------------------------
> vtlists at wyae.de                    PGP Fingerprint
> 378A 7DA7 4F20 C2F3 5BCC  8340 7424 6122 BB83 B8CB
>