[VOIPSEC] Enterprise VoIP certifications
Rubino, Mark (Mark)
mrubino at avaya.com
Thu Dec 8 11:05:17 CST 2005
I believe what Mr. Ortega is asking about are any enterprise recognized
certifications VoIP equipment must pass before introduction into an
enterprise network or connection between enterprise voip solutions.
Similar government standards exist for VoIP products
(http://jitc.fhu.disa.mil/tssi/reqtstdocs.html) before allowing
connection / deployment into a DOD network.
Unfortunately I am not aware of any that have been published and
accepted enterprise wide in either of the cases above. My impression is
that each enterprise would develop a specific voip security policy based
on their specific equipment, needs and concerns. I think (hope) this
would be most likely based on the NIST SP800-58-final.pdf.
Regards,
Mark Rubino
-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Voipsec-request at voipsa.org
Sent: Thursday, December 08, 2005 7:00 AM
To: Voipsec at voipsa.org
Subject: Voipsec Digest, Vol 12, Issue 6
Send Voipsec mailing list submissions to
Voipsec at voipsa.org
To subscribe or unsubscribe via the World Wide Web, visit
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
or, via email, send a message with subject or body 'help' to
Voipsec-request at voipsa.org
You can reach the person managing the list at
Voipsec-owner at voipsa.org
When replying, please edit your Subject line so it is more specific than
"Re: Contents of Voipsec digest..."
Today's Topics:
1. [Voipsec] Enterprise VoIP certifications
(Ortega, Anthony C C-E LCMC HQISEC)
2. Re: [Voipsec] Enterprise VoIP certifications (Jeremy George)
3. Re: [Voipsec] Enterprise VoIP certifications (Josh Perrymon)
----------------------------------------------------------------------
Message: 1
Date: Wed, 7 Dec 2005 14:19:33 -0700
From: "Ortega, Anthony C C-E LCMC HQISEC" <Tony.Ortega at us.army.mil>
Subject: [VOIPSEC] [Voipsec] Enterprise VoIP certifications
To: "'Voipsec at voipsa.org'" <Voipsec at voipsa.org>
Message-ID:
<EEEE99B3D73AD04F98DFC337E7AC8E5101F405C1 at isecmail.hqisec.army.mil>
Content-Type: text/plain
I'm a security engineer for the Army and we currently have two
certifications an organization must have prior to connection onto the
Army's Defense Switched Network (DSN). These certifications are the
Interim Authority to Operate/Authority to Operate and the Interim
Certificate to Operate/Authority to Connect from separate certification
authorities.
I was wondering if there are any similar required certifications at the
enterprise level for VoIP solutions.
Thank you,
Tony Ortega
-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Voipsec-request at voipsa.org
Sent: Wednesday, December 07, 2005 5:00 AM
To: Voipsec at voipsa.org
Subject: Voipsec Digest, Vol 12, Issue 5
Send Voipsec mailing list submissions to
Voipsec at voipsa.org
To subscribe or unsubscribe via the World Wide Web, visit
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
or, via email, send a message with subject or body 'help' to
Voipsec-request at voipsa.org
You can reach the person managing the list at
Voipsec-owner at voipsa.org
When replying, please edit your Subject line so it is more specific than
"Re: Contents of Voipsec digest..."
Today's Topics:
1. Telcos and VOIP/SIP security (Hank Nussbacher)
2. Re: RTP-borne virus examples? (dhiraj.2.bhuyan at bt.com)
----------------------------------------------------------------------
Message: 1
Date: Wed, 07 Dec 2005 11:11:29 +0200
From: Hank Nussbacher <hank at efes.iucc.ac.il>
Subject: [VOIPSEC] Telcos and VOIP/SIP security
To: voipsec at voipsa.org
Message-ID: <5.1.0.14.2.20051207110706.00aff138 at efes.iucc.ac.il>
Content-Type: text/plain; charset="us-ascii"; format=flowed
I am looking for documents from traditional CLECs that detail the
security considerations when migrating from an old style (exchange)
based network to a new style VOIP/SIP/NGN style network. I have read
the docs at:
http://hhi.corecom.com/voipsecurity.htm
http://www.vopsecurity.org
http://www.voipsa.org/
and the NIST doc is interesting but I am looking for something written
by a Sprint/MCI/AT&T type of CLEC. Anything out there?
Thanks,
Hank
------------------------------
Message: 2
Date: Wed, 7 Dec 2005 11:02:32 -0000
From: <dhiraj.2.bhuyan at bt.com>
Subject: Re: [VOIPSEC] RTP-borne virus examples?
To: <dtrammell at sipera.com>
Cc: Voipsec at voipsa.org
Message-ID:
<D3A8095FE029114F820F94C1C0D681D8061D4026 at i2km86-ukdy.domain1.systemhost
.net
>
Content-Type: text/plain; charset="us-ascii"
Engrypting the media stream won't solve all the problems. But not doing
so will leave a big hole in your defense. Authenticating and validating
each and every packet is one step forward towards building a secure VoIP
platform. I agree that this won't solve the problem arising from buggy
user agents. But it will be wrong to assume that RTP borne viruses will
only originate from "buggy user agents". There will be malicious user
agents and there will be remotely exploitable vulnerabilities - it is a
fact of life. Of course we still need to take care of buggy user agents.
And I think the "Trusted Computing Platform"
(https://www.trustedcomputinggroup.org/home) is one way of dealing it.
---
Dhiraj Bhuyan, CISSP
Senior Network Security Researcher,
pp2A, Rigel House, BT Group CTO
Martlesham Heath, Ipswich, IP5 3RE
-----Original Message-----
From: Dustin D. Trammell [mailto:dtrammell at sipera.com]
Sent: 02 December 2005 16:47
To: Bhuyan,D,Dhiraj,CXR7 R
Cc: Voipsec at voipsa.org
Subject: Re: [VOIPSEC] RTP-borne virus examples?
On Fri, 2005-12-02 at 15:48 +0000, dhiraj.2.bhuyan at bt.com wrote:
> Securing the media stream (using IPSec for example) will solve many
> such issues. But in my opinion, there seems to be not much interest in
> securing the media stream at this moment. I might be wrong
(hopefully!).
How exactly would using IPsec to secure a malicious media stream solve
the issue? If an attacker is sending malicious RTP packets, they're
malicious, regardless of the transport. Granted, the attacker would
have to establish an IPsec session, which most likely will require some
form of authentication allowing for a level of accountability, but
adding IPsec only limits the scope of the attack vector, it doesn't
solve the issue, which is a buggy phone or gateway crashing when an
attacker sends it malicious RTP traffic.
--
Dustin D. Trammell
Vulnerability Researcher
Sipera Systems Inc. http://www.sipera.com
------------------------------
_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
End of Voipsec Digest, Vol 12, Issue 5
**************************************
------------------------------
Message: 2
Date: Wed, 7 Dec 2005 16:38:52 -0500 (EST)
From: Jeremy George <jeremy.george at yale.edu>
Subject: Re: [VOIPSEC] [Voipsec] Enterprise VoIP certifications
To: "Ortega, Anthony C C-E LCMC HQISEC" <Tony.Ortega at us.army.mil>
Cc: "'Voipsec at voipsa.org'" <Voipsec at voipsa.org>
Message-ID: <Pine.LNX.4.61.0512071636580.20947 at tracy.its.yale.edu>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Tony,
Can you elaborate on what is being certified? Is this a form of
federation?
- Jeremy
On Wed, 7 Dec 2005, Ortega, Anthony C C-E LCMC HQISEC wrote:
> Date: Wed, 7 Dec 2005 14:19:33 -0700
> From: "Ortega, Anthony C C-E LCMC HQISEC" <Tony.Ortega at us.army.mil>
> To: "'Voipsec at voipsa.org'" <Voipsec at voipsa.org>
> Subject: [VOIPSEC] [Voipsec] Enterprise VoIP certifications
>
> I'm a security engineer for the Army and we currently have two
> certifications an organization must have prior to connection onto the
> Army's Defense Switched Network (DSN). These certifications are the
> Interim Authority to Operate/Authority to Operate and the Interim
> Certificate to Operate/Authority to Connect from separate
certification authorities.
>
> I was wondering if there are any similar required certifications at
> the enterprise level for VoIP solutions.
>
> Thank you,
>
> Tony Ortega
>
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org]
> On Behalf Of Voipsec-request at voipsa.org
> Sent: Wednesday, December 07, 2005 5:00 AM
> To: Voipsec at voipsa.org
> Subject: Voipsec Digest, Vol 12, Issue 5
>
> Send Voipsec mailing list submissions to
> Voipsec at voipsa.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> or, via email, send a message with subject or body 'help' to
> Voipsec-request at voipsa.org
>
> You can reach the person managing the list at
> Voipsec-owner at voipsa.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Voipsec digest..."
>
>
> Today's Topics:
>
> 1. Telcos and VOIP/SIP security (Hank Nussbacher)
> 2. Re: RTP-borne virus examples? (dhiraj.2.bhuyan at bt.com)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 07 Dec 2005 11:11:29 +0200
> From: Hank Nussbacher <hank at efes.iucc.ac.il>
> Subject: [VOIPSEC] Telcos and VOIP/SIP security
> To: voipsec at voipsa.org
> Message-ID: <5.1.0.14.2.20051207110706.00aff138 at efes.iucc.ac.il>
> Content-Type: text/plain; charset="us-ascii"; format=flowed
>
> I am looking for documents from traditional CLECs that detail the
> security considerations when migrating from an old style (exchange)
> based network to a new style VOIP/SIP/NGN style network. I have read
the docs at:
> http://hhi.corecom.com/voipsecurity.htm
> http://www.vopsecurity.org
> http://www.voipsa.org/
> and the NIST doc is interesting but I am looking for something written
> by a Sprint/MCI/AT&T type of CLEC. Anything out there?
>
> Thanks,
> Hank
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 7 Dec 2005 11:02:32 -0000
> From: <dhiraj.2.bhuyan at bt.com>
> Subject: Re: [VOIPSEC] RTP-borne virus examples?
> To: <dtrammell at sipera.com>
> Cc: Voipsec at voipsa.org
> Message-ID:
>
> <D3A8095FE029114F820F94C1C0D681D8061D4026 at i2km86-ukdy.domain1.systemho
> st.net
>>
>
> Content-Type: text/plain; charset="us-ascii"
>
>
> Engrypting the media stream won't solve all the problems. But not
> doing so will leave a big hole in your defense. Authenticating and
> validating each and every packet is one step forward towards building
> a secure VoIP platform. I agree that this won't solve the problem
> arising from buggy user agents. But it will be wrong to assume that
> RTP borne viruses will only originate from "buggy user agents". There
> will be malicious user agents and there will be remotely exploitable
> vulnerabilities - it is a fact of life. Of course we still need to
take care of buggy user agents.
> And I think the "Trusted Computing Platform"
> (https://www.trustedcomputinggroup.org/home) is one way of dealing it.
>
> ---
> Dhiraj Bhuyan, CISSP
> Senior Network Security Researcher,
> pp2A, Rigel House, BT Group CTO
> Martlesham Heath, Ipswich, IP5 3RE
>
>
> -----Original Message-----
> From: Dustin D. Trammell [mailto:dtrammell at sipera.com]
> Sent: 02 December 2005 16:47
> To: Bhuyan,D,Dhiraj,CXR7 R
> Cc: Voipsec at voipsa.org
> Subject: Re: [VOIPSEC] RTP-borne virus examples?
>
> On Fri, 2005-12-02 at 15:48 +0000, dhiraj.2.bhuyan at bt.com wrote:
>> Securing the media stream (using IPSec for example) will solve many
>> such issues. But in my opinion, there seems to be not much interest
>> in
>
>> securing the media stream at this moment. I might be wrong
> (hopefully!).
>
> How exactly would using IPsec to secure a malicious media stream solve
> the issue? If an attacker is sending malicious RTP packets, they're
> malicious, regardless of the transport. Granted, the attacker would
> have to establish an IPsec session, which most likely will require
> some form of authentication allowing for a level of accountability,
> but adding IPsec only limits the scope of the attack vector, it
> doesn't solve the issue, which is a buggy phone or gateway crashing
> when an attacker sends it malicious RTP traffic.
>
> --
> Dustin D. Trammell
> Vulnerability Researcher
> Sipera Systems Inc. http://www.sipera.com
>
>
>
> ------------------------------
>
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>
>
> End of Voipsec Digest, Vol 12, Issue 5
> **************************************
>
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>
------------------------------
Message: 3
Date: Wed, 7 Dec 2005 16:03:08 -0600
From: "Josh Perrymon" <perrymonj at networkarmor.com>
Subject: Re: [VOIPSEC] [Voipsec] Enterprise VoIP certifications
To: "Jeremy George" <jeremy.george at yale.edu>, "Ortega, Anthony C C-E
LCMC HQISEC" <Tony.Ortega at us.army.mil>
Cc: Voipsec at voipsa.org
Message-ID: <AA95E41CCEDC1D468B4039CB853CA72901AB5E11 at zeus.icshq.com>
Content-Type: text/plain; charset="us-ascii"
Is this Similar to the NIST standards? You perform audits and develop a
baseline. The next steps are more audits, Security Test and Evaluation,
then Certification?
J Perrymon
Network Armor
-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Jeremy George
Sent: Wednesday, December 07, 2005 4:39 PM
To: Ortega, Anthony C C-E LCMC HQISEC
Cc: 'Voipsec at voipsa.org'
Subject: Re: [VOIPSEC] [Voipsec] Enterprise VoIP certifications
Tony,
Can you elaborate on what is being certified? Is this a form of
federation?
- Jeremy
On Wed, 7 Dec 2005, Ortega, Anthony C C-E LCMC HQISEC wrote:
> Date: Wed, 7 Dec 2005 14:19:33 -0700
> From: "Ortega, Anthony C C-E LCMC HQISEC" <Tony.Ortega at us.army.mil>
> To: "'Voipsec at voipsa.org'" <Voipsec at voipsa.org>
> Subject: [VOIPSEC] [Voipsec] Enterprise VoIP certifications
>
> I'm a security engineer for the Army and we currently have two
> certifications an organization must have prior to connection onto the
Army's
> Defense Switched Network (DSN). These certifications are the Interim
> Authority to Operate/Authority to Operate and the Interim Certificate
to
> Operate/Authority to Connect from separate certification authorities.
>
> I was wondering if there are any similar required certifications at
the
> enterprise level for VoIP solutions.
>
> Thank you,
>
> Tony Ortega
>
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org]
On
> Behalf Of Voipsec-request at voipsa.org
> Sent: Wednesday, December 07, 2005 5:00 AM
> To: Voipsec at voipsa.org
> Subject: Voipsec Digest, Vol 12, Issue 5
>
> Send Voipsec mailing list submissions to
> Voipsec at voipsa.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> or, via email, send a message with subject or body 'help' to
> Voipsec-request at voipsa.org
>
> You can reach the person managing the list at
> Voipsec-owner at voipsa.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Voipsec digest..."
>
>
> Today's Topics:
>
> 1. Telcos and VOIP/SIP security (Hank Nussbacher)
> 2. Re: RTP-borne virus examples? (dhiraj.2.bhuyan at bt.com)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 07 Dec 2005 11:11:29 +0200
> From: Hank Nussbacher <hank at efes.iucc.ac.il>
> Subject: [VOIPSEC] Telcos and VOIP/SIP security
> To: voipsec at voipsa.org
> Message-ID: <5.1.0.14.2.20051207110706.00aff138 at efes.iucc.ac.il>
> Content-Type: text/plain; charset="us-ascii"; format=flowed
>
> I am looking for documents from traditional CLECs that detail the
security
> considerations when migrating from an old style (exchange) based
network to
> a new style VOIP/SIP/NGN style network. I have read the docs at:
> http://hhi.corecom.com/voipsecurity.htm
> http://www.vopsecurity.org
> http://www.voipsa.org/
> and the NIST doc is interesting but I am looking for something written
by a
> Sprint/MCI/AT&T type of CLEC. Anything out there?
>
> Thanks,
> Hank
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 7 Dec 2005 11:02:32 -0000
> From: <dhiraj.2.bhuyan at bt.com>
> Subject: Re: [VOIPSEC] RTP-borne virus examples?
> To: <dtrammell at sipera.com>
> Cc: Voipsec at voipsa.org
> Message-ID:
>
>
<D3A8095FE029114F820F94C1C0D681D8061D4026 at i2km86-ukdy.domain1.systemhost
.net
>>
>
> Content-Type: text/plain; charset="us-ascii"
>
>
> Engrypting the media stream won't solve all the problems. But not
doing
> so will leave a big hole in your defense. Authenticating and
validating
> each and every packet is one step forward towards building a secure
VoIP
> platform. I agree that this won't solve the problem arising from buggy
> user agents. But it will be wrong to assume that RTP borne viruses
will
> only originate from "buggy user agents". There will be malicious user
> agents and there will be remotely exploitable vulnerabilities - it is
a
> fact of life. Of course we still need to take care of buggy user
agents.
> And I think the "Trusted Computing Platform"
> (https://www.trustedcomputinggroup.org/home) is one way of dealing it.
>
> ---
> Dhiraj Bhuyan, CISSP
> Senior Network Security Researcher,
> pp2A, Rigel House, BT Group CTO
> Martlesham Heath, Ipswich, IP5 3RE
>
>
> -----Original Message-----
> From: Dustin D. Trammell [mailto:dtrammell at sipera.com]
> Sent: 02 December 2005 16:47
> To: Bhuyan,D,Dhiraj,CXR7 R
> Cc: Voipsec at voipsa.org
> Subject: Re: [VOIPSEC] RTP-borne virus examples?
>
> On Fri, 2005-12-02 at 15:48 +0000, dhiraj.2.bhuyan at bt.com wrote:
>> Securing the media stream (using IPSec for example) will solve many
>> such issues. But in my opinion, there seems to be not much interest
in
>
>> securing the media stream at this moment. I might be wrong
> (hopefully!).
>
> How exactly would using IPsec to secure a malicious media stream solve
> the issue? If an attacker is sending malicious RTP packets, they're
> malicious, regardless of the transport. Granted, the attacker would
> have to establish an IPsec session, which most likely will require
some
> form of authentication allowing for a level of accountability, but
> adding IPsec only limits the scope of the attack vector, it doesn't
> solve the issue, which is a buggy phone or gateway crashing when an
> attacker sends it malicious RTP traffic.
>
> --
> Dustin D. Trammell
> Vulnerability Researcher
> Sipera Systems Inc. http://www.sipera.com
>
>
>
> ------------------------------
>
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>
>
> End of Voipsec Digest, Vol 12, Issue 5
> **************************************
>
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>
_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
------------------------------
_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
End of Voipsec Digest, Vol 12, Issue 6
**************************************
More information about the Voipsec
mailing list