[VOIPSEC] VoIP and Fraud, IP endpoint auth

Christopher A. Martin chris at sip1.com
Wed Feb 16 21:54:48 CST 2005


Kind of like the methodology coming out of the 802.1x standard... the
network becomes proactive to security events... I think Cisco is actually
implementing in this direction...

________________________________

Christopher A. Martin
P.O. Box 1264
Cedar Hill, Texas 75106
 
 

-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Ammar Alammar
Sent: Wednesday, February 16, 2005 12:03 AM
To: Coulombe, Anne L
Cc: Geoff Devine; Voipsec at voipsa.org
Subject: Re: [VOIPSEC] VoIP and Fraud, IP endpoint auth

Anne,

I agree that there should be 'more-passive' ways of applying security
than enforcing authentication on every application scenario.

I was particularly impressed and influenced by a talk delivered by the
CTO of Enterasys where the speaker discussed 'proactive Prevention -
Network Borne Assessments'.

Or even using Agent-Borne authentication and assessments can bring a
certain level of authentication yet leave it at an automated level.

Regards,
Ammar

On Tue, 15 Feb 2005 13:15:10 -0500, Coulombe, Anne L
<Anne.Coulombe at enterasys.com> wrote:
> Michael, Geoff,
> 
> You touch upon an interesting point about IP endpoint authentication.
> 
> This could easily be the subject of a new thread - access control for
> authentication/detection of the endpoint on a network (credential and
> identity), authorization of that device (to be there, to make a SIP
> call, call to what server, etc), as well as usage policy once
> authenticated/authorized (security, QoS, CoS, network predictability
> during a threat event).
> Even with access, proactive protection of the devices and dynamic
> response architecture can kick in and quarantine a user/device that is
> attempting to make unauthorized use of the VoIP system. How do you know?
> Might be behavior, user authentication (or device level auth), protocol,
> other. Hence shutting down possible voice fraud or impersonation at the
> source. What I am suggesting is that it is not only within the VoIP
> system itself...protection is also about getting into/onto the network
> and the VoIP system.
> 
> AnneC
> p.s. Not all infrastructure/security vendors are like Cisco :-)
> 
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
> Behalf Of Michael Todd
> Sent: Tuesday, February 15, 2005 11:50 AM
> To: Geoff Devine
> Cc: Voipsec at voipsa.org
> Subject: Re: [VOIPSEC] VoIP and Fraud
> 
> I think that endpoint authentication is a big problem by definition in
> the IP Telephony world right now. End users do not want to authenticate
> to make a call. The average user has a lifetime's expectation set for
> what telephony use should "feel like." Authentication before calling
> isn't one of these expectations. Authentication in computer use is
> expected as the technology is relatively new to end users. Expectations
> have been set for authentication requirements. Due to this, many
> vendors, such as Cisco, have completely disregarded endpoint
> authentication, especially at the infrastructure or switch level.
> 
> Geoff Devine wrote:
> 
> >Mark Fletcher fletch at nortel.com writes:
> >
> >
> >>There are many potential areas, but one that concerns me is the ability
> >>for a user to easily spoof their Caller ID. Typically this has only been
> >>available to administrators of a PBX with PRI circuits. Many call this
> >>'security via obscurity'. By spoofing CLID, a caller could raise havoc
> >>with Emergency Services and the national E9-1-1 system, or use a spoofed
> >>CLID to socially engineer people into giving up personal information.
> >>
> >>
> >
> >
> >
> >The issue here is that endpoints can't be trusted.  Endpoints can only
> >be authenticated.  A PBX running Primary Rate ISDN is quite different
> >from a mass market subscriber SIP endpoint somewhere out there in the
> >world.  You should not _trust_ that device to give you accurate
> >CallerID.  The device is portable so you should use its routable IP
> >address to obtain physical location rather than _trust_ it to tell you
> >where it is.  To create a secure service, you can't blindly pass SIP
> >messages around as a lightweight SIP Proxy.  You have to adopt a more
> >hardened Back2Back User Agent model where you understand exactly what
> >the endpoint is signaling and have the ability to police the signaling.
> >
> >
> >
> >Geoff
> >
> >
> >
> >
> >
> >------------------------------------------------------------------------
> >
> >_______________________________________________
> >Voipsec mailing list
> >Voipsec at voipsa.org
> >http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> >
> >
> 
> 


-- 
Regards,
Ammar
_____________________________________
Free yourself, Open new doors ... OpenSource
www.OpenSource.com
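
Geoff Devine's point in the quoted message above, that a B2BUA should police the CallerID an endpoint signals instead of trusting it, sketched as an added example (not code from the thread or from any vendor named in it). The account table, service domain, phone numbers and the function name `police_invite` are assumptions constructed for illustration; folded headers are not handled.

```python
import re

# Constructed provisioning data (assumption): numbers each authenticated
# account may present as caller ID; the first entry is its default.
PROVISIONED = {"alice-acct": ["+12145550101", "+12145550102"]}
SERVICE_DOMAIN = "example.net"  # assumption: the operator's own SIP domain

# Constructed INVITE: the endpoint claims a number it was never provisioned
# with and also supplies its own P-Asserted-Identity header.
SAMPLE_INVITE = (
    "INVITE sip:+19725550199@example.net SIP/2.0\r\n"
    'From: "Front Desk" <sip:+13125550000@example.net>;tag=a1b2\r\n'
    "To: <sip:+19725550199@example.net>\r\n"
    "P-Asserted-Identity: <sip:+13125550000@example.net>\r\n"
    "Call-ID: constructed-1@192.0.2.10\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)

FROM_RE = re.compile(r"^(?:From|f)\s*:\s*(.*?)<sip:([^@>;]+)@[^>;]+>(.*)$", re.I)

def police_invite(raw, account, provisioned):
    """Return (decision, outbound INVITE) for an already-authenticated account."""
    allowed = provisioned.get(account)
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not allowed or not lines[0].startswith("INVITE "):
        return "reject", None
    out, decision, asserted = [lines[0]], None, None
    for line in lines[1:]:
        name = line.split(":", 1)[0].strip().lower()
        if name == "p-asserted-identity":
            continue  # never accept an identity assertion from the endpoint
        if name in ("from", "f"):
            m = FROM_RE.match(line)
            if m is None or decision is not None:
                return "reject", None  # unparseable or duplicate From: fail closed
            display, user, params = m.groups()
            if user in allowed:
                decision, asserted = "pass", user
            else:  # replace the claimed identity with the provisioned default
                decision, asserted = "rewritten", allowed[0]
                line = f"From: <sip:{asserted}@{SERVICE_DOMAIN}>{params}"
        out.append(line)
    if decision is None:
        return "reject", None
    out.append(f"P-Asserted-Identity: <sip:{asserted}@{SERVICE_DOMAIN}>")
    return decision, "\r\n".join(out) + "\r\n\r\n" + body
```

The identity placed on the outbound leg comes from the account the endpoint authenticated as, never from what the endpoint wrote in its own headers.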
