[VOIPSEC] Security VoIP Project
SERGE TUMBA
serget68 at msn.com
Mon Feb 1 20:29:15 CST 2010
Hi all!
I am currently working on a project: "Security measurements on VoIP". I would like to get some advice about some of the concerns I have on my project.
Basically, I would like to implement the secure-RTP as a security protocol for VoIP. I would like to know how to implement this protocol. I was unable to implement it based on some tutorials I found online.
What I have done so far in my project: I installed the 3CX PBX on a Windows 2003 Server and I installed two softphones (X-Lite) on two different machines, a Windows XP and Windows 7 (all these machines run on a VMWare hosted on my laptop running Windows Vista).
I made sure that the network is good by connecting the PBX to the X-Lite SIP softphones and I successfully established calls. Next, I installed the VPN, using IPSec VPN and this helps to secure VoIP calls since IPSec acts as a network-layer security protocol that protects and authenticates IP packets exchanged between IPSec devices or peers while transmitting sensitive information, such as VoIP traffic over unprotected or untrusted networks.
However, I realized that VPN is not used only for VoIP, but there are a number of means beyond IPSec VPNs for protecting any kind of network traffic. That is why I decided to add the Secure-RTP that protects VoIP packets. I would appreciate anyone who will provide step by step instructions for secure-RTP installation on a Windows and Linux (if possible) environment. This is, of course, one thing I would need to complete before going over the security measurements on VoIP.
Thank you!
Serge.
> From: dtrammell at breakingpoint.com
> To: lists at infosecurity.ch
> Date: Sun, 31 Jan 2010 14:30:27 -0600
> CC: voipsec at voipsa.org
> Subject: Re: [VOIPSEC] Evaluation of voice cracking analysis
>
> On Sat, 2010-01-30 at 15:51 +0100, Fabio Pietrosanti (naif) wrote:
> > I don't know how many of you have read about the analysis done on http://infosecurityguard.com.
>
> I actually came across an article about the research and didn't bother
> to go read the research itself because at first impression, my thought
> was "Well duh, you're capturing the audio directly from the compromised
> system's audio devices, before it gets encrypted by the application...
> This is well known." Perhaps there's some nuance I'm missing, because
> as I said I didn't go read the actual research, but from the overview
> given in the article it didn't sound worth the time.
>
> The only thing that DID sound interesting in the article that I read was
> that a few of the products tested apparently detected attempts to
> eavesdrop on the audio via the local system devices and alerted the user
> to it. Good for those particular products for going the extra mile, but
> you really can't expect your communications to and from your system to
> be secure when your entire system has been compromised.
>
> And as I said, anyone that has been working in this field for any period
> of time at all already knows this is a possible attack vector. Along
> the same adage that "Physical access == root access", "root access ==
> full control of applications and devices".
>
> --
> Dustin D. Trammell
> Security Researcher
> BreakingPoint Systems, Inc.
>
>