Dan York, CISSP
VOIPSA Best Practices Chair
October 4, 2010
© 2010 VOIPSA and Owners as Marked
[Diagram: PBX, Voicemail, Physical Wiring, PSTN Gateways]
[Diagram: Physical Wiring, IP Network, IP-PBX, Voicemail, PSTN Gateways, Mobile Devices, IM Networks, Web Servers, Email Servers, Desktop PCs, Operating Systems, Firewalls, Internet, Directory Servers, VoIP, CRM Systems, Social Networks, Database Servers, Application Servers]
Geography
[Diagram: UC System at Corp HQ, Firewall, Internet, Home Firewall, IP Phone and PC at Home]
[Diagram: UC System at Corp HQ, Firewall, Internet, WiFi Café Router, Laptop UC client, Mobile UC client, Mobile Data Network]
[Diagram: Corp HQ, Office A and Office B on a Corporate Network, each with IM, Presence and Call Control; also labelled: IVR, Voicemail, PSTN, Conferencing, Internet]
[Diagram: Internet, LAN]
Can you trust “the Cloud” to be there?
[Diagram: PSTN and multiple Carriers]
[Diagram: PSTN and many ITSPs]
•  What does a traditional telemarketer need?
•  Makes for great headlines, but not yet a significant threat
•  Fear is script/tool that:
– Iterates through calling SIP addresses:
•  111@sip.company.com, 112@sip.company.com, …
•  Opens an audio stream if call is answered (by person or voicemail)
– Steals VoIP credentials and uses account to make calls
•  Reality is that today such direct connections are generally not allowed
•  This will change as companies make greater use of SIP trunking and/or directly connect IP-PBX systems to the Internet (and allow incoming calls from any other IP endpoint)
•  Until that time, PSTN is de facto firewall
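The sequential dialing pattern described in the bullets above shows up in SIP proxy logs as one source sending INVITEs to a run of consecutive extensions. The following is an added example, not part of the original slides: it flags any source that reaches a run of consecutive numeric extensions within a short time window. The log line format, the threshold and window values, and the function names are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in an assumed proxy log format (not from the slides):
#   <ISO timestamp> <source IP> <SIP method> <Request-URI>
SAMPLE_LOG = """\
2010-10-04T09:00:01 198.51.100.7 INVITE sip:111@sip.company.com
2010-10-04T09:00:02 198.51.100.7 INVITE sip:112@sip.company.com
2010-10-04T09:00:03 198.51.100.7 INVITE sip:113@sip.company.com
2010-10-04T09:00:03 192.0.2.10 INVITE sip:204@sip.company.com
2010-10-04T09:00:04 198.51.100.7 INVITE sip:114@sip.company.com
2010-10-04T09:00:05 198.51.100.7 INVITE sip:115@sip.company.com
2010-10-04T09:00:06 192.0.2.10 REGISTER sip:sip.company.com
2010-10-04T09:00:06 198.51.100.7 INVITE sip:116@sip.company.com
2010-10-04T09:00:07 198.51.100.7 INVITE sip:117@sip.company.com
2010-10-04T09:05:00 203.0.113.5 INVITE sip:111@sip.company.com
2010-10-04T09:20:00 203.0.113.5 INVITE sip:112@sip.company.com
2010-10-04T09:40:00 203.0.113.5 INVITE sip:113@sip.company.com
2010-10-04T09:41:00 192.0.2.10 INVITE sip:alice@sip.company.com
2010-10-04T09:45:00 192.0.2.10 INVITE sip:118@sip.company.com
""".splitlines()

# Only INVITE lines matter here; other methods simply fail to match.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+INVITE\s+sips?:(?P<user>[^@\s;]+)@(?P<host>[^\s;>]+)"
)


def parse_invites(lines):
    """Return time-ordered (timestamp, source, extension) for numeric user parts."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not m["user"].isdigit():
            continue  # not an INVITE, or a named user such as alice@
        events.append((datetime.fromisoformat(m["ts"]), m["src"], int(m["user"])))
    return sorted(events)


def longest_consecutive_run(numbers):
    """Return (length, first, last) of the longest run n, n+1, n+2, ... in numbers."""
    nums = set(numbers)
    best = (0, None, None)
    for n in nums:
        if n - 1 in nums:
            continue  # n is not the start of a run
        end = n
        while end + 1 in nums:
            end += 1
        if end - n + 1 > best[0]:
            best = (end - n + 1, n, end)
    return best


def detect_sweeps(events, min_run=5, window_seconds=60):
    """Map each offending source to (run length, first ext, last ext).

    A source is flagged when, inside any sliding window of window_seconds,
    it has sent INVITEs to at least min_run consecutive extensions.
    Order of arrival inside the window does not matter.
    """
    per_source = defaultdict(deque)
    findings = {}
    for ts, src, ext in events:
        window = per_source[src]
        window.append((ts, ext))
        # Drop events that have aged out of this source's window.
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        length, first, last = longest_consecutive_run(e for _, e in window)
        if length >= min_run and length > findings.get(src, (0,))[0]:
            findings[src] = (length, first, last)
    return findings


if __name__ == "__main__":
    for src, (length, first, last) in detect_sweeps(parse_invites(SAMPLE_LOG)).items():
        print(f"{src}: {length} consecutive extensions ({first}-{last}) within the window")
```

The slow caller (203.0.113.5) and the ordinary user (192.0.2.10) in the sample stay below the threshold; tune `min_run` and `window_seconds` to the dial plan and normal call volume before alerting on this.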
SPAM
Security Vendors
“The Sky Is Falling!”
(Buy our products!)
VoIP Vendors
“Don’t Worry, Trust Us!”
(Buy our products!)
[Diagram: Classification Taxonomy of Security Threats; Security Research; Best Practices for VoIP Security; Security System Testing; Outreach Communication of Findings; Market and Social Objectives and Constraints. Legend: Published, Active Now, Ongoing]
•  www.voipsa.org – 100 members from VoIP and security industries
•  VOIPSEC mailing list – www.voipsa.org/VOIPSEC/
•  “Voice of VOIPSA” Blog – www.voipsa.org/blog
•  Blue Box: The VoIP Security Podcast – www.blueboxpodcast.com
•  VoIP Security Threat Taxonomy
•  Best Practices Project underway now
www.voipsa.org/Resources/tools.php
•  VoIP Security Alliance - http://www.voipsa.org/
– Threat Taxonomy - http://www.voipsa.org/Activities/taxonomy.php
– VOIPSEC email list - http://www.voipsa.org/VOIPSEC/
– Weblog - http://www.voipsa.org/blog/
– Security Tools list - http://www.voipsa.org/Resources/tools.php
– Blue Box: The VoIP Security Podcast - http://www.blueboxpodcast.com
•  NIST SP800-58, “Security Considerations for VoIP Systems”
–  http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf
•  Network Security Tools
–  http://sectools.org/
•  Hacking Exposed VoIP site and tools
–  http://www.hackingvoip.com/
•  Seven Deadliest Unified Communications Attacks
–  http://www.7ducattacks.com/
VoIP can be more secure than the PSTN if it is properly deployed.
www.voipsa.org
Dan York - dan.york@voipsa.org

 
Accelerating Migrations = Recommendations
Accelerating Migrations = RecommendationsAccelerating Migrations = Recommendations
Accelerating Migrations = Recommendations
 

SIP, Unified Communications (UC) and Security

  • 1. Dan York, CISSP VOIPSA Best Practices Chair October 4, 2010
  • 3. Diagram labels: PBX, Voicemail, Physical Wiring, PSTN Gateways
  • 4. Diagram labels: Physical Wiring, IP Network, IP-PBX, Voicemail, PSTN Gateways, Mobile Devices, IM Networks, Web Servers, Email Servers, Desktop PCs, Operating Systems, Firewalls, Internet, Directory Servers, VoIP, CRM Systems, Social Networks, Database Servers, Application Servers
  • 9. Geography
  • 10. Diagram labels: UC System, Corp HQ, Internet, Firewall, Home Firewall, IP Phone, PC, Home
  • 11. Diagram labels: UC System, Corp HQ, Internet, Firewall, WiFi Café Router, Mobile UC client, Laptop UC client, Mobile Data Network
  • 12. Diagram labels: IM, Corp HQ, Corporate Network, Presence, Call Control, IVR, IM, Office A, Presence, Call Control, Voicemail, IM, Office B, Presence, Call Control, PSTN, Conferencing, Internet
  • 13. Diagram labels: Internet, LAN
  • 14. Can you trust “the Cloud” to be there?
  • 15. Diagram labels: PSTN, Carrier (repeated)
  • 16. Diagram labels: PSTN, ITSP (repeated)
  • 22. SPAM
      • What does a traditional telemarketer need?
      • Makes for great headlines, but not yet a significant threat
      • Fear is script/tool that:
          – Iterates through calling SIP addresses:
              • 111@sip.company.com, 112@sip.company.com, …
              • Opens an audio stream if call is answered (by person or voicemail)
          – Steals VoIP credentials and uses account to make calls
      • Reality is that today such direct connections are generally not allowed
      • This will change as companies make greater use of SIP trunking and/or directly connect IP-PBX systems to the Internet (and allow incoming calls from any other IP endpoint)
      • Until that time, PSTN is de facto firewall
  • 23.
      • Security Vendors: “The Sky Is Falling!” (Buy our products!)
      • VoIP Vendors: “Don’t Worry, Trust Us!” (Buy our products!)
  • 24. Diagram labels: Classification Taxonomy of Security Threats; Security Research; Best Practices for VoIP Security; Security System Testing; Outreach Communication of Findings; Market and Social Objectives and Constraints. Legend: Published, Active Now, Ongoing
      • www.voipsa.org – 100 members from VoIP and security industries
      • VOIPSEC mailing list – www.voipsa.org/VOIPSEC/
      • “Voice of VOIPSA” Blog – www.voipsa.org/blog
      • Blue Box: The VoIP Security Podcast – www.blueboxpodcast.com
      • VoIP Security Threat Taxonomy
      • Best Practices Project underway now
  • 25. www.voipsa.org/Resources/tools.php
  • 27.
      • VoIP Security Alliance - http://www.voipsa.org/
          – Threat Taxonomy - http://www.voipsa.org/Activities/taxonomy.php
          – VOIPSEC email list - http://www.voipsa.org/VOIPSEC/
          – Weblog - http://www.voipsa.org/blog/
          – Security Tools list - http://www.voipsa.org/Resources/tools.php
          – Blue Box: The VoIP Security Podcast - http://www.blueboxpodcast.com
      • NIST SP800-58, “Security Considerations for VoIP Systems”
          – http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf
      • Network Security Tools
          – http://sectools.org/
      • Hacking Exposed VoIP site and tools
          – http://www.hackingvoip.com/
      • Seven Deadliest Unified Communications Attacks
          – http://www.7ducattacks.com/
  • 28. VoIP can be more secure than the PSTN if it is properly deployed.
  • 29. www.voipsa.org Dan York - dan.york@voipsa.org
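
The sequential dialing pattern that slide 22 describes (111@sip.company.com, 112@sip.company.com, …) can be flagged on the receiving side once an IP-PBX accepts calls from arbitrary IP endpoints. The Python below is an added example, not part of the original slides; the log line format, function names, thresholds and sample entries are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in a hypothetical format: "<epoch> <source IP> INVITE sip:<user>@<domain>"
SAMPLE_LOG = """\
1286200000 198.51.100.7 INVITE sip:111@sip.company.com
1286200002 198.51.100.7 INVITE sip:112@sip.company.com
1286200003 203.0.113.20 INVITE sip:204@sip.company.com
1286200004 198.51.100.7 INVITE sip:113@sip.company.com
1286200006 198.51.100.7 INVITE sip:114@sip.company.com
1286200008 198.51.100.7 INVITE sip:115@sip.company.com
1286200010 192.0.2.9 INVITE sip:111@sip.company.com
1286200020 192.0.2.9 INVITE sip:112@sip.company.com
1286200300 203.0.113.20 INVITE sip:350@sip.company.com
1286203700 192.0.2.9 INVITE sip:113@sip.company.com
"""
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+INVITE\s+sip:(\d+)@\S+$")

def longest_consecutive_run(numbers):
    """Length of the longest run n, n+1, n+2, ... present in numbers."""
    nums, best = set(numbers), 0
    for n in nums:
        if n - 1 not in nums:          # n starts a run
            length = 1
            while n + length in nums:
                length += 1
            best = max(best, length)
    return best

def find_sweeps(log, window=60, min_run=4):
    """Map source IP -> longest run of consecutive extensions called within `window` seconds."""
    by_src = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:                          # non-numeric users and other methods are ignored
            by_src[m.group(2)].append((int(m.group(1)), int(m.group(3))))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = best = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1             # slide the window forward
            best = max(best, longest_consecutive_run(e[1] for e in events[start:end + 1]))
        if best >= min_run:
            alerts[src] = best
    return alerts

if __name__ == "__main__":
    print(find_sweeps(SAMPLE_LOG))
```

Only the source that walks five consecutive extensions inside one window is reported; the source whose calls to 111, 112 and 113 are spread over an hour stays below the threshold.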