E Tel2007 Black Bag Session - VoIP Security Threats, Tools and Best Practices

At O'Reilly's 2007 Emerging Telephony conference in March 2007 in San Francisco, Dan York, Jonathan Zar and Shawn Merdinger presented a 90-minute workshop in which they discussed the threats to VoIP security, the tools out there to test/defend your network and the best practices for securing VoIP systems. A podcast audio recording of the workshop is available at http://www.blueboxpodcast.com/2007/03/blue_box_se_16_.html


    1. The Black Bag Security Briefing – Dan York, Jonathan Zar, Shawn Merdinger
    2. Who We Are
        • Dan York, CISSP
            • Best Practices Chair, VoIP Security Alliance
            • Chair, Product Security Team, Mitel Corporation
            • Co-host, Blue Box: The VoIP Security Podcast
            • Email: dan_york@mitel.com
        • Jonathan Zar
            • Secretary & Threat Taxonomy Chair, VoIP Security Alliance
            • Managing Director, Pingalo
            • Co-host, Blue Box: The VoIP Security Podcast
            • Email: jz@ieee.org
        • Shawn Merdinger
            • Technical Advisor, VoIP Security Alliance
            • Independent Security Researcher & Consultant
            • Email: shawnmer@io.com
    3. Speaker Introduction – Dan York
        • Dan York, CISSP, is Director of IP Technology reporting to the CTO of Mitel Corporation and focused on emerging VoIP technology and VoIP security. As chair of Mitel's Product Security Team, he coordinates the efforts of a cross-functional group to communicate both externally and internally on VoIP security issues, respond to customer inquiries related to security, investigate security vulnerability reports, and monitor security standards and trends. Previously, York served in Mitel Product Management bringing multiple products to market including Mitel's secure VoIP Teleworker Solution in 2003.
        • As Best Practices Chair for the VOIP Security Alliance, York leads the project to develop and document a concise set of industry-wide best practices for securing VoIP systems. He is also heading up VOIPSA's move into "social media" with the launch of the Voice of VOIPSA group weblog. Additionally, York is the producer of Blue Box: The VoIP Security Podcast where each week he and co-host Jonathan Zar discuss VoIP security news and interview people involved in the field.
        • His writing can also be found online at his weblog, Disruptive Telephony.
    4. Speaker Introduction – Jonathan Zar
        • Jonathan Zar is Secretary and Outreach Chair for VOIPSA, the VoIP Security Alliance, the industry’s global coalition to protect security and privacy in converged media.
        • More than 115 million units of products have now been sold based on technologies created and commercialized under his leadership at companies including Apple Computer.
        • A member of the IEEE, the ACM, the Licensing Executive Society, GABA, CINA and TiE, global associations for entrepreneurs.
        • Jonathan is a recognized authority in creating valuable brands for revenue growth. He is a trusted advisor to venture investors and C-level executives at public corporations.
    5. Speaker Introduction – Shawn Merdinger
        • Shawn Merdinger is an independent security researcher and consultant based in Austin, Texas, USA and expert in VoIP.
        • Shawn has prior corporate experience on major projects working with Cisco Systems' STAT and TippingPoint.
        • His research in VoIP security has led to multiple CVE vulnerabilities, several international security conferences, and involvement as a Technical Advisor with VOIPSA, the Voice Over IP Security Association, and other organizations.
    6. Agenda
        • The Challenge of VoIP Security
        • Understanding VoIP Security Threats
        • VoIP Security Best Practices
        • Tools, Contacts, Help
        • Summary
        • VoIP Security Tools
        • VoIP Security Best Practices
        • Resources
        • Questions / Answers
    7. The Challenge of VoIP Security
    8. The Implications are Clear: Privacy, Compliance, Cost Avoidance, Availability, Business Continuity, Confidence, Mobility
    9. The Noise is Deafening
    10. The Problem is Complex: Databases, Directories, E-mail Systems, Web Servers, Operating Systems, Firewalls, Desktop PCs, Voice over IP, Network Switches, Wireless Devices, PDAs, PSTN Gateways, Instant Messaging, Standards, Internet
    11. VoIP Is More Than IP Telephony
        • VoIP means more than low cost telephony
        • … more than: VOICE + IP
        • Market Concept vs. Technology
        • Technology MUCH broader than popular understanding
        • Enabling Technology Diffusing Rapidly
            • Bit streams are democratic, they can carry anything
            • Bundling and triple-play are only interim steps
            • Research informs future threats to both security and privacy
        Source: Pingalo
    12. Technology Underneath Mobile and Wireless (Source: Pingalo)
    13. Into The Core Network (Source: 3G Americas, Pingalo)
    14. Key Market Inhibitors
        • Parity With PSTN
            • Network Availability
            • Network Performance
            • End-point Security
        • Feature and Service Reliability
            • E911 – fire, ambulance, police
            • Emergency Power
            • Universal Access
            • Consistent Billing, Tariff Regulation
        • Public Confidence in Security and Privacy
        Source: Pingalo
    15. Social Model
        • Social Policy
            • Fairness
            • Privacy Privilege
            • Social Responsibility Model: Intention + Impact
        • Social Issues
            • Misrepresentation
                • False: Identity, Authority, Rights, Content
            • Unwanted Conduct and Bypassing Refused Consent
                • Harassment, Extortion, Obscenity, Other Unsolicited Communication
            • Theft of Services
        Source: Pingalo
    16. Global Approach to Privacy
        • US First to Regulate But Limited to Fair Use
            • Originating in 1960’s first regulation of credit databases (A. Weston)
            • Based on commercial due process
            • Pro-business but gives public certain rights
        • Usually Sector Specific Regulation
            • Addresses abuses in certain industries
            • Or public fears of abuse, but industry specific
            • Examples: financial services, telecommunications, databases
        • EU Approach Is Broader [opt-in vs. opt-out]
        • Asia Approach Mid-way Between US and EU
        Source: Pingalo
    17. Global VoIP Regulatory Issues
        • Emergency Services
            • End-points and system have stand-by-power
            • Number to call for emergency response
        • Universal Access
            • Subsidized rates for lower income
            • Fund (tax) to pay for subsidy
            • Government support (laws, funding) for inclusive infrastructure
        • Non-discrimination
            • Competitive peering (CLEC vs. ILEC)
            • Neutrality on carriage (net neutrality)
        • Caller identification
        • Common numbering plans
        • Confidentiality and Exceptions
        Source: Pingalo
    18. CALEA and EU data retention
        • FCC August 2004 ruling (upheld on appeal) requires VoIP providers that offer a substitute service for traditional telephone service to comply with the Communications Assistance for Law Enforcement Act (CALEA).
        • Does not address the issue of encryption which is allowed subject to export control e.g. Wassenaar Arrangement.
        • Directive 2006/24/EC of the European Parliament and EU Council, (clarifying Directive 2002/58/EC) specifies 15 September 2007 as the deadline to enact laws mandating that all publicly available electronic communications services and networks retain:
            • identity of telephone and internet services used by parties
            • The name and address of all subscribers and users, essentially all parties name and address
            • IP numbers used in the communications
            • date and time of log-in and log-off of the IP, IPT, and email services
            • date, time, and duration of all calls
            • called, calling, and routed numbers of all parties
            • user ID and telephone numbers on the PSTN
            • for mobile the IMSI and IMEI of all parties
            • location data (time and place by all Cell IDs) in a mobile call
        Source: Pingalo
    19. What is the Industry Doing to Help?
        • Security Vendors: “The Sky Is Falling!” (Buy our products!)
        • VoIP Vendors: “Don’t Worry, Trust Us!” (Buy our products!)
    20. Voice Over IP Security Alliance (VOIPSA)
        • www.voipsa.org – 100 members from VoIP and security industries
        • VOIPSEC mailing list – www.voipsa.org/VOIPSEC/
        • “Voice of VOIPSA” Blog – www.voipsa.org/blog
        • Blue Box: The VoIP Security Podcast – www.blueboxpodcast.com
        • VoIP Security Threat Taxonomy
        • Best Practices Project underway now
        [Diagram labels: Classification Taxonomy of Security Threats; Security Research; Best Practices for VoIP Security; Security System Testing; Outreach Communication of Findings; Market and Social Objectives and Constraints. Legend: Published, Active Now, Ongoing]
    21. VoIP Security & Privacy
    22. Security concerns in telephony are not new… (Image courtesy of the Computer History Museum)
    23. Nor are our attempts to protect against threats… (Image courtesy of Mike Sandman – http://www.sandman.com/)
    24. 12 Years of Automated Attacks
    25. Current Major Threats
        • Interruption of Service
            • Non-VoIP specific (UDP..)
            • VoIP specific (INVITE..)
            • Malformed Packets / Fuzzing
            • End-point specific
        • Unlawful Interception
            • General Methods – Packet Capture / Replay
            • Unauthorized Modification
        • Social Attacks
            • Spit
            • Phishing
            • Service Abuse and Toll Fraud
    26. Security Aspects of IP Telephony: Media / Voice, PSTN, Call Control, TCP/IP Network, Management, Policy
    27. The Media Path
        • Example Threats:
            • Eavesdropping – particularly if over wireless or open Internet (sniffing)
            • Degraded voice quality through Denial of Service (DoS) attack
        [Diagram: Real-Time Protocol (RTP) Packets; labels: PSTN, Private Enterprise IP Network, Internet, IP phones, Application Servers, SOHO IP phones, Softphone, Call Controller, TDM, IP, 802.11 wireless]
    28. The Signalling Path
        • Example Threats:
            • Denial of Service
            • Impersonation
            • Snooping account codes
            • Toll fraud
        [Diagram: SIP, H.323, Proprietary; labels: PSTN, Internet, IP phones, Application Servers, SOHO IP phones, Softphone, Call Controller, Private Enterprise IP Network, 802.11 wireless]
    29. The Management Path
        • Example Threats:
            • Snooping passwords
            • Denial of service
            • Application Impersonation
            • Monitoring call patterns
            • Malicious system modifications
        [Diagram: Examples – Telnet, HTTP, FTP, SNMP, XML, TAPI; labels: PSTN, Internet, Remote Service, Call Controller, Application Server, System Admin, NMS System, Enterprise IP Network]
    30. PSTN and Legacy Devices
        • Threats:
            • Toll fraud via public network attack
            • Impersonation
            • Feature access
        [Diagram labels: PSTN, Internet, IP phones, Application Servers, SOHO, Softphone, Analog LS, ISDN, Q.SIG, DPNSS, Analog Gateway, Analog to IP media and signaling conversion, Existing PBX, Call Controller, Private Enterprise IP Network, 802.11 wireless]
    31. New Infrastructure
        • Including:
        • The Network
        • Devices on the Network
        • Endpoint Devices
    32. What about SPIT? (“SPam over Internet Telephony”)
        • Makes for great headlines, but not yet a significant threat
        • Fear is script/tool that:
            • Iterates through calling SIP addresses:
                • [email_address] , [email_address] , …
                • Opens an audio stream if call is answered (by person or voicemail)
            • Steals VoIP credentials and uses account to make calls
        • Reality is that today such direct connections are generally not allowed
        • This will change as companies make greater use of SIP trunking and/or directly connect IP-PBX systems to the Internet (and allow incoming calls from any other IP endpoint)
        • Until that time, Telemarketers have to initiate unsolicited calls through the PSTN to reach their primary market: slows them down and adds cost
    33. VoIP Security Tools
    34. Tools to test or attack VoIP systems
        • Lists of VoIP security tools now becoming available
        • Test/defend? Or attack? (Depends upon your perspective)
        • Lists:
            • VOIPSA: http://www.voipsa.org/Resources/tools.php
            • Hacking Exposed VoIP: http://www.hackingvoip.com/tools.html
            • Top 100 Network Security Tools - http://sectools.org/
    35. VoIP Sniffing Tools: pcapsipdump, Oreka, NetDude
    36. VoIP Endpoint Scanning/Enumeration Tools: SIP Forum Test Framework (SFTF), SIP-Scan, SIPScan, enumIAX
    37. VoIP DoS/Flooding Tools: kphone-ddos, INVITE Flooder, IAX Flooder, RTP Flooder, BYE Teardown, SIP-Kill, SIP-Proxy-Kill, CheckSync Phone Rebooter
    38. VoIP Fuzzing/Protocol Manipulation Tools: BYE Teardown, ohrwurm, RedirectPoison, Registration Hijacker, Registration Eraser
    39. Other... Um... “interesting” tools: Spitter, RTP InsertSound, SIP-Send-Fun, RTP MixSound, and........
    40. Best Practices to Secure VoIP Systems
    41. First objective is to employ best practices and plug the obvious holes…
    42. Security Challenges … CIA
        • Confidentiality
            • Protect the voice and data stream including call control signaling
            • Prevent eavesdropping on conversations, toll fraud, impersonation
        • Integrity
            • Ensure that information is protected from unauthorized modification
            • Prevent discovery of a user, system or application password
        • Availability
            • Ensure that communication services are available to users
            • Avoid any adverse effects resulting from a denial of service (DoS) attack or computer worm
        • Others
            • Authentication
            • Authorization
            • Accounting / Audit Trail
            • Nonrepudiation
    43. The Media Path
        • Threats:
            • Eavesdropping – particularly if over wireless or open Internet (sniffing)
            • Degraded voice quality through Denial of Service (DoS) attack
        • Defense Strategies:
            • Encryption of voice path
            • WPA, WPA2 for wireless
            • VLANs
            • Packet filtering
        [Diagram: Real-Time Protocol (RTP) Packets; labels: PSTN, Private Enterprise IP Network, Internet, IP phones, Application Servers, SOHO IP phones, Softphone, Call Controller, TDM, IP, 802.11 wireless]
    44. The Signalling Path
        • Threats:
            • Denial of Service
            • Impersonation
            • Snooping account codes
            • Toll fraud
        • Defense Strategies:
            • Signalling path encryption
            • Encrypted phone software loads
            • Proper system programming
        [Diagram: SIP, H.323, Proprietary; labels: PSTN, Internet, IP phones, Application Servers, SOHO IP phones, Softphone, Call Controller, Private Enterprise IP Network, 802.11 wireless]
    45. The Management Path
        • Threats:
            • Snooping passwords
            • Denial of service
            • Application Impersonation
            • Monitoring call patterns
            • Malicious system modifications
        • Defense Strategies:
            • DoS defenses in network infrastructure
            • Changing default passwords
            • Strong password management
            • Ensure physical security
            • Authentication – secure port access
            • Secure Socket Layer (SSL)
            • Audit logs
        [Diagram: Examples – HTTP, SSH, Telnet, FTP, SNMP, XML, TAPI; labels: PSTN, Internet, Remote Service, Call Controller, Application Server, System Admin, NMS System, Enterprise IP Network]
    46. PSTN and Legacy Devices
        • Threats:
            • Toll fraud via public network attack
            • Impersonation
            • Feature access
        • Defense Strategies:
            • Class of Restriction (COR)
            • Class of Service (COS)
            • Account Codes
            • Trunk Restrictions
            • Interconnect Restrictions
        [Diagram labels: PSTN, Internet, IP phones, Application Servers, SOHO, Softphone, Analog LS, ISDN, Q.SIG, DPNSS, Analog Gateway, Analog to IP media and signaling conversion, Existing PBX, Call Controller, Private Enterprise IP Network, 802.11 wireless]
    47. Other Best Practices
        • Network
            • Networks should be evaluated for readiness to carry VoIP traffic.
            • Secure mechanisms should be used for traversal of firewalls.
        • Phone Sets
            • Set software loads should be encrypted and tamper-proof.
            • Sets should run the minimum of services required.
            • Connection of a set to the system must require an initial authentication and authorization.
        • Servers
            • Servers should be incorporated into appropriate patch management and anti-virus systems.
            • Sufficient backup power should be available to maintain operation of telephony devices (and necessary network infrastructure) in the event of a power failure.
        • Wireless
            • All wireless devices should implement WPA and/or WPA2 versus WEP.
    48. VOIPSA Best Practices Project: Objective
        • Objective:
            • “This project aims to define a common set of industry-wide ‘best practices’ for securing VoIP systems against the threats outlined in the Threat Taxonomy. While specific practices will vary according to vendor and architecture, the document created by this group will provide an overall view of how best to secure VoIP systems.”
            • A common document that we all can use and supplement with our own materials.
        • Audience:
            • End customers trying to understand how best to secure their systems.
            • System administrators, technicians and others looking to enter into working with VoIP systems.
            • Press/media whom we can show that VoIP systems can be secured.
            • http://www.voipsa.org/Activities/bestpractices.php
    49. VOIPSA Best Practices Project: How You Can Help
        • Join the mailing list
            • http://voipsa.org/mailman/listinfo/bestpractices_voipsa.org
        • Visit the Wiki and comment on proposed best practices
            • http://wiki.voipsa.org/tiki-index.php?page=BestPracticesHome
        • Contribute your own best practices or to the text around practices already listed
            • As in the Threat Taxonomy, contributors will be credited in the final product
        • Encourage your staff and others to review the web site and documents
        • Promote the best practices project where you can
    50. Resources
    51. Security Links
        • VoIP Security Alliance - http://www.voipsa.org
            • Threat Taxonomy - http://www.voipsa.org/Activities/taxonomy.php
            • VOIPSEC email list - http://www.voipsa.org/VOIPSEC/
            • Weblog - http://www.voipsa.org/blog/
            • Security Tools list - http://www.voipsa.org/Resources/tools.php
            • Blue Box: The VoIP Security Podcast - http://www.blueboxpodcast.com/
        • NIST “Security Considerations for VoIP Systems”
            • http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf
        • Network Security Tools
            • http://www.sectools.org/
        • Hacking Exposed VoIP site and tools
            • http://www.hackingvoip.com/
    52. Q&A – www.voipsa.org
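
Added example (not part of the original slides): a defender-side detector for two signalling behaviours the deck names, the VoIP-specific INVITE interruption of service on slide 25 and the SPIT pattern on slide 32 of one source iterating through many SIP addresses. The event tuples, addresses, the function names and the thresholds are constructed assumptions for illustration.

```python
import re
from collections import Counter, defaultdict

# Request line of a SIP INVITE, e.g. "INVITE sip:2001@pbx.example.test SIP/2.0"
INVITE_LINE = re.compile(r"^INVITE\s+sips?:([^@\s;>]+)@([^\s;>]+)\s+SIP/2\.0$")


def parse_invite(raw):
    """Return (user, domain) when the raw SIP message is an INVITE, else None."""
    first_line = raw.split("\r\n", 1)[0].strip()
    m = INVITE_LINE.match(first_line)
    return (m.group(1).lower(), m.group(2).lower()) if m else None


def classify_sources(events, window=60, max_targets=5, max_per_target=20):
    """events: (epoch_seconds, source_ip, raw_sip_message) tuples.
    Thresholds are illustrative assumptions; tune them to real call volumes."""
    by_src = defaultdict(list)
    for ts, src, raw in events:
        target = parse_invite(raw)
        if target:
            by_src[src].append((ts, target))

    findings = {}
    for src, invites in by_src.items():
        invites.sort()
        labels, start = set(), 0
        for end in range(len(invites)):
            # Slide the window so it spans at most `window` seconds.
            while invites[end][0] - invites[start][0] > window:
                start += 1
            per_target = Counter(t for _, t in invites[start:end + 1])
            if len(per_target) > max_targets:
                labels.add("sequential-dialing")   # many addresses, one source
            if max(per_target.values()) > max_per_target:
                labels.add("invite-flood")         # one address hammered
        if labels:
            findings[src] = labels
    return findings


def _invite(user):
    # Constructed message: request line plus minimal headers for readability.
    return (f"INVITE sip:{user}@pbx.example.test SIP/2.0\r\n"
            "CSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n")


# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLE = (
    [(1000 + i, "198.51.100.7", _invite(2000 + i)) for i in range(8)]
    + [(1000 + i, "203.0.113.9", _invite(2001)) for i in range(30)]
    + [(1000 + 300 * i, "192.0.2.10", _invite(2100 + i)) for i in range(8)]
    + [(1005, "192.0.2.10", "REGISTER sip:pbx.example.test SIP/2.0\r\n\r\n")]
)

if __name__ == "__main__":
    for source, labels in sorted(classify_sources(SAMPLE).items()):
        print(source, sorted(labels))
```

The third source places the same number of calls as the first but spread over 35 minutes, so it stays below both thresholds; that gap between normal and scripted call rates is what the window is meant to separate.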
