[VOIPSEC] IPv6 and the demise (or not) of NAT (was Re:Interactive Connectivity Establishment (ICE))
Christopher A. Martin
chris at InfraVAST.com
Tue Nov 15 07:22:33 CST 2005
On the other hand, the alternative to such stringent controls is to
"trust" the endpoint/users. This is not a good alternative either in a
network that needs to employ security measures to protect business.
I shot a quick MIDCOM poke earlier, but this is also my biggest concern
about MIDCOM: trust is being placed in the endpoint to open "holes" by
telling the controller what to do. The good thing about MIDCOM-enabled
devices is that, if deployed, they are presumably under the same
administrative domain and protective measures as the endpoints (I
wouldn't allow an endpoint that does not fall under this scenario).
Also, STUN/TURN/ICE/UPnP add network overhead chatter
maintaining all of the connections, which, depending on the number of
hosts using it, hinders scalability. These protocols are all limited to
home networks and SOHO at that point.
This all basically goes back to the right tool for the job. There is a
place for everything, based on what is acceptable to the entity as well
as what type of scale is required. The question is, what liability is
also going to befall those who deploy insecure methodologies? When the
time comes I am certain that there will be a sort of reverse fallout if
someone is burned using a VoIP client on one of these networks or if the
network is used as an amplifier due to its insecure rollout.
Babbling completed,
Chris
Hallam-Baker, Phillip wrote:
>There is a moral here.
>
>Trying to enforce security by refusing to provide needed functionality in a safe fashion only leads to someone else providing it insecurely.
>
>My firewall gives me an all or nothing choice... Control individual ports by micromanagement or throw it all open... Not a good choice.
>
> -----Original Message-----
>From: Robert Moskowitz [mailto:rgm at icsalabs.com]
>Sent: Mon Nov 14 16:02:06 2005
>To: Voipsec at voipsa.org
>Subject: Re: [VOIPSEC] IPv6 and the demise (or not) of NAT (was Re:Interactive Connectivity Establishment (ICE))
>
>At 03:03 PM 11/14/2005, Simon Horne wrote:
>
>>At 05:52 AM 15/11/2005, Bipin_Mistry at 3com.com wrote:
>>
>>>So I agree with you Phillip. There should be a standard way of telling
>>>the Firewall which ports it needs to open and close and not rely on
>>>session border controllers.
>>
>>There is, it is called UPnP IGD or Universal Plug 'n Play (Internet Gateway
>>Device), refer www.upnp.org, and most home/small office routers now support it.
>>
>>The biggest problem is that it potentially adds a security risk to the
>>network: other malicious programs running on the LAN can open ports up as
>>they wish; there is no security to filter which programs can use it. For
>>this reason a lot of people are very hesitant to turn it on in their routers.
>>
>
>Other security risks as well.
>
>As you imply, Malcode on a PC can take advantage of PnP to set up all
>sorts of covert channels.
>
>I have seen some rather nasty uses of PnP in attacks on physical
>security. I hope we don't punt on this one.
>
>
>Robert Moskowitz
>Senior Technical Director
>ICSA Labs, a division of Cybertrust, Inc.
>W: 248-968-9809
>F: 248-968-2824
>VoIP: 248-291-0713
>E: rgm at icsalabs.com
>
>There's no limit to what can be accomplished if it doesn't matter who
>gets the credit
>
>
>
>_______________________________________________
>Voipsec mailing list
>Voipsec at voipsa.org
>http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
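Simon's point above, that any program on the LAN can ask the gateway for a mapping and nothing filters which one may do so, comes down to what the IGD AddPortMapping action looks like on the wire and what, if anything, the gateway checks before honouring it. The following is an added example, not code from anyone in this thread nor from any router firmware: it builds the SOAP body a client would POST to a WANIPConnection:1 control URL (HTTP headers and discovery omitted), parses it the way a gateway would, and applies an assumed gateway-side policy (UDP only, SIP and RTP port ranges, mapping must point back at the requesting host, bounded lease). The policy values, addresses and the two sample requests are constructed for the example; the action and argument names are the standard's.

```python
"""Gateway-side policy check for UPnP IGD AddPortMapping requests.

Added illustration for this thread, not code from any poster or product.
The SOAP action and its argument names are those of the WANIPConnection:1
service; the policy values and sample requests are assumptions constructed
for the example.
"""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
IGD_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"

# Argument names of the AddPortMapping action, in the order the service defines them.
FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription",
          "NewLeaseDuration")


def build_add_port_mapping(**args):
    """Build the SOAP body a LAN client POSTs to the gateway's control URL.

    Note what is absent: no credential, no signature, nothing that ties the
    request to a particular program. Any process on the LAN can send this.
    """
    inner = "".join("<%s>%s</%s>" % (f, args.get(f, ""), f) for f in FIELDS)
    return ('<?xml version="1.0"?>'
            '<s:Envelope xmlns:s="%s" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
            '<s:Body><u:AddPortMapping xmlns:u="%s">%s</u:AddPortMapping>'
            '</s:Body></s:Envelope>' % (SOAP_NS, IGD_NS, inner))


def parse_add_port_mapping(xml_text):
    """Extract the action arguments from a SOAP body; raise on anything else."""
    root = ET.fromstring(xml_text)
    body = root.find("{%s}Body" % SOAP_NS)
    action = body.find("{%s}AddPortMapping" % IGD_NS) if body is not None else None
    if action is None:
        raise ValueError("not a WANIPConnection AddPortMapping request")
    req = {}
    for f in FIELDS:
        el = action.find(f)  # the arguments carry no namespace
        req[f] = (el.text or "").strip() if el is not None else ""
    return req


# Assumed policy (not part of the UPnP standard): what an unauthenticated
# LAN host may open on its own behalf.
POLICY = {
    "protocols": {"UDP"},                                   # SIP signalling, RTP media
    "external_port_ranges": ((5060, 5061), (10000, 20000)),  # SIP, RTP
    "max_lease_seconds": 3600,                              # 0 means permanent; refuse it
}


def evaluate(req, requester_ip, policy=POLICY):
    """Return the list of policy violations; an empty list means allow."""
    problems = []
    if req["NewProtocol"] not in policy["protocols"]:
        problems.append("protocol %r not allowed" % req["NewProtocol"])
    if not req["NewExternalPort"].isdigit() or not any(
            lo <= int(req["NewExternalPort"]) <= hi
            for lo, hi in policy["external_port_ranges"]):
        problems.append("external port %r outside allowed ranges" % req["NewExternalPort"])
    # The classic abuse: a LAN host punching a hole through to some *other* host.
    if req["NewInternalClient"] != requester_ip:
        problems.append("mapping targets %s but request came from %s"
                        % (req["NewInternalClient"], requester_ip))
    lease = int(req["NewLeaseDuration"]) if req["NewLeaseDuration"].isdigit() else -1
    if lease <= 0 or lease > policy["max_lease_seconds"]:
        problems.append("lease %r must be 1..%d seconds"
                        % (req["NewLeaseDuration"], policy["max_lease_seconds"]))
    return problems


# Constructed sample requests for the example (not captured traffic).
PHONE_REQUEST = build_add_port_mapping(
    NewExternalPort="5060", NewProtocol="UDP", NewInternalPort="5060",
    NewInternalClient="192.168.1.50", NewEnabled="1",
    NewPortMappingDescription="SIP phone", NewLeaseDuration="1800")

MALWARE_REQUEST = build_add_port_mapping(
    NewExternalPort="3389", NewProtocol="TCP", NewInternalPort="3389",
    NewInternalClient="192.168.1.20", NewEnabled="1",
    NewPortMappingDescription="Windows Update", NewLeaseDuration="0")


def check(xml_text, requester_ip):
    """Parse then evaluate; requester_ip is the source address of the HTTP POST."""
    return evaluate(parse_add_port_mapping(xml_text), requester_ip)


if __name__ == "__main__":
    print("phone   :", check(PHONE_REQUEST, "192.168.1.50") or "allowed")
    print("malware :", check(MALWARE_REQUEST, "192.168.1.77"))
```

The only enforcement point in this design is the gateway, because the request itself carries nothing to authenticate the program or user behind it; the requester_ip check is what stops one LAN host from opening a hole to another, and the lease bound is what stops a mapping from outliving the process that asked for it. A gateway that accepts every well-formed AddPortMapping, which is the behaviour the thread is worried about, is this code with evaluate() returning an empty list unconditionally.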