Security Basics mailing list archives
Re: Seeking Information regarding VoIP security Assessment
From: Abhishek Kumar <abhishek.luck () gmail com>
Date: Wed, 14 Oct 2009 23:23:57 +0530
Really very helpful suggestions and resources. Actually I have been given a task to write a 2-3 page writeup on VoIP Security and how we can do VoIP security assessment.

regards
abhi

On Wed, Oct 14, 2009 at 10:16 PM, J. Oquendo <cisa () e-fensive net> wrote:

> Abhishek Kumar wrote:
>> Dear list,
>> Can I have some resource materials for VoIP security and its Assessment ??
>> regards
>> abhi
>
> Voice is no different than data. If more people understood that, more people would see similar attack vectors and risk strategies. It's a consortium of protocols (SIP, H323, etc.) that work similarly to many others (SMTP, HTTP) so the same attack methodologies apply. Sniffing, spoofing and so on. When you look at it in this fashion instead of some foreign point of view, one will see how easy it is. So here are some similar questions right back:
>
> "Can I have some resource materials for HTTP security and its assessment?"
> "Can I have some resource materials for SMTP security and its assessment?"
>
> Follow the same structure as you would for other protocols. Learn how it functions (username, password, server, ports), how data (DATA because voice streams are (*drum roll*) ... data) and go from there. Same core principles will still apply to VoIP. Is it sniffable? Yup. Does it entail using username password combos? Yup (almost 98+ percent of the time). Is it client server based? Yup. No different than any other protocol. Understand how it works from the ground up by reading RFCs or detailed "how does VoIP work?" and go from there.
>
> You can't expect any definitive "here you go!" response for this question without having a core understanding of how networking works for starters, along with good deductive reasoning skills, core understanding of client/server interactions, the OSI and its interaction with each other. The rest doesn't matter: "zomfg ... audio! video! But it's voice!... VoIP!!!" ... No, it's data once it hits the network. The rest is a matter of understanding the data that you're looking at and rebuilding and/or re-engineering that data.
>
> http://www.packetizer.com/ipmc/papers/understanding_voip/voip_protocols.html
> http://www.tech-pro.net/voice-over-ip.html
> http://www.cs.columbia.edu/sip/
> http://www.voipsa.org/Resources/articles.php
> http://www.voipsa.org/Resources/tools.php
>
> --
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> J. Oquendo
> SGFA, SGFE, C|EH, CNDA, CHFI, OSCP
>
> "It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett
>
> 227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
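
The point made in the quoted reply, as an added example that is not part of the original thread or any poster's code: SIP signaling is line-oriented text like HTTP and SMTP, so a captured request can be reviewed with the same header-level checks (transport, authentication scheme). The sample message, host names and the `parse_sip` and `assess` helpers are constructed for this illustration.

```python
import re

# Constructed sample: a SIP REGISTER request in RFC 3261 syntax, as seen in a capture.
SAMPLE_REGISTER = (
    "REGISTER sip:pbx.example.test SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKconstructed\r\n"
    "From: <sip:1001@pbx.example.test>;tag=abc\r\n"
    "To: <sip:1001@pbx.example.test>\r\n"
    "Call-ID: constructed-call-id@192.0.2.10\r\n"
    "CSeq: 2 REGISTER\r\n"
    'Authorization: Digest username="1001", realm="pbx.example.test", '
    'nonce="constructednonce", uri="sip:pbx.example.test", '
    'response="00000000000000000000000000000000", algorithm=MD5\r\n'
    "Content-Length: 0\r\n\r\n"
)

def parse_sip(raw):
    """Split a SIP message into (start_line, headers), much like an HTTP request."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # only the first colon separates name/value
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers

def assess(raw):
    """Return assessment findings for one captured SIP request."""
    _start, headers = parse_sip(raw)
    findings = []
    # The Via header names the transport: UDP/TCP are cleartext, TLS is protected.
    m = re.match(r"SIP/2\.0/(\w+)", headers.get("via", [""])[0])
    transport = m.group(1).upper() if m else "UNKNOWN"
    if transport != "TLS":
        findings.append(f"signaling over cleartext {transport}")
    creds = headers.get("authorization", []) + headers.get("proxy-authorization", [])
    for auth in creds:
        if not auth.lower().startswith("digest"):
            continue
        pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', auth)
        params = {k.lower(): quoted or bare for k, quoted, bare in pairs}
        # RFC 2617: a missing algorithm parameter means MD5.
        algo = params.get("algorithm", "MD5").upper()
        if algo.startswith("MD5"):
            findings.append(f"Digest auth uses {algo} for user {params.get('username')}")
    return findings

if __name__ == "__main__":
    for finding in assess(SAMPLE_REGISTER):
        print(finding)
```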
Current thread:
- Seeking Information regarding VoIP security Assessment Abhishek Kumar (Oct 14)
- Re: Seeking Information regarding VoIP security Assessment Lim Ming Wei (Oct 14)
- Re: Seeking Information regarding VoIP security Assessment Jon Kibler (Oct 14)
- Re: Seeking Information regarding VoIP security Assessment Abhishek Kumar (Oct 15)
- Re: Seeking Information regarding VoIP security Assessment Nikhil Wagholikar (Oct 14)
- RE: Seeking Information regarding VoIP security Assessment SOC (Oct 14)
- Message not available
- Re: Seeking Information regarding VoIP security Assessment Abhishek Kumar (Oct 14)
- Re: Seeking Information regarding VoIP security Assessment J. Oquendo (Oct 14)
- Re: Seeking Information regarding VoIP security Assessment Ivan . (Oct 15)
- Re: Seeking Information regarding VoIP security Assessment Abhishek Kumar (Oct 14)
- Re: Seeking Information regarding VoIP security Assessment Rick Zhong (Oct 15)
- Re: Seeking Information regarding VoIP security Assessment DiPo (Oct 15)
- Re: Seeking Information regarding VoIP security Assessment J. Oquendo (Oct 15)
- Re: Seeking Information regarding VoIP security Assessment DiPo (Oct 15)
