VoIP Security - Peter H. Gregory
Post on 16-Apr-2020
VoIP Security
So you are thinking about implementing VoIP in your network...
Peter H. Gregory, CISA, CISSP
petergregory@yahoo.com
www.isecbooks.com
Copyright © 2007 Peter H Gregory
About the Speaker
Author of 16 books in information security & technology
Interviews in Information Security Magazine, Tech Republic, Business Week, Computerworld, C|Net News, etc.
Board member, Evergreen State Infragard
Board of Advisors, UW information assurance certificate program
Co-founder, Pacific CISO Forum
www.isecbooks.com
petergregory@yahoo.com
Acknowledgments
Avaya
John Wiley & Sons Publishing Co
VoIP Security book available
VoIP Security For Dummies, Avaya Limited Ed.
Hardcopy from your Avaya sales rep
Online
www.avaya.com
www.isecbooks.com
Why?
Why should we take our stable and reliable corporate telecommunications into the chaotic and risky TCP/IP world?
Cost savings, features, flexibility, improved customer service
VoIP Security News
spoofing, eavesdropping, resource exhaustion, and denial of service vulnerabilities
Vonage, Grandstream, Globe 7, Microsoft MSN Messenger, AOL Instant Messenger, Avaya one-X Desktop Edition, Nortel Networks PC Client, Avaya 4602SW SIP Phone, Polycom SoundPointIP 601 SIP phone, Snom-320 SIP Phone, Aastra9112i SIP phone, Blackberry™ 7270 SIP stack, AGEPhone SIP soft phone, Samsung SCH-i730 phone, SJPhone SIP soft phone, D-Link DPH-540/DPH-541 Wi-Fi phone……….
Risks
Newer products have more vulnerabilities than established products
Corporate telecommunications inherits most of the problems present in the TCP/IP world today
Availability of corporate telecomm is now tied to the availability and health of the data network
Types of VoIP incidents that can occur
Eavesdropping
Access to sensitive information
Vandalism
Quality of service
Toll fraud
The laws of data protection
What you must do                 | What hackers can do
Protect every point of entry     | Attack the weakest point of entry
Be constantly vigilant, 24/7/365 | Attack at a time of own choosing
Close every vulnerability        | Exploit any and all vulnerabilities
Close every known vulnerability  | Search for new vulnerabilities
Threats to VoIP
Infrastructure-based attacks
Application-based attacks
Call interception
Denial of Service attacks
Session hijacking/impersonation
Pharming
Caller ID spoofing
Toll fraud
Protocol-specific threats (H.323, SIP, and MGCP)
Worm storms
Zero Day attacks
VoIP Vulnerabilities
Software bugs
Incorrect configuration
Flawed architecture
Lack of experience / training
Weak processes and procedures
Protecting Your VoIP Network
Develop and enforce security policies and processes
Enforce physical security
Lock down servers, systems, and networks
Unify network management
Confirm user identity and enforce security policies at a device level
Maintain active security monitoring
Ensure logical segregation
Use encryption
Select VoIP products that have security built-in
Thank You