[VOIPSEC] Need recommendations on voip pbx's
Ari Takanen
voipsa at codenomicon.com
Fri Jan 18 09:56:45 CST 2008
At least based on our studies, 80% of VoIP implementations (*) STILL
fail even with fuzz testing. No matter what security mechanisms you
have in place, you will have very weak security if no security testing
is taking place during the software development. Products from many
major vendors are a pretty safe choice still, as they have pretty good
development practices today. Ask your vendor, otherwise they will
never be motivated to improve the security/quality.
/Ari
(*) This 80% failure rate was true already in 2002 when PROTOS tests
came out. Although most of those problems were fixed, the fuzzers have
undergone significant development since then. Some companies still do not
do any negative testing beyond PROTOS fuzzing (I hope they do that at
least).
On Fri, Jan 18, 2008 at 10:24:07AM -0500, Dan York wrote:
> John,
>
> I expect you'll see a range of responses from folks here, either on-
> list or directly. Most all of the various IP-PBX vendors have someone
> subscribed to this list.
>
> Since this list is focused on VoIP security, I don't know that it's
> really the right place to have an all-out "PBX faceoff". I can say
> that from a *security* point of view, if *I* personally were looking
> to buy an IP-PBX, I would probably ask questions like:
>
> 1. Can the system support encryption of voice (typically Secure RTP
> (SRTP)) and signaling (typically some form of TLS)?
> 2. Is encryption enabled by default? What has to be done to enable
> it? Is there a performance impact?
> 3. Is encryption available for all supported IP phones? Or is it
> limited to specific handsets?
> 4. How do the IP phones authenticate to the IP-PBX? Do they use
> certificates?
> 5. What services do the IP phones have running on them? (Some have
> web servers, SSH servers) Are those services necessary?
> 6. Can the IP phones be centrally managed and provisioned?
> 7. How are the software loads for the IP phones stored? Are they in
> the phones? Downloaded via TFTP? Encrypted?
> 8. How is the security of wireless IP handsets addressed?
> 9. How are management interfaces secured? APIs?
> 10. Do the IP phones have default passwords? Are they forced to be
> changed?
> 11. What kind of traditional PSTN security is available? i.e. toll
> fraud prevention, call restrictions, feature access restrictions
> 12. What operating systems do the IP-PBX and associated applications
> use? How up-to-date are they with patches? How do they handle that?
> etc.
>
> And the list can go on (and others on the list are welcome to add to
> what I listed). If a certain someone whose last name is York would
> get the Best Practices project re-started, we would have a nice
> document you could use to assess the security of various vendors.
> (Hoping to kick that off next week...)
>
> Hmmm... maybe in addition to the Best Practices document we should
> have a "VoIP Security Buyer's Guide: Questions to ask your vendor"
> that is a page or two (and points to the Threat Taxonomy, Best
> Practices, etc.). What do people think?
>
> Most all of the vendors I am aware of - Cisco, Avaya, Nortel, Mitel,
> Alcatel - have systems that meet those questions to various degrees.
>
> My 2 cents,
> Dan
>
> P.S. And I say all this realizing that the security considerations
> may all be thrown out the window at some customers if an executive
> happens to like a particularly sleek-looking phone.... :-)
>
> On Jan 17, 2008, at 8:52 PM, John Richards wrote:
>
> > Hello VoIPsec Mailing List,
> >
> > The company I work for is thinking about getting rid of our current PBX
> > system (Meridian PBX) and is thinking about deploying a Voice over IP
> > system. Our company has some small branches scattered around and we
> > either want to deploy smaller PBX systems within each branch or set up
> > the employees at each branch to somehow be remote workers. We are looking
> > for a well-defined system with a good consumer base and a good support
> > team. Our budget for this project has not yet been defined, but we are
> > willing to spend the extra money to get a good and reliable system. I'm
> > open to suggestions as I have been assigned the task of doing the
> > research and giving my recommendation back to our management. I've done
> > a bit of research already, hence why I am asking this group for any
> > recommendations and suggestions on vendors and technologies to use.
> >
> > Cheers,
> > John Richards
> > _______________________________________________
> > Voipsec mailing list
> > Voipsec at voipsa.org
> > http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>
> --
> Dan York, CISSP, Director of Emerging Communication Technology
> Office of the CTO Voxeo Corporation dyork at voxeo.com
> Phone: +1-407-455-5859 Skype: danyork http://www.voxeo.com
> Blogs: http://blogs.voxeo.com http://www.disruptivetelephony.com
>
> Bring your web applications to the phone.
> Find out how at http://evolution.voxeo.com
>
--
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
Ari Takanen, Codenomicon Ltd.
ari.takanen at codenomicon.com
tel: +358-40 50 67678
Tutkijantie 4E, FI-90570 Oulu, Finland
http://www.codenomicon.com
PGP: http://www.codenomicon.com/codenomicon-key.asc
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
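Ari's point about VoIP implementations failing negative (fuzz) testing, illustrated with an added example that is not code from this thread, from Codenomicon or from the PROTOS project: a small PROTOS-style SIP INVITE mutation generator run against two hypothetical parsers, a fragile one that trusts message shape and a strict one that bounds and validates what it reads. The baseline message, the anomaly values and both parsers are constructed for this illustration; the hosts use documentation addresses (example.com, 192.0.2.0/24).

```python
"""PROTOS-style SIP INVITE mutation generator plus two hypothetical parsers.

Added example for illustration; none of this is vendor or PROTOS code.
The message, anomaly values and parsers are constructed here.
"""
import re


class SipParseError(ValueError):
    """Controlled rejection; anything else escaping a parser is a finding."""


# Baseline well-formed INVITE (constructed; RFC 5737 documentation addresses).
BASE_HEADERS = [
    ("Via", "SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds"),
    ("Max-Forwards", "70"),
    ("To", "Bob <sip:bob@example.com>"),
    ("From", "Alice <sip:alice@example.com>;tag=1928301774"),
    ("Call-ID", "a84b4c76e66710@192.0.2.10"),
    ("CSeq", "314159 INVITE"),
    ("Contact", "<sip:alice@192.0.2.10>"),
    ("Content-Type", "application/sdp"),
]
BASE_BODY = "v=0\r\no=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\ns=-\r\n"

# Anomaly values applied to one header at a time, in the spirit of PROTOS.
ANOMALIES = [
    "A" * 4096,                  # overlong value (buffer-length probe)
    "%s%s%s%n",                  # format-string probe
    "\x00inject",                # embedded NUL
    "<sip:" + ";" * 512 + ">",   # parameter storm
    "",                          # empty value
]


def build_invite(headers, body, content_length=None):
    """Serialise a SIP request; content_length overrides the true length."""
    if content_length is None:
        content_length = len(body.encode())
    lines = ["INVITE sip:bob@example.com SIP/2.0"]
    lines += [f"{name}: {value}" for name, value in headers]
    lines.append(f"Content-Length: {content_length}")
    return "\r\n".join(lines) + "\r\n\r\n" + body


def generate_cases():
    """Yield (label, raw_message) test cases: 8 headers x 5 anomalies + 4."""
    for idx, (name, _) in enumerate(BASE_HEADERS):
        for a_idx, anomaly in enumerate(ANOMALIES):
            mutated = list(BASE_HEADERS)
            mutated[idx] = (name, anomaly)
            yield f"{name}/anomaly{a_idx}", build_invite(mutated, BASE_BODY)
    for cl in (-1, 2 ** 32, 1):  # Content-Length that lies about the body
        yield f"Content-Length/{cl}", build_invite(BASE_HEADERS, BASE_BODY, cl)
    # Header/body separator removed entirely
    yield "missing-CRLF", build_invite(BASE_HEADERS, BASE_BODY).replace("\r\n\r\n", "\r\n", 1)


def naive_parse(raw):
    """Hypothetical fragile parser: assumes every field has the expected shape."""
    head, body = raw.split("\r\n\r\n", 1)
    lines = head.split("\r\n")
    method, uri, version = lines[0].split(" ")
    headers = dict(line.split(": ", 1) for line in lines[1:])
    branch = headers["Via"].split("branch=")[1]      # IndexError if absent
    hops = int(headers["Max-Forwards"])               # ValueError on junk
    seq = int(headers["CSeq"].split(" ")[0])
    length = int(headers["Content-Length"])           # trusted blindly
    return {"method": method, "branch": branch, "hops": hops, "seq": seq, "body": body[:length]}


MAX_HEADER_VALUE = 1024
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):[ \t]*(.*)$")


def parse_request(raw):
    """Strict parser: every malformed input becomes SipParseError, never a crash."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise SipParseError("no header/body separator")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        raise SipParseError("bad request line")
    headers = {}
    for line in lines[1:]:
        m = HEADER_RE.match(line)
        if not m:
            raise SipParseError(f"malformed header line: {line[:40]!r}")
        name, value = m.group(1).lower(), m.group(2)
        if not value or len(value) > MAX_HEADER_VALUE or "\x00" in value:
            raise SipParseError(f"rejected value for {name}")
        headers[name] = value
    try:
        cl = int(headers.get("content-length", "0"))
    except ValueError:
        raise SipParseError("non-numeric Content-Length")
    if cl < 0 or cl > 65535 or cl != len(body.encode()):
        raise SipParseError("Content-Length out of range or mismatched")
    return {"method": parts[0], "uri": parts[1], "headers": headers, "body": body}


def run_fuzz(parser):
    """Feed every case to parser; an exception other than SipParseError is a crash."""
    results = {"rejected": 0, "accepted": 0, "crashed": []}
    for label, msg in generate_cases():
        try:
            parser(msg)
            results["accepted"] += 1
        except SipParseError:
            results["rejected"] += 1
        except Exception as exc:
            results["crashed"].append((label, type(exc).__name__))
    return results


if __name__ == "__main__":
    for name, p in (("naive", naive_parse), ("strict", parse_request)):
        r = run_fuzz(p)
        print(f"{name}: accepted={r['accepted']} rejected={r['rejected']} crashed={len(r['crashed'])}")
```

Accepted cases are not findings by themselves: a syntactically valid header carrying `%s%n` only matters if the implementation later passes it to a format function, which is why real fuzz campaigns watch the target process (crashes, memory errors, hangs) rather than only the parser's verdict. The naive parser shows the failure mode Ari describes: it never rejects anything, it just falls over on 16 of the 44 cases.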