[VOIPSEC] VoIP and Fraud, IP endpoint auth

Michael Todd michaeldtodd at mac.com
Thu Feb 17 13:18:28 CST 2005


Anne,

What IP phones in the industry support 802.1x?

Thanks,
Mike
On Feb 17, 2005, at 11:49 AM, Coulombe, Anne L wrote:

> Chris, Ammar,
>
> 802.1x is certainly a standards-based way of detecting and providing a
> level of authentication for endpoints, so is MAC auth, and LLDP as well.
> The key as both of you mention is the automated and proactive aspects vs
> application based. I believe this touches a fundamental premise of
> securing endpoints: protect the network from the endpoints and the
> endpoints from the network. The earlier voice fraud discussion was
> touching issues of protecting access inwards towards the voice system,
> although not the other way.
>
> Glad you like John Roese's CTO chat. A solution like a Network-Based
> Trusted Endpoint System doesn't require an agent, which in the case of
> most IP phones whether hard phones, soft-phones or dual-mode phones
> makes tons of sense ... 802.1x gets us to the first level of auth, LLDP
> a bit further, but what you really want is granular policies that
> control action and both protect from and/or quarantine because of a
> threat on the network - I assume this is on a convergence
> voice/video/data network. That way voice keeps working during a threat
> event, and you minimize the ability to impersonate, spoof, and/or commit
> voice fraud. We can discuss the +/- of VLANs at a later time.
>
> Without delving into Cisco's announcements this week @ RSA about their
> continued efforts in the Self Defending network scenarios, Enterasys has
> been in that part of the infrastructure and security game for close to
> 10 years now. Watch out -> marketing sentence coming: Gartner and
> Forrester both put Enterasys at #1 in the Secure Networks space.
>
> I think the industry itself is now demonstrating that we are past
> talking of strictly securing a standards protocol (I particularly like
> SIP myself), to interfacing with IDS/IPS systems, and most importantly
> reliance and interaction with the network and its security policies to
> deal with threats at L2/L3/L4. VOIPSEC is the perfect list to debate and
> help advance the industry.
>
> AnneC
> p.s. comments herein should not be interpreted as speaking on behalf of
> Enterasys Networks. These are the views of a member of this list.
>
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
> Behalf Of Christopher A. Martin
> Sent: Wednesday, February 16, 2005 10:55 PM
> To: 'Ammar Alammar'; Coulombe, Anne L
> Cc: 'Geoff Devine'; Voipsec at voipsa.org
> Subject: RE: [VOIPSEC] VoIP and Fraud, IP endpoint auth
>
> Kind of like the methodology coming out of the 802.1x standard... the
> network becomes proactive to security events... I think Cisco is actually
> implementing in this direction...
>
> ________________________________
>
> Christopher A. Martin
> P.O. Box 1264
> Cedar Hill, Texas 75106
>
> Domains.SIP1.com
> http://domains.sip1.com
> Low cost domain name registration & other Internet services.
>
> Sign up for your PayPal merchant account today and start selling your
> products on line today!
> https://www.paypal.com/us/mrb/pal=Q622ZEE3CUWM8
>
>
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
> Behalf Of Ammar Alammar
> Sent: Wednesday, February 16, 2005 12:03 AM
> To: Coulombe, Anne L
> Cc: Geoff Devine; Voipsec at voipsa.org
> Subject: Re: [VOIPSEC] VoIP and Fraud, IP endpoint auth
>
> Anne,
>
> I agree that there should be 'more-passive' ways of applying security
> than enforcing authentication on every application scenario.
>
> I was particularly impressed and influenced by a talk delivered by the
> CTO of Enterasys where the speaker discussed 'proactive Prevention -
> Network Borne Assessments'.
>
> Or even using Agent-Borne authentication and assessments can bring a
> certain level of authentication yet leave it at an automated level.
>
> Regards,
> Ammar
>
> On Tue, 15 Feb 2005 13:15:10 -0500, Coulombe, Anne L
> <Anne.Coulombe at enterasys.com> wrote:
>> Michael, Geoff,
>>
>> You touch upon an interesting point about IP endpoint authentication.
>>
>> This could easily be the subject of new thread - access control for
>> authentication/detection of the endpoint on a network (credential and
>> identity), authorization of that device (to be there, to make a SIP
>> call, call to what server, etc), as well usage policy once
>> authenticated/authorized (security, QoS, CoS, network predictability
>> during a threat event).
>> Even with access, proactive protection of the devices and dynamic
>> response architecture can kick in and quarantine a user/device that is
>> attempting to make unauthorized use of the VoIP system. How do you know?
>> Might be behavior, user authentication (or device level auth), protocol,
>> other. Hence shutting down possible voice fraud or impersonation at the
>> source. What I am suggesting is that it is not only within the VoIP
>> system itself...protection is also about getting into/onto the network
>> and the VoIP system.
>>
>> AnneC
>> p.s. Not all infrastructure/security vendors are like Cisco :-)
>>
>> -----Original Message-----
>> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
>> Behalf Of Michael Todd
>> Sent: Tuesday, February 15, 2005 11:50 AM
>> To: Geoff Devine
>> Cc: Voipsec at voipsa.org
>> Subject: Re: [VOIPSEC] VoIP and Fraud
>>
>> I think that endpoint authentication is a big problem by definition in
>> the IP Telephony world right now. End users do not want to authenticate
>> to make a call. The average user has a lifetime's expectation set for
>> what telephony use should "feel like." Authentication before calling
>> isn't one of these expectations. Authentication in computer use is
>> expected as the technology is relatively new to end users. Expectations
>> have been set for authentication requirements. Due to this, many
>> vendors, such as Cisco have completely disregarded endpoint
>> authentication, especially at the infrastructure or switch level.
>>
>> Geoff Devine wrote:
>>
>>> Mark Fletcher fletch at nortel.com writes:
>>>
>>>
>>>> There are many potential areas, but one that concerns me is the
>>>> ability for a user to easily spoof their Caller ID. Typically this has
>>>> only been available to administrators of a PBX with PRI circuits. Many
>>>> call this 'security via obscurity'. By spoofing CLID, a caller could
>>>> raise havoc with Emergency Services and the national E9-1-1 system, or
>>>> use a spoofed CLID to socially engineer people into giving up personal
>>>> information.
>>>
>>> The issue here is that endpoints can't be trusted.  Endpoints can only
>>> be authenticated.  A PBX running Primary Rate ISDN is quite different
>>> from a mass market subscriber SIP endpoint somewhere out there in the
>>> world.  You should not _trust_ that device to give you accurate
>>> CallerID.  The device is portable so you should use its routable IP
>>> address to obtain physical location rather than _trust_ it to tell you
>>> where it is.  To create a secure service, you can't blindly pass SIP
>>> messages around as a lightweight SIP Proxy.  You have to adopt a more
>>> hardened Back2Back User Agent model where you understand exactly what
>>> the endpoint is signaling and have the ability to police the signaling.
>>>
>>> Geoff
>>>
>>> ------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> Voipsec mailing list
>>> Voipsec at voipsa.org
>>> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>>>
>>>
>>
>
>
> -- 
> Regards,
> Ammar
> _____________________________________
> Free yourself, Open new doors ... OpenSource
> www.OpenSource.com
>
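The "police the signaling" model Geoff argues for, as an added example in Python (this is not code from the thread, from Enterasys, Nortel or any other vendor named above): a B2BUA-style element parses an INVITE, looks up the identity the sending endpoint already proved when it authenticated to the network, and refuses to forward a From/caller ID that does not match it. For an emergency call, the location comes from the network's own record of the endpoint rather than from anything the phone claims. The registration table, IP addresses and SIP messages are all constructed for the example; the table lookup keyed by source IP stands in for whatever the registrar or 802.1x infrastructure actually recorded.

```python
import re
from dataclasses import dataclass, field

# Constructed table of endpoints that have already authenticated to the
# network (registrar / 802.1x / MAC auth). The B2BUA trusts this record,
# never the identity the phone puts in its own signalling.
AUTHENTICATED_ENDPOINTS = {
    "10.0.5.21": {"aor": "sip:alice@example.com", "location": "Bldg A, Fl 2"},
    "10.0.5.22": {"aor": "sip:bob@example.com", "location": "Bldg A, Fl 3"},
}


@dataclass
class Decision:
    action: str                 # "forward" or "reject"
    reason: str
    headers: dict = field(default_factory=dict)   # headers to send onward
    location: str = ""          # network-known location, set for emergency calls


# Pulls the bare sip:/sips: URI out of a From/To value such as
# '"Alice" <sip:alice@example.com>;tag=123', dropping display name and params.
_URI_RE = re.compile(r"<?\s*(sips?:[^>;\s]+)", re.IGNORECASE)


def parse_sip(raw: str):
    """Split a SIP request into (method, headers). Header names are
    case-insensitive in SIP, so they are lower-cased; only the first
    occurrence of each header is kept, which is enough for this check."""
    lines = raw.replace("\r\n", "\n").split("\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        if not line.strip():        # blank line ends the header section
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return method, headers


def uri_of(header_value: str) -> str:
    m = _URI_RE.search(header_value)
    return m.group(1).lower() if m else ""


def police_invite(raw: str, src_ip: str) -> Decision:
    """Decide whether an INVITE received from src_ip may be forwarded."""
    method, hdrs = parse_sip(raw)
    if method != "INVITE":
        return Decision("reject", f"only INVITE is policed here, got {method}")
    endpoint = AUTHENTICATED_ENDPOINTS.get(src_ip)
    if endpoint is None:
        return Decision("reject", f"{src_ip} has not authenticated to the network")
    asserted = uri_of(hdrs.get("from", ""))
    if asserted != endpoint["aor"]:
        return Decision("reject", f"From {asserted or '<none>'} does not match "
                                  f"authenticated identity {endpoint['aor']}")
    out = dict(hdrs)
    # The identity the far side may rely on is stamped from our table
    # (P-Asserted-Identity, RFC 3325), not copied from the phone.
    out["p-asserted-identity"] = f"<{endpoint['aor']}>"
    location = ""
    if uri_of(hdrs.get("to", "")).startswith("sip:911@"):
        # Emergency call: drop any device-supplied Geolocation header and
        # use the position the network knows for this endpoint instead.
        out.pop("geolocation", None)
        location = endpoint["location"]
    return Decision("forward", "From matches authenticated identity", out, location)


# Constructed sample messages.
GOOD_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.5.21:5060;branch=z9hG4bK776\r\n"
    "From: \"Alice\" <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Same phone, but the From header now carries someone else's identity.
SPOOFED_INVITE = GOOD_INVITE.replace(
    '"Alice" <sip:alice@example.com>', '"Alice" <sip:ceo@example.com>')
EMERGENCY_INVITE = (
    "INVITE sip:911@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.5.21:5060;branch=z9hG4bK777\r\n"
    "From: \"Alice\" <sip:alice@example.com>;tag=1928301775\r\n"
    "To: <sip:911@example.com>\r\n"
    "Geolocation: <cid:claimed-by-phone@10.0.5.21>\r\n"
    "Call-ID: a84b4c76e66711\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for label, msg, ip in [("good", GOOD_INVITE, "10.0.5.21"),
                           ("spoofed", SPOOFED_INVITE, "10.0.5.21"),
                           ("unauthenticated", GOOD_INVITE, "10.0.9.9"),
                           ("emergency", EMERGENCY_INVITE, "10.0.5.21")]:
        d = police_invite(msg, ip)
        print(f"{label:16} {d.action:8} {d.reason} {d.location}")
```

A plain proxy would relay the spoofed INVITE unchanged because nothing in SIP itself ties the From header to the sender; the check above only works because the B2BUA terminates the dialog and has access to the network's authentication state, which is exactly the coupling between the VoIP system and the network policy that the thread is circling around.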