RE: Securing VOIP?

From: Shawn Duffy (sduffy@xecu.net)
Date: 10/16/01


From: "Shawn Duffy" <sduffy@xecu.net>
To: <reberc@post.ch>
Subject: RE: Securing VOIP?
Date: Mon, 15 Oct 2001 19:18:26 -0400
Message-ID: <00b501c155cf$b1787fa0$415e050a@D9741Q01>

Your provider is correct. PRI is a switched service provided by HIS/HER
side. The only way that data (we are talking about Internet traffic
from the providers side) can get through is by the provider allowing it.

My guess is he is providing you B channels directly from the provider's
own PBX. This means that he is hooking you up to PHONE services only.
I bet he hasn't thought of you using the channel for dial into an analog
modem... Even so, the issue would be with the terminating modem on your
end.
More likely you are running a digital service and cannot hook an analog
modem to your phone set.

Clear as mud now?
Hope this did help.

--
Shawn Duffy, CISSP
 
 

-----Original Message----- From: reberc@post.ch [mailto:reberc@post.ch] Sent: Monday, October 15, 2001 11:13 AM To: pen-test@securityfocus.com Subject: Securing VOIP?

Hi

I have to review our concept for implementing VOIP. I have to make sure, that all security issues are covered. If anybody could give me some help on this question:

Our provider says, that we need no firewall for VOIP because our Voice Gateway receives only PRI requests/transfers. He says that it is possible to restrict the Voice Gateway for only PRI-Traffic and that it is impossible to bring data along with PRI. The PRI is always converted to voice. Now I have seen, that you can send Voice, Video and Data on PRI. Is it really necessary to have an Firewall between our CallManager and Voice Gateway or can I trust the provider and be sure, that nothing else (IP-Transfers) is coming over this line?

Many thanks in advance!

Claudia Reber IT-Security Officer

Die Schweizerische Post Information Technology Services IT5 IT-Security Webergutstrasse 12 CH-3030 Bern (Zollikofen)

Tel: ++41 (0)31 338 16 44 Handy: ++41 (0)79 211 01 48 Fax: ++41 (0)31 338 74 92 > e-Mail mailto:reberc@post.ch > > visit our homepage: > http://pww.post.ch/oe/IP/corp//index.htm (intern) http://www.post.ch > (extern) > > There was a belief that it was going to be easy. They were wrong!

------------------------------------------------------------------------ ---- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/

---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/



Relevant Pages

  • Re: question about ip addresses
    ... You are using a program to communicate to someone ... a client program, and one is the server program. ... This is neither unreasonable, nor a security issue. ... provider, your country, and likely one can deduce some more accurate ...
    (alt.computer.security)
  • Re: Event Viewer after SP3
    ... What anti-virus application or security suite is installed on the computers and is your subscription current? ... Has aNorton or McAfee application ever been installed on the computers? ... A provider, Rsop Planning Mode Provider, has been registered in the WMI ... provider will be run using the LocalSystem account. ...
    (microsoft.public.windowsxp.general)
  • Re: Security Groups from VPN
    ... security groups for the user. ... The WinNT provider requires the NetBIOS name of the domain. ... Dim dictionaryGroups ...
    (microsoft.public.scripting.vbscript)
  • Re: Vulnerabilites in new laws on computer hacking
    ... Money can't buy you software an online content provider has made themselves. ... Whoever fixed it was actually a good, security conscious programmer and I hope ... If the service provider couldn't provide the security, the customers had no ...
    (Bugtraq)
  • Re: Need to load 200 users into Form security DB
    ... You'll also want to go to ScottGu's blog and get the Table Profile Provider as the default for Profiles stores all Profiles as a delineated mess, ... So you either gotta make this work, or write your own custom membership provider. ... I ran the script that creates a security database in SQL2008 with 11 tables, ...
    (microsoft.public.dotnet.framework.aspnet)