[VOIPSEC] Practical VoIP Security

Porter, Thomas (Tom) tporter at avaya.com
Wed Apr 19 07:22:15 CDT 2006


I think it is fair to balance out his *review* with a note that Mark is
an ex-member of the Avaya security consulting practice, and, since
leaving Avaya, has a well-known history of attacking Avaya products, and
past security consulting team members, whenever he has the chance.

Thus, while Mark is entitled to an opinion, it is hardly an unbiased
one.

Best, Tom  


Thomas Porter, PHD | Senior Security Architect - Business Communications
Consulting | Contact Center Practice | Consulting & Systems Integration
| Avaya Global Services | Office: 919-967-2909 | [Mobile - USA]
919-593-3130 | [Mobile - DE] +49-0163-5050427 | [SIP]
s00227694 at voicepulse.com | [IM] AvayaTPorter | Email: tporter at avaya.com

-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Mark Teicher
Sent: Wednesday, April 19, 2006 7:53 AM
To: Voipsec at voipsa.org
Subject: Re: [VOIPSEC] Practical VoIP Security

After thoroughly reading this book, the editing appears to be very
choppy in some areas and in other areas the editing is above average.
Chapters that seem to invoke the reader for more material don't; other
chapters are not particularly interesting (i.e. the chapter on
Compliance had no real material other than what one can easily Google and
assemble oneself).

There are too many subheadings and bold extracted quotes that give the book
more of an expanded feeling -- maybe there wasn't enough material.  A lot of
sidebars provided no particular value to the chapter and could be
more easily translated into opinion dressed up as fact.  There are some
interesting factual tidbits, but it is almost too much effort to wade
through the chaff to find them.

There are several unforgivable sins in the book, especially one of not
citing sources carefully. The book overall reads and looks like a
compilation of articles, emails, mailing list archives, support documents
and marketing claims from one or two sources. I do agree VoIP Security
is a hot topic.  Even if it wasn't, it is a hard concept to understand
the difference between VoIP, PSTN, VoIP Communication Architectures (the
authors decided to highlight the most popular ones instead of just
referencing the history of codecs from the Asterisk man pages).

The Support Protocols of VoIP environments section is very light and offers very
little insight into the VoIP security implications of DNS, TFTP, HTTP, SNMP,
DHCP, RSVP, SDP, and SKINNY, but states more of the general security
implications of those listed protocols as written from a hands-off point
of view instead of a hands-on VoIP security specialist who actually
installs and implements VoIP infrastructures.

The Securing the whole VoIP Infrastructure sections are horribly written and
by every assumption.  The authentication sections read like they were
written from RFCs and whitepapers with no practicality.
The Authorization/Authentication recommendations illustrated are slanted
towards "if the world were a Utopia, this is how VoIP Security should work".
The S/MIME sections provide an insight into cryptographic security for
electronic messaging applications but offer no proof of their work,
testing or attestation that these solutions are practical or have any
technical merit beyond the concept and research room exercise.


Conclusion: It is an OK VoIP security introductory book if one knows
nothing about VoIP; my expectations were a lot higher from the authors
due to their technical abilities :(

-----Original Message-----
>From: Tobias Glemser <tglemser at tele-consulting.com>
>Sent: Apr 19, 2006 4:38 AM
>To: "Porter, Thomas (Tom)" <tporter at avaya.com>
>Cc: Voipsec at voipsa.org
>Subject: Re: [VOIPSEC] Practical VoIP Security
>
>Tom,
>
>since you asked for comments, here are mine. I got this book 2 hours
>ago (after the book had a long travel to Germany..), so I cross checked
>and read the chapters I found the most interesting for myself.
>
>Buy this book if you look for:
>  - an asterisk installation guide
>  - round ups how to secure your environment, including techniques like
>    802.1x or PKI
>  - you want to learn sth about how H.323 and SIP/RTP protocols work
>  - you want to hear buzzwords of threats, but don't think you want them
>    to be explained technically
>
>Don't buy this book if you:
>  - know the protocols
>  - expect threats to be _explained_. Normally you have only one or two
>    sentences per threat, and some of those really need some more
>    explanation (e. g. BYE-DoS etc). I know these threats and understand
>    in which environments they are relevant, but for those who are new to
>    this topic, they might get a false conclusion
>  - expect anything really new or mind blowing
>
>Noticeable: Discussing skype, the authors miss to clearly state that it
>is unclear what skype communicates exactly. They only state that it
>might not be the best option due to the "lack of information and recent
>purchase by eBay". Sth. like "CERN doesn't allow the use of skype in
>their network for it could potentially spy out information" would
>sensitize the reader to this. But I guess that's a matter of opinion.
>
>Conclusion:
>If you're already into VoIP and VoIPsec the book might be a good 
>roundup, but don't expect anything new. If you are quite new to the 
>topic - this is a buy :)
>
>Cheers,
>
>Toby
>
>Porter, Thomas (Tom) wrote on 01.04.2006 11:02:
>> The book finally released this week. Your comments are appreciated.
>>  
>> Thanks, Tom
>>  
>> Thomas Porter, PHD | Senior Security Architect - Business 
>> Communications Consulting | Contact Center Practice | Consulting & 
>> Systems Integration
>> | Avaya Global Services | Office: 919-967-2909 | [Mobile - USA]
>> 919-593-3130 | [Mobile - DE] +49-0163-5050427 | [SIP] 
>> s00227694 at voicepulse.com | [IM] AvayaTPorter | Email: 
>> tporter at avaya.com
>>  
>> _______________________________________________
>> Voipsec mailing list
>> Voipsec at voipsa.org
>> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>> 
>
