The State of VoIP Security, a.k.a. “Does Anyone Really Give A _____ About VoIP Security?”
1. The State Of VoIP Security, a.k.a. “Does Anyone Really Give A _____ About VoIP Security?”
Dan York, CISSP
Chair, VoIP Security Alliance
October 5, 2011
4. Does Anyone Really Give A _____ About VoIP Unified Communications Security?
© 2011 VOIPSA
10. [Photo: http://www.flickr.com/photos/mattblaze/2275723713/]
17. Fingerpointing - 2011
[Diagram of interdependent components; labels: Mobile Devices, IM Networks, Application Servers, Internet, Operating Systems, PSTN Gateways, IP-PBX, VoIP, Web Servers, IP Network, Social Networks, Firewalls, Physical Wiring, Directory Servers, Voicemail, Desktop PCs, Email Servers, Database Servers, CRM Systems, Session Border Controllers]
24. The Old Boys’ Club
[Diagram: the PSTN surrounded by a handful of boxes, each labeled “Carrier”]
25. The Wild West…
[Diagram: the PSTN surrounded by dozens of boxes, each labeled “ITSP”]
30. If 1 Is Good, Why Not 3?
33. [Network diagram; labels: PC, UC System, Firewall, Internet, Home Firewall, IP Phone, Corp HQ, Home]
34. [Network diagram; labels: Laptop UC client, WiFi, UC System, Firewall, Internet, Café Router, Corp HQ, Mobile Data Network, Mobile UC client]
35. [Network diagram; labels: Corporate Network, Internet, IVR, Voicemail, IM (×3), Presence (×3), Call Control (×3), Conferencing, Corp HQ, Office A, Office B, PSTN]
37. Benefits
(for us… and for attackers)
38. DDoS
(the old-fashioned kind)
(Asterisk & Amazon EC2, anyone?)
39. SPIT
(“SPam for Internet Telephony”)
SPAM
41. Fingerpointing - 2011
[Diagram repeated from slide 17]
46. Fingerpointing - 2011
[Diagram repeated from slide 17]
65. “VoIP Is Insecure!!!”
[Caret (^) annotation inserting the words “deployed” and “Stupidly”]
81. What is the Industry Doing to Help?
• Security Vendors: “The Sky Is Falling!” (Buy our products!)
• VoIP Vendors: “Don’t Worry, Trust Us!” (Buy our products!)
83. Security Links
• VoIP Security Alliance - http://www.voipsa.org/
– Threat Taxonomy - http://www.voipsa.org/Activities/taxonomy.php
– VOIPSEC email list - http://www.voipsa.org/VOIPSEC/
– Weblog - http://www.voipsa.org/blog/
– Security Tools list - http://www.voipsa.org/Resources/tools.php
– Blue Box: The VoIP Security Podcast - http://www.blueboxpodcast.com
• NIST SP800-58, “Security Considerations for VoIP Systems”
– http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf
• Network Security Tools
– http://sectools.org/
• Hacking Exposed VoIP site and tools
– http://www.hackingvoip.com/
• Seven Deadliest Unified Communications Attacks
– http://www.7ducattacks.com/
85. Thank you! Q & eh?
www.voipsa.org
7ducattacks.com
Dan York - dan.york@voipsa.org
+1-802-735-1624
DisruptiveTelephony.com
danyork.com
blueboxpodcast.com
twitter.com/danyork