[VOIPSEC] Policy modifications for VOIP

Brian Rosen br at brianrosen.net
Mon Mar 21 11:32:30 CST 2005


While I think relooking at these issues is useful when any major changes are
made, I don't understand your concern.  There is no fundamental difference
between your scenario with VoIP and the same scenario with a TDM based PBX.
The only difference is which set of wires is ripped up.

In virtually every enterprise, the data network is now as important, if not
more important, than the telephone network in terms of business continuity
before a switch to VoIP.  After the switch, it's the only network.  That can
be good and bad (fewer things to fail, more consequences for failure).
There are no significantly different issues.

I do think any major change should cause you to relook at your security
policies.  Network management deserves a serious examination, both for its
ability to monitor and manipulate the network as well as the privacy
implications of the network management people being able to monitor and
manipulate the network.  Similarly, your employee policies on acceptable
use, including snooping, should be examined.

Your problem escalation procedures probably change, as well as the people
involved.  

A big issue is your backup plans.  Backup for data usually means offline
storage or duplicate facilities.  Backups for telephone systems are
different.  Many enterprises have no backup plans for their phone system.
VoIP may be very helpful here if you plan ahead.  It may be much more
reasonable to put a plan into action that uses cell phones or other
mechanisms.  VoIP systems tend to be more flexible in their ability to deal
with routing changes without physically changing wiring.

Brian

> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
> Behalf Of Mark Teicher
> Sent: Thursday, March 17, 2005 1:28 PM
> To: Voipsec at voipsa.org
> Subject: [VOIPSEC] Policy modifications for VOIP
> 
> It seems that organizations that are contemplating migrating to VOIP or have
> completed a trial of VOIP may also want to examine modifications to their
> Business Continuity policies, since dial tone is no longer a TDM based
> issue.
> 
> What items need to be examined in order to make certain changes to
> policies, procedures, processes for VOIP?
> What is the back up plan if network connectivity is lost by accident?  For
> example, some big surly looking dude with a bum knee who may have just
> been woken from his work day nap (hard to find good security people these
> days)  as the VOIP vendor inserts changes into the network.   The surly
> guy upset rips out all the network wiring and then can't figure out why
> there is no dial tone, but yet the cross-connect wires look punched down
> correctly.
> 
> Understanding the changes to a network environment prior to trial and
> error is probably the first step in many security recommendations to a
> converged network.
> 
> 1. Business Continuity policy modifications (example above)
> 2. Security policy modification
> 3. .....
> 
> Can anyone think of others?