RE: Converged Network Assessment



Ken,

Thank you for the email, however, I did not post that original email. My email address was forged by an ex-employee of mine who has been doing this around the internet.

I think one of the additional implications here is the realization
that VoIP and multi-media will introduce new issues to the security
community and should be factored into risk assessments. Pen tests
should be adjusted accordingly.

Several simple observations on the convergence impact:

1) first, convergence is going to have a lot to do with integrating
VoIP - here we should note that general managers are traditionally
more concerned about voice privacy than email privacy (while most
data folks know there's a lot of critical information in email,
mgmt cares more about confidentiality on their voice
communications) - this is likely to lead to wide-spread encryption
of voice traffic which means it's an ideal convert channel since
filters can't inspect encrypted data flows so look for malicious
use of encrypted UDP packets
2) VoIP requires two ports (each is unidirectional) for
conversations - some firewalls or perimeter defenses talk about pin
holes being opened for voice; don't you love it - a hole in the
perimeter but it's only a pin prick 2) acceptable, or functional
latency is very different for voice and live video than for email
or browsing; this means that many exploits that might cause a delay
can actually produce an outage in the converged network 3) power
dependency is an important issue since the phone grid traditionally
carried it's own power and that's not easy to do with VoIP 4)
location awareness is an issue as we see in the FCC battle over
E911 for VoIP 5) spoofing of caller ID is made quite trivial in VoIP
6) Convergence also commonly includes wireless and new client form
factors like cell phones and hybrid PDAs

These are not all direct issues for a pen test but risk assessment
and planning should address these and far more.

Each new technology we deploy opens up new vulnerabilities and it's
our jobs to be in front of these.

Convergence is far more than market hype - it's going to bring lots
of new vulnerabilities and will require new, enhanced defenses.

And, as I've said to vendors for 30 years "it's got to be taught
before it will be bought" so it's got to start with education.


-----Original Message-----
From: Bob Radvanovsky [mailto:rsradvan@xxxxxxxxxxxxx]
Sent: Sunday, February 05, 2006 3:12 PM
To: joseph@xxxxxxxxx; pen-test@xxxxxxxxxxxxxxxxx
Subject: Re: Converged Network Assessment

Actually, it could go either way. The latest thing within the IT
and security industries is "standardization". For the security
industries, this means converging physical, cyber and policy
management security together. For the IT industries, this means
converging telephone (VoIP), video, and networking together.

This makes sense that what they're offering is a complete suite of
networking assessments for telephony, video and network (data).
They're taking advantage of the "convergence movement" lately, and
utilizing it as a method of a one-stop-shopping for assessing ALL
technologies under ONE quote.

Makes sense, doesn't it?

Bob Radvanovsky, CISM, CIFI, REM, CIPS
"knowledge squared is information shared"
rsradvan (at) unixworks.net | infracritical.com | ehealthgrid.com
(630) 673-7740 | (412) 774-0373 (fax)

*** DISCLAIMER NOTICE ***
This electronic mail ("e-mail") message, including any and/or all
attachments, is for the sole use of the intended recipient(s), and
may contain confidential and/or privileged information, pertaining
to business conducted under the direction and supervision of Bob
Radvanovsky and/or his affiliates, as well as is the property of
Bob Radvanovsky and/or his affiliates, or otherwise protected from
disclosure. All electronic mail messages, which may have been
established as expressed views and/or opinions (stated either
within the electronic mail message or any of its attachments), are
left at the sole discretion and responsibility of that of the
sender, and are not necessarily attributed to Bob Radvanovsky.
Unauthorized interception, review, use, disclosure or distribution
of any such information contained within this electronic mail
message and/or its attachment(s), is(are) strictly prohibited. As
this e-mail may be legally privileged and/or confidential and is
intended only for the use of the addressee(s), no addressee should
forward, print, copy, or otherwise reproduce this message in any
manner that would allow it to be viewed by any individual not
originally listed as a recipient. If the reader of this message is
not the intended recipient, you are hereby notified that any
unauthorized disclosure, dissemination, distribution, copying or
the taking of any action in reliance upon the information herein is
strictly prohibited. If you have received this communication in
error, please notify the sender immediately, followed by the
deletion of this or any related message.


----- Original Message -----
From: joseph@xxxxxxxxx
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: Converged Network Assessment


I am newbie in the field of security, and stumbled across a
security

company
advertising that they conduct Converged Network Assessments. As
they describe the assessment focuses on both the voice and the
data network, in order to expose any new security holes created
by a converged network.

.The assessment covers:
- External Security Assessment
- Internal Security Assessment
- PBX Assessment
- Adjunct Assessment
- Wireless Assessment
- Bluetooth Assessment
- Rogue Modem Assessment
- IDS Assessment
- SAN's Assessment
- VoIP Assessment
- Penetration testing

So can someone provide me a honest answer to what a Converged
Network Assessment is, it sounds like a lot of marketing speak.

thx

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------



Relevant Pages

  • RE: Converged Network Assessment - VoIP Security
    ... second annual VoIP Security Conference at Illinois Institute of Technology ... Subject: Converged Network Assessment ... convergence is going to have a lot to do with integrating VoIP ...
    (Pen-Test)
  • RE: Converged Network Assessment - VoIP Security
    ... VoIP Conference 2006 participants requirements: ... CPD Network Security Technologies ... Converged Network Assessment - VoIP Security ... convergence is going to have a lot to do with integrating VoIP ...
    (Pen-Test)
  • RE: Converged Network Assessment - VoIP Security
    ... Converged Network Assessment - VoIP Security ... convergence is going to have a lot to do with integrating VoIP ...
    (Pen-Test)
  • RE: Converged Network Assessment
    ... I think one of the additional implications here is the realization that VoIP ... Several simple observations on the convergence impact: ... Subject: Converged Network Assessment ... security industries is "standardization". ...
    (Pen-Test)
  • RE: Pen Test vs. Health Check
    ... I agree with the idea that an internal assessment is far more effective than ... involves working with the staff who designed the network to identify issues ... Managers who have only experienced information security issues from ... A Pen Test is only as good as the testers and is only a snapshot. ...
    (Pen-Test)