[VOIPSEC] VoIP and Fraud, IP endpoint auth
Coulombe, Anne L
Anne.Coulombe at enterasys.com
Thu Feb 17 10:49:17 CST 2005
Chris, Ammar,

802.1x is certainly a standards-based way of detecting and providing a
level of authentication for endpoints, so is MAC auth, and LLDP as well.
The key as both of you mention is the automated and proactive aspects vs
application based. I believe this touches a fundamental premise of
securing endpoints: protect the network from the endpoints and the
endpoints from the network. The earlier voice fraud discussion was
touching issues of protecting access inwards towards the voice system,
although not the other way.

Glad you like John Roese's CTO chat. A solution like a Network-Based
Trusted Endpoint System doesn't require an agent, which in the case of
most IP phones whether hard phones, soft-phones or dual-mode phones
makes tons of sense ... 802.1x gets us to the first level of auth, LLDP
a bit further, but what you really want is granular policies that
control action and both protect from and/or quarantine because of a
threat on the network - I assume this is on a convergence
voice/video/data network. That way voice keeps working during a threat
event, and you minimize ability to impersonate, spoof, and/or commit
voice fraud. We can discuss the +/- of VLANs at a later time.

Without delving into Cisco's announcements this week @ RSA about their
continued efforts in the Self Defending network scenarios, Enterasys has
been in that part of the infrastructure and security game for close to
10 years now. Watch out -> marketing sentence coming: Gartner and
Forrester both put Enterasys at #1 in the Secure Networks space.

I think the industry itself is now demonstrating that we are past
talking of strictly securing a standards protocol (I particularly like
SIP myself), to interfacing with IDS/IPS systems, and most importantly
reliance and interaction with the network and its security policies to
deal with threats at L2/L3/L4. VOIPSEC is the perfect list to debate and
help advance the industry.

AnneC
p.s. comments herein should not be interpreted as speaking on behalf of
Enterasys Networks. These are the views of the member of this list.
-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Christopher A. Martin
Sent: Wednesday, February 16, 2005 10:55 PM
To: 'Ammar Alammar'; Coulombe, Anne L
Cc: 'Geoff Devine'; Voipsec at voipsa.org
Subject: RE: [VOIPSEC] VoIP and Fraud, IP endpoint auth
Kind of like the methodology coming out of the 802.1x standard... the
network becomes proactive to security events... I think Cisco is actually
implementing in this direction...
________________________________
Christopher A. Martin
P.O. Box 1264
Cedar Hill, Texas 75106
Domains.SIP1.com
http://domains.sip1.com
Low cost domain name registration & other Internet services.
Sign up for your PayPal merchant account today and start selling your
products on line today!
https://www.paypal.com/us/mrb/pal=Q622ZEE3CUWM8
-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Ammar Alammar
Sent: Wednesday, February 16, 2005 12:03 AM
To: Coulombe, Anne L
Cc: Geoff Devine; Voipsec at voipsa.org
Subject: Re: [VOIPSEC] VoIP and Fraud, IP endpoint auth
Anne,
I agree that there should be 'more-passive' ways of applying security
than enforcing authentication on every application scenario.
I was particularly impressed and influenced by a talk delivered by the
CTO of Enterasys where the speaker discussed 'proactive Prevention -
Network Borne Assessments'.
Or even using Agent-Borne authentication and assessments can bring a
certain level of authentication yet leave it at an automated level.
Regards,
Ammar
On Tue, 15 Feb 2005 13:15:10 -0500, Coulombe, Anne L
<Anne.Coulombe at enterasys.com> wrote:
> Michael, Geoff,
>
> You touch upon an interesting point about IP endpoint authentication.
>
> This could easily be the subject of a new thread - access control for
> authentication/detection of the endpoint on a network (credential and
> identity), authorization of that device (to be there, to make a SIP
> call, call to what server, etc), as well as usage policy once
> authenticated/authorized (security, QoS, CoS, network predictability
> during a threat event).
> Even with access, proactive protection of the devices and dynamic
> response architecture can kick in and quarantine a user/device that is
> attempting to make unauthorized use of the VoIP system. How do you know?
> Might be behavior, user authentication (or device level auth), protocol,
> other. Hence shutting down possible voice fraud or impersonation at the
> source. What I am suggesting is that it is not only within the VoIP
> system itself...protection is also about getting into/onto the network
> and the VoIP system.
>
> AnneC
> p.s. Not all infrastructure/security vendors are like Cisco :-)
>
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
> Behalf Of Michael Todd
> Sent: Tuesday, February 15, 2005 11:50 AM
> To: Geoff Devine
> Cc: Voipsec at voipsa.org
> Subject: Re: [VOIPSEC] VoIP and Fraud
>
> I think that endpoint authentication is a big problem by definition in
> the IP Telephony world right now. End users do not want to authenticate
> to make a call. The average user has a lifetime's expectation set for
> what telephony use should "feel like." Authentication before calling
> isn't one of these expectations. Authentication in computer use is
> expected as the technology is relatively new to end users. Expectations
> have been set for authentication requirements. Due to this, many
> vendors, such as Cisco have completely disregarded endpoint
> authentication, especially at the infrastructure or switch level.
>
> Geoff Devine wrote:
>
> >Mark Fletcher fletch at nortel.com writes:
> >
> >
> >>There are many potential areas, but one that concerns me is the ability for
> >>a user to easily spoof their Caller ID. Typically this has only been
> >>available to administrators of a PBX with PRI circuits. Many call this
> >>'security via obscurity'. By spoofing CLID, a caller could raise havoc with
> >>Emergency Services and the national E9-1-1 system, or use a spoofed CLID to
> >>socially engineer people into giving up personal information.
> >>
> >>
> >
> >
> >
> >The issue here is that endpoints can't be trusted. Endpoints can only
> >be authenticated. A PBX running Primary Rate ISDN is quite different
> >from a mass market subscriber SIP endpoint somewhere out there in the
> >world. You should not _trust_ that device to give you accurate
> >CallerID. The device is portable so you should use its routable IP
> >address to obtain physical location rather than _trust_ it to tell you
> >where it is. To create a secure service, you can't blindly pass SIP
> >messages around as a lightweight SIP Proxy. You have to adopt a more
> >hardened Back2Back User Agent model where you understand exactly what
> >the endpoint is signaling and have the ability to police the signaling.
> >
> >
> >
> >Geoff
> >
> >
> >
> >
> >
>
> >------------------------------------------------------------------------
> >
> >_______________________________________________
> >Voipsec mailing list
> >Voipsec at voipsa.org
> >http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
--
Regards,
Ammar
_____________________________________
Free yourself, Open new doors ... OpenSource
www.OpenSource.com
_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
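
Geoff Devine's point quoted in the thread above, that a service should police what the endpoint signals rather than trust its Caller ID, shown as an added example; it is not code from the thread or from any participant or vendor named in it. The provisioning table, function name, domain and sample INVITE are constructed assumptions.

```python
import re

# Constructed provisioning data: authenticated SIP user -> caller IDs it may present.
ALLOWED_CLID = {
    "alice": {"+12145550101"},
    "frontdesk": {"+12145550100", "+12145550199"},
}

# Constructed INVITE: the endpoint authenticated as "alice" but claims another number.
SAMPLE_INVITE = (
    "INVITE sip:+12145550123@example.test SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    'From: "Emergency Services" <sip:+19725550911@example.test>;tag=1928301774\r\n'
    "To: <sip:+12145550123@example.test>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "P-Asserted-Identity: <sip:+19725550911@example.test>\r\n"
    "Content-Length: 0\r\n\r\n"
)

def police_invite(raw, auth_user, domain="example.test"):
    """Return (status, text): 200 with the INVITE to send on, else 4xx and a reason.
    auth_user comes from the service's own authentication, never from the message."""
    head, _, body = raw.partition("\r\n\r\n")  # assumes unfolded header lines
    request_line, *header_lines = head.split("\r\n")
    allowed = ALLOWED_CLID.get(auth_user)
    if not allowed:
        return 403, "unknown or unauthenticated user"
    out, claimed, from_count = [], None, 0
    for line in header_lines:
        name, _, value = line.partition(":")
        lname = name.strip().lower()
        if lname in ("p-asserted-identity", "remote-party-id"):
            continue  # identity assertions from the endpoint are never forwarded
        if lname in ("from", "f"):
            from_count += 1
            unquoted = re.sub(r'"[^"]*"', "", value)  # ignore the display name
            m = re.search(r"sips?:([^@>;]+)@", unquoted)
            claimed = m.group(1) if m else None
        out.append(line)
    if from_count != 1:
        return 400, "exactly one From header is required"
    if claimed not in allowed:
        return 403, f"{auth_user} may not present caller ID {claimed}"
    # The service, not the endpoint, asserts the identity it verified.
    out.append(f"P-Asserted-Identity: <sip:{claimed}@{domain}>")
    return 200, "\r\n".join([request_line, *out]) + "\r\n\r\n" + body
```

The display name is passed through as received here; a service that shows it to called parties would police it against provisioning in the same way.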