Security Basics: RE: VoIP security

["Anil Saini" <ansaini567 () hotmail com>]

check with juniper netscreen security gateways. They do support ipsec 
tunneling for VoIP.
Anil

> From: "Drumm, Daniel" <dgdrumm () bf umich edu>
> To: "Joshua Berry" <jberry () PENSON COM>,"Seth Art" <sethart () gmail com>, 
> <security-basics () securityfocus com>
> Subject: RE: VoIP security
> Date: Thu, 21 Apr 2005 12:53:39 -0400
>
> I would suggest joining the VoIP security list and learn about what's
> happening with Secure RTP and other initiatives. Cisco phones can make
> use of certificates, there is IPSEC encapsulation at route edges by
> providers, there is MPLS Security, a whole gamut of things going on.
>
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>
> Vomit can decode calls from a Cisco phone, provided the encapsulation is
> G.711. It doesn't handle other codecs, or at least it didn't a few
> months ago. The answer to most these types of issues is SRTP, although
> there are other initiatives going on as well.
>
> -----Original Message-----
> From: Joshua Berry [mailto:jberry () PENSON COM]
> Sent: Thursday, April 21, 2005 9:35 AM
> To: Seth Art; security-basics () securityfocus com
> Subject: RE: VoIP security
>
> There are programs out there capable of replaying VoIP sessions:
>
> Vomit:
> http://vomit.xtdnet.nl/
> The vomit utility converts a Cisco IP phone conversation into a wave
> file that can be played with ordinary sound players. Vomit requires a
> tcpdump output file. Vomit is not a VoIP sniffer also it could be but
> the naming is probably related to H.323.
>
> I haven't found any others but it is definitely possible.  VoIP travels
> over IP and therefore can be encrypted through IPSec tunnels or other
> means but I doubt most ISP's are doing that right now.
>
> -----Original Message-----
> From: Seth Art [mailto:sethart () gmail com]
> Sent: Wednesday, April 20, 2005 8:52 AM
> To: security-basics () securityfocus com
> Subject: VoIP security
>
> My coworker had an interesting question.  She had to validate her credit
> card number over the phone using her social and other sensitive
> information.  She has a VoIP router from her ISP.  The question: Are
> the VoIP packets encrypted as they go across the wire?   Or can
> someone sniffing in the right place capture all of that sensitive VoIP
> traffic and reassemble her CC# and SS# from the tones? Is this somethign
> that might be an issue in the future or is there already an answer out
> there?
>
> -Seth