Dan York, CISSP VOIPSA Best Practices Chair October 4, 2010
Dec 05, 2014
© 2010 VOIPSA and Owners as Marked
[Diagram labels: PBX, Voicemail, Physical Wiring, PSTN Gateways]
[Diagram labels: Physical Wiring, IP Network, IP-PBX, Voicemail, PSTN Gateways, Mobile Devices, IM Networks, Web Servers, Email Servers, Desktop PCs, Operating Systems, Firewalls, Internet, Directory Servers, VoIP, CRM Systems, Social Networks, Database Servers, Application Servers]
Geography
[Diagram labels: UC System, Corp HQ, Internet, Firewall; Home: Home Firewall, IP Phone, PC]
[Diagram labels: UC System, Corp HQ, Internet, Firewall; WiFi Café, Router; Mobile UC client; Laptop UC client; Mobile Data Network]
[Diagram labels: Corporate Network; Corp HQ, Office A, Office B (each with IM, Presence, Call Control); IVR; Voicemail; PSTN; Conferencing; Internet]
Internet LAN
Can you trust “the Cloud” to be there?
[Diagram labels: PSTN and multiple Carriers]
[Diagram labels: PSTN and many ITSPs]
• What does a traditional telemarketer need?
• Makes for great headlines, but not yet a significant threat
• Fear is script/tool that:
– Iterates through calling SIP addresses:
• [email protected], [email protected], …
• Opens an audio stream if call is answered (by person or voicemail)
– Steals VoIP credentials and uses account to make calls
• Reality is that today such direct connections are generally not allowed
• This will change as companies make greater use of SIP trunking and/or directly connect IP-PBX systems to the Internet (and allow incoming calls from any other IP endpoint)
• Until that time, PSTN is de facto firewall
SPAM
Security Vendors
“The Sky Is Falling!” (Buy our products!)
VoIP Vendors
“Don’t Worry, Trust Us!” (Buy our products!)
Classification Taxonomy of Security Threats
Security Research
Best Practices for VoIP Security
Security System Testing
Outreach Communication of Findings
Market and Social Objectives and Constraints
Legend: Published, Active Now, Ongoing
• www.voipsa.org – 100 members from VoIP and security industries
• VOIPSEC mailing list – www.voipsa.org/VOIPSEC/
• “Voice of VOIPSA” Blog – www.voipsa.org/blog
• Blue Box: The VoIP Security Podcast – www.blueboxpodcast.com
• VoIP Security Threat Taxonomy
• Best Practices Project underway now
www.voipsa.org/Resources/tools.php
• VoIP Security Alliance - http://www.voipsa.org/
– Threat Taxonomy - http://www.voipsa.org/Activities/taxonomy.php
– VOIPSEC email list - http://www.voipsa.org/VOIPSEC/
– Weblog - http://www.voipsa.org/blog/
– Security Tools list - http://www.voipsa.org/Resources/tools.php
– Blue Box: The VoIP Security Podcast - http://www.blueboxpodcast.com
• NIST SP800-58, “Security Considerations for VoIP Systems” – http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf
• Network Security Tools – http://sectools.org/
• Hacking Exposed VoIP site and tools – http://www.hackingvoip.com/
• Seven Deadliest Unified Communications Attacks – http://www.7ducattacks.com/
VoIP can be more secure than the PSTN if it is properly deployed.
www.voipsa.org
Dan York - [email protected]