Voice over IP Security

November 18, 2009 · Posted in VoIP 

Product Description


Security best practices derived from deep analysis of the latest VoIP network threats

 

Patrick Park

 

VoIP security issues are becoming increasingly serious because voice networks and services cannot be protected from recent intelligent attacks and fraud by traditional systems such as firewalls and NAT alone. After analyzing threats and recent patterns of attacks and fraud, consideration needs to be given to the redesign of secure VoIP architectures with advanced protocols and intelligent products, such as Session Border Controller (SBC). Another type of security issue is how to implement lawful interception within complicated service architectures according to government requirements.

 

Voice over IP Security focuses on the analysis of current and future threats, the evaluation of security products, the methodologies of protection, and best practices for architecture design and service deployment. This book not only covers technology concepts and issues, but also provides detailed design solutions featuring current products and protocols so that you can deploy a secure VoIP service in the real world with confidence.

 

Voice over IP Security gives you everything you need to understand the latest security threats and design solutions to protect your VoIP network from fraud and security incidents.

 

Patrick Park has been working on product design, network architecture design, testing, and consulting for more than 10 years. Currently Patrick works for Cisco® as a VoIP test engineer focusing on security and interoperability testing of rich media collaboration gateways. Before Patrick joined Cisco, he worked for Covad Communications as a VoIP security engineer focusing on the design and deployment of secure network architectures and lawful interception (CALEA). Patrick graduated from the Pusan National University in South Korea, where he majored in computer engineering.

 

Understand the current and emerging threats to VoIP networks

Learn about the security profiles of VoIP protocols, including SIP, H.323, and MGCP

Evaluate well-known cryptographic algorithms such as DES, 3DES, AES, RSA, digital signature (DSA), and hash function (MD5, SHA, HMAC)

Analyze and simulate threats with negative testing tools

Secure VoIP services with SIP and other supplementary protocols

Eliminate security issues on the VoIP network border by deploying an SBC

Configure enterprise devices, including firewalls, Cisco Unified Communications Manager, Cisco Unified Communications Manager Express, IP phones, and multilayer switches to secure VoIP network traffic

Implement lawful interception into VoIP service environments

 

This IP communications book is part of the Cisco Press® Networking Technology Series. IP communications titles from Cisco Press help networking professionals understand voice and IP telephony technologies, plan and design converged networks, and implement network solutions for increased productivity.

 

Category: Networking—IP Communication

Covers: VoIP Security


Comments

5 Responses to “Voice over IP Security”

  1. Midwest Book Review on November 18th, 2009 12:34

    VoIP security issues are becoming more and more serious as voice networks grow and intelligence attacks and fraud become more sophisticated, so any library strong in programmer’s references including extensive VoIP networking needs VOICE OVER IP SECURITY, an analysis of cryptographic algorithms, threats, and survey of how security issues on networks can be addressed. From configuring firewalls to implementing lawful interception into VoIP services, this provides all the analysis and tools necessary for understanding VoIP threats and system protection.

    Rating: 5 / 5

  2. Richard Bejtlich on November 18th, 2009 12:46

    The reviews of Voice over IP Security are fairly consistent at 4 stars, and I agree with that consensus. I’ve read a few books on this topic, and early titles were fairly awful. My favorite remains Hacking Exposed: VoIP, but a comparison with Voice over IP Security shows different audiences for the two books. The HE book is better suited for those assessing VoIP systems, while this book is better for engineers and those implementing VoIP systems.

    Voice over IP Security is unique because it pays special attention to lawful intercept issues. I can’t recall another book with 2 chapters on LI and CALEA alone. I also liked the many diagrams, some of which present very complicated information in a clear manner. The author is very thorough and I appreciated when he showed details for various VoIP protocols.

    On the downside, I thought the book was very dry. In some places the English was rough. The copyeditor should have fixed those errors. For example, I found three places on p 108 where I could tell the author might not have spoken English as a first language. These minor errors should be fixed in future printings. Also, I found HE:VoIP’s explanation of security issues to be better suited to my mindset. The HE:VoIP authors even built tools just to demonstrate VoIP issues, while this book relied on older tools (PROTOS) or common ones (SIPSAK, etc.)

    The bottom line is that if you are building VoIP networks, especially supported by Cisco gear, you will find Voice over IP Security to be helpful.
    Rating: 4 / 5

  3. Kristy M. Westphal on November 18th, 2009 14:26

    I was really excited to take a look at a book on this topic. It seems to me that while we all knew that there are security issues with this type of technology, no one really wanted to discuss the gritty details in a way that made them easy to understand. I think that `Voice over IP Security’ is a great start to understanding just what those details are. Just keep in mind while reading it just who the target audience is.

    In the intro section, the `who should read this book’ section addresses a very broad audience, everyone from managers to engineers to security people to developers. This is an ambitious lot to try and satisfy in less than 400 pages. However, I think that the book makes a noble attempt to in fact meet the requirements of these various groups. Perhaps not in the depth that each of the groups would want to see, but I think it’s a good foundation for anyone trying to learn the technology.

    The areas that I most appreciated (being an information security manager type who has to look at technology like this from many dimensions: policy, technical configuration recommendations, audit) were it breaks down the many vulnerable areas, actually specifying the components and their weaknesses in the context of confidentiality, availability and integrity. The book also has a detailed discussion on the protocols of VoIP and how they work. I found the diagrams and other illustrations very useful in these areas.

    The last section I wanted to point out was the discussion on lawful interception. I don’t think that a lot of organizations consider this issue when they implement this type of system, so I particularly found this helpful and well explained. I will definitely use this as a reference as I prepare to write some policies for a VoIP implementation.

    I noticed that the author did very well at taking some very technical topics and made them easy to understand. Well written, I think that `Voice over IP Security’ is a great read to better understand the components of a VoIP system, the threats, and how best to protect your organization from such threats.

    Rating: 4 / 5

  4. Raul Siles on November 18th, 2009 15:19

    The book provides a good general overview of VoIP security, covering multiple topics involved on securing a VoIP infrastructure, from network devices to VoIP servers, plus secure VoIP protocols. In my opinion, the best chapters are chapter 8 and 10 & 11, Session Border Controllers (SBC’s) and Lawful Interception (LI), respectively; it is difficult to find books covering these topics still today, although these are two of the major areas regarding VoIP security nowadays.

    SBC’s are the VoIP security element by design and therefore a key device in any VoIP infrastructure. The book covers SBC’s types, access and peering, expected SBC functionality and capabilities (such as DoS protection, translation and NAT features, LI, high availability and load balancing, etc) and offers a brief introduction to its architecture design concepts.

    Lawful Interception (LI) by law enforcement (LE), or LI by LE :) , is one of the main VoIP research topics today, especially when strong security features are added, such as signaling and media encryption, that difficult the interception tasks. The last two chapters cover the fundamentals of LI on VoIP networks (following the Cisco model, as there are three other standards), describing the different elements, functions, and interfaces involved. It is a theoretical chapter followed by some practical advice to implement LI, very detailed and Cisco-based.

    The book starts with an introductory overview of VoIP, its benefits and drawbacks, and some security concerns. Then it provides another VoIP threat taxonomy, a good generic overview that lacks some VoIP threats and complements (or simply provides another perspective to) the IETF draft and VOIPSA VoIP threat taxonomies. Unfortunately, I have not found yet a classification that consolidates all the different VoIP threats from (IMHO) the right perspective.

    Chapter 3 offers an interesting summarized analysis of the main VoIP protocols, how they work, and their main security requirements and features. It covers H.323, SIP, and MGCP; I specially liked the SIP section, with descriptive message captures and flow diagrams. Chapter 5 complements the VoIP protocols with the main network devices in a VoIP environment, their role, and key security requirements. Although chapter 7 extends the security analysis of VoIP protocols, covering authentication and signaling and media encryption, it does not cover the latest key exchange solutions, such as DTLS, ZRTP or MickeyV2, as it is focused mainly on S/MIME.

    All these chapters provide a lightweight analysis of VoIP security, not going very much in-depth into any of the topics covered. The book is a good overview reference for the VoIP security novice reader, I guess intended for network and system administrators, law enforcement, or security pros new to VoIP.

    VoIP threats, including some attack types and tools, are analyzed on chapter 6. This chapter covers in detail a few VoIP attacks, providing simulation, examples and command line options for widely available attack tools. It allows the reader to see some real attacks in action, although it only shows the tip of the iceberg regarding all the tools and attacks that are possible; please, do not get the feeling that this is all you can do.

    Chapter 4 covers cryptography, and in my opinion, it doesn’t fit on the book; although crypto is a key aspect to protect VoIP infrastructures, the novice reader can get this info from other sources.

    As the book is from Cisco Press, chapter 9 focuses on specific Cisco features and syntax, specially for practical sections that provide configuration details for firewalls, access devices, and the Unified Communication Manager (& Express), formerly CallManager. The info is useful to get an overview of the implementation steps, but do not apply to you if you are using equipment from other vendors.

    Overall, it is a generic reference book to start getting involved into the VoIP security world, acquire a general understanding of the main VoIP security threats, target network elements, VoIP protocols, and security solutions. Once again, the SBC and LI sections are my favorites.
    Rating: 4 / 5

  5. W Boudville on November 18th, 2009 18:08

    Voice over Internet Protocol has emerged as a very popular way to do cheap (often free) long distance phone calls. But there is a huge amount of complexity beneath VoIP, that most users and even sysadmins are blissfully unaware of. The authors of this book perform a valuable service by educating the reader about current and, perhaps more importantly, possible future attacks.

    A major source of weakness in VoIP is shown to be due to interoperability issues between different underlying protocols or applications. In turn, a major reason for this is that when the protocols were defined, the authors of the defining documents unwittingly left ambiguities in the specifications. Then when vendors implemented VoIP products based on those protocols, different vendors might reasonably have interpreted the documents differently.

    Another source of weakness in security, as compared to traditional phone calls, is that tapping the latter often requires physical access to a phone line or a switching exchange. But VoIP at a low enough level is just like anything else that uses the Internet. Packets are routed through arbitrary third parties on the Internet. Those might have been subverted via remote attacks, so the VoIP cracker could be anywhere in the world.

    The book then spends most of its time suggesting protective measures. Including, most interestingly, how to simulate current and possibly future threats. This gives you practical hands on experience in role playing the adversary. Something necessary to fully devise technical solutions.

    But even if you do not do the latter, the book is useful simply in making you aware of the danger. So that for “sensitive” conversations, you might advise users to minimise the use of VoIP, perhaps by using standard land lines.
    Rating: 4 / 5
