VoIP Security: So you are thinking about implementing VoIP in your network...
Peter H. Gregory, CISA, CISSP
petergregory@yahoo.com
www.isecbooks.com


Post on 16-Apr-2020


Page 1: VoIP Security - Peter H. Gregory. So you are thinking about implementing VoIP in your network... Peter H. Gregory, CISA, CISSP, petergregory@yahoo.com

VoIP Security
So you are thinking about implementing VoIP in your network...

Peter H. Gregory, CISA, CISSP
petergregory@yahoo.com


Copyright © 2007 Peter H Gregory

About the Speaker

- Author of 16 books in information security & technology
- Interviews in Information Security Magazine, Tech Republic, Business Week, Computerworld, C|Net News, etc.
- Board member, Evergreen State Infragard
- Board of Advisors, UW information assurance certificate program
- Co-founder, Pacific CISO Forum

petergregory@yahoo.com


Acknowledgments

- Avaya
- John Wiley & Sons Publishing Co


VoIP Security book available

- VoIP Security For Dummies, Avaya Limited Ed.
- Hardcopy from your Avaya sales rep
- Online
  - www.avaya.com
  - www.isecbooks.com


Why?

- Why should we take our stable and reliable corporate telecommunications into the chaotic and risky TCP/IP world?
- Cost savings, features, flexibility, improved customer service


VoIP Security News

spoofing, eavesdropping, resource exhaustion, and denial of service vulnerabilities

Vonage, Grandstream, Globe 7, Microsoft MSN Messenger, AOL Instant Messenger, Avaya one-X Desktop Edition, Nortel Networks PC Client, Avaya 4602SW SIP Phone, Polycom SoundPoint IP 601 SIP phone, Snom-320 SIP Phone, Aastra 9112i SIP phone, Blackberry™ 7270 SIP stack, AGEPhone SIP soft phone, Samsung SCH-i730 phone, SJPhone SIP soft phone, D-Link DPH-540/DPH-541 Wi-Fi phone...


Risks

- Newer products have more vulnerabilities than established products
- Corporate telecommunications inherits most of the problems present in the TCP/IP world today
- Availability of corporate telecomm is now tied to the availability and health of the data network


Types of VoIP incidents that can occur

- Eavesdropping
- Access to sensitive information
- Vandalism
- Quality of service
- Toll fraud


The laws of data protection

| What you must do | What hackers can do |
| --- | --- |
| Protect every point of entry | Attack the weakest point of entry |
| Be constantly vigilant, 24/7/365 | Attack at a time of own choosing |
| Close every vulnerability | Exploit any and all vulnerabilities |
| Close every known vulnerability | Search for new vulnerabilities |


Threats to VoIP

- Infrastructure-based attacks
- Application-based attacks
- Call interception
- Denial of Service attacks
- Session hijacking/impersonation
- Pharming
- Caller ID spoofing
- Toll fraud
- Protocol-specific threats (H.323, SIP, and MGCP)
- Worm storms
- Zero Day attacks


VoIP Vulnerabilities

- Software bugs
- Incorrect configuration
- Flawed architecture
- Lack of experience / training
- Weak processes and procedures


Protecting Your VoIP Network

- Develop and enforce security policies and processes
- Enforce physical security
- Lock down servers, systems, and networks
- Unify network management
- Confirm user identity and enforce security policies at a device level
- Maintain active security monitoring
- Ensure logical segregation
- Use encryption
- Select VoIP products that have security built-in


Thank You
