[VOIPSEC] Identity Management and VoIP and More

Zmolek, Andrew (Andy) zmolek at avaya.com
Thu Jun 29 16:00:13 CDT 2006 

I've already got a mobile phone that I can't use to make calls unless I
enter my GoodLink password (thankfully I can receive a call without
entering it, but can't send DTMF or do much of anything else without
that password. Given the amount of sensitive information on the phone
and the public places it travels across, it's something I can deal with
(though a biometric lock would be more convenient).

But when I think about having to lock and unlock my desk phone, I'm
having a hard time justifying that kind of distraction unless I work in
a public space, and a lot of other questions immediately spring to mind,
many related to mobility as well:

- What kind of timeout is reasonable for my phone login?
- Do I have to buy an expensive phone with a proximity reader that can
sense that may RFID badge? 
- Should I be able to receive a call when the phone is locked? 
- Should the phones in my conference rooms require a login, and when I
login should they take on my extension?
- If I had an RFID badge, should I allow any phone in my proximity to
ring when someone is calling me?
- How do I handle the lobby phone?
- How do I meet E911 regulations phones can be locked?

And that doesn't even get into more practical issues of managing phones
as authenticators and handling priority and precedence beyond the E911
case. Suffice it to say that there are as many human issues here as
engineering ones, but I'd love to hear what others on the list think
would be both implementable and practical as we move to a more
data-oriented authentication model for phones and other voice-oriented
devices. 


/\\//\Y/\   Andy Zmolek  |  zmolek at avaya.com  |  303-538-6040 
            Senior Manager, Security Planning and Strategy
            GCS Security Technology Development  |  Avaya, Inc. 


-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Dustin D. Trammell
Sent: Thursday, June 29, 2006 12:16 PM
To: Mahesh Jethanandani
Cc: Leslie Asamoa-Krodua; Voipsec at voipsa.org
Subject: Re: [VOIPSEC] Identity Management and VoIP and More

On Wed, 2006-06-28 at 18:58 -0700, Mahesh Jethanandani wrote:
> One way that I see the equipment and the person coming together is 
> through a biometric device. The person authenticates oneself to the 
> device under use - whether it is the physical phone or a PC running a 
> softphone. Once the identity has been established between the person 
> and the device under use, the same is used to transfer it in the call 
> that is made.

But what happens when the user moves away from the device, such as the
user leaving the office after authenticating to their wired desk phone
or softphone running on their workstation?  Time to marry that biometric
authentication with some kind of proximity detection to automatically
"log out" the user from the device if they are no longer around.
Otherwise, anyone else could walk up to the phone and make a call as the
original user.

Just think of the potential human-tracking capabilities that arise from
that combination of technologies...

--
Dustin D. Trammell
VoIP Security Research
TippingPoint, a division of 3Com


_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org

More information about the Voipsec mailing list